Microsoft Defender for Endpoint Reviews

We are using it as the antivirus as well as the malware protection.

We have not had any attacks, in terms of viruses, worms, or ransomware, in the last three years.

The impact of the solution has been minimal. Employees can work with any interruptions.

The folders and files protection are its most valuable features. These have been valuable because of the increase in ransomware attacks. With these two features, I can ensure that no changes have been made to our system or endpoint folders and files without the user being aware.

I wish they would extend the use of the Security Central portal, even for the free option of Defender. Because, as companies grow, it is labor intensive to manage the AV and detection part of it. For companies already subscribed to Office 365, I think this would be a good enhancement.

I have been using it for three years.

It is quite stable. We have not had any cases, i.e., viruses, that would require a reboot, etc. We have never had a situation where we needed to reinstall the tools as a result of the Defender application or a feature being corrupt.

Four IT support technicians are responsible for administrating Microsoft Defender in our organization. They make sure that upgrades and updates are done in a good timeframe.

Its scalability is good enough. As long as you deploy the OS, you will keep on deploying Microsoft Defender automatically. This is a good option.

We have about 375 endpoints.

I have never used their support.

Before Microsoft Defender, we were using Bitdefender. Before Bitdefender, we were using McAfee Symantec.

We switched to Microsoft Defender because there was a change of ownership for the company in 2017.

We went for Microsoft Defender once we were informed that it would be part of our Office 365 package. So, we combined the licensing for the OS with Office 365. Yeah. We thought it was a good bargain.

The initial setup was straightforward.

The deployment takes a maximum of half an hour.

We have seen ROI. Most of the other competing alternatives will cost up to around $30 per user device. We average 400 devices. Therefore, the amount that we save each year is 400 times $30.

We have been using the free version.

Microsoft Defender is good enough as long as you ensure the environment is well-patched and secure, then even the free option will be sufficient to take care of the entire ground.

We are not looking to increase usage at the moment because of the underlying economic situation.

I would rate this solution as nine out of 10.

Our clients use it for antivirus and anti-malware purposes.

It depends on the licensing. Most of the customers have got at least a 365 E3 license, and they can use most of the features of Windows 10 Defender. So, anyone who has got an enterprise license can start using those features. Some of the customers have got E5 licenses, and they can use all advanced features. Customers with E5 licenses use the advanced site protection (ATP) features and web content filtering without going via a proxy, which gives the benefit of replacing the proxy. They can get the benefit of MCAS and integration with Intune and the endpoint manager. It is a kind of single platform for all 365 technologies. It helps customers in managing everything through a unified portal.

Normally, we implement the attack surface reduction (ASR) rules and exploit protections. We also use Microsoft Defender Application Guard and ad blocker. Instead of using the application control list, we use the ad blocker at most of the places.

What I've heard from the customers is that the anti-malware engine is not up to date. So, sometimes, it may not detect such threats. I, however, haven't got any data to show for this.

Its licensing can be better. Currently, customers with the E3 license cannot use many features, and they would like those features to be available. With Windows 10 E5, Microsoft is phasing out all the functionality. They have also made a lot of changes recently where you can also buy add-ons for Defender ATP, but for Office 365, ADT, and other stuff, you still require E5 licensing. If they can improve its licensing, it would definitely be helpful in implementing the features from the security point of view. E5 definitely has more features from the security point of view.

I would like Microsoft to have some kind of direct integration for USB controls. They have GPO and other controls to control the access of the USB drives on devices, but if there is something that can be directly implemented into the portal, it would be good. There should be a way to control via a cloud portal or something like that in a dynamic way. USB control for data exfiltration would be a good feature to implement. Currently, there are ways to do it, but it involves too many different things. You have to implement it via GPOs and other stuff, and then you move or copy those big files via Defender ATP. If there is a simple way of implementing those features, it would be great.

We have been recommending Defender to customers for Windows 10 and helping them in implementing it for two years.

It is okay in terms of stability. I haven't seen any issues. Even if you go for a third-party vendor as your primary anti-malware software, you can get the benefit of Defender in a passive mode. 

I am an Azure engineer, and I work with an architect to design the solutions. I'm not a security person, and I don't know whether it catches all the new malware that comes into the IT world, and how quickly it gets updated because it is not my area of work as I'm not an SEC OP admin. I have read a few articles mentioning that the engine might only be 80% or 90% up to date. Obviously, no engine is 100% up to date, but it is still a little bit behind some of the third-party vendors. 

We haven't used their support much, but one of my colleagues has had some problems, and I think he didn't get good support from Microsoft. So, obviously, it depends on what kind of support engineer you have been assigned. Sometimes, it can be difficult. It is not only applicable to Defender; it could be with any of the products.

While implementing the ASR rules and other things, if you don't put it in the audit mode and don't do proper discovery, then it can definitely break lots of applications. You need to adhere to the implementation guidelines for ASR rules. So, proper analysis definitely needs to be done before implementing those rules because it can affect the business functionality.

Its deployment can take from few weeks to months depending on the size of the organization. In terms of the implementation strategy, we start with the pilot key users, and we deploy those policies. We also deploy ASR rules and other exploit protection rules in the audit mode, instead of directly enabling them. We then monitor the resources in terms of what can be blocked or what can get impacted by those rules. After that, we work with the users to implement it and see whether it breaks anything. If it breaks, then we look at the solutions. After we are happy with all those solutions and we know that enabling it won't break anything on a business side, we just roll it out.

Our clients are definitely seeing an ROI. Some of the clients have already got the licenses, and they can use lots of features of their Defender ATP. They are basically saving the cost of not going with a third-party solution.

Some of the clients who already had another third-party solution are also moving to Defender ATP because they already have the licenses, and they can save the cost on those. One of our clients is using ESET. They have the ESET standard version, so they are not getting any of the other features. They already have an E5 license to use all Defender ATP features. So, obviously, it would be beneficial for them to go with Defender ATP.

We did a little bit of comparison with Sophos. Sophos also offers cloud and network protection, but it would be an extra cost to buy it if you already have a license of Defender ATP. With Sophos, the USB features are a part of the cloud solution. So, you can configure USB restrictions and other things in the Sophos portal. With Defender, you will have to implement the USB security features via GPO or something else.

I would definitely recommend others to go with Defender ATP if they have got the licenses because it can give them a wide range of security controls. It is integrated with Office portals and Microsoft monitoring systems, so they get the sensors from different places. We haven't come across any security threats yet. From the point of view of its theory, implementation, and architecture, Defender ATP and other ATP integrations would definitely help customers in controlling their organization and implementing the best security rules and policies.

It hasn't affected the user experience much for our customers. Customers only see the notification pop up saying that Defender hasn't found anything and things like that.

I would rate Microsoft Defender for Endpoint a seven out of 10.

We are using this product as part of our EDR solution, and we use it in conjunction with CrowdStrike. We are a solution provider and this is one of the products that we deploy for our clients.

This product has features that improve our security posture including good vulnerability detection, maintaining endpoint devices, and unified management. The management feature allows us to manage all of our devices from a single location.

The advanced techniques used by Microsoft Defender are improving our user experience. Our users used to complain that they didn't need certain features, but this was because the legacy antivirus and other EDR solutions were hampering their usage. Nowadays, vulnerability detection is very effective and they are comfortable with the security, as well as the administration, giving them a better overall experience.

The most valuable feature is threat detection. We have been notified of viruses and threats of problems such as ransomware attacks.

The Cloud App Security features are useful.

We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments.

Microsoft Defender integrates well with Office 365.

Especially these days, with the COVID situation, this product helps us to better reach our users and solve problems. For example, we no longer need to ask them to bring in their laptop to check for and address issues. We can apply policy, automatically define rules, and remedy problems using the central management features. 

It would be helpful if they included XDR features, on top of the EDR functionality. It would improve the capabilities, as XDR solutions are doing better.

I have been working with Microsoft Defender for Endpoint for almost a year, with the E5 licenses.

Stability-wise, it is responsive and I don't see any drawbacks. They have additional features that make it a little more robust.

Scalability-wise, considering the integration that they have, it's good. For example, it can be integrated with Azure Sentinel. We have two or three people who work with managing and deploying this product.

We deploy across Qatar and currently have about 68,000 endpoints protected with Defender. Our usage will increase based on the number of clients we have that buy the product. Ultimately, it depends on the licensing model.

Prior to working with Microsoft Defender, we used CrowdStrike and SentinelOne. We switched because these other products are standalone, and require that we install and maintain them manually. Microsoft Defender is unified and comes as part of Microsoft 365, which makes it easier to set up and manage.

The advantage that these other products have is the XDR features.

The initial setup is straightforward. We deploy this product using Microsoft Intune, which is very helpful. It took us one month to deploy approximately 5,000 users. We had a specific plan that we followed for the implementation. 

I completed the deployment.

This product offers cost-effective threat protection, which integrates with Office 365 and has unified endpoint management features.

We currently use the enterprise-level, E5 licensing scheme. It is a complete bundle that includes the Microsoft 365 products, the Zero Trust solution, and Microsoft Defender.

The E5 license is the one that I recommend because it comes with Cloud App Security, which is a good thing to have on top of Microsoft Defender. It means that you can monitor any threats, sign-in attempts, and other resources whether on the cloud or on-premises.

I would rate this solution an eight out of ten.

We use it to protect computers or endpoints from any malicious software, malware, and other viruses. You have to use this one as part of your overall protection plan.

The deployment of Microsoft Defender for Endpoint is a no-brainer when it comes to Windows. When you provision a new laptop for your environment, it comes with it. We use Intune to be seen on the cloud for centralized management. There's actually a console where you can go in and manage it properly, and we use Intune to deliver the onboarding.

I like that it's easy to deploy because it already comes with Windows 10. Overall, it has all the features that we need. Easy to deploy, comes with updates, and comes with Windows updates. You don't have to really manage or update the signature.

Integration with third-party vendors could be better. It would be better if it integrates with other protection solutions or other products outside of Microsoft. Nowadays, anti-virus protection doesn't really have to be planned as overall protection for your environment in terms of security. There are really different avenues that bad actors can take to wreak havoc on your machine. 

We don't just use anti-virus. That's really like a traditional way of doing it. We have different kinds of protections. We have our advanced threat protection for email, and we have advanced threats analytics for domain controllers for servers. We use all those. 

I have been using Microsoft Defender for Endpoint for three or four years.

It's very reliable and very dependable. I don't see any issues with it. In fact, it's the best product I have used because it's integrated with Windows 10. It doesn't eat up resources while running like other products. It's a really well-thought product.

It can scale as much as you want. It installs a very low footprint on your laptop, but the management is cloud-based.

Technical support is average. We call technical support very rarely for this particular product, but it's actually hit or miss with Microsoft. Sometimes you get a good person on the other line. Sometimes you get someone that's slow in providing support.

I've used many products in the past, and I liked this one because I can't really find that many issues with it. I used McAfee, Symantec, CrowdStrike, and different anti-malware and anti-virus programs, but this seems to be good.

We switched because we're Microsoft partners, and we're actually kind of biased about it. We also implement other products because some of our clients use them. It's very hard to convince them to go with another product. Sometimes because of the existing subscriptions, they are unable to make the switch.

The initial setup is straightforward.

We are a Microsoft partner and consultants. We implement these solutions.

Microsoft Defender for Endpoint comes with Windows 10, and it's free. But for you to be able to manage it in the cloud and use the console, you need to have either an Office 365 E5 subscription or a Microsoft M365 subscription. You need to buy an extra license.

If you're looking for anti-virus software, use the one that comes with Windows 10, and save your money.

On a scale from one to ten, I would give Microsoft Defender for Endpoint a ten.

It is the end defense against anything coming into our computers and through other channels, e.g., we have some other measures. A lot of our users use Microsoft Remote Desktop Services, so all our servers are locked down. The solution handles what nothing else finds along the way. It is a standard endpoint for computers, servers, and tablets.

What the user doesn't see or experience, the user is happy with. Every time our other services go in and put a stop pop-up in front of what they are doing when they want to visit a website, but the browser says, "No," or they are trying to download a link and then says, "Oh, no. This is dangerous," that upsets users because they can't do what they want to do. As long as we don't get any of that, then users are happy. If users don't feel it or know about it, then they are happy. Everything else will make them unhappy.

Our end users expect to be protected and that everything works. When IT doesn't work as they expect, then they get unhappy in some form. We kind of forced this solution upon them, so they don't have a choice. As long as it doesn't meddle with their normal work, they are fine. For example, when GDPR hit us in May of 2018, that was upsetting because they now had to do some of their work a little differently. So, they don't like GDPR because it interferes with their normal workflow. Normally, users come to me if they have issues with anything. However, if everything works as expected, they are happy. In addition, they expect that they are protected.

When you have something fail and you have three or four different vendors where the fail might be located, everyone just says, "Well, it's awful." Then, you have to go and find out where the fault is. That is really annoying and can cost the business money. For that reason, if I can have one single point of contact when I have a problem to help me out, and say, "Let's find the solution." That is much better instead of having me contact multiple companies to track errors down.

The protection will always need improvement:

• From a technical standpoint, I would like better artificial intelligence on how it does its stuff in the background. It will always be behind. However, at some point, it would be nice if it could get better. It is not bad, but it could always be better.
• From an audit point of view, our auditors would like to have more reports on how things are used, if things go wrong, and how they went wrong. For example, if something got a warning, "Why?" So, we would like more versatility for tracing and reporting. That would improve the product, as long as the user interface doesn't get bogged down.

I have been using the current solution since 2014.

We haven't had any issues. I haven't had any bad experiences. I expect it to work, and it works. It is just there. For example, when you have Word or the whole Office package, as long as it works, people are happy. You just have it, and you don't have to say, "Oh, this version is really..." It is just Microsoft. For most users, Microsoft is Windows, Defender, and the Office package. As long as you just use that, then people will say, "Okay, we're just basically using Windows." They don't care about one thing or another, as long as IT works.

As long as things are slowly upgraded, it works, and we don't have any issues, then I am happy.

I let my outsource company handle scalability. I only get involved if there are issues.

We have 50-plus servers with around 125 to 150 endpoints.

Our consultancy has a deal with Microsoft where they can get access to Microsoft directly. We are part of that deal. When we have issues that need some type of Microsoft input, we can get it. However, I will let the consultancy do that. I wouldn't do that myself.

We use different email solutions and web solutions to handle incoming and outgoing traffic. However, we have not previously used another endpoint protection solution.

In 2014, we upgraded from Windows 7. It was a completely new deployment of everything. Every server, every endpoint, and even the old laptops and desktops were upgraded. So, it wasn't just Defender. Microsoft Defender wasn't really the issue, as it worked. We had a lot of other IT that was annoying, but I don't remember that we had any struggles with Defender.

Microsoft Defender is always running. It is doing its job, so it is fine. I don't have any issues with the way it was implemented or how we are running it. We have been upgrading IT throughout the years, but there have been no issues.

We had a migration deadline set by our mother company. We had to stop using Windows 7 and server 2003 by 15th of June, and we started in April. So, it was done in just under two months right before June 1st.

We are part of the aircraft industry. We have been going downhill for some time, and now we are sort of going up again. At the time of purchase, we simply bought the outsourcing with the solution, meaning we would get this many machines and servers using these services. They kind of supplied everything.

We outsourced the deployment to another company at that point in time, who put up all the consultants and stuff. Before that, we had everything internally and on-premises. At that point, we moved it out still on-premises, but not in our own house. So, we built a separate system, then moved users over.

We didn't have Microsoft in to specifically help us.

The administration of this solution is outsourced. We use a consultancy who has 50-plus employees/consultants. They take care of nearly all services: Defender, Teams, SQL, etc. I then only have to talk to one or two people who are specialized in what needs to be done.

I have been very happy with our current IT services provider. We have had them for about a year. They took over from the old consultancy who installed our IT in 2014. Our current consultancy took over in 2020 because I wasn't so happy with the old guys.

It provides peace of mind with really good pricing. It won't be upsetting my budgets or anything like that.

Our outsourcer handled the decision that we were to use Defender, Remote Desktop Services, etc. They just said, "If you choose us, this will be your solution." It came as a package. Unfortunately, that company was bought by another IT services company, who bogged everything up. The service went downhill and stuff didn't get upgraded. So, we switched to another Danish supplier with whom we currently are happy.

Go for it. It is a standard solution. If you use Windows, you might as well go for Defender. With this solution, you have your normal dependencies within Microsoft. This means that you don't have to talk to another company; you talk directly to Microsoft. Some people might go for something else, and that is fine too. However, depending on how big your company is, if you are a small or medium business, you may want to have as many eggs in one basket to have fewer points of contacts.

It is a good endpoint. All the administration is handed over to our outsource partner. So far, it has been good. We have been using it for years, so it is the de facto standard for us right now.

As far as I know, its capabilities are okay. It is up there with the rest of them. Sometimes, this is what Gartner says is the best, the next best, the 10th best, etc. That will always change. As long as we don't get hit, we are fine. If we get hit, then there are questions around what we can expect from it, what we can get out of it, what help did we get, etc., but I would let my outsource partner deal with that. Directly, I don't have my hands on it.

I would rate this solution as an eight out of 10.

We use it for endpoint detection and response.

The agent is installed on the endpoint, on the laptop or desktop, but it's a SaaS solution.

One feature that has proven beneficial is the Threat and Vulnerability Management module of Defender for Endpoint, which provides information on the vulnerability of all the endpoints. We don't have to run active scans via network scanners. It is built-in. That has proven to be helpful, although we're still in the early phases. We have identified vulnerabilities that were in our organization for too long and nobody knew about those machines and the vulnerabilities on them. From a vulnerability remediation point of view, it has been quite helpful to us.

One of the features which differentiates it from other EDR providers is the Automated Investigation and Response, which reduces the workload of SOC analysts or engineers. They don't have to manually investigate each and every alert on the endpoint, since it does so automatically. And you can automate the investigation part.

In addition, there are several features that have helped to improve our security posture at the prevention level, such as the attack surface reduction controls and the exploit prevention control. The attack surface reduction comes with the solution, out-of-the-box. There is Application Control as well, which is kind of difficult to implement, but once you are through the pain of designing and implementing it, it is one of the very good features to have. These tools are some of the things that are missing from other vendors' products, as I have worked with McAfee, Symantec and Carbon Black.

One area for improvement is that, because it comes out-of-the-box, it does not interact well with many applications we have developed in-house. There is no way to exclude them because it interacts with everything on the endpoint. One of the issues is lagging: the in-house-developed applications suffer from this and they become slow. For a big enterprise, it is important that they include a feature so that we can exclude these applications.

Another area where it could be improved is that, while it collects a lot of data, it misses some data, which is important, such as the hardware version of the endpoint and the AV signature version. I think this improvement is in the Microsoft pipeline already but it is not in the solution yet.

I have been using Microsoft Defender for Endpoint for around one and a half years.

It has been quite stable up until now. It does not break. Microsoft is developing on it quite frequently and more and more features are coming in, but overall it is quite stable. It does not break that often.

As we have moved away from Microsoft Defender Antivirus and to the EDR solution, we have seen very few issues so far that users have faced with this. There have been very occasional performance issues for some users, but they have been very rare.

Scalability is one thing which, I think, Microsoft is working on, because it is not yet very scalable. What it provides out-of-the-box is all it has. Any big organization needs customization, but the customization of it and running customized things on top of it are areas where it is lagging. That something Microsoft needs to work on. Examples include running custom playbooks or customizing the events which it is collecting.

We are protecting 100,000 endpoints with this solution. We may increase usage, but there is no plan for that as of yet.

Microsoft technical support is good.

Before Microsoft Defender for Endpoint we had Carbon Black. But when I came onboard, Defender for Endpoint had already been chosen.

The setup process is not very complex, but it is also not very straightforward. It depends what solutions you have. If you have everything set up, which is usually the case for big organizations, then it is pretty smooth. But if there are some things that are not set up properly in the organization, like certain parts of the infra or the cloud onboarding, then it becomes cumbersome, not the installation part, but in setting up the backend which it needs.

Our implementation strategy was that we started with a few pilot machines, to onboard Defender for Endpoint. We noticed that we had around 70 to 80 percent failures. It was a learning phase and we identified the root cause of those failures. There are some settings in Defender AV that need tweaking when you want to onboard Defender for Endpoint. We struggled to tweak those settings, but once that was done, it went pretty smoothly for the next couple of pilots. Then we encountered another roadblock which was related to an OS version dependency.

Overall, it took us about one month to onboard the solution, but we are weak in infra.

We had our consultant from Microsoft for the implementation. The engagement went on for three to four months. But one thing we noticed from this project was that it did not need a consultant. It was not that difficult to do. Maybe we did not get an expert consultant because, for solving issues, he also took time.

In addition to doing onboarding, we wanted our third-party integrations, but that was something they could not do because they were Microsoft. We had to do that ourselves. Over that three or four months, we realized that we didn't need them.

Microsoft consultancy is good and bad. If you get good consultants, they are really good. But sometimes you get consultants who are not expert enough in their domains and you don't get enough from them.

We have not seen ROI yet, but we are hopeful that in the future it will provide that.

One of the differences between other solutions I have used and Microsoft Defender for Endpoint is that the latter is not yet enterprise-ready to the same extent that the other vendors are. Other vendors provide a lot of customization when it comes to integration, which every big organization requires. No big organization depends on one particular tool. Defender lacks that at this point.

Defender for Endpoint is marketed as an endpoint detection and response tool, but for others who are looking at onboarding it, they should take it as a holistic tool that provides AV, EDR, and vulnerability management all in one. However, it does not provide very good integration with third parties.

We are using it only for EDR, but we have a plan to extend it to Microsoft email as well as to the cloud.

Within one month of using Microsoft Defender for Endpoint, we could achieve great insights.

Microsoft Defender for Endpoint is a perfect solution. We have used several EDR products, and Microsoft Defender is the best one that I have worked with. It provides great visibility. It is very transparent. We can get so many details about a particular endpoint. It is a great product. I would rate it a five out of five in terms of visibility.

It helps us to identify process-based threats in our environment, not only the signature-based ones. We are able to identify some of the threats that were not detected previously.

We get severity levels from the solution itself. Based on them, we have developed our action plan to act upon any category of incident. It helps to achieve a better SLA to attend to incidents.

I am quite interested in the vulnerability dashboard. It provides vulnerability data according to the CVE database, which helps us to prioritize vulnerabilities in our environment and address them.

Microsoft Defender for Endpoint works with Windows and Linux, so we could cover them all. It is suitable for servers as well, not only for endpoints, so we could implement it on most devices in the organization. It has probably saved us 20% of the time. 

It has Kusto Query Language (KQL), so we can use our own queries to find anything.

We can get real-time updates. It is not just signature-based. It provides results based on behavior and successors. It analyzes the behavior and the process. With that, we can achieve greater results that other products do not offer.

We need better support to learn about the product. Documentation is available, but we need some kind of training program so that we can get a better understanding of the product.

We switched to Microsoft Defender for Endpoint about one month ago.

I would rate it an eight out of ten in terms of stability.

It is highly scalable. We have around 5,000 users. I would rate it a ten out of ten in terms of scalability.

Previously, we were using a separate EDR product in our environment. We were using Sophos. Our organization moved into Microsoft 365, so we switched to Microsoft Defender for Endpoint. 

We heard that it is one of the best products in the industry. We thought that we would get better results with Microsoft Defender for Endpoint. That is why we moved to Microsoft Defender for Endpoint, and we were able to achieve better results with it.

It is a cloud deployment. It took us a few months to make the switch.

It does not require any maintenance from our end.

Overall, I would rate Microsoft Defender for Endpoint a nine out of ten.

We use this product for our endpoint detection and all the remediation.

The solution provides good security features. The key valuable feature for me is that you can view it in the central console.

I'd like to see more integration in the next release and the solution should be file protected.

I've been using this solution for five years.

The solution is scalable. 

I'd like to see a quicker response time from the company's technical support. 

The initial setup was straightforward. It didn't take long and was part of the deployment of our endpoints, and part of the integration. We currently have around 3,000 users and no plans to expand. We have four people involved with maintenance. 

I recommend this solution and rate it eight out of 10.