Microsoft Defender for Endpoint Reviews

Our clients use it for antivirus and anti-malware purposes.

It depends on the licensing. Most of the customers have got at least a 365 E3 license, and they can use most of the features of Windows 10 Defender. So, anyone who has got an enterprise license can start using those features. Some of the customers have got E5 licenses, and they can use all advanced features. Customers with E5 licenses use the advanced site protection (ATP) features and web content filtering without going via a proxy, which gives the benefit of replacing the proxy. They can get the benefit of MCAS and integration with Intune and the endpoint manager. It is a kind of single platform for all 365 technologies. It helps customers in managing everything through a unified portal.

Normally, we implement the attack surface reduction (ASR) rules and exploit protections. We also use Microsoft Defender Application Guard and ad blocker. Instead of using the application control list, we use the ad blocker at most of the places.

What I've heard from the customers is that the anti-malware engine is not up to date. So, sometimes, it may not detect such threats. I, however, haven't got any data to show for this.

Its licensing can be better. Currently, customers with the E3 license cannot use many features, and they would like those features to be available. With Windows 10 E5, Microsoft is phasing out all the functionality. They have also made a lot of changes recently where you can also buy add-ons for Defender ATP, but for Office 365, ADT, and other stuff, you still require E5 licensing. If they can improve its licensing, it would definitely be helpful in implementing the features from the security point of view. E5 definitely has more features from the security point of view.

I would like Microsoft to have some kind of direct integration for USB controls. They have GPO and other controls to control the access of the USB drives on devices, but if there is something that can be directly implemented into the portal, it would be good. There should be a way to control via a cloud portal or something like that in a dynamic way. USB control for data exfiltration would be a good feature to implement. Currently, there are ways to do it, but it involves too many different things. You have to implement it via GPOs and other stuff, and then you move or copy those big files via Defender ATP. If there is a simple way of implementing those features, it would be great.

We have been recommending Defender to customers for Windows 10 and helping them in implementing it for two years.

It is okay in terms of stability. I haven't seen any issues. Even if you go for a third-party vendor as your primary anti-malware software, you can get the benefit of Defender in a passive mode. 

I am an Azure engineer, and I work with an architect to design the solutions. I'm not a security person, and I don't know whether it catches all the new malware that comes into the IT world, and how quickly it gets updated because it is not my area of work as I'm not an SEC OP admin. I have read a few articles mentioning that the engine might only be 80% or 90% up to date. Obviously, no engine is 100% up to date, but it is still a little bit behind some of the third-party vendors. 

We haven't used their support much, but one of my colleagues has had some problems, and I think he didn't get good support from Microsoft. So, obviously, it depends on what kind of support engineer you have been assigned. Sometimes, it can be difficult. It is not only applicable to Defender; it could be with any of the products.

While implementing the ASR rules and other things, if you don't put it in the audit mode and don't do proper discovery, then it can definitely break lots of applications. You need to adhere to the implementation guidelines for ASR rules. So, proper analysis definitely needs to be done before implementing those rules because it can affect the business functionality.

Its deployment can take from few weeks to months depending on the size of the organization. In terms of the implementation strategy, we start with the pilot key users, and we deploy those policies. We also deploy ASR rules and other exploit protection rules in the audit mode, instead of directly enabling them. We then monitor the resources in terms of what can be blocked or what can get impacted by those rules. After that, we work with the users to implement it and see whether it breaks anything. If it breaks, then we look at the solutions. After we are happy with all those solutions and we know that enabling it won't break anything on a business side, we just roll it out.

Our clients are definitely seeing an ROI. Some of the clients have already got the licenses, and they can use lots of features of their Defender ATP. They are basically saving the cost of not going with a third-party solution.

Some of the clients who already had another third-party solution are also moving to Defender ATP because they already have the licenses, and they can save the cost on those. One of our clients is using ESET. They have the ESET standard version, so they are not getting any of the other features. They already have an E5 license to use all Defender ATP features. So, obviously, it would be beneficial for them to go with Defender ATP.

We did a little bit of comparison with Sophos. Sophos also offers cloud and network protection, but it would be an extra cost to buy it if you already have a license of Defender ATP. With Sophos, the USB features are a part of the cloud solution. So, you can configure USB restrictions and other things in the Sophos portal. With Defender, you will have to implement the USB security features via GPO or something else.

I would definitely recommend others to go with Defender ATP if they have got the licenses because it can give them a wide range of security controls. It is integrated with Office portals and Microsoft monitoring systems, so they get the sensors from different places. We haven't come across any security threats yet. From the point of view of its theory, implementation, and architecture, Defender ATP and other ATP integrations would definitely help customers in controlling their organization and implementing the best security rules and policies.

It hasn't affected the user experience much for our customers. Customers only see the notification pop up saying that Defender hasn't found anything and things like that.

I would rate Microsoft Defender for Endpoint a seven out of 10.

We are using this product as part of our EDR solution, and we use it in conjunction with CrowdStrike. We are a solution provider and this is one of the products that we deploy for our clients.

This product has features that improve our security posture including good vulnerability detection, maintaining endpoint devices, and unified management. The management feature allows us to manage all of our devices from a single location.

The advanced techniques used by Microsoft Defender are improving our user experience. Our users used to complain that they didn't need certain features, but this was because the legacy antivirus and other EDR solutions were hampering their usage. Nowadays, vulnerability detection is very effective and they are comfortable with the security, as well as the administration, giving them a better overall experience.

The most valuable feature is threat detection. We have been notified of viruses and threats of problems such as ransomware attacks.

The Cloud App Security features are useful.

We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments.

Microsoft Defender integrates well with Office 365.

Especially these days, with the COVID situation, this product helps us to better reach our users and solve problems. For example, we no longer need to ask them to bring in their laptop to check for and address issues. We can apply policy, automatically define rules, and remedy problems using the central management features. 

It would be helpful if they included XDR features, on top of the EDR functionality. It would improve the capabilities, as XDR solutions are doing better.

I have been working with Microsoft Defender for Endpoint for almost a year, with the E5 licenses.

Stability-wise, it is responsive and I don't see any drawbacks. They have additional features that make it a little more robust.

Scalability-wise, considering the integration that they have, it's good. For example, it can be integrated with Azure Sentinel. We have two or three people who work with managing and deploying this product.

We deploy across Qatar and currently have about 68,000 endpoints protected with Defender. Our usage will increase based on the number of clients we have that buy the product. Ultimately, it depends on the licensing model.

Prior to working with Microsoft Defender, we used CrowdStrike and SentinelOne. We switched because these other products are standalone, and require that we install and maintain them manually. Microsoft Defender is unified and comes as part of Microsoft 365, which makes it easier to set up and manage.

The advantage that these other products have is the XDR features.

The initial setup is straightforward. We deploy this product using Microsoft Intune, which is very helpful. It took us one month to deploy approximately 5,000 users. We had a specific plan that we followed for the implementation. 

I completed the deployment.

This product offers cost-effective threat protection, which integrates with Office 365 and has unified endpoint management features.

We currently use the enterprise-level, E5 licensing scheme. It is a complete bundle that includes the Microsoft 365 products, the Zero Trust solution, and Microsoft Defender.

The E5 license is the one that I recommend because it comes with Cloud App Security, which is a good thing to have on top of Microsoft Defender. It means that you can monitor any threats, sign-in attempts, and other resources whether on the cloud or on-premises.

I would rate this solution an eight out of ten.

We combine Microsoft Defender with Advanced Threat Protection to manage, isolate, and scan our laptops and workstations for security threats. We have a dashboard that is embedded into Office 365 and it allows us to remotely scan for viruses and malware, so we don’t have to have the laptop present.

Using this product helps with device inventory. This is not an inventory solution, but it helps you take count of how many workstations you have, as well as what software is installed on each of them. It is important because any software installed on a workstation may be vulnerable to parts of the internet.

Microsoft Defender has features that have helped to add layers to our security posture. The most important of these features is visibility and the provision of detailed alerts. It correlates the data and using this information, I can identify a threat and see if any other workstation in the environment has been affected by it.

Using this product has not negatively affected our user experience. It is just like using Windows 10.

The GUI is very nice.

The reporting capabilities are fantastic.

In the future, I would like to have the ability to patch using this product. Specifically, in an enterprise environment, it would be very good if you could patch the workstations remotely.

The alerting is something that needs to be improved. Alerts need to be sent immediately because as it is now, you see some of them without delay and others arrive perhaps 30 minutes later, and it leaves important gaps in terms of information gathering.

I have been working with Microsoft Defender Antivirus since it first came out, at least seven or eight years ago.

With respect to the stability of the product line, Microsoft has many products that do almost the same thing. The question becomes which one you want to use. This is a good product but at the same time, after a while, you don't know if it is the next one that Microsoft is going to stop releasing because of other products that practically do the same thing.

Microsoft Defender is very scalable and there is a lot of room to expand and add extra layers. We have 2,500 endpoints and we plan to expand; however, we are thinking about using the Microsoft Endpoint Manager in place of it.

Once the decision is made to stay with this product or instead adopt Endpoint Manager, we will expand to cover 6,000 endpoints.

I have not been in contact with technical support.

Prior to Microsoft Defender, we tried quite a few different products from vendors such as Kaspersky and McAfee. One of the major reasons that we adopted Defender is because of the advantage that Microsoft owns the platform, Windows 10. As they have developed the operating system, it is believed that they understand how to guard it much better against a third party. An attacker has to learn a lot about Windows 10.

Another reason we selected Defender is the frequency of updates. Every other time that Windows is updated, Defender is updated. Again, this is because it is owned by Microsoft and exists on its platform.

We also use Microsoft ATP and we are currently looking at Microsoft Endpoint Manager.

The initial setup is straightforward. Basically, once you have the competency with the product, it is straightforward and there are no surprises. It is not rocket science.

This product is built into the Windows 10 image that we install. As you roll out Windows 10, it is already set up and pre-configured, so there is no additional work required.

We saw a return on our investment within the first two years.

If I quantify the effort used for the setup and compare it with the pricing of the previous solution, value for the money was realized during the second year.

We have an enterprise agreement so from my perspective, this is a product that ships with Windows and it is not priced standalone. It comes together with the other Microsoft products that we buy.

When we evaluated Kaspersky and McAfee, we found the scalability was better for Microsoft. You can do in-place upgrades of the endpoints with Defender but for the others, you would have to re-install the upgraded agents on the workstation. This takes a lot of time and it is not productive.

We are currently evaluating Microsoft Endpoint Manager by comparing the differences between it and Microsoft Defender. This is being done in advance of expanding our usage.

My advice for anybody who is implementing this product is to first analyze their critical assets to have an understanding of what they are. Then, decide if they want a scalable solution. New threats are coming in every month and the way this is going, Microsoft is learning lessons from networks that have been compromised. With this information, they give updates and patches to everybody. In support of this product, you have to consider the patching, consider the visibility that it gives, and then consider the critical assets it is protecting.

I would rate this solution a seven out of ten.

We use Microsoft Defender Antivirus to scan for malicious payloads that may come in files, emails, a USB drive, or another type of external drive. It helps us to identify any malicious load that could compromise the security of any of our systems.

We are in a decentralized environment. We have multiple offices but they are not connected physically. The offices are directly managed from the internet.

We have a mixed environment with Linux and Windows machines.

We operate in the educational sector.

We have not fully considered how this product affects our overall security posture, although this is because we have not yet explored all of the features. Once we have all of our offices connected, it is something that we will be looking into. At this point, it does not affect all of our machines. On a scale from one to five, I would rate our security posture a four.

The most valuable feature is ransomware protection, which can detect malicious activity from IPs or a malicious payload in DLLs, or other things that can corrupt the system.

The performance is good. Usually, end-users complain that whenever background or real-time scanning is done, the effects are felt as there is a slowdown in the system. This is not the case with Microsoft Defender.

The file scanning has room for improvement. Many people use macros within their files, so there should be a mechanism that helps us to scan them for malicious payloads.

If there is a Word file then it is able to scan it, but if there is a malicious payload within its signature then it will not be detected. Deep packet scanning must be used to improve the overall product.

We have been using Microsoft Defender Antivirus since we upgraded to Windows 10 from Windows 8.

This is a stable product. We have been using the standard version for a long time and it hasn't negatively affected our environment. Generally speaking, it is reliable.

Microsoft is actively working on this product and I think that it is becoming more scalable, day by day. For example, prior to Windows 10, there was no ransomware support. Now, it comes with Windows 20S2 and Windows 20H1.

With our decentralized environment, I don't know the exact number of users or devices that we have. However, I can say that there are more than 500 devices being protected by this solution.

Most of the machines in our environment are in areas that don't have internet access. This is because they are stationed in remote areas of the country. This means that we need to use USB drives to update the machines manually. Given the number of devices and that the management is done manually at this time, it is pretty painful for our IT people.

We have not purchased support for this product, although, for most products, we usually do have it. To this point, it hasn't been required.

When we were running older operating systems including Windows XP and Windows Vista, we had a Symantec Endpoint solution. We had that for a long time but we opted out. After that, we used McAfee and other antivirus products. However, since Windows 10 was released, and with Microsoft Defender included by default, we felt that it was the solution for us.

As I recall, we stopped using McAfee and Symantec once we moved to Windows 8.

This product came pre-installed with Windows 10 on the machines that we procured from the vendor. It is straightforward and easy to configure, as well. Once Windows is installed, setting up the antivirus and scheduling scans just involves clicking the Next button several times. It is pretty easy for anyone and if the user is non-technical, we guide them through the process.

It takes a maximum of 10 to 15 minutes to install and configure on a PC. Whenever a new configuration is required, you need to configure it on each individual machine that you have. This is why we are investigating a centralization solution. It will help us out in applying things on a global level. For example, we can apply settings based on what is in Active Directory or other policies.

One person, in-house, is all that is required to set it up.

There is not much maintenance required, as our environment is pretty standard. Also, all of the updates come from the Microsoft update center and they are automatically installed on the machines.

It is difficult to determine ROI at this point. Once all of our PCs are joined together, we will have a better idea.

As we operate in the educational sector, we are eligible for an educational discount.

We are currently looking into other solutions that will give us centralized control over Microsoft Defender. However, we are still strictly in the research phase.

Once we decide on a product and a solution is proposed, it is a long process that involves budgetary considerations. Once a PoC is completed, the budget constraints are considered, and this is part of a very long chain of processes that take place before final adoption.

Since we started using this product, we have not had any breaches. When we were using the products by McAfee and Symantec, there were issues with viruses and malicious payloads. Now, it is better because we haven't had any major issues with the systems.

My advice for anybody who is implementing this product is to let the IT staff manage it, and not allow end-users to configure it or modify their own settings.

I would rate this solution an eight out of ten.

We use it to protect computers or endpoints from any malicious software, malware, and other viruses. You have to use this one as part of your overall protection plan.

The deployment of Microsoft Defender for Endpoint is a no-brainer when it comes to Windows. When you provision a new laptop for your environment, it comes with it. We use Intune to be seen on the cloud for centralized management. There's actually a console where you can go in and manage it properly, and we use Intune to deliver the onboarding.

I like that it's easy to deploy because it already comes with Windows 10. Overall, it has all the features that we need. Easy to deploy, comes with updates, and comes with Windows updates. You don't have to really manage or update the signature.

Integration with third-party vendors could be better. It would be better if it integrates with other protection solutions or other products outside of Microsoft. Nowadays, anti-virus protection doesn't really have to be planned as overall protection for your environment in terms of security. There are really different avenues that bad actors can take to wreak havoc on your machine. 

We don't just use anti-virus. That's really like a traditional way of doing it. We have different kinds of protections. We have our advanced threat protection for email, and we have advanced threats analytics for domain controllers for servers. We use all those. 

I have been using Microsoft Defender for Endpoint for three or four years.

It's very reliable and very dependable. I don't see any issues with it. In fact, it's the best product I have used because it's integrated with Windows 10. It doesn't eat up resources while running like other products. It's a really well-thought product.

It can scale as much as you want. It installs a very low footprint on your laptop, but the management is cloud-based.

Technical support is average. We call technical support very rarely for this particular product, but it's actually hit or miss with Microsoft. Sometimes you get a good person on the other line. Sometimes you get someone that's slow in providing support.

I've used many products in the past, and I liked this one because I can't really find that many issues with it. I used McAfee, Symantec, CrowdStrike, and different anti-malware and anti-virus programs, but this seems to be good.

We switched because we're Microsoft partners, and we're actually kind of biased about it. We also implement other products because some of our clients use them. It's very hard to convince them to go with another product. Sometimes because of the existing subscriptions, they are unable to make the switch.

The initial setup is straightforward.

We are a Microsoft partner and consultants. We implement these solutions.

Microsoft Defender for Endpoint comes with Windows 10, and it's free. But for you to be able to manage it in the cloud and use the console, you need to have either an Office 365 E5 subscription or a Microsoft M365 subscription. You need to buy an extra license.

If you're looking for anti-virus software, use the one that comes with Windows 10, and save your money.

On a scale from one to ten, I would give Microsoft Defender for Endpoint a ten.

We use it for endpoint detection and response.

The agent is installed on the endpoint, on the laptop or desktop, but it's a SaaS solution.

One feature that has proven beneficial is the Threat and Vulnerability Management module of Defender for Endpoint, which provides information on the vulnerability of all the endpoints. We don't have to run active scans via network scanners. It is built-in. That has proven to be helpful, although we're still in the early phases. We have identified vulnerabilities that were in our organization for too long and nobody knew about those machines and the vulnerabilities on them. From a vulnerability remediation point of view, it has been quite helpful to us.

One of the features which differentiates it from other EDR providers is the Automated Investigation and Response, which reduces the workload of SOC analysts or engineers. They don't have to manually investigate each and every alert on the endpoint, since it does so automatically. And you can automate the investigation part.

In addition, there are several features that have helped to improve our security posture at the prevention level, such as the attack surface reduction controls and the exploit prevention control. The attack surface reduction comes with the solution, out-of-the-box. There is Application Control as well, which is kind of difficult to implement, but once you are through the pain of designing and implementing it, it is one of the very good features to have. These tools are some of the things that are missing from other vendors' products, as I have worked with McAfee, Symantec and Carbon Black.

One area for improvement is that, because it comes out-of-the-box, it does not interact well with many applications we have developed in-house. There is no way to exclude them because it interacts with everything on the endpoint. One of the issues is lagging: the in-house-developed applications suffer from this and they become slow. For a big enterprise, it is important that they include a feature so that we can exclude these applications.

Another area where it could be improved is that, while it collects a lot of data, it misses some data, which is important, such as the hardware version of the endpoint and the AV signature version. I think this improvement is in the Microsoft pipeline already but it is not in the solution yet.

I have been using Microsoft Defender for Endpoint for around one and a half years.

It has been quite stable up until now. It does not break. Microsoft is developing on it quite frequently and more and more features are coming in, but overall it is quite stable. It does not break that often.

As we have moved away from Microsoft Defender Antivirus and to the EDR solution, we have seen very few issues so far that users have faced with this. There have been very occasional performance issues for some users, but they have been very rare.

Scalability is one thing which, I think, Microsoft is working on, because it is not yet very scalable. What it provides out-of-the-box is all it has. Any big organization needs customization, but the customization of it and running customized things on top of it are areas where it is lagging. That something Microsoft needs to work on. Examples include running custom playbooks or customizing the events which it is collecting.

We are protecting 100,000 endpoints with this solution. We may increase usage, but there is no plan for that as of yet.

Microsoft technical support is good.

Before Microsoft Defender for Endpoint we had Carbon Black. But when I came onboard, Defender for Endpoint had already been chosen.

The setup process is not very complex, but it is also not very straightforward. It depends what solutions you have. If you have everything set up, which is usually the case for big organizations, then it is pretty smooth. But if there are some things that are not set up properly in the organization, like certain parts of the infra or the cloud onboarding, then it becomes cumbersome, not the installation part, but in setting up the backend which it needs.

Our implementation strategy was that we started with a few pilot machines, to onboard Defender for Endpoint. We noticed that we had around 70 to 80 percent failures. It was a learning phase and we identified the root cause of those failures. There are some settings in Defender AV that need tweaking when you want to onboard Defender for Endpoint. We struggled to tweak those settings, but once that was done, it went pretty smoothly for the next couple of pilots. Then we encountered another roadblock which was related to an OS version dependency.

Overall, it took us about one month to onboard the solution, but we are weak in infra.

We had our consultant from Microsoft for the implementation. The engagement went on for three to four months. But one thing we noticed from this project was that it did not need a consultant. It was not that difficult to do. Maybe we did not get an expert consultant because, for solving issues, he also took time.

In addition to doing onboarding, we wanted our third-party integrations, but that was something they could not do because they were Microsoft. We had to do that ourselves. Over that three or four months, we realized that we didn't need them.

Microsoft consultancy is good and bad. If you get good consultants, they are really good. But sometimes you get consultants who are not expert enough in their domains and you don't get enough from them.

We have not seen ROI yet, but we are hopeful that in the future it will provide that.

One of the differences between other solutions I have used and Microsoft Defender for Endpoint is that the latter is not yet enterprise-ready to the same extent that the other vendors are. Other vendors provide a lot of customization when it comes to integration, which every big organization requires. No big organization depends on one particular tool. Defender lacks that at this point.

Defender for Endpoint is marketed as an endpoint detection and response tool, but for others who are looking at onboarding it, they should take it as a holistic tool that provides AV, EDR, and vulnerability management all in one. However, it does not provide very good integration with third parties.

We are using it only for EDR, but we have a plan to extend it to Microsoft email as well as to the cloud.

Within one month of using Microsoft Defender for Endpoint, we could achieve great insights.

Microsoft Defender for Endpoint is a perfect solution. We have used several EDR products, and Microsoft Defender is the best one that I have worked with. It provides great visibility. It is very transparent. We can get so many details about a particular endpoint. It is a great product. I would rate it a five out of five in terms of visibility.

It helps us to identify process-based threats in our environment, not only the signature-based ones. We are able to identify some of the threats that were not detected previously.

We get severity levels from the solution itself. Based on them, we have developed our action plan to act upon any category of incident. It helps to achieve a better SLA to attend to incidents.

I am quite interested in the vulnerability dashboard. It provides vulnerability data according to the CVE database, which helps us to prioritize vulnerabilities in our environment and address them.

Microsoft Defender for Endpoint works with Windows and Linux, so we could cover them all. It is suitable for servers as well, not only for endpoints, so we could implement it on most devices in the organization. It has probably saved us 20% of the time. 

It has Kusto Query Language (KQL), so we can use our own queries to find anything.

We can get real-time updates. It is not just signature-based. It provides results based on behavior and successors. It analyzes the behavior and the process. With that, we can achieve greater results that other products do not offer.

We need better support to learn about the product. Documentation is available, but we need some kind of training program so that we can get a better understanding of the product.

We switched to Microsoft Defender for Endpoint about one month ago.

I would rate it an eight out of ten in terms of stability.

It is highly scalable. We have around 5,000 users. I would rate it a ten out of ten in terms of scalability.

Previously, we were using a separate EDR product in our environment. We were using Sophos. Our organization moved into Microsoft 365, so we switched to Microsoft Defender for Endpoint. 

We heard that it is one of the best products in the industry. We thought that we would get better results with Microsoft Defender for Endpoint. That is why we moved to Microsoft Defender for Endpoint, and we were able to achieve better results with it.

It is a cloud deployment. It took us a few months to make the switch.

It does not require any maintenance from our end.

Overall, I would rate Microsoft Defender for Endpoint a nine out of ten.

We use this product for our endpoint detection and all the remediation.

The solution provides good security features. The key valuable feature for me is that you can view it in the central console.

I'd like to see more integration in the next release and the solution should be file protected.

I've been using this solution for five years.

The solution is scalable. 

I'd like to see a quicker response time from the company's technical support. 

The initial setup was straightforward. It didn't take long and was part of the deployment of our endpoints, and part of the integration. We currently have around 3,000 users and no plans to expand. We have four people involved with maintenance. 

I recommend this solution and rate it eight out of 10.