David Frerie - PeerSpot reviewer
Head of IT & Database Management at an educational organization with 51-200 employees
Real User
Is easy to use and implement, and decreases the threat detection and response times
Pros and Cons
  • "I like the simplicity of the portal and the integration with Microsoft Intune. Microsoft Defender for Endpoint is easy to use and implement."
  • "Right now, there's a portal for Azure, portals for Microsoft Office, and portals for endpoints. It would be good to have only one portal and integrate everything."

What is our primary use case?

We use it to prevent malware attacks.

How has it helped my organization?

The automatic report is very good, and it is easy to see which user or device has a problem. The benefit we were able to realize immediately was protection.

What is most valuable?

I like the simplicity of the portal and the integration with Microsoft Intune. Microsoft Defender for Endpoint is easy to use and implement.

It has helped automate routine tasks and the finding of high-value alerts. However, we have a small IT team, and we have not automated many tasks.

It has also helped us save a little time, but we have saved more time with email protection. We have saved money as well because of ransomware protection.

Microsoft Defender for Endpoint's threat intelligence has helped us prepare for potential threats before they hit and take proactive steps. We have a scoreboard of each device and can quickly see which device needs an upgrade.

This solution has made our threat detection and response time faster by a few hours.

What needs improvement?

Right now, there's a portal for Azure, portals for Microsoft Office, and portals for endpoints. It would be good to have only one portal and integrate everything.

Buyer's Guide
Microsoft Defender for Endpoint
May 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

For how long have I used the solution?

I've been using this solution for five years.

What do I think about the stability of the solution?

Because it is in the cloud, the stability is good.

What do I think about the scalability of the solution?

It is easy to scale and increase capacity.

We are at one location with multiple departments such as IT, marketing, sales, invoicing, etc. We are a small company and have 53 users of Microsoft Defender for Endpoint.

How are customer service and support?

I have contacted Microsoft technical support a few times a year, and they have responded quickly. I'd give them a rating of nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used a different solution and switched to Microsoft Defender for Endpoint because the integration and alignment with Microsoft was great. The previous solution was heavy, and it took a long time to update. 

How was the initial setup?

The initial deployment was easy and took a few hours.

It is deployed to the cloud, and I don't have to spend time on maintenance.

What about the implementation team?

I deployed it myself.

What was our ROI?

The ROI is very difficult to calculate, but it may be 20% ROI. We don't have any problems with ransomware or malware.

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution. It would be nice if it could be included with the Microsoft Office package.

What other advice do I have?

In theory, the best-of-breed strategy is not secure, and practically, a single vendor's suite is better because there is only one contact.

I would recommend trying Microsoft Defender for Endpoint and would give it an overall rating of nine on a scale from one to ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
K.O - PeerSpot reviewer
Application Manager at HNB
Real User
Top 20
Good alert chaining and tool compatibility for endpoints with helpful heuristic capabilities
Pros and Cons
  • "We are able to productively integrate with existing on-prem, hybrid, or cloud applications."
  • "Features like device inventory continue to lack essential workstation drill-downs showing the entire device information with the least effort."

What is our primary use case?

We primarily used the solution as Endpoint Detection and Protection (EDR, EPP) with secondary benefits of threat and vulnerability management, security incident response, automated query and real-time device monitoring, and with the capability of email security, identity management (DFI), and task automation (Power Automate). We used respective licenses where required.

The solution was also used for an endpoint antivirus for workstations in a multi-OS environment, including Windows and Mac OS. We had file, device, and user trajectory monitoring for the security operations team.

How has it helped my organization?

The solution benefited the company via:

  • OS-level/Tool compatibility for endpoints running Windows (since both are Microsoft products and Defender core files are included in Win10 or later delivery).
  • Heuristic capability. Consistent usage of MDE indicates that the tools are continuously learning new prevention techniques by pulling real-time up-to-date cloud resources.
  • Alert chaining. The solution makes security incidents, events, and alerts less tedious from a Security Operations Center standpoint. This can result in false negatives or detriment for small to medium-scale firms running no or semi-automated threat response features.

What is most valuable?

The most valuable aspects of the solution include:

  • Advanced hunting. The product offers flexibility, visibility, and automation capability using a user-friendly query language (KQL).
  • Reporting. Clear and concisely plotted graphics show real-time data representation - which is valuable to upper management.
  • Scalability/API. We are able to productively integrate with existing on-prem, hybrid, or cloud applications. 
  • Great OOB features. The solution comes with SIEM-ingestion-ready features for extensive visibility, automation, and integration, including advanced hunting, threat and vulnerability management, embedded simulation for end-to-end testing, ransomware prevention (Controlled Folder Access), and Attack Surface Reduction (ASR) rules.

What needs improvement?

Improvements could be made via:

  • Clicks. There's a poor user experience with lots of optimizable opportunities in the user interface, particularly on the newly improved portal (https://security.microsoft.com/). Features like device inventory continue to lack essential workstation drill-downs showing the entire device information with the least effort.
  • De-centralized console features. Discrepancies with enabling core features at the click of a button within the MDE portal are mostly due to prerequisites that are tied to the functionality or partial enforcement requirements from other Microsoft tools (Group Policy, Azure, Sentinel, SCCM, Intune). EDR in block mode requires Intune security baselines, and tamper protection requires MAPS enabled. Web content filtering also has security baseline dependencies.
  • No single pane of glass. There are too many loose ends with tiny bits and pieces to enforce essential security policies compared to other EDR solutions within the same caliber. A typical example is having to create exclusions in different locations for entirely different functionalities, such as: automation folder exclusion, group policy exclusions (per tenant), Controlled Folder Access (ASR) Allowed application, and Attack Surface Reduction (ASR).
  • Service Requests. Noncritical cases with MDE technical support teams tend to be queued for over a week before the first customer engagement. Most of these tickets also end up in the hands of temporary or contracted non-Microsoft employees who are scripted and offer little attention to unique incidents.

Suggested additional features that should be included in the next release include:

  • Digestible interface/filter for crown-jewel capabilities like ASR, CFA, and exploit mitigation occurrences.
  • Restoration of an always-visible search bar from the previous console view (https://securitycenter.windows.com).
  • A definitive action plan for Secure Score recommendations and deduplication of controls.

For how long have I used the solution?

We were using Microsoft Defender for Endpoint prior to its change of name from Defender ATP. We experienced a plethora of GA changes including, but not limited to, iOS/multiple OS support, device discovery, web content filtering, API updates, and continuous integrations with existing security tools.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mohamed Abdel Hassanein - PeerSpot reviewer
Managing Director at FORESEC
Reseller
Fair price and useful for protection, but should have the ability to recover data from the last normal copy
Pros and Cons
  • "We have just started to implement it. It is useful for protection from malware and ransomware."
  • "Auto recovery is the most important feature that we would need from this solution. For decryption, similar to Malwarebytes, there should be something to be able to recover the data up to the last normal status. Its ability to recover data to the last normal copy must not exceed 5 to 10 minutes."

What is our primary use case?

We are using it for protection. We had a request from one of our customers, and we just started to implement it. We don't have any great idea about it. We are in the process of implementing it for the first time.

We are using its latest version. It is on-prem. The problem with going for a cloud version is that most of our customers prefer to work with on-prem solutions. So, we need all the features to be available on-prem as well as on the cloud.

What is most valuable?

We have just started to implement it. It is useful for protection from malware and ransomware. We are not exactly sure about zero-day, but we are trying to see if it will be effective for everyday antivirus purposes.

What needs improvement?

Auto recovery is the most important feature that we would need from this solution. For decryption, similar to Malwarebytes, there should be something to be able to recover the data up to the last normal status. Its ability to recover data to the last normal copy must not exceed 5 to 10 minutes.

For how long have I used the solution?

We just started to use it.

What do I think about the stability of the solution?

We need to test its functionality in heavy environments.

How are customer service and technical support?

Their support could be faster through the phone. The support through chat is very unhelpful. It takes a lot of time and effort but does not help in any way. We provide the first line of support to customers, so it is not a big issue for us.

Which solution did I use previously and why did I switch?

We work on most of the protection products, such as Kaspersky and Malwarebytes. We normally use a lot of them. We had a request from one of our customers, so we started to implement Microsoft Defender for Endpoint.

How was the initial setup?

Its initial setup is straightforward. The solution itself doesn't take more than 15 to 20 minutes, but the configuration duration depends on the environment, such as the number of policies, users, etc. It will vary according to the environment in which you are doing the implementation.

What about the implementation team?

We implement it ourselves. Currently, we have only one customer of this solution.

What's my experience with pricing, setup cost, and licensing?

Its price is fair. It has approximately the same price as the other products such as Kaspersky. It is much cheaper than Malwarebytes.

What other advice do I have?

I would rate Microsoft Defender for Endpoint a seven out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Fabrizio Fioravanti - PeerSpot reviewer
Engineer at an educational organization with 5,001-10,000 employees
Real User
Pre-installed, free, and easy to use, but the free version doesn't provide centralized management, EDR, and behavioral analysis
Pros and Cons
  • "It is easy to use because it is already pre-installed in Windows 10. We don't have to do anything to configure it. You can also configure the firewall by using a group policy so that it can be easily adopted in an environment."
  • "Microsoft Defender in the basic form is not very useful for managing the security environment. The free version is not capable of covering the needs of centralized management, EDR, and behavioral analysis. If you don't have the commercial version, you can't have centralized management and set up the policies and other things. Each client is a standalone installation, which is not useful for security in an enterprise model."

What is our primary use case?

We were using the basic endpoint from Sophos without Intercept X and the EDR model, and currently, we are in the selection process of a new platform that has EDR embedded. We are using Microsoft Defender Antivirus for the time being till we get the new platform.

What is most valuable?

It is easy to use because it is already pre-installed in Windows 10. We don't have to do anything to configure it. You can also configure the firewall by using a group policy so that it can be easily adopted in an environment.

What needs improvement?

Microsoft Defender in the basic form is not very useful for managing the security environment. The free version is not capable of covering the needs of centralized management, EDR, and behavioral analysis. If you don't have the commercial version, you can't have centralized management and set up the policies and other things. Each client is a standalone installation, which is not useful for security in an enterprise model.

For how long have I used the solution?

I have been using this solution for six months.

What do I think about the scalability of the solution?

Currently, we have about 2,000 users.

How are customer service and technical support?

I didn't use support for this solution.

How was the initial setup?

It was already pre-installed in Windows 10.

What's my experience with pricing, setup cost, and licensing?

It is free. It is included in Windows 10.

Which other solutions did I evaluate?

We are using Microsoft Defender only for the time being. We will switch to another endpoint platform that can offer us more advanced features, centralized management, and EDR. We have not chosen the solution at the moment, but we might go for Bitdefender. It is one of the products that we have evaluated, and it can be suitable for our environment. It has some use cases that are really in the same line as our requirements.

What other advice do I have?

I would recommend this solution only for small home environments. It is not for enterprise environments unless you buy the commercial version.

I would rate Microsoft Defender Antivirus a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1928946 - PeerSpot reviewer
Cloud Productivity and Security Engineer at a tech vendor with 11-50 employees
Real User
It shows you the dangers that matter the most to your own organization and which threats you should address first to achieve the most significant improvement in your security posture
Pros and Cons
  • "Defender provides useful alerts and groups them. It sends an alert to your portal if it detects any malicious activity, and you can group multiple alerts to form an incident."
  • "I had some cases a while back and told an agent my issue. When I called the next day, I had to explain everything again to a different person, so I found it annoying to repeat myself all over."

What is our primary use case?

We use a package of Microsoft security products, including Defender for Endpoint, 365 Defender, Sentinel, and Defender for Identity. You can integrate them with a few clicks. They work together natively, and Sentinel provides advanced monitoring, so you know everything happening in your environment.

It's essential to have one space where you can manage all these solutions together because security can be complicated. It makes it that much more complex to have to navigate to a different portal for identity, email, etc. It's crucial to have a single place to manage all your security operations, so you don't have to move around. 

We started with endpoint protection, where you install an agent on your client with a sensor already built in. Once you have that agent installed, the endpoint can report to the Microsoft security portal. You'll be able to see the device onboarded on the portal using some scripts, and you can monitor most of the vulnerabilities. You can also detect, respond and remedy security vulnerabilities from the portal.

We added email protection by setting policies that will analyze our email. It analyzes our links and attachments to see if there's malware attached. We moved ahead to use Defender for Office 365. We also moved forward with Defender for Cloud, the solution for our workloads, like VMs, our network security group, etc. There is another one called Defender for Identity that lets us manage our on-premises and cloud identity from a single portal.

How has it helped my organization?

Many of our users are on older operating systems and browsers with vulnerabilities that harm the environment. An attacker can take advantage of those old browsers to access the infrastructure. Defender for Endpoint lets us identify those browsers with vulnerabilities and resolve the issues. We can also find processes that we didn't initiate and stop them right away.

Defender helps us prioritize threats from the security portal. It shows us the dangers that matter the most to our own organization and which threats we should address first to achieve the most significant improvement in our security posture. 

We can manage Defender for Endpoint and Defender for 365 from the same integrated security portal, and it's user-friendly. Microsoft is much more user-friendly than Sophos. 

Microsoft covers every aspect of security and the global challenges we face. The biggest threat today is identity and access management. If someone has access to your identity, they can access much of your technology. They have solid solutions for identity, email, and cloud. I don't think there's anything Microsoft left out. Microsoft has your security environment protected. 

Sentinel enables you to ingest data from your entire ecosystem from on-premise to the cloud. It has single sign-on technology, so you can use your account from your on-prem to sign on to the cloud and vice versa. A user doesn't have to remember a lot of passwords.

Sentinel's data ingestion is essential. Security tasks can be tedious. It's great to have technology that lets you integrate all your data from different sources. You can also incorporate data from other clouds, not just Azure. You can have data from Azure and on-premise. 

So far, Sentinel is one of the most comprehensive SIEMs I've seen. They have even added this XDR. Sentinel doesn't just do SIEM and SOAR. It also covers XDR. The automation is there, so you don't have to do much work. The automation helps you look at the activities behind all this data and correlate them to see the relationships. It gives you information at a glance to see if there is a relationship between these various data sources. 

Defender saves us time. A task that typically takes three days could be accomplished in one day using Microsoft technology. With an on-premise network, you need to switch between portals on all your network devices, but here you can achieve that from one portal. You can set policies that will block traffic to your infrastructure, so it saves time. The advanced threat protection using AI has also reduced our detection time.

We've also saved money. We previously managed the technologies on-premise, so we had to maintain the solutions ourselves. We spend less using Microsoft cloud technology because we don't need to pay for those extra features. We only need to pay for operational expenses. 

We don't have to go to the affected devices when we see a security vulnerability from the portal. We can respond to those issues and resolve them using an endpoint management solution, like Intune. When we resolve a security issue, it takes a week to see the score, but we see the results immediately.

What is most valuable?

I like the security score that you can see from the portal. You can see the list of the vulnerabilities, and the security score tells you how well your organization is managing those vulnerabilities. It's a strong feature that helps improve your security operations.

Another helpful feature is the recommendations. The portal will guide you on how you can resolve those issues from your own endpoint. This feature is great if you don't have that kind of experience. It will help you understand the technology better and improve your security posture. 

Defender provides useful alerts and groups them. It sends an alert to your portal if it detects any malicious activity, and you can group multiple alerts to form an incident. 

What needs improvement?

I would like to see Sentinel better integrated with the rest of the security technology within one portal. 

For how long have I used the solution?

I've been using Defender for more than a year.

How are customer service and support?

I rate Microsoft support seven out of ten. I had some cases a while back and told an agent my issue. When I called the next day, I had to explain everything again to a different person, so I found it annoying to repeat myself all over. 

It would be helpful if they had some coordination between their support, so we don't have to repeat ourselves. They should be able to transfer your details from one agent to another. 

Which solution did I use previously and why did I switch?

We previously used Sophos.

What's my experience with pricing, setup cost, and licensing?

Defender doesn't cost that much. When you use Microsoft technology, you can start with the free version and see how much the technology helps your organization solve security problems before you use the subscription. They also do this pay-as-you-go model, so you only pay when you use it. 

What other advice do I have?

I rate Defender for Endpoint nine out of ten. It's great. I don't have anything negative to say about those technologies. They are serving their purpose.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
SAMUELMWANGI - PeerSpot reviewer
Director at Calidad Systems Limited
Real User
Straightforward setup and good anti-malware but needs better online protection
Pros and Cons
  • "It is a straightforward setup."
  • "They can improve it on the online protection front since people nowadays are moving online and working from home."

What is our primary use case?

Normally, we use the solution for our workstations.

What is most valuable?

The solution is quite stable.

You get online privacy. It also protects the machines from malware and trojans.

It's a scalable product.

It is a straightforward setup.

What needs improvement?

There is always room for improvement. They can improve it on the online protection front since people nowadays are moving online and working from home. That would be a good thing to focus on. 

For how long have I used the solution?

I've been using the solution for one year. It hasn't been that long just yet.

What do I think about the stability of the solution?

The product is very stable and quite reliable. There are no bugs or glitches. It doesn't crash or freeze. The performance has been good. 

What do I think about the scalability of the solution?

The product can scale well.

Around 15 people are using it in our organization. 

We may increase it in the future. 

How are customer service and support?

I can't recall ever contacting support.

Which solution did I use previously and why did I switch?

I'm also familiar with Kaspersky. We were previously using ESET.

How was the initial setup?

The initial setup is quite simple and quite straightforward. It's not overly complex or difficult. 

The deployment is fast. It only takes a minute or so.

You only need one person - an engineer - to manage the product once it is up and running. 

What about the implementation team?

We handled the initial setup on our own. We did not need any consultant or integrator help.

What's my experience with pricing, setup cost, and licensing?

We pay annually for a license. 

What other advice do I have?

I'd rate the solution seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1255482 - PeerSpot reviewer
Assistant Chief Manager at a financial services firm with 5,001-10,000 employees
Real User
Advanced threat protection fulfills a large number of security strategy requirements for our organization
Pros and Cons
  • "We found that because the endpoint devices are based on Microsoft Windows devices and Windows Defender is integrated with the foundation and the core layer, it makes it more integrated and more agile in terms of responding to any security threats or changes or development"
  • "In terms of the architecture of the management infrastructure, we found that other technologies are more simple. Microsoft Defender could be simpler too."

What is our primary use case?

We are using Microsoft Defender for Endpoint with advanced threat protection. Microsoft's enterprise mobility and security suite fulfills a large number of security strategy requirements for our organization. We are going to use this solution for identity protection and for endpoint security.

It's a hybrid setup. The advanced threat protection only comes from the cloud intelligence engine. That's something of a new experience for us, but the rest of the components will be on-prem. We are using Microsoft's cloud. 

The whole suite of security enhancement doesn't just include Microsoft Defender. It also covers many of the features that come with the Windows Enterprise version. With this option, we are actually upgrading to the Enterprise version as well and unlocking those security features which are not available in Windows Professional. Microsoft Defender is a whole suite, which is simply not comparable with a usual anti-virus, anti-malware product.

What needs improvement?

In terms of the architecture of the management infrastructure, we found that other technologies are more simple. Microsoft Defender could be simpler too. Plus, Microsoft's philosophy is that they leverage the technology they have already built in Windows or any other services within Windows. So, it is good from that standpoint, but it also becomes a bit cumbersome when it comes to the dependency. Having dependency on many things can be a weakness sometimes because you add up more points of failure to the services. Whereas the other vendors are doing the limited thing, and that's why they're not comparable in prices, but their solutions basically aren't dependent on Microsoft's other services or anything else. They're more dependent on their agent. With Microsoft, it is not just the agent. It is the operating systems that aren't working well. The technology won't give you the desired output.

So, that's something that Microsoft may need to improve: making services more independent wherever possible. That's something of their philosophy. When they build something on their OS layer, they add on technologies, and then there's something for the ISV. That's their strategy, but we keep arguing with them that they have to compare the dependence as other vendors are doing.

From the Microsoft end, the design working depends on the health of other services and other components of the operating system. Whereas if you compare it with the Symantec technology, just the agent health has to be there. That's the case with McAfee as well. They build up their products on developed agents only.

For how long have I used the solution?

We did the POC around 18 months ago, and then we consolidated our findings. As per the organization procedure, we proposed to the committee and then got the recommendation to move on with the pilot and decide the future roadmap.

Microsoft Defender is just one part of the advanced risk protection and advanced malware protection functionality that comes with the Microsoft product. It came with a lot of security, advisories, reviews, and consultancy during the last couple of years. There was a stack of 15-20 requirements that we had to fulfill, like mobile device management and identity protection. We found that Windows Defender meets most of our requirements.

How are customer service and support?

We have had good experience with tech support so far.

We have a direct support agreement with Microsoft. One of the major reasons for moving from the current endpoint security is the support. The quality is not up to the mark. That's something incomparable with the kind of support Microsoft provides.

I would give Microsoft's support a 5 out of 5.

Which solution did I use previously and why did I switch?

In terms of the technical aspect, I'm the lead of the area which actually takes care of endpoint management, and we have been using Symantec products for that purpose. We have evaluated Microsoft Defender and Microsoft security products, and we are going to switch over to that product. We found that because the endpoint devices are based on Microsoft Windows devices and Windows Defender is integrated with the foundation and the core layer, it makes it more integrated and more agile in terms of responding to any security threats or changes or development, whereas the other vendors who develop anything on top of that platform are always lagging behind.

Symantec support is very pathetic. They are very methodical. They're very slow. We seldom find them providing solutions to any incident or issue in a reasonable time. It can take from days to weeks. In the case of Microsoft, their resolution time is reasonably faster than Symantec. Even in the case of VMware and Red Hat, Microsoft stands on top of all those vendors.

How was the initial setup?

I wouldn't say the setup is easier than other solutions but it's not bad. It's almost equivalent to what we have been using currently, but the strength comes in what it does and how it secures that part. The setup is similar to the other competitors. For Symantec, we use their endpoint manager deployment and then a deployment across the sites and branches.

What about the implementation team?

We are doing deployment with Microsoft's tech support. But for the implementations and rollout of technologies, we have seldom used Microsoft. We have our own technical team who are trained and who keep on updating on their skills, and we continue to inject new resources to the team as well. When a new technology comes in, then we do a combo, whereby the in-house team actually learns with the local authorized partner.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender is not comparable to a single endpoint security product, like Trend Micro, Symantec, or McAfee. Because of that, the price is higher than others because it is doing more than what the others are doing.

What other advice do I have?

I would rate this solution 7 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr SOC Analyst at a security firm with 201-500 employees
Real User
Great prevention and response capabilities but requires an updated GUI
Pros and Cons
  • "The solution is highly scalable."
  • "They should come up with pre-built inner workflows."

What is our primary use case?

We call the solution MDATP - Microsoft Defender Advanced Persistent Threat Protection. At the same time, we're using it more from an EDR point of view, as an Endpoint Detection Response. It can detect any threats, malware, or processes which are illegitimate and being executed by the end-users or malicious actors. When it sees this, it detects and reports to us.

Not only that, at the same time, it's detection, prevention, and response. Mostly what we were working on is detection. When I refer to detection, I mean that it can, with pinpoint accuracy, detect something and expose the threat. It can also map those threats with a MITRE, which is one of the great things that I love about it, on top of the accuracy and the threat description it provides.

There are a few different use cases. We return with a query language, which is provided by Microsoft. We are able to create some threat hunting queries. We can pinpoint, accurately detect, and run pen testing. When there's a threat or issue, I am able to find it and track it with great accuracy in MDATP. MDATP is able to tell me, for example, if in my organization there was a guy who was doing pen testing, which is blacklisted, and if there was an attempt to exploit something or install some malicious code or try to hack into the system. I am able to find this and pinpoint its occurrence. Not only that, I'm able to map them onto a MITRE framework and tell which stage of the attack it was, where the attacker came from, et cetera. I can see if it was something that was planned in the organization.

I can both detect internally and externally. I have full faith that the MDATP will detect behaviors and warn us of issues.

What is most valuable?

When you go to do a deep-dive or investigation as a SOC analyst or any security analyst, it gives three structures or processes, as well as the execution that it performs. I am able to perform a very deep-level investigation with MDATP - more than I can with any other tool.

It did increase our security posture. While we had an antivirus before, it would only detect or prevent certain types of attacks. However, based on that capability, you cannot respond to the threat directly. For example, if there was ransomware on a system, the antivirus will be able to identify, detect, and mitigate it. However, at the same time, even if the antivirus detects that and tries to prevent it, you need to contain that machine, or you need to isolate that machine from the network. You don't want that machine to be talking to anybody in the network. Antivirus solutions can’t exactly do that.

With respect to prevention, it has an auto-remediation feature, which is a good feature that I love with respect to prevention. It does auto-remediation as well as manual remediation, which is pretty good.

With respect to response, we were able to contain, block, and respond to threats faster with MDATP. When we analyze the incidents or the threats it gives us a very good view of everything.

With this product, before containing or responding, we get the information and can see what exactly is happening and when that malicious file was installed. After that, we have an event timeline. The visibility is not that much when you only have an antivirus. Now, we see the full picture. When we adopted this tool, we got the detect, prevent, and response functionalities. Overall, our security posture looks much better and our attack surfaces are limited. Endpoints are also most vulnerable today and we can efficiently protect them now. Since we have reduced the attack surface our security posture has improved dramatically. On top of that, we have the capability to respond and to go deeper on a forensic level.

The product doesn’t affect our end-users. I do not see any major issues. There are exceptions where approvals may be necessary. However, the user acceptance is good. This is something that organizations pre-plan and there is nothing the user really has to worry about or act on.

What needs improvement?

Defender’s GUI can be optimized. The console needs to be more refined. After you have been using it for some time, you get used to it, and it is manageable. However, it should be a little bit more refined.

They should come up with pre-built inner workflows. I would really like to see this. There need to be workflows with respect to notifications, remediations, or any actions that people want to take. They should come up with predefined or prebuilt hunting capabilities. Right now, we have to manually write queries. I would prefer if they could come up with something more automated.

This is with respect to a SOC analyst perspective. Other users, other administrators, other different roles might have different issues. For me, there are no major concerns. It is a good tool, out of the box.

For how long have I used the solution?

I've used the solution for about a year and a half, and have also done training on it.

What do I think about the stability of the solution?

The stability is good. It's a stable platform. I don't see any issues right now. However, I did see something in the past. I can't quite remember the exact situation. It's resolved and right now there are no issues. 

What do I think about the scalability of the solution?

The solution is highly scalable.

You can onboard as many end systems as you want. If you bring more, for example, 100 users or 100 endpoints, you can integrate them with no issue. It's not a problem with MDATP.

We have somewhere around 2,000 to 3,000 users who are using it. We have an endpoint team and they manage the antiviruses and security tools and all those things. We manage the product partially from a policies perspective, and the endpoint team manages the platform and maintenance of it, including any upgrades, as necessary.

How are customer service and support?

I've dealt with technical support in the past. It's good, not excellent. That said, it's okay.

Which solution did I use previously and why did I switch?

Before using this solution, the company mostly dealt with antivirus solutions.

We moved to this solution to strengthen and report, detect and prevent, et cetera, which antivirus solutions don't offer. We wanted forensics and capabilities that were missing. Antiviruses simply cannot protect you from advanced persistent threats, they cannot protect you from ransomware, and they don't respond to things quickly. Response capabilities were something that was missing. Basically, we just needed more.

How was the initial setup?

I'm usually not part of the entire setup, however, I do manage it. We have to do certain policies within our organization. However, from what I've seen, it's not a complex setup. It is pretty straightforward.

In terms of how long the deployment takes, I don't remember the length of time. If you have a CCM centralized, you can push the policies within hours. 

What's my experience with pricing, setup cost, and licensing?

The licensing is something that management decides on. I don't deal with the pricing or licensing.

Which other solutions did I evaluate?

We didn't really evaluate other options. We provided support for one of our clients, and it was a decision they made. 

What other advice do I have?

We're a consulting company. We are not partners with Microsoft.

We use the solution as a SaaS.

I'd advise other companies to use this solution. It's an ideal choice, however, I'm not sure about the pricing. Maybe it's on the higher end of other competitors' pricing. That said, if you have an opportunity to use it, it will solve a lot of problems with respect to detecting pain points and doing investigations. At the same time, with Microsoft, if 80% of your organization is using Windows systems, it's going to be compatible. Specifically, with its platform, Microsoft understands what is right and what is wrong. Therefore, if the money is not a concern, or the budget is not a concern, opt for this. At the same time, as a generic statement, if not this solution, go for an EDR tool that suits your organization's needs best.

I'd rate the solution at a seven out of ten simply due to the fact that I have not fully optimized it. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.