diff --git a/README.md b/README.md
index 5c05327..4ac3018 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ Read more about Detection Lab on Medium here: https://medium.com/@clong/introduc
 NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.
 
 ## Primary Lab Features:
+* Microsoft Advanced Threat Analytics (https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics) is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
 * Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
 * A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
 * [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding)  subscriptions and custom channels are implemented
@@ -19,6 +20,7 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr
 * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
 * SMBv1 Auditing is enabled
 
+
 ## Requirements
 * 55GB+ of free disk space
 * 16GB+ of RAM
@@ -124,6 +126,7 @@ Vagrant commands must be run from the "Vagrant" folder.
 * Fleet login: https://192.168.38.5:8412 - admin:admin123#
 * Splunk login: https://192.168.38.5:8000 - admin:changeme
 * Caldera login: https://192.168.38.5:8888 - admin:caldera
+* MS ATA login: https://192.168.38.3 - wef\vagrant:vagrant
 
 ## Lab Hosts
 * DC - Windows 2016 Domain Controller
@@ -134,7 +137,9 @@ Vagrant commands must be run from the "Vagrant" folder.
   * osquery
   * Splunk Universal Forwarder (Forwards Sysmon & osquery)
   * Sysinternals Tools
+  * Microsft Advanced Threat Analytics Lightweight Gateway
 * WEF - Windows 2016 Server
+  * Microsoft Advanced Threat Analytics
   * Windows Event Collector
   * Windows Event Subscription Creation
   * Powershell transcription logging share
@@ -235,7 +240,8 @@ Requests for tools and features will be reviewed on a case by case basis, but I
 ## Credits/Resources
 A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment.
 
-# Acknowledgements
+# Acknowledgements 
+* [Microsoft Advanced Threat Analytics](https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics)
 * [Splunk](https://www.splunk.com)
 * [osquery](https://osquery.io)
 * [Fleet](https://kolide.co/fleet)
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
index 68604cb..fc858fa 100644
--- a/Vagrant/Vagrantfile
+++ b/Vagrant/Vagrantfile
@@ -57,15 +57,15 @@ Vagrant.configure("2") do |config|
 
     cfg.vm.provider "vmware_fusion" do |v, override|
       override.vm.box = "../Boxes/windows_2016_vmware.box"
-      v.memory = 2048
-      v.cpus = 1
+      v.memory = 6144
+      v.cpus = 2
       v.gui = true
     end
 
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
-      vb.customize ["modifyvm", :id, "--memory", 2048]
-      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--memory", 6144]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
       vb.customize ["modifyvm", :id, "--vram", "32"]
       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
@@ -96,18 +96,19 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+    cfg.vm.provision "shell", path: "scripts/install-microsoft-ata.ps1", privileged: true
 
     cfg.vm.provider "vmware_fusion" do |v, override|
       override.vm.box = "../Boxes/windows_2016_vmware.box"
-      v.memory = 2048
-      v.cpus = 1
+      v.memory = 8192
+      v.cpus = 2
       v.gui = true
     end
 
     cfg.vm.provider "virtualbox" do |vb, override|
       vb.gui = true
-      vb.customize ["modifyvm", :id, "--memory", 2048]
-      vb.customize ["modifyvm", :id, "--cpus", 1]
+      vb.customize ["modifyvm", :id, "--memory", 8192]
+      vb.customize ["modifyvm", :id, "--cpus", 2]
       vb.customize ["modifyvm", :id, "--vram", "32"]
       vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
       vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
diff --git a/Vagrant/scripts/install_microsoft_ata.ps1 b/Vagrant/scripts/install_microsoft_ata.ps1
deleted file mode 100644
index 77b1547..0000000
--- a/Vagrant/scripts/install_microsoft_ata.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-# Purpose: Downloads and installs a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
-
-Write-Host "Downloading Microsoft ATA 1.9..."
-
-Invoke-WebRequest -Uri "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso" -OutFile $env:temp\ATA1.9.iso
-
-$Mount = Mount-DiskImage -ImagePath $env:temp\ATA1.9.iso -StorageType ISO -Access ReadOnly -PassThru
-$Volume = $Mount | Get-Volume
-Set-Location ($Volume.DriveLetter + ":")
-
-& '.\Microsoft ATA Center Setup.exe' /q --LicenseAccepted NetFrameworkCommandLineArguments="/q" --EnableMicrosoftUpdate
\ No newline at end of file
diff --git a/build.ps1 b/build.ps1
index cb99c99..0291e05 100644
--- a/build.ps1
+++ b/build.ps1
@@ -349,21 +349,39 @@ function vagrant_reload_host {
 function download {
   param(
     [string]$URL,
-    [string]$PatternToMatch
+    [string]$PatternToMatch,
+    [switch]$SuccessOn401
+
   )
   Write-Verbose "[download] Running for $URL, looking for $PatternToMatch"
   [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
   [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
 
   $wc = New-Object System.Net.WebClient
-  $result = $wc.DownloadString($URL)
-  if ($result -like "*$PatternToMatch*") {
-    Write-Verbose "[download] Found $PatternToMatch at $URL"
-    return $true
+  try
+  {
+    $result = $wc.DownloadString($URL)
+    if ($result -like "*$PatternToMatch*") {
+      Write-Verbose "[download] Found $PatternToMatch at $URL"
+      return $true
+    }
+    else {
+      Write-Verbose "[download] Could not find $PatternToMatch at $URL"
+      return $false
+    }
   }
-  else {
-    Write-Verbose "[download] Could not find $PatternToMatch at $URL"
-    return $false
+  catch
+  {
+    if ($_.Exception.InnerException.Response.StatusCode -eq 401 -and $SuccessOn401.IsPresent) 
+    {
+      return $true
+    }
+    else 
+    {
+      Write-Verbose "Error occured on webrequest: $_"
+      return $false  
+    }
+
   }
 }
 
@@ -381,6 +399,11 @@ function post_build_checks {
   $FLEET_CHECK = download -URL 'https://192.168.38.5:8412' -PatternToMatch 'Kolide Fleet'
   Write-Verbose "[post_build_checks] Fleet Result: $FLEET_CHECK"
 
+  Write-Verbose '[post_build_checks] Running MS ATA Check.'
+  $ATA_CHECK = download -URL 'https://192.168.38.3' -SuccessOn401 
+  Write-Verbose "[post_build_checks] ATA Result: $ATA_CHECK"
+
+
   if ($CALDERA_CHECK -eq $false) {
     Write-Warning 'Caldera failed post-build tests and may not be functioning correctly.'
   }
@@ -390,6 +413,9 @@ function post_build_checks {
   if ($FLEET_CHECK -eq $false) {
     Write-Warning 'Fleet failed post-build tests and may not be functioning correctly.'
   }
+  if ($ATA_CHECK -eq $false) {
+    Write-Warning 'MS ATA failed post-build tests and may not be functioning correctly.'
+  }
 }
 
 
diff --git a/build.sh b/build.sh
index 1915d75..c4e2751 100755
--- a/build.sh
+++ b/build.sh
@@ -253,12 +253,14 @@ post_build_checks() {
   CALDERA_CHECK=$(curl -ks -m 2 https://192.168.38.5:8888 | grep -c '302: Found' || echo "")
   SPLUNK_CHECK=$(curl -ks -m 2 https://192.168.38.5:8000/en-US/account/login?return_to=%2Fen-US%2F | grep -c 'This browser is not supported by Splunk' || echo "")
   FLEET_CHECK=$(curl -ks -m 2 https://192.168.38.5:8412 | grep -c 'Kolide Fleet' || echo "")
+  curl --fail -ks https://192.168.38.3 -m 2
+  ATA_CHECK=$([[ $? == 22 ]] && echo 1)
 
   BASH_MAJOR_VERSION=$(/bin/bash --version | grep 'GNU bash' | grep -o version\.\.. | cut -d ' ' -f 2 | cut -d '.' -f 1)
   # Associative arrays are only supported in bash 4 and up
   if [ "$BASH_MAJOR_VERSION" -ge 4 ]; then
     declare -A SERVICES
-    SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK")
+    SERVICES=(["caldera"]="$CALDERA_CHECK" ["splunk"]="$SPLUNK_CHECK" ["fleet"]="$FLEET_CHECK" ["ms_ata"]="$ATA_CHECK")
     for SERVICE in "${!SERVICES[@]}"; do
       if [ "${SERVICES[$SERVICE]}" -lt 1 ]; then
         (echo >&2 "Warning: $SERVICE failed post-build tests and may not be functioning correctly.")
@@ -274,6 +276,9 @@ post_build_checks() {
     if [ "$FLEET_CHECK" -lt 1 ]; then
       (echo >&2 "Warning: Fleet failed post-build tests and may not be functioning correctly.")
     fi
+    if [ "$ATA_CHECK" -lt 1 ]; then
+      (echo >&2 "Warning: MS ATA failed post-build tests and may not be functioning correctly.")
+    fi
   fi
 }