Sr Principal Cybersecurity Engineer at a transportation company with 10,001+ employees
Offers excellent threat hunting and integration with other Microsoft tools
Pros and Cons
- "The threat hunting service is very useful for a security professional."
- "My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product."
What is our primary use case?
In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.
How has it helped my organization?
Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.
The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.
The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.
Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, SIEM tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration.
Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.
What is most valuable?
The threat-hunting service is very useful for a security professional.
The ability to fine-tune specific policies to protect our enterprise is also advantageous.
The increasing deployment availability on different platforms and OSs is a good functionality.
Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.
Defender for Endpoint provides good visibility into threats, and there is always room for improvement.
The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.
In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.
Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.
Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.
What needs improvement?
My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.
Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.
Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.
A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.
Buyer's Guide
Microsoft Defender for Endpoint
May 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.
For how long have I used the solution?
I've been using the solution for over 15 years.
What do I think about the stability of the solution?
The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.
What do I think about the scalability of the solution?
The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.
How are customer service and support?
Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.
How was the initial setup?
I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy.
In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.
What other advice do I have?
I would rate the solution eight out of ten.
The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.
Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.
Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.
The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's SOAR and machine learning capabilities fully.
I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.
When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them.
I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
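The reviewer above describes prioritizing risk factors and building alert logic around high-value assets or individuals. The following is an added illustration of that idea, not code from the reviewer or from Microsoft: a small triage routine that boosts the priority of alerts touching watchlisted devices and accounts. The watchlists, the score weights, the threshold and the sample alerts are all constructed for this example; in a real deployment the watchlists would come from a CMDB, a Sentinel watchlist, or device tags in the Defender portal.

```python
"""Alert triage against a high-value asset/user watchlist.

Added example (not the reviewer's or Microsoft's code). It mimics the
kind of "alert logic" the review describes: raise the priority of alerts
that touch crown-jewel hosts or privileged people, regardless of the
vendor's default severity. Watchlists, weights and alerts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed watchlists keyed by normalized device name / account name.
HIGH_VALUE_DEVICES: Dict[str, str] = {
    "FIN-SQL-01": "finance database",
    "DC-02": "domain controller",
}
HIGH_VALUE_USERS: Dict[str, str] = {
    "cfo": "executive",
    "svc_backup": "privileged service account",
}

# Base score taken from the vendor-assigned severity (constructed weights).
SEVERITY_SCORE = {"informational": 5, "low": 20, "medium": 40, "high": 70}


@dataclass
class Alert:
    alert_id: str
    severity: str
    device: str
    user: str
    title: str


@dataclass
class TriagedAlert:
    alert_id: str
    score: int
    reasons: List[str]


def triage(alert: Alert) -> TriagedAlert:
    """Score one alert: vendor severity plus boosts for watchlisted assets.

    The score is capped at 100 so that stacked boosts stay comparable.
    """
    score = SEVERITY_SCORE.get(alert.severity.lower(), 0)
    reasons = [f"severity={alert.severity}"]
    # Device names are compared case-insensitively (hostnames vary in case).
    device_role = HIGH_VALUE_DEVICES.get(alert.device.upper())
    if device_role:
        score += 30
        reasons.append(f"high-value device ({device_role})")
    user_role = HIGH_VALUE_USERS.get(alert.user.lower())
    if user_role:
        score += 25
        reasons.append(f"high-value user ({user_role})")
    return TriagedAlert(alert.alert_id, min(score, 100), reasons)


def prioritise(alerts: List[Alert], threshold: int = 60) -> List[TriagedAlert]:
    """Return alerts at or above the threshold, highest score first."""
    triaged = [triage(a) for a in alerts]
    return sorted((t for t in triaged if t.score >= threshold),
                  key=lambda t: -t.score)


# Constructed sample alerts: a low-severity alert on a privileged service
# account logging on to the finance database outranks a plain high-severity
# malware quarantine on an ordinary workstation.
SAMPLE_ALERTS = [
    Alert("A1", "low", "ws-0042", "jdoe", "Suspicious PowerShell"),
    Alert("A2", "low", "fin-sql-01", "svc_backup", "Unusual logon"),
    Alert("A3", "medium", "ws-0101", "cfo", "Phishing link clicked"),
    Alert("A4", "high", "ws-0077", "bsmith", "Malware quarantined"),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_ALERTS):
        print(t.alert_id, t.score, "; ".join(t.reasons))
```

The point of the example is that vendor severity alone does not encode what matters to a particular company; a watchlist-driven boost is the simplest way to make "who and what was touched" drive the analyst queue, and the same logic ports directly to a scheduled query in Sentinel or Defender advanced hunting.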

Lead security engineer at a computer software company with 11-50 employees
Real-time protections and automatic attack disruption have saved our time
Pros and Cons
- "The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works."
- "The automatic attack disruption feature in Microsoft Defender for Endpoint works great."
- "The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs."
What is our primary use case?
We are an MSP. We've got a lot of clients that use Microsoft Defender for Endpoint as their EDR system. We support that.
A lot of the use cases for Microsoft Defender for Endpoint check the boxes for the EDR solution for that client. We use the endpoint portals to work through any alerts. Mostly, we feed all of the Azure Office 365 security logs into our SIEM and then take those alerts if we have to do more work, and see if we can get more details from that.
How has it helped my organization?
The automatic attack disruption feature in Microsoft Defender for Endpoint works great. Microsoft Defender for Endpoint's auto-deployed deception techniques also work great. It hasn't bothered me, so it just does its thing, which helps a lot because we have many things to deal with.
The visibility into the company's attack surface provided by Microsoft Defender for Endpoint is good. It's all in one place, which is great. I can see where things are going and make sure that it's deployed on all the machines that we work on.
Microsoft Defender for Endpoint has affected the security posture of our clients' organizations. It does its job fine. For some clients, we don't have to worry too much. Even if we're not getting tons of alerts from it, it's at least there, doing its job.
Microsoft Defender for Endpoint's coverage in client environments is comprehensive. Every device we support is a Microsoft Windows device. It covers pretty much all the endpoints and workstations for those clients.
Microsoft Defender for Endpoint has helped reduce our mean time to remediation. A lot of the reduction is due to the automatic disruption, so we don't have to sit there. It also gives us another data point to look at where the vulnerability might have been.
It has helped me free our SOC team to work on other projects or tasks. It has saved 5% to 10% of our time.
What is most valuable?
The features of Microsoft Defender for Endpoint that I prefer most are the detections. It just works. Malware getting on a machine and running is a big deal, so we can trust it to sit there and scan and have real-time protections.
What needs improvement?
The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs.
For how long have I used the solution?
At the company, we've been using it for a long time. I've been here for about three months.
What do I think about the stability of the solution?
The stability of Microsoft Defender for Endpoint is good. I've never had it be unavailable. It's always available when I need it to be.
What do I think about the scalability of the solution?
It has been able to fulfill our needs. Everyone we work with is pretty small, so it's not usually an issue.
How are customer service and support?
I have never interacted with the customer service of Microsoft Defender for Endpoint, as it just does what I need it to. Based on my other experiences with Microsoft technical support, I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We use Microsoft Defender for Endpoint along with some other products. Some of our clients choose to stick with Microsoft. There are other EDR products that we support as well.
How was the initial setup?
I've deployed it for a client. It was pretty smooth and simple. They're small shops, so there wasn't a whole lot of craziness to do with it.
What was our ROI?
The biggest return on investment for me when using Microsoft Defender for Endpoint is the time saving. It's an easy recommendation. If I have clients wanting to dive into more security products for their environments and are hesitant about going with an endpoint solution or a different software vendor, it's an easy recommendation.
What's my experience with pricing, setup cost, and licensing?
It's all pretty easy. For some clients, it's an easier sell because it's just an add-on to their existing Microsoft licensing and Office 365 licensing.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a nine out of ten. The log search features are difficult. If I don't have visibility into another product, the log search functions of Microsoft Defender for Endpoint are pretty difficult to navigate.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Not sure
Last updated: Apr 30, 2025
Principal Consultant at a tech services company with 201-500 employees
Enables ingestion of events directly into your SIEM/SOAR, but requires integration with all Defender products to work optimally
Pros and Cons
- "The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time... Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps."
- "It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception... One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts."
What is our primary use case?
Our use cases, and the way we deploy it, depend on the different situations we encounter.
There may be a company that is already using the Endpoint Protection solution and we have to do a migration.
Another scenario is that a company may be migrating away from another endpoint threat protection solution.
And there are some companies that are already using SCCM, and we may have to go through one of two scenarios. One is to co-manage with what they call Microsoft Endpoint Manager and Configuration Manager. If they are already using SCCM, and only SCCM, we will typically have to go through a process where we integrate SCCM into Endpoint Manager and then they'll usually bring some endpoints into Intune and they'll do a PLC. They have to Azure AD-join or register a device into that so it can be managed through Intune. They may even co-manage it for a while until they fully onboard into Intune only. A lot of people are looking to get away from co-management and managing through Endpoint Manager. But there are some prerequisites to accomplish that.
The endgame for most companies is they want to manage things from Intune only. There are different paths to get there, depending on what they already have in place.
How has it helped my organization?
Overall, Defender for Endpoint has created a better security posture, particularly in these COVID times where no one is on-premises anymore and they're working remotely.
What is most valuable?
More than anything, what I find most valuable is the holistic integration with all Defender products and MCAS. You cannot deploy this in a vacuum. It's like most Microsoft technology. If you want to do a Zero Trust model and framework, you have to deploy things in a holistic solution.
Among the new features I like is that you can ingest your Defender events directly into your SIEM/SOAR product, particularly Azure Sentinel, although not a lot of people are using that and you don't have to be using it. You can ingest them into any SIEM/SOAR product directly.
There are features that have helped improve a company's security posture, now that remote work has come into play. Microsoft had to come up with a solution because identity is the new security plan. The largest attack surface is going to be your endpoints, so you have to be able to control your endpoints. There is malware that can collect IDs and it doesn't have to be from privileged accounts, it could be from any account. Once they get in, then they can start looking around to see if there are any security holes, move laterally, and get a hold of a privileged account. And if they get a hold of a privileged account then they can just turn off all your security controls and get to your data and you've got a ransomware attack. With Defender for Endpoint, it's the combination. Every one of the features in it is equally important, but the most important thing is integrating it with the other Defender products, to create a holistic solution.
The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time. You are better off as an organization, when it comes to BYOD—because Apple just now started supporting separation of corporate and personal profiles—to start with the version that supports that feature. If you go below that level, you don't get that feature, and it makes it very difficult to separate corporate and personal profiles. Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps. I can cut the ability from sharing files between apps between the personal and corporate profiles. From a data loss prevention standpoint, I can completely segment corporate apps and data from personal apps and data.
Another feature is that it is now supported across multiple platforms, where it was regulated at one time for just Microsoft-supported operating systems. That development is very important.
What needs improvement?
There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions.
Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organizations' recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.
For how long have I used the solution?
I've been using Microsoft Defender for Endpoint since it first came out. They bundled it into M365 licenses, particularly E5 licenses or the equivalent, around 2019.
What do I think about the stability of the solution?
Like every other security product out there, the stability of Defender for Endpoint is a work in progress. The solution is trying to address a tough problem and anybody will tell you that cyber security is not a fair fight. It's just incredibly hard to defend against the bad actors. Everybody is scurrying right now to come up with different ways to stop the problem and it's just not there yet.
What do I think about the scalability of the solution?
In terms of scalability, we have run into organizations that are very large and that have said it doesn't scale well. I'm part of MISA, the Microsoft Intelligent Security Association, and we did a review of all their products and they all had scaling problems, including SIEM/SOAR, MCAS, Endpoint Manager, et cetera.
There are two "fronts" for anybody who is using a SIEM/SOAR: one is how fast they can ingest, and the other one is how fast they can make decisions. You want to do this in real-time, or near real-time.
The ingestion problem is that you're ingesting a bunch of stuff from everywhere: from the network, from identity, from all your services, and your apps. It's a crazy amount of data. Some organizations are doing on the order of 5 billion events daily. How do you ingest all that in a timely manner and correlate it? You have to do it in a distributed way. There will be a top-level SIEM/SOAR and several underneath it that are collecting data for a particular location or a set of users. You trim that down and eventually ingest stuff to the top so that you can see things from the holistic viewpoint. Or you decentralize it, where office A and all its users have their own, and office B has its own, and you don't necessarily roll it up into a single, corporate-wide solution.
There are products out there that are addressing this by not storing the events directly onto disk, but into flash drives, so they're super-fast. They never put it on a disk and save it. You can have the option of saving it to disk for long-term retention. But the immediate ingestion of events is happening through flash drives. It sits in fast memory, never gets written to disks, and that's how they're speeding things up. And there are AI/ML engines pulling that stuff in and they can act much faster.
In addition, some AI/ML engines are more mature than others. There is a lot of work being done on that front. When it comes to Endpoint Manager there are a bunch of events coming from a ton of endpoints. It's no different than ingesting events from a thousand database servers. Or they could be from your whole application reference architectures, and your data analytics reference architectures. Everybody sees the problem coming, the problem of big data. That's what we are really talking about. There is a whole lot of stuff coming in and we have to make sense of it, figure out what's relevant, have a scoring system and prioritization system to make decisions fast. For example, the bad guys are able to get into your systems and, within 20 minutes, they've already done an assessment. Usually, if you're lucky, you can respond to that in 30 minutes. And if you're a huge enterprise, you may not even be able to respond that fast.
That's the reason everybody says it's not a fair fight. We don't have the tools right now to react fast enough.
As for how extensively it's being used by our clients, anyone who is going to use it plans to use it as a one-stop solution. They won't be using multiple solutions and they will roll it out to every endpoint. It makes perfect sense to do so because you don't want to have multiple products and require your staff to have knowledge of multiple products.
For big corporations, it takes a little while to get there. It's something that has been evolving for 30 years now. Organizations want to settle on a standard desktop and want to be able to do configuration control that allows them to control the apps and the usability from a security standpoint. It used to be, "Let's make it easily usable." But now the industry is flipping that over to, "It has to be secure." The vendors have finally come to the point where the balance between usability and security is leveling out.
Which solution did I use previously and why did I switch?
I've used multiple solutions in the past. We switched based on our customers' requests. Some do it for solution architecture reasons and some of them do it for enterprise.
The enterprise customers say, "Oh, we know we need Endpoint Manager, but we need to align a solution with our business requirements first. Before you even select a solution we are going to look at our business requirements, then do a bake-off possibly, and then select a solution." Or they'll just look at industry ratings of the solutions and say, "Oh, this is the best one," not knowing that those ratings don't necessarily look at every new solution out there. There are so many. We are a VAR and we resell hundreds of security and regulatory compliance products. Usually, unless they bring us in at the early stages of the process, our clients have already picked a solution.
How was the initial setup?
The initial setup is very complex. To me, it's one of the more complex solutions because it touches so much. I have to know every platform and every platform version, when I create security baselines. As I mentioned, certain versions of iOS don't support the separation of corporate and personal profiles, and then you run into the scenario where they're already using some other endpoint protection and they want to migrate it to Microsoft Defender for Endpoint.
Or there is the scenario where they are using SCCM and to then use Microsoft Defender for Endpoint you should really require Endpoint Manager, meaning that you have to transition to that. And as I noted, making exceptions is hard.
And when you integrate it across all the Defender products, and are managing a project like that, you have to get to a point where they're ready to be integrated, which is an issue of timing. So it's one of the more complicated things to roll out, compared to Defender for Identity. Defender for Office 365 is pretty large too, but Endpoint is the hardest of the three.
It even touches identity, because there are Azure Active Directory conditional access policies, and those are connected with Endpoint Manager. You've literally got to look at what policies and what setup within Endpoint Manager can apply to different versions of iOS. You have to dissect so that if you're going to do BYOD, for example, and allow a version of iOS from some early version and up, you have to understand that there may be some options that you can use with one version that you can't with others. It's much easier to do with Android than it is with iOS.
When you start heading down that path, it's a maturation process. You have to roll things out in phases. It's a very complicated product. Like with SIEM/SOAR products, when you start getting events, you could be flooded with them. You have to learn to tune it, so that you can differentiate the trees from the forest. You have to correlate things and automate your responses. That type of tuning is a long process, one to get the clutter out.
A product like Sentinel is pretty cool because it has predetermined workbooks, and predetermined manual and automated responses. It has playlists. They are making it much easier to trim that clutter and to get to the nitty-gritty, and they have done so with Defender for Endpoint.
The deployment time, with fine-tuning, depends on the size of the organization. If it's a small or medium business, it could take three months to deploy and tune, and it could take longer; up to six months. It depends on many factors that I've mentioned, such as if they're migrating, or if they have an integration between SCCM and Intune. It also depends on the expertise level of the organization, its maturation level, and skill sets. All of that comes into play.
It also depends on their starting point in terms of some of the prerequisite services. You don't generally roll out Defender for Endpoint until you've got identity governance and protection. That's the first thing you do because everything is dependent upon that. After that, the prerequisite is rolling out Endpoint Manager, and then Defender for Endpoint. If it's a hybrid situation, you may roll out Defender for Identity so you can cover your Active Directory controllers and provide threat protection for them, although you can do all the "Defenders" in parallel; you just have to time them correctly so that when you integrate them together they're ready to go.
For large organizations, it could take a year or two. For example, if there are half a million endpoint devices—and that's possible if you have an organization with 200,000 employees and contractors, and each has a laptop and a mobile—it can take some time.
In terms of an implementation strategy, I have developed work-breakdown structures for just about every Azure service and almost every Azure M365 service. They look at working with them holistically, but they are broken down into each individual service and mention the other services within the work-breakdown schedule, and how you integrate them. The first thing I do is a current-state assessment and that gives me an indication of the readiness for deployment. The next steps are plan, design, deploy, manage, secure. There are strict sets of security controls and I have to gather every single one of those per platform. It's quite a long process. It follows the saying, "If you fail to plan you plan to fail."
As for staff required to maintain Defender for Endpoint, once you get it set up and tuned it's not too bad. It depends on the size of the organization again. If a business has 100 people, one person can do it easily. If there are a few thousand people, you may need two or three people. It often depends on your getting all the features rolled out. In IT it often happens that we roll stuff out and we always intend to get to that other piece but we just never get the time to do it. Many organizations are going to a lean staff and bringing in consultants to help roll things out. For us, as a contractor, it's great. Our business is booming.
What's my experience with pricing, setup cost, and licensing?
Most organizations that we have come to want to replace their current endpoint protection solution for Defender. A reason many of them do that is that they aren't pleased with whatever they have. They may not know what features are relevant and just don't know how to roll them out. They realize, "Oh, I bought M365/E5 licenses, and Defender comes with them already. Why not use it?"
Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially.
Which other solutions did I evaluate?
If our client brings us into the process at the right time, we evaluate products for them, since we're evaluating products constantly. That's part of what we do. We have to know, through a deep-dive, the pros and cons of each. We are constantly being updated by our vendors about how they're addressing a particular security area.
Is Defender for Endpoint the best product out there? No, it's not. I can think of several others that are pretty amazing. It's still a product that's evolving, but it does a really good job for the most part. It does the best job when it is integrated with the whole Microsoft holistic solution. If you look at Microsoft's site, you will see what capabilities Microsoft has. They will show you how these products integrate and work together to give you a holistic solution to develop a Zero Trust model framework.
And while it's not the best solution overall, some of the pieces are. There are several areas where Microsoft is good or better than most, and then there are some weaknesses when you do Zero Trust. They don't have a secure web gateway product. Their MCAS or CASB product leaves a little bit to be desired. There are other solutions, in those two components of a Zero Trust model, that do a much better job. Zscaler probably has the bulk of the business but I'm a big fan of Netskope. There is CrowdStrike, and Forcepoint may be making some inroads because they just developed a new anti-malware technology. But none of them are going to be perfect because malware is a hard problem to solve.
There is also a new product I just reviewed for M365 Security that is pretty amazing on paper. Although I haven't actually kicked the tires on it yet, it looks really good and it's from one of the fastest-growing companies out there.
Think of it like this: If you don't buy E5 licenses or the equivalent with M365, you don't get Defender for Office 365. People don't realize that product is a kind of a split product. It's a multi-function product. It has some DLP pieces that work with MIP and it has some pieces that work with the Office 365 outlying suite. It's a little bit of a funky product.
But one of the things it has is a part of your Exchange Online protection. Without it, you don't get the features like anti-spam, anti-virus, safe links, and safe attachments. That combination addresses what is called a combined attack. You get an attachment and the attachment may have a link in it, or you get an email that has a link in it. They all look legitimate. If someone clicks on it, it takes them to a malware site, and bam! You just downloaded it into your computer and now endpoint protection comes into play.
Eighty percent of malware is still spread via email today. That's how they attack you. They're trying to penetrate your apps and they're even trying to penetrate your M365 online apps. This product works inline and they've already proven that, even with Defender for Office 365, there are still malicious messages getting through. The bad actors figure out how. They actually buy the product and figure out where its weaknesses are and they attack it. Because it's such a popular product it's the one they're going to target. It has the biggest attack surface. They've been attacking the weaknesses of M365, particularly the Exchange Online protection and all the weaknesses in Defender for Office 365. They've just been clobbering it. We're having a lot of people say to us, "Do a security assessment on our M365". All I can tell them is that it's not their problem as much as it's the product's problem right now.
Microsoft is trying to address things as fast as it can, but it's going to take months to get there. But here is another product you can add on that can help you fill those flaws. What this other company has done is that they've said, "We'll fix those flaws for you and we'll make it an easy process to do so." Usually, the circumstances in which you need an email security gateway are when you don't have an E5 license. But now they're even attacking that. And when that happens you have to change the MX record. With this new product that I've read about, you don't have to do that. It just supplements the weakness of M365, not only in Exchange Online protection but throughout all the other apps, like SharePoint, Teams, and OneDrive. That's pretty impressive. And it works with all those products easily, without changes in administration or training. It installs in minutes. I was floored when I saw that.
What other advice do I have?
The organizations I have worked with that are using Microsoft Defender for Endpoint are mostly small- and medium-sized businesses. Our larger customers are generally not using it.
There was a service built within our organization, a service that is very much hooked in with CrowdStrike. If you've ever seen the CrowdStrike products, you'll understand why. They are pretty impressive products. They do some things that help them see malicious activity in near real-time. Can they react to it in near real-time? No. But like everybody, they are trying to find a way to be able to react faster. They just bought a company called Humio, which is a SIEM/SOAR product I referred to earlier that does not store events directly to disk, so it can act on things much faster.
Used alone, I would rate Defender for Endpoint a seven out of 10. When integrated with other Microsoft products, I would give it an eight. It really depends on other pieces of the solution for Zero Trust to work properly. It won't work well if you deploy it by itself. If you're going to use Defender for Endpoint, you should also use Defender for Identity, Defender for Office 365, and the full gamut, including MCAS and MIP, and then you will need your SIEM/SOAR. It's a long journey. And you had better have done your identity very well. If you haven't, it won't really matter what you throw in place, once they breach your identity plane. That's the most important one. I can put every possible safeguard in place, but if someone gets the keys to the kingdom, I might as well just turn them off.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
CEO at Sentree Systems, Corp.
Lowers costs for my clients and has the ransomware solution built into it, but there should be more telemetry information and more promotion
Pros and Cons
- "I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender."
- "It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender."
What is our primary use case?
I offer a Security Operation Center (SOC), which is like a person standing and going through the metal detector at the airport. We're like the staff standing there and watching people and then having them send stuff through the conveyor. It is real-time detection and response.
I don't use Microsoft Defender that much. If I come across a client who doesn't want to spend on a different endpoint solution, I just have them use Microsoft Defender that is built into their devices.
How has it helped my organization?
The ransomware and some of the other features that are built into it give you more telemetry now. From the security side, I don't look at what an endpoint solution does. I look at what it gives me. I need data. I don't want something to just say, "Oh, I stopped it." That's good, but I need to be able to figure out what it stopped. Was it a good thing or a bad thing that it stopped, and what is it doing? I need to be able to break that down and go deeper into that analysis to figure out what is being stopped. Microsoft Defender is doing that now and is giving more telemetry. It doesn't give nearly as much as Bitdefender does, but it is pretty good.
It is built into Windows 10. So, I don't really have to go out and get an extra or a separate endpoint security solution. It stands on its own. I have some clients who are using Microsoft Defender, and it is perfectly fine because my SOC can actually get the telemetry from Microsoft Defender and use that as well. Microsoft Defender does have the telemetry information, and I can get some of that out of it for my SOC. I can use what's built into it to stop and do more of a response layer. I can use Microsoft Defender to stop something right there.
What is most valuable?
I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender.
It is useful when a client does not want to spend extra on getting a new endpoint solution or does not want to get something else installed on their devices.
What needs improvement?
The biggest thing that I would emphasize to Microsoft is that if they are confident in their solution, they should brag more about it. In other words, they should put more stuff out there to prove that they're just as good as the others. The biggest thing is that people still don't believe in it. When it comes to the IT world, they still don't believe in Microsoft Defender. It has been there for a while, and I know that I used to not trust it because it was free and I didn't know what it was doing and if I could trust it. If you go to comparison sites, you would hardly see it being compared to solutions like Norton, Bitdefender, Webroot, etc. Microsoft can do a better job of promoting it.
They should offer more telemetry or more information coming out of there for a syslog type of scenario so that a SOC could use the data that they have built into it. This would be useful.
It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender.
For how long have I used the solution?
I have been using it off and on for some time.
What do I think about the stability of the solution?
Its stability is fine. It is a built-in and legacy solution. It can stand up to any other endpoint security solution.
What do I think about the scalability of the solution?
It is not very scalable from the eyes of an MSP. There is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. Because it doesn't give you one pane of glass to look at everything, you have to have an RMM tool that can actually see the data coming from Microsoft Defender. If you don't have an RMM tool, you would need one, and that would be an extra cost.
I don't really use an RMM tool. We have a SOC, and I don't really deal with individual computers themselves. In the past, I have used RMM tools, and some of them do well with looking at Microsoft Defender, but my SOC has a really good dashboard that I can use to see what's going on with Microsoft Defender. I can actually control stuff on Microsoft Defender from my SOC.
How are customer service and technical support?
I have not used their support for Microsoft Defender. Generally, their support is fine. They've definitely improved and gotten better.
Which solution did I use previously and why did I switch?
I don't use Microsoft Defender that much. It is built into Windows 10, and if you put the antivirus or endpoint security on, it kind of turns itself off automatically. I've been using Bitdefender lately. I used to use Panda Security, but now I use Bitdefender.
I recommend it for clients who don't want to spend on a different endpoint solution, but I don't put all my eggs in one basket. I don't say that a particular antivirus or endpoint security solution is 10 times better than the other one. I just don't look at things that way because I know the process and what hackers actually go through to get past all of them. So, none of them are that much better. The only thing I tell others is to not use the free ones, but to that defense, they all have a level of reachability.
When it comes to performance, Microsoft Defender is much faster because it really doesn't look at all of the things that are Microsoft-focused. It has a better understanding of what Microsoft has made, whereas other solutions are going to look at anything as a potential threat. It is definitely a better option because it knows Windows. You install another antivirus on Windows, it has to try to figure out the software. Microsoft already knows how Word, OneNote, or their other solutions work. So, Microsoft Defender doesn't need to scan specific things, whereas Bitdefender or another solution doesn't know that, and it is going to scan everything, which can slow your system down.
I offer a SOC, and we do real-time detection and response. I don't put all my eggs in one basket when it comes to endpoint security. I believe endpoint security needs to be there because it is a layer of security, but it is not everything. The reason I use Bitdefender is that it has more telemetry and more information coming out of it to put into my SOC than Microsoft Defender, which doesn't have as much telemetry coming out of it.
For telemetry or forensics, Microsoft Defender doesn't give you reports. It just does what it does. Microsoft Defender will give you information, but you have to go to the individual device. I can't pull much telemetry information into a SOC. So, if you want to see from where the hacker or the hacking software came in, how it got there, and how it moved unilaterally across the system or network, you may not get all of that with Microsoft Defender, but with the telemetry data that comes out of Bitdefender, you will get more of such information and you can follow its path.
How was the initial setup?
It just comes on a device when you buy it. When you buy a laptop, it is built into Windows 10. They have Windows Security, and there are separate pieces of it. When you look into some of it, it is called Defender. They also have a standalone Windows Defender.
It is a full endpoint security solution, and they have a firewall in there. You can go in there and set different things up for your firewall. When it comes to security, not everything is turned on. You actually have to go in and turn the ransomware part on. There are things about ransomware that you have to turn on, and they really depend on what you need in your practice or business. You have to make sure you go in there and look at it. You can't just set it and forget it. It does come automatically, but you have to go in there and set things up because they know that some things can stop certain aspects of your business from running. So, they don't want to turn everything on. They leave it up to you.
The configuration of those extra parts can get complex, but I do believe it is pretty straightforward. It involves more yes or no type of questions. It is just flipping a switch on each individual part that you want to use. It is just like everything else. You have to test and see if it is going to work in your environment.
In terms of maintenance, all the updates come with Microsoft. Every time they update Windows 10, they also update Microsoft Defender. It is pretty simple.
What was our ROI?
It doesn't really affect my business because the cost goes out to my client either way. If they have 200 devices and they are charged $2 per endpoint for each one of them, that's an extra $400 a month. If they are just using Microsoft Defender built into their systems, that cost goes away for them. My clients are definitely saving money with Microsoft Defender.
It doesn't affect my business because I'm looking at telemetry regardless of the solution. So, it doesn't matter if it is coming from Microsoft Defender or Bitdefender.
What's my experience with pricing, setup cost, and licensing?
It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them.
What other advice do I have?
It is just like anything. You should definitely do your homework and see if it is going to give you the information that you need. You should focus on forensics and the kind of information you are going to get out of Microsoft Defender. Will you get the reporting that you need? Will you get the telemetry and all the data that you need to be able to follow the path of an attack? You need to be able to see that. You need to know this information for your clients because they may need it for the FBI or something else. So, you need as much information as you can get. You need to make sure that you're going to get the information out of there and you have the right setup to be able to see everything with all of your clients. You should have an RMM tool or whatever you're using to be able to see all of your clients, and you need to make sure that you have the setup for that.
Microsoft Defender has been around for many years, and since Windows 10, they've really ramped it up, and it has gotten a lot better. I've seen some of the statistics on it, and it stands up against some of the other solutions out there, such as Norton. They've added things that make it more of an EDR, which is the endpoint detection and response layer. The ransomware was one of the big add-ons, and it is good that they've put that in there. It can stand on its own now.
It has not affected our organization's security posture a lot, but it has given me more options to lower costs for my clients. It has helped my clients and, in turn, my business. It has not affected our end-user experience in a negative or a positive way. It is just a tool. I do the monitoring, stopping, blocking, and everything else for clients.
It can be a good solution, and I hope that they grow with it and do more with it. They can make it simpler for the security and MSP world. If their solution just gets better for the MSP world, it would help everyone.
I would rate Microsoft Defender a seven out of 10 because of its lack of usability for an MSP and its lack of telemetry information, but it is useful, and it does stop ransomware.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
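The review above makes two practical points: the built-in ransomware protection is off until you turn it on, and without an RMM tool there is no central view of what Defender is doing on each machine. The following is an added example, not the reviewer's or Microsoft's code, that addresses both on a single Windows 10 host using the Defender PowerShell cmdlets. It assumes that "the ransomware part" maps to Controlled Folder Access, that the shell is elevated, and that the export path is a constructed location your collector reads.

```powershell
# Added example (not from the review): audit the built-in Defender state on one
# Windows host and export recent detections as JSON for an RMM or SOC collector.
# Assumes the Defender module (Get-Mp* cmdlets) and an elevated PowerShell session.
# $ExportPath is a constructed location; point it at whatever your collector picks up.
$ExportPath = 'C:\ProgramData\SocExport\defender-status.json'

# Set to $true to switch Controlled Folder Access into audit mode when it is off.
# Audit mode logs what would have been blocked without stopping anything, so you
# can find the line-of-business apps that need an exclusion before enforcing.
$EnableAuditIfOff = $false

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# EnableControlledFolderAccess values: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$cfaModes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$cfaMode  = $cfaModes[[int]$pref.EnableControlledFolderAccess]
if (-not $cfaMode) { $cfaMode = "Other ($($pref.EnableControlledFolderAccess))" }

if ($EnableAuditIfOff -and [int]$pref.EnableControlledFolderAccess -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    $cfaMode = 'AuditMode (set by this script)'
}

# Recent threat detections, newest first, trimmed to fields a SOC can triage on.
$detections = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 50 ThreatID, ProcessName, DomainUser,
                  InitialDetectionTime, ActionSuccess, Resources

# Controlled Folder Access events from the Defender operational log:
# 1123 = write blocked, 1124 = write audited (audit mode).
$cfaEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

$report = [ordered]@{
    Host                      = $env:COMPUTERNAME
    CollectedAt               = (Get-Date).ToString('o')
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    ControlledFolderAccess    = $cfaMode
    Detections                = @($detections)
    ControlledFolderEvents    = @($cfaEvents)
}

New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ExportPath -Encoding UTF8
```

Run it on a schedule per host and have the RMM or SOC pipeline ingest the JSON; a host whose real-time protection is off, whose signatures are stale, or whose Controlled Folder Access is still Disabled then shows up centrally rather than only on the device itself.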
IT Consultant at a tech company with 10,001+ employees
Works reliably behind the scenes and saves labor costs
Pros and Cons
- "It's pretty easy to use, works with compliance issues, and is reliable."
- "Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly."
- "Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing."
What is our primary use case?
Our main use case for Microsoft Defender for Endpoint is as a safety plan because we're in hospitality.
How has it helped my organization?
Microsoft Defender for Endpoint benefits my company by saving on labor costs since we don't have to put in extra effort to maintain it. It's self-sufficient.
Microsoft Defender for Endpoint gives us information about attacks and security, and easy access to data, similar to a spreadsheet. It gives us the information we need. It helps provide quick responses.
Microsoft Defender for Endpoint seems safe, which is the main thing we were looking for, and it works reliably in catching the things we used to catch. We see many random hacking attempts and fake emails, and it cuts them off before anything happens.
Microsoft Defender for Endpoint works mainly behind the scenes. We know we are safe and feel we can relay accurate information to customers.
Microsoft Defender for Endpoint's coverage across different platforms in our environment has no issues. Microsoft seems to have it covered, unlike other software that isn't compatible.
I have tried integrating Microsoft Defender for Endpoint with other software products, and it seems compatible with all of them.
Microsoft Defender for Endpoint has helped reduce our mean time to remediation significantly. It is doing all the work for us, so we don't have to spend our own time on it. It has reduced our mean time to remediation by about 75% to 80%.
Microsoft Defender for Endpoint has helped free our SOC team to work on other projects since we don't have to waste time, as this solution does the work for us. We have saved about 70% to 80% of time because we don't have to focus on certain tasks, allowing Microsoft to handle it for us.
What is most valuable?
It's pretty easy to use, works with compliance issues, and is reliable.
It sends us data, which is clear-cut. We don't have to do anything extra.
What needs improvement?
Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for about six to seven years.
What do I think about the stability of the solution?
I have no complaints about the stability and reliability of Microsoft Defender for Endpoint; it feels solid.
What do I think about the scalability of the solution?
There is plenty of room to expand, which is not a problem since we have been bringing in different brands over the years. Compatibility is its main feature.
How are customer service and support?
The technical support for Microsoft Defender for Endpoint is available around the clock, and that's not an issue at all.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was using another solution six to seven years ago to address similar needs. It has been a long time, and I'm struggling to remember which one it was.
What was our ROI?
We have seen a return on investment when using Microsoft Defender for Endpoint, as it saves labor by reducing the need for staff to focus on it.
What's my experience with pricing, setup cost, and licensing?
It isn't cheap, but it's reasonable and fair.
Which other solutions did I evaluate?
I considered a few other solutions before choosing Microsoft Defender for Endpoint, but that was quite a while ago, and I don't even know if they exist anymore.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 30, 2025
Security Architect at a tech vendor with 10,001+ employees
We can directly connect to a machine, access the system, and check if any malicious files are present
Pros and Cons
- "There are a couple of features, such as isolating the devices or connecting the device and connecting live response."
- "Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives."
What is our primary use case?
We use Microsoft Defender for Endpoint for anti-malware purposes.
How has it helped my organization?
Microsoft Defender for Endpoint has good visibility into threats, capturing 95 percent of them.
Microsoft Defender for Endpoint helps us prioritize threats across our organization, which is important.
We have integrated Microsoft Defender and Sentinel. The process of integrating Microsoft Defender for Endpoint and Sentinel was easy.
They work natively together to deliver coordinated detection and response across our environment, which is important. Microsoft Defender for Endpoint and Sentinel work together comprehensively to detect and protect against threats. If one solution misses a threat, the other one will pick it up.
Sentinel allows us to gather data from our entire ecosystem, which is crucial for us.
It enables us to investigate threats and respond holistically from one place.
Microsoft Defender for Endpoint is an effective anti-malware solution. Additionally, it offers the capability to isolate a device in case of more significant issues with a workstation or server. Moreover, we can directly connect with the machine through Microsoft Defender itself to access and check files using live response, allowing us to assess the situation accurately.
Microsoft Defender for Endpoint offers a unified XDR dashboard that eliminates the need to view multiple dashboards. However, we are only focusing on incidents and log queries.
The threat intelligence helps us prepare for potential threats before they occur, allowing us to take proactive steps, as long as there are alerts and we have properly configured them.
We were previously using IBM QRadar, but it was not quite effective for generating alerts or for data analytics. Additionally, it created numerous alerts, which only sent us notifications for issues like behavioral concerns. This had a significant impact on the workload for InfoSec Operations. Microsoft Defender for Endpoint has helped to reduce our SecOps team's investigation time.
Once we invest the initial time to create alerts and queries, Microsoft Defender for Endpoint saves us time by sending alerts and logs directly. This eliminates the need to repeatedly create queries to search for specific alerts, incidents, or events.
Microsoft Defender for Endpoint has decreased our time to detection and time to respond.
What is most valuable?
There are a couple of features, such as isolating the devices or connecting the device and connecting live response. These are very good features of Microsoft Defender for Endpoint because we can directly connect to the machine, access the system, and check if any malicious files that our Defender or Sentinel is detecting are present or not. This allows us to investigate those files further.
What needs improvement?
Microsoft Defender for Endpoint sometimes fails to detect malware incidents, and when it does manage to stop them, we only receive a notification stating that the issue has been resolved. Unfortunately, we are not provided with any information on how the solution resolved the incident.
Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives.
The pricing needs to be improved.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for a little over one year.
What do I think about the stability of the solution?
I give the stability a nine out of ten.
What do I think about the scalability of the solution?
I give the scalability an eight out of ten.
How are customer service and support?
We rarely need technical support, but when we encounter issues with log ingestion, we contact them. Unfortunately, the support isn't very helpful as they suggest trying things we've already attempted, which haven't worked. Consequently, we often find ourselves searching online to resolve the problem on our own.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I also use FireEye, which is now called Trellix, along with McAfee. Each tool has its own advantages and disadvantages. FireEye was solely an EDR solution. Microsoft Defender for Endpoint is superior to McAfee due to the higher number of alerts and the ability to isolate and connect to the machine in real time.
Microsoft Defender for Endpoint is the default solution for Microsoft, but it can be challenging to integrate with Linux environments. Additionally, if we are using any other EDR or anti-malware solutions, Microsoft Defender for Endpoint will only work passively, not actively, and we cannot convert it to function as an active anti-malware solution.
How was the initial setup?
The initial setup of Microsoft Defender for Endpoint may be more complex compared to other solutions that only require pushing agents to workstations or servers. Each device must be compliant and onboarded to Azure in order to be active, and any non-compliant workstations cannot be uploaded to Azure. On the other hand, with McAfee and similar solutions, we only need to push the agent and it starts reporting to the console. Our deployment process lasted six months and involved a group of three to four people and their respective teams. We had one team for field agents, another for SCCM purposes, and an Operations team as well.
What about the implementation team?
Microsoft assisted with the implementation, and they were efficient.
What's my experience with pricing, setup cost, and licensing?
We are required to pay for the data we ingest, and increasing the data amount incurs additional expenses.
What other advice do I have?
I give Microsoft Defender for Endpoint an eight out of ten.
We currently have around 6,000 Microsoft Defender for Endpoint users in our organization.
We have a team called InfoSec Operations that handles maintenance and consists of approximately five people.
I recommend Microsoft Defender for Endpoint for larger organizations, and they should undergo training if they intend to use it in conjunction with Microsoft Sentinel, as it is a complex tool compared to others like QRadar. For smaller organizations, I suggest using Splunk, which is a reliable solution.
Microsoft Defender for Endpoint is a viable solution, but it does have limitations when it comes to other operating systems. I would not recommend this solution for an organization that operates in a Linux-based environment.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Specialist - Collaboration Platform Engineer at a tech vendor with 1,001-5,000 employees
Helps us find a lot of vulnerabilities and fix a lot of security-related issues
Pros and Cons
- "Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them..."
- "Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first."
What is our primary use case?
Once we enroll devices, the Microsoft scanners scan them in the backend and find vulnerabilities for the devices. For example, if our Office version is outdated, or Chrome is an outdated version, or there are any vulnerabilities or security loopholes, they will be displayed in Defender for Endpoint. We go through those vulnerabilities and we try to fix them by creating group policies or by using Intune. If there are any security recommendations in Defender for Endpoint, we fix those assets.
How has it helped my organization?
It's the best solution for vulnerabilities. Most updates will be done by group policies in a big organization and everything will be maintained in that way. But with non-group policies, if it's not a hybrid environment, or they are only using cloud, or they're connected to Azure already, or they don't have AD, a lot of updates will be missed. That is a very difficult situation for handling vulnerabilities. In that situation, once we enroll the devices to Defender for Endpoint, all the vulnerabilities will be displayed on the dashboard and we can review them and fix them. In that way, we can stop most cyberattacks and close all the vulnerabilities and loopholes.
Before enrolling devices to Defender for Endpoint, we don't know what vulnerabilities or security loopholes are on those devices. Once we enroll devices we find a lot of vulnerabilities and we have been able to fix a lot of security-related issues. It has helped us a lot.
It is impacting our security score. Before we enrolled our devices to Defender for Endpoint, our security score was 58. When we enrolled 500-plus devices to Defender for Endpoint, our security score went down to about 42 percent. We then understood we need to maintain it above 50 percent, as recommended by Microsoft. We are trying to increase our security score by fixing those issues.
It shows how to fix a given vulnerability or security issue, providing step-by-step guidance. That saves a lot of time because if we didn't know how to fix a vulnerability, we would need to do some research and find the right document. That would take time. It is saving us 10 to 15 hours per month.
What is most valuable?
It finds the loopholes and vulnerabilities and shows you some security recommendations as well. Based on the requirements, we fix them. We don't necessarily need to fix all the vulnerabilities. For example, if an organization is using Office 365 and the accounts team wants Excel to be updated to version 16.2.0, some applications or some data will work only with that particular version, but some data will not be supported. In that situation, we don't want to upgrade MS Excel.
Integrating Microsoft solutions with other solutions is not that difficult. Microsoft provides documentation on how to integrate things, which is good. We get a lot of information from the Microsoft pages. Integration is very helpful for finding all the security-related stuff.
Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them, or if we want to work on the security-related ones, we can go to the security tab and work on all of them.
The solution's threat analytics is another tab and it is helpful for finding vulnerabilities, phishing emails, and spam emails. If we want to release them, we can release them. We will check IP abuse and whether the IP is related to brute force attacks. If we want to improve on something, we will send it to Microsoft to analyze it. Being proactive is important. As specialists, we need to review the recommendations from Microsoft on a day-to-day basis and fix them as much as we can. Day-to-day, we need to upgrade and make sure all the devices are up to date. That should not be done on a weekly or monthly basis.
What needs improvement?
Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first.
For how long have I used the solution?
We have been using Microsoft Defender for Endpoint for one and a half years.
What do I think about the stability of the solution?
I haven't seen any downtime. I don't see any issues with the stability. If there is any downtime, Microsoft will send a message on the dashboard and we can see any service issues.
How are customer service and support?
Their tech support is very good. If we raise a ticket, they will respond within 15 to 20 minutes. If they don't know, they will do some research and come back to us. I love working with Microsoft.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used GFI Vipre. We switched because Vipre was not a Microsoft product, and we trust Microsoft. Between a third party and Microsoft, most people will choose Microsoft because the solution and the support are very good. We also have a client portfolio and we get a discount on the license.
How was the initial setup?
The initial setup is simple. We run a script on the local machine and the device will be enrolled to Defender.
I completely configured Defender for Endpoint to be used in an automated way. We enrolled our devices to Intune and we configured Defender for Endpoint in Intune. Once we add our devices to Intune and to a group, those devices will be enrolled to Defender for Endpoint also. Enrolling takes around 24 to 48 hours.
Maintenance is pretty easy. Once we run that script, there are no complications while enrolling the devices.
What's my experience with pricing, setup cost, and licensing?
The comprehensiveness of the threat protection that Microsoft security products provide depends upon the license. Right now, we are using E5 licenses, which cover every security feature. But if a small or mid-level organization uses an E3 license or Business Basic plan, not all the features are provided. The cost is high for E5 licenses, but if we go with the E3 license, most of the features are not covered.
Which other solutions did I evaluate?
We did some research and found other solutions. The support is very good for Microsoft. If we raise a ticket, within 15 to 20 minutes, we will get a response from the Microsoft support team regarding the issue. They keep an eye on it; every ticket is tracked. If we want, we can also escalate. With a third-party solution, we cannot get as much support as we can with Microsoft.
There are a lot of cyber security tools, so it depends upon the requirements. I'm not saying that we need to use only Microsoft. But when it comes to support, I don't know how the others do. Using a suite of solutions from Microsoft has benefits. Support is a very good one. The recommendations are also provided in the dashboard, and the SLA is 99.9 percent; we don't expect downtime with Microsoft.
What other advice do I have?
We are not using Microsoft Sentinel. It will create alerts regarding VMs or storage but the cost is very high. Sentinel is not going to help much more when compared with Defender for Endpoint. Sentinel isn't preferable. It only creates alerts. There is not that much impact on the organization if it uses Sentinel also.
Microsoft Defender for Endpoint is a very good solution. I recommend using it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Administrator at dm-drogerie markt GmbH + Co. KG
A seamless solution for Windows with good reporting and performance
Pros and Cons
- "The whole bundle of the product, which is similar to other Microsoft products, is valuable. Ten years ago, you had third-party stuff for different things. You had one solution for email archiving and another third-party one for something else. Nowadays, Microsoft Office covers all the stuff that was formerly covered by third-party solutions. It is the same with antivirus. The functionality is just basic. You have the scanning, and then you also have a kind of cloud-based protection and reporting about your environment. With Microsoft Security Center, you have a complete overview of your environment. You know the software inventory, and you have security recommendations. You can not only see that the antivirus is up to date; you can also see where the vulnerabilities in your system are. Microsoft Security Center tells you where you have old, deprecated software and what kind of CVEs are addressed. It's really cool stuff."
- "We encountered some misbehavior between Microsoft Office Suite and Defender. We had issues of old macros being blocked and some stuff going around the usage of Win32 APIs. There is some improvement between the Office products and Defender, and there is a bunch of stuff that you can configure in your antivirus solutions, but you have several baselines, such as security baselines for Edge, security baselines for Defender, and security baselines for MDM. You have configuration profiles as well. So, there are a lot of parts where we can configure our antivirus solution, and we're getting conflicting configurations. This is the major part with which we're struggling in this solution. We are having calls and calls with Microsoft for getting rid of all configuration conflicts that we have. That's really the part that needs to be improved."
What is our primary use case?
We are one of the major drug stores in Germany. We are located in 13 European countries such as Austria, Bulgaria, Czech Republic, and Poland. I'm working here as an IT Administrator, and I'm focusing on software deployment and antivirus solutions.
Our use case is that we got to have antivirus. Cyber insurance forces us to have an antivirus solution that meets the requirements the insurance has.
In terms of deployment, we're using Defender without ATP in the old world. For domain-joined clients and on the Intune-managed clients, we use Defender in combination with ATP. The on-prem clients are usually old-school domain-joined clients.
We have its latest version. We always try to be at the newest version.
How has it helped my organization?
In the old world, we have Defender in combination with SCCM. It's not as good as Security Center, but you have all the reporting stuff that tells you whether your clients are up to date or not. The ATP Security Center is the Mercedes-Benz of antivirus solutions because it is so much more than just antivirus. Microsoft Security Center comes with the ATP license, and it provides a really compact but whole view of your tenant and the vulnerabilities in your tenant. I feel that my administration got more proactive than just reacting. I can see that my Office is not up to date, or a client is using an old version of Firefox or Adobe Reader. So, Security Center tells me all this, and I can proactively update these clients and have a look at the bad guys in my environment. That was the part that McAfee never showed. I could see my clients with old signature files or engines, but McAfee Orchestrator didn't show the actual vulnerability of the client, which is the great benefit of Microsoft Security Center.
What is most valuable?
The whole bundle of the product, which is similar to other Microsoft products, is valuable. Ten years ago, you had third-party stuff for different things. You had one solution for email archiving and another third-party one for something else. Nowadays, Microsoft Office covers all the stuff that was formerly covered by third-party solutions. It is the same with antivirus. The functionality is just basic. You have the scanning, and then you also have a kind of cloud-based protection and reporting about your environment. With Microsoft Security Center, you have a complete overview of your environment. You know the software inventory, and you have security recommendations. You can not only see that the antivirus is up to date; you can also see where the vulnerabilities in your system are. Microsoft Security Center tells you where you have old, deprecated software and what kind of CVEs are addressed. It's really cool stuff.
What needs improvement?
We encountered some misbehavior between Microsoft Office Suite and Defender. We had issues of old macros being blocked and some stuff going around the usage of Win32 APIs. There is some improvement between the Office products and Defender, and there is a bunch of stuff that you can configure in your antivirus solutions, but you have several baselines, such as security baselines for Edge, security baselines for Defender, and security baselines for MDM. You have configuration profiles as well. So, there are a lot of parts where we can configure our antivirus solution, and we're getting conflicting configurations. This is the major part with which we're struggling in this solution. We are having calls and calls with Microsoft for getting rid of all configuration conflicts that we have. That's really the part that needs to be improved.
It would be cool to have just one interface or only one or two locations where you configure the stuff. Currently, they have three locations where you can configure your antivirus. Three locations are too much, and there is too much conflict. It is not a one-to-one configuration. There are some configuration settings that you can only do in SCCM. You don't find them in MDM. So, it's not always one-to-one.
The last point of improvement is related to the quality of service that Microsoft provides. The quality of service that Microsoft provides should be improved.
For how long have I used the solution?
We have been using Defender for two years. Two years ago, we migrated from McAfee Endpoint Protection to Defender Antivirus. This migration process took us one year to migrate all systems. So, we're now totally on Microsoft Defender on all workstations and servers.
What do I think about the scalability of the solution?
Scalability and deployment always depend on how many of your clients are online. There is no problem with the scalability and deployments of servers because they are online 24/7, but client management is different than server management. We are located in 13 countries, and we have about 9,000 clients. Of course, they are not always online because of which you're always struggling with your client management.
How are customer service and technical support?
If you open a call with Microsoft, you're in God's hands. Some of their engineers are top-notch and some are not. We have some strange calls going on for weeks and months, and nothing is happening. There are always the same questions. The quality of service that Microsoft provides should be improved.
Which solution did I use previously and why did I switch?
We migrated from McAfee Endpoint Protection to Defender Antivirus. I worked with ePolicy Orchestrator from McAfee for almost 20 years. The user interface of McAfee was fine, but the hassle began with Windows 10. Updating McAfee and the endpoint security stuff was always a hassle. We had to update all the McAfee stuff before having a feature update, so we were always in this hassle of the update process of either McAfee or Windows. Defender is a seamless solution for Windows.
Microsoft has done a lot to improve Defender. There are not so many differences between basic scanners. If you look at the Gartner studies, Defender has really improved a lot. It came out one or one and a half years before we started to migrate our clients to the Intune MDM solution, and within this migration to MDM-managed clients, we also established advanced threat protection (ATP) with Defender. It met our requirements perfectly, and we did penetration testing for the solution, and it turned out to be perfect.
How was the initial setup?
The deployment process is okay. Of course, you always struggle at several points, but overall, the deployment is fine for Defender.
Which other solutions did I evaluate?
We evaluated a lot of different scanners, such as Passkey. McAfee ePolicy Orchestrator now comes with the option to integrate within Microsoft Security Center, but McAfee came up with its solution a little bit too late.
In the on-prem world, we are using Microsoft Defender in combination with the endpoint manager to SCCM, and it is fine. I really prefer the interface of McAfee ePolicy Orchestrator, but it doesn't have as many benefits as Microsoft Defender in combination with SCCM.
What other advice do I have?
In terms of the end-user experience, end-users don't like to be bothered with the virus scan. A virus scan is always annoying for the end-user. An end-user cannot actually configure the antivirus and only gets a notification if something is wrong or some malware is found. That's it. There is not really an end-user experience.
The performance of the client is fine with Defender. We are not encountering many performance issues or any serious issues with Defender. When we turned over to Defender, some of the applications that were functioning absolutely flawlessly with McAfee started to have serious performance issues. So, we had to define an exclusion list for some of the processes or applications, but there are always some applications that need exclusions for McAfee or Defender.
I would rate Microsoft Defender for Endpoint an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.