Microsoft Defender for Endpoint Reviews

I lead a delivery team. I have a team of about 20 technology specialists and we do the deployment for Microsoft Defender.

Instead of having a third-party antivirus, then you can have a Microsoft ecosystem for your entire endpoint protection. 

This solution has its own sensors, which is its best feature. It senses the behavior of your endpoints, whether it is logged in from a particular location or external of that location. 

It captures data through machine learning, which is built-in on the back-end. It also provides built-in analytics and a threat intelligence feature. It is a one-stop solution that doesn't require an antivirus because it comes prebuilt into Windows 10.

Sometimes, there are different skews. In a basic skew, they should have basic log analysis without the need to integrate with any third-party or SIEM solutions, like Sentinel. This would make it so much easier for users who don't have log collection or log analysis.

We have been using it for a year.

This solution is very much stable.

This solution is scalable. It is a cloud solution.

If you have the Microsoft Azure ecosystem, you can collect logs and view them through Sentinel. You can also onboard your devices within Intune. 

You can integrate Microsoft Defender for Endpoint with different Microsoft solutions, e.g., Defender for Cloud, Sentinel, Endpoint Manager for onboarding of Intune, and Defender for Office 365.

We have a large number of customers.

Premium support is okay. Professional support is not as good because it is free. You must wait because you are not paying.

The initial setup was straightforward. There was nothing rocket science to it. It didn't take much time as we just enrolled the device and assigned the licenses, then it was done.

You just prepare it, doing a license evaluation licensing and some network configuration, then you can onboard your device.

We do the implementation ourselves. We find it easy to deploy. We help customers adopt the solution and get better ROI.

They have to pay for the Defender license. There are different licenses and skews, such as Plan 1, Plan 2, or the trial.

You do not need to pay any additional costs for antivirus and anti-malware solutions for endpoint protection. 

Anyone on Windows 10 Enterprise should choose this solution.

It really depends on the volume. You need one senior architect who can just define the entire thing: the device, network configuration, etc. You will also need some Level 1 engineers who need to keep on monitoring the devices and do onboarding. If they are using the latest version of Windows 10, then you can do the onboarding via Intune, Endpoint, etc. 

My rating for this solution is an eight out of 10.

We call the solution MDATP - Microsoft Defender Advanced Persistent Threat Protection. At the same time, we're using it more from an EDR point of view, as an Endpoint Detection Response. It can detect any threats, malware, or processor, which are illegitimate and being executed by the end-users or malicious actors. When it sees this, it detects and reports to us. 

Not only that, at the same time, it's detection, prevention, and response. Mostly what we were working on is detection. When I refer to detection, I mean that it can, with pinpoint accuracy, detect something and expose the threat. It can also map those threats with a MITRE, which is one of the great things that I love about it, on top of the accuracy and the threat description it provides.

There are a few different use cases. We return with a query language, which is provided by Microsoft. We are able to create some threat hunting queries. We can pinpoint, accurately detect, and run pain testing. When there’s a threat or issue, I am able to find it and track it with great accuracy in MDATP. MDATP is able to tell me that, for example, in my organization, if there was a guy who was doing pain testing, which is black listed, and if there was an attempt to exploit something or install some malicious code or try to hack into the system. I am able to find this and pinpoint its occurrence. Not only that, I’m able to map them onto a MITRE framework and tell which stage of the attack it was, where the attacker came from, et cetera. I can see if it was something that was planned in the organization. 

I can both detect internally and externally. I have full faith that the MDATP will detect behaviors and warn us of issues.

When you go to do a deep-dive or investigation as a SOC analyst or any security analyst, it gives three structures or processes, as well as the execution that it performs. I am able to perform a very deep-level investigation with MDATP - more than I can with any other tool.

It did increase our security posture. While we had an antivirus before, it would only detect or prevent certain types of attacks. However, based on that capability, you cannot respond to the threat directly. For example, if there was ransomware on a system, the antivirus will be able to identify, detect, and mitigate it. However, at the same time, even if the antivirus detects that and tries to prevent it, you need to contain that machine, or you need to isolate that machine from the network. You don't want that machine to be talking to anybody in the network. Antivirus solutions can’t exactly do that.

With respect to prevention, it has an auto-remediation feature, which is a good feature that I love with respect to prevention. It does auto-remediation as well as manual remediation, which is pretty good.

With respect to response, we were able to contain, block, and respond to threats faster with MDATP. When we analyze the incidents or the threats it gives us a very good view of everything.

With this product, before containing or responding, we get the information and can see what exactly is happening and when that malicious file was installed. After that, we have an event timeline. The visibility is not that much when you only have an antivirus. Now, we see the full picture. When we adopted this tool, we got the detect, prevent, and response functionalities. Overall, our security posture looks much better and our attack surfaces are limited. Endpoints are also most vulnerable today and we can efficiently protect them now. Since we have reduced the attack surface our security posture has improved dramatically. On top of that, we have the capability to respond and to go deeper on a forensic level.

The product doesn’t affect our end-users. I do not see any major issues. There are exceptions where approvals may be necessary. However, the user acceptance is good. This is something that organizations pre-plan and there is nothing the user really has to worry about or act on.

Defender’s GUI can be optimized. The console needs to be more refined. After you have been using it for some time, you get used to it, and it is manageable. However, it should be a little bit more refined.

They should come up with pre-built inner workflows. I would really like to see this. There need to be workflows with respect to notifications, remediations, or any actions that people want to take. They should come up with predefined or prebuilt hunting capabilities. Right now, we have to manually write queries. I would prefer if they could come up with something more automated.

This is with respect to a SOC analyst perspective. Other users, other administrators, other different roles might have different issues. For me, there are no major concerns. It is a good tool, out of the box.

I've used the solution for about a year and a half, and have also done training on it.

The stability is good. It's a stable platform. I don't see any issues right now. However, I did see something in the past. I can't quite remember the exact situation. It's resolved and right now there are no issues. 

The solution is highly scalable.

You can onboard as many end systems as you want. If you bring more, for example, 100 users or 100 endpoints, you can integrate them with no issue. It's not a problem with MDATP.

We have somewhere around 2,000 to 3,000 users who are using it. We have an endpoint team and they manage the antiviruses and security tools and all those things. We manage the product partially from a policies perspective, and the endpoint team manages the platform and maintenance of it, including any upgrades, as necessary.

I've dealt with technical support in the past. It's good, not excellent. That said, it's okay.

Before using this solution, the company mostly dealt with antivirus solutions.

We moved to this solution to strengthen and report, detect and prevent, et cetera, which antivirus solutions don't offer. We wanted forensics and capabilities that were missing. Antiviruses simply cannot protect you from advanced persistent threats, and they cannot protect you from ransomware and they don't respond to things faster. Response capabilities were something that was missing. Basically, we just needed more.

I'm usually not part of the entire setup, however, I do manage it. We have to do certain policies within our organization. However, from what I've seen, it's not a complex setup. It is pretty straightforward.

In terms of how long the deployment takes, I don't remember the length of time. If you have a CCM centralized, you can push the policies within hours. 

The licensing is something that management decides on. I don't deal with the pricing or licensing.

We didn't really evaluate other options. We provided support for one of our clients, and it was a decision they made. 

We're a consulting company. We are not partners with Microsoft.

We use the solution as a SaaS.

I'd advise other companies to use this solution. It's an ideal choice, however, I'm not sure about the pricing. Maybe it's on the higher end of other competitors' pricing. That said, if you have an opportunity to use it, it will solve a lot of problems with respect to pain point detecting and doing investigations. At the same time, with Microsoft, if 80% of your organization is using Windows systems, it's going to be compatible. Specifically, with its platform, Microsoft understands what is right and what is wrong. Therefore, if the money is not a concern, or the budget is not a concern, opt for this. At the same time, as a generic statement, if not this solution, go for an EDR tool that suits your organization's needs best.

I'd rate the solution at a seven out of ten simply due to the fact that I have not fully optimized it. 

I use it mostly to detect threats or viruses. I am using its latest version.

It is stable and easy to use. Everything is okay, and there are no performance issues.

Its detection is not as quick. There should also be more frequent updates.

I have been using this solution for maybe five years.

It is stable.

We have about 20 users.

I have not contacted Microsoft's technical support.

I didn't use or evaluate other solutions.

Its installation is very easy. It came with Windows.

I can install it myself. We have three teams for deployment and maintenance.

It came with Windows.

I would recommend this solution. I would rate it a seven out of 10.

Microsoft Defender for Endpoint is integrated into Microsoft Windows and is used for system protection.

Microsoft Defender for Endpoint has been secure and there is zero maintenance required because it updates with Microsoft Windows.

The solution can be more user-friendly.

I have been using Microsoft Defender for Endpoint for a few years.

Microsoft Defender for Endpoint is stable.

The solution is scalable.

We have 30 users using the solution in my organization.

The solution has no installation as it comes with Microsoft Windows.

I do not have to purchase antivirus solutions anymore because Microsoft Defender for Endpoint is integrated into Windows and comes free.

I would recommend this solution to others.

I rate Microsoft Defender for Endpoint a ten out of ten.

Defender's endpoint protection is good.

I've been using Defender for less than one year. Defender is free for one year. Once that year is over, we will switch to Kaspersky.

Defender is stable. The performance is good.

In terms of scalability, I rate Defender 10 out of 10. 

I haven't dealt with Microsoft support for this product.

It's easy. Defender came pre-loaded on our computers.

I rate Microsoft Defender for Endpoint eight out 10. I would recommend it to others.

We primarily used the solution as Endpoint Detection and protection (EDR, EPP) with secondary benefits of threats and vulnerability management, security incident response, automated query and real-time device monitoring, and with the capability of email security, identity management (DFI), and task automation (Power automate). We used respective licenses where required.

The solution was also used for an endpoint antivirus for workstations in a multi-OS environment, including Windows and Mac OS. We had file, device, and user trajectory monitoring for the security operations team.

The solution benefited the company via:

• OS-level/Tool compatibility for endpoints running Windows (since both are Microsoft products and Defender core files are included in Win10 or later delivery).
• Heuristic capability. Consistent usage of MDE indicates that the tools are continuously learning new prevention techniques by pulling real-time up-to-date cloud resources.

• Alert chaining. The solution makes security Incidents, events, and alerts less tedious from a Security Operation Center standpoint. This can result in false negatives or detriment for small to medium-scale firms running no or semi-automated threat response features.

The most valuable aspects of the solution include:

• Advanced hunting. The product offers flexibility, visibility, and automation capability using a user-friendly query language (KQL).
• Reporting. Clear and concisely plotted graphics show real-time data representation - which is valuable to upper management.

• Scalability/API. We are able to productively integrate with existing on-prem, hybrid, or cloud applications. 
• Great OOB features. The solution comes with SIEM-ingestion-ready features for extensive visibility, automation, and integration, including advanced hunting, threats and vulnerability management, embedded simulation for end-to-end testing, ransomware prevention (Controlled Folder Access), and Attack Surface Reduction (ASR) rules.

Improvements could be made via:

• Clicks. There's a poor user experience with lots of optimizable opportunities of user interface particularly on the newly improved portal (https://security.microsoft.com/). Features like device inventory continue to lack essential workstation drill-downs showing the entire device information with the least effort.

• De-centralized console features. Discrepancies with enabling core features at the click of a button within the MDE portal is mostly due to prerequisites that are tied to the functionality or partial enforcement requirements from other Microsoft tools (Group policy, Azure, Sentinel, SCCM, Intune). EDR in block mode requires Intune security baselines and tamper protection requires MAPS enabled. Web content filtering also has security baseline dependencies

• No single pane of glass. There are too many loose ends with tiny bits and pieces to enforce essential security policies compared to other EDR solutions within the same caliber. A typical example is having to create exclusions in different locations for entirely different functionalities, such as: automation folder exclusion, group policy exclusions (per tenant), Controlled Folder Access (ASR) Allowed application, and Attack Surface Reduction (ASR).

• Service Requests. Noncritical cases with MDE technical support teams tend to be queued for over a week before the first customer engagement. Most of these tickets also end up in the hands of temporary or contracted non-Microsoft employees who are scripted and offer little attention to unique incidents.

Suggested additional features that should be included in the next release include:

• Digestible interface/filter for crown-jewel capabilities like ASR, CFA and Exploit mitigation occurrences.
• Restoration of an always visible search bar from the previous console view (https://securitycenter.windows.com).
• A definitive action plan for Secure Score recommendations and deduplicate of controls.

We were using Microsoft Defender for Endpoint prior to its change of name from Defender ATP. We experienced a plethora of GA changes including, but not limited to, IOS/multiple OS support, device discovery, web content filtering, API updates, and continuous integrations with existing security tools.

Usually, the solution is used in relation to keys management. We implemented a program for it, for the lifecycle of the keys. We've also used it for certificate management.

The initial setup is very straightforward.

The stability is very good.

Technical support is good.

The solution is in good condition and offers good functionality.

There are likely some technical improvements or features that could be added, however, I cannot say, off the top of my head, what they would be.

I used the solution in relation to scoping a project. I was doing business analysis.

The solution was very stable.

The solution is scalable.

The technical support for Microsoft is very good.

The initial setup is not difficult or complex. It's very simple and straightforward. 

I do not know how much it costs per month. I cannot say how it compares against the rates of the competition.

We are a Microsoft Customer.

I'm not sure if I would recommend the solution to others. It depends on their requirements. It needs to fit a company's use cases.

I would rate the solution at an eight out of ten.

We use it at home on some personal machines at home, and there are a few machines inside of the Enterprise that has it.

We use this solution for general antivirus protection.

We like that it has a free version available.

The frequency of the patching, and the frequency of the updates, are not included with the free version. 

The platform I used in the past would check every hour and deploy every two hours down to the client, every patch that came through. 

It was actively looking for updates, the latest threats, which is something that the Microsoft Defender product did not have in the free version.

The Enterprise version that we had, didn't have visibility. If somebody were to uninstall it or turn it off, I'd have trouble seeing that easily. There are tools that I can install, but from a reporting standpoint who has it on and off is included with the Enterprise package that you pay for, or it comes included with Office 365 Enterprise, but not in the free version.

We have been using Microsoft Defender for Endpoint for two and a half years.

We are using the latest version. It is always up-to-date.

We had absolutely no issues with the stability of Microsoft Defender for Endpoint. We did not experience any bugs or glitches.

It is pretty easy to scale. it was basically one click to agree that you wanted to use it.

We did not contact technical support.

Previously, we were using another solution and were forced to uninstall it to patch Windows. It was an annoyance to reinstall it.

The initial setup was straightforward. It was extremely simple.

We are using the free version.

When you are centrally managing it, you can't get there without a much more expensive Microsoft solution to control the rollout and to make sure that it is up-to-date.

We didn't research that, it was a stop-gap measure until we figured out what we're going to do in the long term.

We are looking into a product that gets into the EDR, XDR, the fully managed patching, and everything else, versus just the anti-virus that package includes.

I would rate Microsoft Defender for Endpoint and eight out of ten.