IT Central Station is now PeerSpot: Here's why

Microsoft Defender for Endpoint OverviewUNIXBusinessApplication

Microsoft Defender for Endpoint is #2 ranked solution in top Anti-Malware Tools, #3 ranked solution in endpoint security software, and #3 ranked solution in EDR tools. PeerSpot users give Microsoft Defender for Endpoint an average rating of 8.0 out of 10. Microsoft Defender for Endpoint is most commonly compared to CrowdStrike Falcon: Microsoft Defender for Endpoint vs CrowdStrike Falcon. Microsoft Defender for Endpoint is popular among the large enterprise segment, accounting for 57% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 22% of all views.
Microsoft Defender for Endpoint Buyer's Guide

Download the Microsoft Defender for Endpoint Buyer's Guide including reviews and more. Updated: July 2022

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is a complete endpoint security solution that delivers preventative protection, post-breach detection, automated investigation, and response. With Defender for Endpoint, you have: 

Agentless, cloud powered - No additional deployment or infrastructure. No delays or update compatibility issues. Always up to date. 

Unparalleled optics - Built on the industry’s deepest insight into Windows threats and shared signals across devices, identities, and information. 

Automated security - Take your security to a new level by going from alert to remediation in minutes—at scale. 

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Defender for Endpoint was previously known as Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, MS Defender for Endpoint, Microsoft Defender Antivirus.

Microsoft Defender for Endpoint Customers

Petrofrac, Metro CSG, Christus Health

Microsoft Defender for Endpoint Video

Microsoft Defender for Endpoint Pricing Advice

What users are saying about Microsoft Defender for Endpoint pricing:
  • "Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially."
  • "Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license."
  • "Licenses depend upon what you are looking for and what kind of security do you want to implement. There are costs in addition to the standard licensing fees. When we used to buy Symantec, we used to spend on 100 licenses. We used to spend approximately $2,700 for those many licenses, and they came in packs. To add one more license, I had to buy a pack with a minimum of 10 licenses. I had to spend on nine extra licenses because I can't get a single license, whereas when we go for Microsoft, we can get as many licenses as we want. If I have 100 users today, and tomorrow, I have 90 users, I can release my 10 licenses next month. With any other software vendor, you buy licenses for one year, and you have to stick with that. If today you have 100 licenses, and tomorrow, you have 50, you have already paid for one year's license. You can't go back and tell them that I don't require these 50 licenses because I have lost my 50 users, but with Microsoft Defender, licensing is on a monthly basis. It gives you both options. You can go yearly and save on it, or you can go monthly. You will, again, save on it. It is very fair everywhere."
  • "The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same."
  • "It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them."
  • "Its price at the moment is very good because you get a lot of value for your money, especially with the subscriptions. If you have the E1, E3, or E5 enterprise subscription, you pay per month per user, and you get almost an infinite number of solutions. If you compare the price to the number of solutions that you get, it is a very good deal."
  • Microsoft Defender for Endpoint Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Principal Consultant at a tech services company with 201-500 employees
    Real User
    Top 5Leaderboard
    Enables ingestion of events directly into your SIEM/SOAR, but requires integration with all Defender products to work optimally
    Pros and Cons
    • "The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time... Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps."
    • "It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception... One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts."

    What is our primary use case?

    Our use cases, and the way we deploy it, depend on the different situations we encounter.

    There may be a company that is already using the Endpoint Protection solution and we have to do a migration.

    Another scenario is that a company may be migrating away from another endpoint threat protection solution.

    And there are some companies that are already using SCCM, and we may have to go through one of two scenarios. One is to co-manage with what they call Microsoft Endpoint Manager and Configuration Manager. If they are already using SCCM, and only SCCM, we will typically have to go through a process where we integrate SCCM into Endpoint Manager and then they'll usually bring some endpoints into Intune and they'll do a PLC. They have to Azure AD-join or register a device into that so it can be managed through Intune. They may even co-manage it for a while until they fully onboard into Intune only. A lot of people are looking to get away from co-management and managing through Endpoint Manager. But there are some prerequisites to accomplish that.

    The endgame for most companies is they want to manage things from Intune only. There are different paths to get there, depending on what they already have in place.

    How has it helped my organization?

    Overall, Defender for Endpoint has created a better security posture, particularly in these COVID times where no one is on-premises anymore and they're working remotely.

    What is most valuable?

    More than anything, what I find most valuable is the holistic integration with all Defender products and MCAS. You can not deploy this in a vacuum. It's like most Microsoft technology. If you want to do a Zero Trust model and framework, you have to deploy things in a holistic solution.

    Among the new features I like is that you can ingest your Defender events directly into your SIEM/SOAR product, particularly Azure Sentinel, although not a lot of people are using that and you don't have to be using it. You can ingest them into any SIEM/SOAR product directly.

    There are features that have helped improve a company's security posture, now that remote work has come into play. Microsoft had to come up with a solution because identity is the new security plan. The largest attack surface is going to be your endpoints, so you have to be able to control your endpoints. There is malware that can collect IDs and it doesn't have to be from privileged accounts, it could be from any account. Once they get in, then they can start looking around to see if there are any security holes, move laterally, and get a hold of a privileged account. And if they get a hold of a privileged then they can just turn off all your security controls and get to your data and you've got a ransomware attack. With Defender for Endpoint, it's the combination. Every one of the features in it is equally important, but the most important thing is integrating it with the other Defender products, to create a holistic solution.

    The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time. You are better off as an organization, when it comes to BYOD—because Apple just now started supporting separation of corporate and personal profiles—to start with the version that supports that feature. If you go below that level, you don't get that feature, and it makes it very difficult to separate corporate and personal profiles. Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps. I can cut the ability from sharing files between apps between the personal and corporate profiles. From a data loss prevention standpoint, I can completely segment corporate apps and data from personal apps and data.

    Another feature is that it is now supported across multiple platforms, where it was regulated at one time for just Microsoft-supported operating systems. That development is very important.

    What needs improvement?

    There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions.

    Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organizations' recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.

    Buyer's Guide
    Microsoft Defender for Endpoint
    July 2022
    Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    622,358 professionals have used our research since 2012.

    For how long have I used the solution?

    I've been using Microsoft Defender for Endpoint since it first came out. They bundled it into M365 licenses, particularly E5 licenses or the equivalent, around 2019.

    What do I think about the stability of the solution?

    Like every other security product out there, the stability of Defender for Endpoint is a work in progress. The solution is trying to address a tough problem and anybody will tell you that cyber security is not a fair fight. It's just incredibly hard to defend against the bad actors. Everybody is scurrying right now to come up with different ways to stop the problem and it's just not there yet.

    What do I think about the scalability of the solution?

    In terms of scalability, we have run into organizations that are very large and that have said it doesn't scale well. I'm part of MISA, the Microsoft Intelligence Security Association, and we did a review of all their products and they all had scaling problems, including SIEM/SOAR, MCAS, Endpoint Manager, et cetera.

    There are two "fronts" for anybody who is using a SIEM/SOAR: one is how fast they can ingest, and the other one is how fast they can make decisions. You want to do this in real-time, or near real-time.

    The ingestion problem is that you're ingesting a bunch of stuff from everywhere: from the network, from identity, from all your services, and your apps. It's a crazy amount of data. Some organizations are doing on the order of 5 billion events daily. How do you ingest all that in a timely manner and correlate it? You have to do it in a distributed way. There will be a top-level SIEM/SOAR and several underneath it that are collecting data for a particular location or a set of users. You trim that down and eventually ingest stuff to the top so that you can see things from the holistic viewpoint. Or you decentralize it, where office A and all its users have their own, and office B has its own, and you don't necessarily roll it up into a single, corporate-wide solution.

    There are products out there that are addressing this by not storing the events directly onto disk, but into flash drives, so they're super-fast. They never put it on a disk and save it. You can have the option of saving it to disk for long-term retention. But the immediate ingestion of events is happening through flash drives. It sits in fast memory, never gets written to disks, and that's how they're speeding things up. And there are AI/ML engines pulling that stuff in and they can act much faster.

    In addition, some AI/ML engines are more mature than others. There is a lot of work being done on that front. When it comes to Endpoint Manager there are a bunch of events coming from a ton of endpoints. It's no different than ingesting events from a thousand database servers. Or they could be from your whole application reference architectures, and your data analytics reference architectures. Everybody sees the problem coming, the problem of big data. That's what we are really talking about. There is a whole lot of stuff coming in and we have to make sense of it, figure out what's relevant, have a scoring system and prioritization system to make decisions fast. For example, the bad guys are able to get into your systems and, within 20 minutes, they've already done an assessment. Usually, if you're lucky, you can respond to that in 30 minutes. And if you're a huge enterprise, you may not even be able to respond that fast.

    That's the reason everybody says it's not a fair fight. We don't have the tools right now to react fast enough.

    As for how extensively it's being used by our clients, anyone who is going to use it plans to use it as a one-stop solution. They won't be using multiple solutions and they will roll it out to every endpoint. It makes perfect sense to do so because you don't want to have multiple products and require your staff to have knowledge of multiple products.

    For big corporations, it takes a little while to get there. It's something that has been evolving for 30 years now. Organizations want to settle on a standard desktop and want to be able to do configuration control that allows them to control the apps and the usability from a security standpoint. It used to be, "Let's make it easily usable." But now the industry is flipping that over to, "It has to be secure." The vendors have finally come to the point where the balance between usability and security is leveling out.

    Which solution did I use previously and why did I switch?

    I've used multiple solutions in the past. We switched based on our customers' requests. Some do it for solution architecture reasons and some of them do it for enterprise.

    The enterprise customers say, "Oh, we know we need Endpoint Manager, but we need to align a solution with our business requirements first. Before you even select a solution we are going to look at our business requirements, then do a bake-off possibly, and then select a solution." Or they'll just look at industry ratings of the solutions and say, "Oh, this is the best one," not knowing that those ratings don't necessarily look at every new solution out there. There are so many. We are a VAR and we resell hundreds of security and regulatory compliance products. Usually, unless they bring us in at the early stages of the process, our clients have already picked a solution.

    How was the initial setup?

    The initial setup is very complex. To me, it's one of the more complex solutions because it touches so much. I have to know every platform and every platform version, when I create security baselines. As I mentioned, certain versions of iOS don't support the separation of corporate and personal profiles, and then you run into the scenario where they're already using some other endpoint protection and they want to migrate it to Microsoft Defender for Endpoint.

    Or there is the scenario where they are using SCCM and to then use Microsoft Defender for Endpoint you should really require Endpoint Manager, meaning that you have to transition to that. And as I noted, making exceptions is hard. 

    And when you integrate it across all the Defender products, and are managing a project like that, you have to get to a point where they're ready to be integrated, which is an issue of timing. So it's one of the more complicated things to roll out, compared to Defender for Identity. Defender for Office 365 is pretty large too, but Endpoint is the hardest of the three.

    It even touches identity, because there are Azure Active Directory conditional access policies, and those are connected with Endpoint Manager. You've literally got to look at what policies and what setup within Endpoint Manager can apply to different versions of iOS. You have to dissect so that if you're going to do BYOD, for example, and allow a version of iOS from some early version and up, you have to understand that there may be some options that you can use with one version that you can't with others. It's much easier to do with Android than it is with iOS.

    When you start heading down that path, it's a maturation process. You have to roll things out in phases. It's a very complicated product. Like with SIEM/SOAR products, when you start getting events, you could be flooded with them. You have to learn to tune it, so that you can differentiate the trees from the forest. You have to correlate things and automate your responses. That type of tuning process is a long process one to get the clutter out.

    A product like Sentinel is pretty cool because it has predetermined workbooks, and predetermined manual and automated responses. It has playlists. They are making it very much easier to trim that clutter and to get to the nitty-gritty, and they have done so with Defender for Endpoint.

    The deployment time, with fine-tuning, depends on the size of the organization. If it's a small or medium business, it could take three months to deploy and tune, and it could take longer; up to six months. It depends on many factors that I've mentioned, such as if they're migrating, or if they have an integration between SCCM and Intune. It also depends on the expertise level of the organization, its maturation level, and skill sets. All of that comes into play.

    It also depends on their starting point in terms of some of the prerequisite services. You don't generally roll out Defender for Endpoint until you've got identity governance and protection. That's the first thing you do because everything is dependent upon that. After that, the prerequisite is rolling out Endpoint Manager, and then Defender for Endpoint. If it's a hybrid situation, you may roll out Defender for Identity so you can cover your Active Directory controllers and provide threat protection for them, although you can do all the "Defenders" in parallel; you just have to time them correctly so that when you integrate them together they're ready to go.

    For large organizations, it could take a year or two. For example, if there are half a million endpoint devices—and that's possible if you have an organization with 200,000 employees and contractors, and each has a laptop and a mobile—it can take some time.

    In terms of an implementation strategy, I have developed work-breakdown structures for just about every Azure service and almost every Azure M365 service. They look at working with them holistically, but they are broken down into each individual service and mention the other services within the work-breakdown schedule, and how you integrate them. The first thing I do is a current-state assessment and that gives me an indication of the readiness for deployment. The next steps are plan, design, deploy, manage, secure. There are strict sets of security controls and I have to gather every single one of those per platform. It's quite a long process. It follows the saying, "If you fail to plan you plan to fail."

    As for staff required to maintain Defender for Endpoint, once you get it set up and tuned it's not too bad. It depends on the size of the organization again. If a business has 100 people, one person can do it easily. If there are a few thousand people, you may need two or three people. It often depends on your getting all the features rolled out. In IT it often happens that we roll stuff out and we always intend to get to that other piece but we just never get the time to do it. Many organizations are going to a lean staff and bringing in consultants to help roll things out. For us, as a contractor, it's great. Our business is booming.

    What's my experience with pricing, setup cost, and licensing?

    Most organizations that we have come to want to replace their current endpoint protection solution for Defender. A reason many of them do that is that they aren't pleased with whatever they have. They may not know what features are relevant and just don't know how to roll them out. They realize, "Oh, I bought M365/E5 licenses, and Defender comes with them already. Why not use it?" 

    Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially.

    Which other solutions did I evaluate?

    If our client brings us into the process at the right time, we evaluate products for them, since we're evaluating products constantly. That's part of what we do. We have to know, through a deep-dive, the pros and cons of each. We are constantly being updated by our vendors about how they're addressing a particular security area.

    Is Defender for Endpoint the best product out there? No, it's not. I can think of several others that are pretty amazing. It's still a product that's evolving, but it does a really good job for the most part. It does the best job when it is integrated with the whole Microsoft holistic solution. If you look at Microsoft's site, you will see what capabilities Microsoft has. They will show you how these products integrate and work together to give you a holistic solution to develop a Zero Trust model framework.

    And while it's not the best solution overall, some of the pieces are. There are several areas where Microsoft is good or better than most, and then there are some weaknesses when you do Zero Trust. They don't have a secure web gateway product. Their MCAS or CASB product leaves a little bit to be desired. There are other solutions, in those two components of a Zero Trust model, that do a much better job. Zscaler probably has the bulk of the business but I'm a big fan of Netskope. There is Crowdstrike, and Forcepoint may be making some inroads because they just developed a new anti-malware technology. But none of them are going to be perfect because malware is a hard problem to solve.

    There is also a new product I just reviewed for M365 Security that is pretty amazing on paper. Although I haven't actually kicked the tires on it yet, it looks really good and it's from one of the fastest-growing companies out there.

    Think of it like this: If you don't buy E5 licenses or the equivalent with M365, you don't get Defender for Office 365. People don't realize that product is a kind of a split product. It's a multi-function product. It has some DLP pieces that work with MIP and it has some pieces that work with the Office 365 outlying suite. It's a little bit of a funky product.

    But one of the things it has is a part of your Exchange Online protection. Without it, you don't get the features like anti-spam, anti-virus, safe links, and safe attachments. That combination addresses what is called a combined attack. You get an attachment and the attachment may have a link in it, or you get an email that has a link in it. They all look legitimate. If someone clicks on it, it takes them to a malware site, and bam! You just downloaded it into your computer and now endpoint protection comes into play.

    Eighty percent of malware is still spread via email today. That's how they attack you. They're trying to penetrate your apps and they're even trying to penetrate your M365 online apps. This product works inline and they've already proven that, even with Defender for Office 365, there are still malicious messages getting through. The bad actors figure out how. They actually buy the product and figure out where its weaknesses are and they attack it. Because it's such a popular product it's the one they're going to target. It has the biggest attack surface. They've been attacking the weaknesses of M365, particularly the Exchange Online protection and all the weaknesses in Defender for Office 365. They've just been clobbering it. We're having a lot of people say to us, "Do a security assessment on our M365". All I can tell them is that it's not their problem as much as it's the product's problem right now.

    Microsoft is trying to address things as fast as it can, but it's going to take months to get there. But here is another product you can add on that can help you fill those flaws. What this other company has done is that they've said, "We'll fix those flaws for you and we'll make it an easy process to do so." Usually, the circumstances in which you need an email security gateway is when you don't have an E5 license. But now they're even attacking that. And when that happens you have to change the MX record. With this new product that I've read about, you don't have to do that. It just supplements the weakness of M365, not only in Exchange Online protection but throughout all the other apps, like Sharepoint, Teams, and OneDrive. That's pretty impressive. And it works with all those products easily, without change in administration or training. It installs in minutes. I was floored when I saw that.

    What other advice do I have?

    The organizations I have worked with that are using Microsoft Defender for Endpoint are mostly small- and medium-sized businesses. Our larger customers are generally not using it.

    There was a service built within our organization, a service that is very much hooked in with CrowdStrike. If you've ever seen the CrowdStrike products, you'll understand why. They are pretty impressive products. They do some things that help them see malicious activity in near real-time. Can they react to it in near real-time? No. But like everybody, they are trying to find a way to be able to react faster. They just bought a company called Humio, which is a SIEM/SOAR product I referred to earlier that does not store events directly to disk, so it can act on things much faster.

    Used alone, I would rate Defender for Endpoint a seven out of 10. When integrated with other Microsoft products, I would give it an eight. It really depends on other pieces of the solution for Zero trust to work properly. It won't work well if you deploy it by itself. If you're going to use Defender for Endpoint, you should also use Defender for Identity, Defender for Office 365, and the full gamut, including MCAS and MIP, and then you will need your SIEM/SOAR. It's a long journey. And you had better have done your identity very well. If you haven't, it won't really matter what you throw in place, once they breach your identity plane. That's the most important one. I can put every possible safeguard in place, but if someone gets the keys to the kingdom, I might as well just turn them off.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Infrastructure and Security Manager at a sports company with 11-50 employees
    Real User
    You can access all your security data and telemetry from a single pane of glass
    Pros and Cons
    • "This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time."
    • "On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform."

    What is our primary use case?

    We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

    It is cloud-based. We have a cloud-first strategy when it comes to our organization.

    We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

    We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

    How has it helped my organization?

    This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

    What is most valuable?

    I like the fact that it is baked into the Microsoft platform. 

    Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

    What needs improvement?

    If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

    I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

    The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

    On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

    For how long have I used the solution?

    I have been using it for about a year.

    What do I think about the stability of the solution?

    With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

    I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

    It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

    What do I think about the scalability of the solution?

    It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

    As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

    How are customer service and support?

    The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

    They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

    I would rate them as eight out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

    When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

    I wouldn't say the user impact has changed on top of the AV product that we had before.

    How was the initial setup?

    The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

    It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

    It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

    What about the implementation team?

    I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

    We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

    We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

    What was our ROI?

    There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

    What's my experience with pricing, setup cost, and licensing?

    One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

    Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

    You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

    Which other solutions did I evaluate?

    We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace

    Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

    Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

    The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

    We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

    It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

    One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

    What other advice do I have?

    A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

    Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

    A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

    As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

    I would rate them as eight out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Microsoft Defender for Endpoint
    July 2022
    Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    622,358 professionals have used our research since 2012.
    IT Manager at SAI Systems
    Real User
    Reduces admin overhead and allows us to define and roll out policies from a central console
    Pros and Cons
    • "The best part is that it is built into Windows, whether it is a server base or a desktop base, which gives more control over the operating system. Because Defender, the operating system, and the Office solution are by Microsoft, everything is working like hand-in-glove. Its administrative overhead is less because a desktop user has already got some experience of how to handle a Microsoft Defender notification or administer it."
    • "Its user interface (UI) can be improved. Currently, in the console, you have to dig down for certain things. They've got many different layers to get to things instead of having it all on the surface. You have to go three folds lower to get to specific functionality or click a particular option. It would be good if we can manage the console through menus and instead of three clicks, we can do things in one click. They need to change the UI and work on it in terms of a better user experience."

    What is our primary use case?

    It comes inbuilt with Windows Server and Windows 10, so we are using its latest version. It is deployed centrally on all the platforms, whether it is a virtual environment, a BYOD device, or an office device. It is deployed everywhere. 

    All of our users are on Office 365. By default, every user is getting Office 365, and we are also incorporating this into data leak prevention. We have also enabled Azure Active Directory, so policies are deployed directly from our active directory. 

    How has it helped my organization?

    It has reduced admin overhead. Because it comes inbuilt with Windows, we don't have to deal with the complication of using a third-party solution. We stopped using Symantec Antivirus three years ago. Previously, we had to find a person who knew how to manage Symantec Antivirus. Now, we don't have that overhead. It is also less taxing on the admins because they don't need to license an extra software every year and then deploy and manage those licenses. Everything is seamlessly managed from a central application.

    Our full backup is on OneDrive. We had deployed separate storage area networks to back up important data for off-site users, not on-site users. In the current scenario of work from home, users need to establish a VPN connection to run our backup system. When they are at home, we cannot back up their systems if they don't have good connectivity. We also can't tax their broadband connections. Incorporating OneDrive as a backup solution with Windows Defender and Windows 10 has helped us immensely. We were not prepared for having people working from home because we always worked from the office, and 100% office attendance was required, but due to the pandemic, people moved to their hometowns, and we could no longer manage those systems. It became a headache for us when people used to report that their Windows got corrupted. Because they were working from home and there is a big problem of electricity in India, if electricity is not there, the systems suddenly shut down, and the registry gets corrupted. All these things are difficult to handle when you're at a remote location and you don't have your eyes and hands on that particular location. In such times, Windows Defender became a very big helping hand in managing the recoveries of such systems. The backups managed from OneDrive were very helpful. It has saved hundreds of hours of restoring the system in case something goes wrong. There was an instance where a user opened a spam message, and a ransomware attack was done on that system. Because the backup is managed by OneDrive, within 17 hours, this user's whole laptop was recovered without physically working on that laptop. Because of slow connectivity, it took time, but we were able to recover. This is the best feature of having OneDrive backup on the fly and recovery on the fly. These 17 hours were peanuts as compared to the data that we were able to save. This is the best selling point of having OneDrive as a backup with Windows Defender and Office 365.

    What is most valuable?

    The best part is that it is built into Windows, whether it is a server base or a desktop base, which gives more control over the operating system. Because Defender, the operating system, and the Office solution are by Microsoft, everything is working like hand-in-glove. Its administrative overhead is less because a desktop user has already got some experience of how to handle a Microsoft Defender notification or administer it. While working on Windows 10, every now and then, users might have seen it popping up, and they know how to do certain things. So, it is not too taxing from an administration point of view where we have to tell users what to do. 

    Centralizing policies and rolling everything out is done only from one console. We are able to provide restrictions based on what we want to filter, such as certain apps should not run and certain things should run. Because we are also into website development and code development, sometimes, users need to run certain software or their own build application, which is not possible to specify with an antivirus solution. With Defender, we can centrally deploy a policy where certain parts are excluded, and they can run their code in those particular parts. This is a very nice feature where we don't have to micromanage developers' PCs or exceptions.

    Data leak prevention is something that our company requires, and it is incorporated in this solution. Because we are using Microsoft OneDrive, and it is easy to take the backup to OneDrive via Microsoft Defender.

    It has helped in improving our security posture.

    What needs improvement?

    Its user interface (UI) can be improved. Currently, in the console, you have to dig down for certain things. They've got many different layers to get to things instead of having it all on the surface. You have to go three folds lower to get to specific functionality or click a particular option. It would be good if we can manage the console through menus and instead of three clicks, we can do things in one click. They need to change the UI and work on it in terms of a better user experience. For example, user management should be in one menu, license management should be in one menu, and backup management should be in one menu. Currently, if you click on a user, you will get some devices there, and some devices will be on the other menu. Its UI is complicated. In terms of functionality, everything is okay. We don't want anything to be changed in it.

    For how long have I used the solution?

    We have been using this solution for three years.

    What do I think about the stability of the solution?

    It is highly stable. We don't even have to look into it to see if it has stopped working, or whether it is doing its job well or not. We have around 500 devices in our organization, and all devices do the regular login with the logs. It is immensely stable.

    What do I think about the scalability of the solution?

    Its scalability is immense. There is no device, user, or policy limit. You install a device, and it is automatically configured because the policy is deployed from the centralized policy server or active directory.

    We have around 500 devices in our organization, and all devices are using it. We have all kinds of devices such as laptops, desktops, notebooks, surface devices, etc. We also have in-house virtual servers on the AWS cloud and in-house physical servers. We also recommend enabling it for our client servers, and we configure policies for them.

    Every person in our organization is using this solution. We have approximately 380 users. Its users include everyone from a new joiner to our management president. Last year, our strength was 260, and this year we have 380 users. We are growing, and by 2022, we should have more than 600 users. We are growing in a very good manner, and a group target is there. We are definitely going to grow.

    How are customer service and technical support?

    We have been using Microsoft products since the commencement of Windows 95. We have rarely used their support because they make their products in a way that makes them easy to use. Sometimes, there are flaws and issues, and because we are also a Microsoft Partner, we get support on priority. They take a case at the level where they think it will be resolved, and if someone is not able to resolve it, it automatically gets escalated. 

    We mostly use our in-house support. In the past 20 years, we have used their support twice. When I used their support last time around four to five years ago, they were really very helpful. They were good and very professional. I cannot comment on how their support is now with the current pandemic and people not working from the office. 

    Which solution did I use previously and why did I switch?

    We were using Symantec Antivirus three years ago. When we were using Symantec Antivirus, users used to report that certain popups are there, and what should they do with them. They used to ask, "Is my system infected?" They used to panic on seeing those pop-ups. Most of them were unnecessary and would say that they need to have admin access or a particular software is trying to open a port. Because we are into development, it is a requirement of a developer to open certain ports and to make that application listen on certain ports. Such requirements were very difficult to configure in Symantec. It was difficult to make it understand that these ports are going to be used by developers, and they are going to be opened, and it is not a virus activity. Sometimes, the temporary folder of users used to get infected, and it used to give hundreds and hundreds of pop-ups. We didn't know how to close all those pop-ups in one go because they were not in a group. Imagine sitting and closing a hundred pop-ups. We had to click the Close button on each and every pop-up.

    With Microsoft Defender, we can control notifications. We can tell which notifications should go to the users and which shouldn't go to the users and should be forwarded to the admin central console. In terms of user experience, users are happier with less annoyance of pop-ups that they used to get with Symantec Antivirus. They do not need to know each and everything that is going at the backend. Only the admins need to know certain things, and they should know them. With Microsoft Defender, users don't even get to know that they have an antivirus solution on their system because they never get any irritating pop-ups or notifications or slowness of the system. We configure everything from the backend, and we are managing their systems from one console, which is the biggest plus point of Microsoft Defender.

    How was the initial setup?

    Its initial setup is very easy. It took us just a couple of hours to deploy it on remote devices.

    Our implementation strategy was to deploy group policies and manage the DLP policies from the central console.

    What about the implementation team?

    We did our own research, and because it was a lockdown, we had resources on our hands. We asked one of our system admins to look into the options and the policies that we need to deploy and what we need to do. He went over it for a month and trained the rest of the team. Within one and a half months, it was fully operational on each device, and my whole team was trained on it.

    The whole job of its deployment was done by one person, and for maintenance, we have got a five-person team because we have 380 users across the clock and across the globe.

    What was our ROI?

    We have very much seen an ROI.

    What's my experience with pricing, setup cost, and licensing?

    Licenses depend upon what you are looking for and what kind of security do you want to implement. There are costs in addition to the standard licensing fees.

    When we used to buy Symantec, we used to spend on 100 licenses. We used to spend approximately $2,700 for those many licenses, and they came in packs. To add one more license, I had to buy a pack with a minimum of 10 licenses. I had to spend on nine extra licenses because I can't get a single license, whereas when we go for Microsoft, we can get as many licenses as we want.

    If I have 100 users today, and tomorrow, I have 90 users, I can release my 10 licenses next month. With any other software vendor, you buy licenses for one year, and you have to stick with that. If today you have 100 licenses, and tomorrow, you have 50, you have already paid for one year's license. You can't go back and tell them that I don't require these 50 licenses because I have lost my 50 users, but with Microsoft Defender, licensing is on a monthly basis. It gives you both options. You can go yearly and save on it, or you can go monthly. You will, again, save on it. It is very fair everywhere.

    What other advice do I have?

    My advice is, "Try it, and you will love it." If you go for any other product, you will have to manage everything separately, which becomes an overhead. You will have a separate console, separate licensing, and a separate vendor. You will also get a piece of software that is going to have a layer in between the operating system and your applications, whereas Defender incorporates itself onto the layer where the operating system is sitting. So, you don't tax your resources to manage a product that is already incorporated into all systems. Everybody knows how to use Windows and Defender, so the learning curve is also not there. It is very easy, and it offloads a lot of things such as tech requirements, separate licensing requirements, and separate vendor management. 

    I am not advising you to go ahead and discard whatever you are using. You should implement it in a test environment and see what your requirements are because the requirements will definitely impact the licensing. If your requirements are met, and then compare the time required to manage Defender versus the current solution that you are using. You should compare how many hours are you putting in managing both solutions with a different skill set. Only after such evaluation, you should deploy it. 

    The biggest lesson that I have learned from using this solution is to always keep it simple. Don't complicate.

    I would rate Microsoft Defender Antivirus a nine out of 10. If they can make the UI more systematic, I can give it a 10 out of 10.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    SimonThornton - PeerSpot reviewer
    Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
    Real User
    Top 5
    Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
    Pros and Cons
    • "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
    • "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."

    What is our primary use case?

    Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

    When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

    It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

    Its version is usually up to date. It is a cloud solution. 

    How has it helped my organization?

    Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

    You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

    What is most valuable?

    I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

    The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

    What needs improvement?

    The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

    Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

    It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

    It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

    For how long have I used the solution?

    I have been using it for about two years. I've got a couple of customers today with it.

    What do I think about the stability of the solution?

    Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

    What do I think about the scalability of the solution?

    It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

    How are customer service and support?

    It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

    We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

    In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

    It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

    What's my experience with pricing, setup cost, and licensing?

    The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

    You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

    The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

    What other advice do I have?

    A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

    Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

    Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

    I would advise asking yourself:

    • What do your endpoints consist of?
    • Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
    • What is it that you're trying to achieve by taking Defender? 
    • Are there more capable XDR-type solutions out there? 

    If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

    If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

    I'd give it a cautious six out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
    Flag as inappropriate
    PeerSpot user
    Kevin Mabry - PeerSpot reviewer
    CEO at Sentree Systems, Corp.
    Real User
    Top 5
    Lowers costs for my clients and has the ransomware solution built into it, but there should be more telemetry information and more promotion
    Pros and Cons
    • "I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender."
    • "It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender."

    What is our primary use case?

    I offer a Security Operation Center (SOC), which is like a person standing and going through the metal detector at the airport. We're like the staff standing there and watching people and then having them send stuff through the conveyor. It is real-time detection and response.

    I don't use Microsoft Defender that much. If I come across a client who doesn't want to spend on a different endpoint solution, I just have them use Microsoft Defender that is built into their devices.

    How has it helped my organization?

    The ransomware and some of the other features that are built into it give you more telemetry now. From the security side, I don't look at what an endpoint solution does. I look at what it gives me. I need data. I don't want something to just say, "Oh, I stopped it." That's good, but I need to be able to figure out what did it stop. Was it a good thing or a bad thing that it stopped, and what is it doing. I need to be able to break that down and go deeper into that analysis to figure out what is being stopped. Microsoft Defender is doing that now and is giving more telemetry. It doesn't give nearly as much as Bitdefender does, but it is pretty good.

    It is built into Windows 10. So, I don't really have to go out and get an extra or a separate endpoint security solution. It stands on its own. I have some clients who are using Microsoft Defender, and it is perfectly fine because my SOC can actually get the telemetry from Microsoft Defender and use that as well. Microsoft Defender does have the telemetry information, and I can get some of that out of it for my SOC. I can use what's built into it to stop and do more of a response layer. I can use Microsoft Defender to stop something right there.

    What is most valuable?

    I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender.

    It is useful when a client does not want to spend extra on getting a new endpoint solution or does not want to get something else installed on their devices.

    What needs improvement?

    The biggest thing that I would emphasize to Microsoft is that if they are confident in their solution, they should brag more about it. In other words, they should put more stuff out there to prove that they're just as good as the others. The biggest thing is that people still don't believe in it. When it comes to the IT world, they still don't believe in Microsoft Defender. It has been there for a while, and I know that I used to not trust it because it was free and I didn't know what it was doing and if I could trust it. If you go to comparison sites, you would hardly see it being compared to solutions like Norton, Bitdefender, Webroot, etc. Microsoft can do a better job of promoting it.

    They should offer more telemetry or more information coming out of there for Syslog type of scenario so that a SOC could use the data that they have built into it. This would be useful.

    It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender. 

    For how long have I used the solution?

    I have been using it off and on for some time.

    What do I think about the stability of the solution?

    Its stability is fine. It is a built-in and legacy solution. It can stand up to any other endpoint security solution. 

    What do I think about the scalability of the solution?

    It is not very scalable from the eyes of an MSP. There is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. Because it doesn't give you one pane of glass to look at everything, you have to have an RMM tool that can actually see the data coming from Microsoft Defender. If you don't have an RMM tool, you would need one, and that would be an extra cost.

    I don't really use an RMM tool. We have a SOC, and I don't really deal with individual computers themselves. In the past, I have used RMM tools, and some of them do well with looking at Microsoft Defender, but my SOC has a really good dashboard that I can use to see what's going on with Microsoft Defender. I can actually control stuff on Microsoft Defender from my SOC.

    How are customer service and technical support?

    I have not used their support for Microsoft Defender. Generally, their support is fine. They've definitely improved and gotten better.

    Which solution did I use previously and why did I switch?

    I don't use Microsoft Defender that much. It is built into Windows 10, and if you put the antivirus or endpoint security on, it kind of turns itself off automatically. I've been using Bitdefender lately. I used to use Panda Security, but now I use Bitdefender.

    I recommend it for clients who don't want to spend on a different endpoint solution, but I don't put all my eggs in one basket. I don't say that a particular antivirus or endpoint security solution is 10 times better than the other one. I just don't look at things that way because I know the process and what hackers actually go through to get past all of them. So, none of them are that much better. The only thing I tell others is to not use the free ones, but to that defense, they all have a level of reachability.

    When it comes to performance, Microsoft Defender is much faster because it really doesn't look at all of the things that are Microsoft-focused. It has a better understanding of what Microsoft has made, whereas other solutions are going to look at anything as a potential threat. It is definitely a better option because it knows Windows. You install another antivirus on Windows, it has to try to figure out the software. Microsoft already knows how Word, OneNote, or their other solutions work. So, Microsoft Defender doesn't need to scan specific things, whereas Bitdefender or another solution doesn't know that, and it is going to scan everything, which can slow your system down. 

    I offer a SOC, and we do real-time detection and response. I don't put all my eggs in one basket when it comes to endpoint security. I believe endpoint security needs to be there because it is a layer of security, but it is not everything. The reason I use Bitdefender is that it has more telemetry and more information coming out of it to put into my SOC than Microsoft Defender, which doesn't have as much telemetry coming out of it.

    For telemetry or forensics, Microsoft Defender doesn't give you reports. It just does what it does. Microsoft Defender will give you information, but you got to go to the individual device. I can't pull much telemetry information into a SOC. So, if you want to see from where the hacker or the hacking software came in, how it got there, and how it moved unilaterally across the system or network, you may not get all of that with Microsoft Defender, but with the telemetry data that comes out of Bitdefender, you will get more of such information and you can follow its path.

    How was the initial setup?

    It just comes on a device when you buy it. When you buy a laptop, it is built into Windows 10. They have Windows Security, and there are separate pieces of it. When you look into some of it, it is called Defender. They also have a standalone Windows Defender.

    It is a full endpoint security solution, and they have a firewall in there. You can go in there and set different things up for your firewall. When it comes to security, not everything is turned on. You actually have to go in and turn the ransomware part on. There are things about ransomware that you got to turn on, and they really depend on what you need in your practice or business. You have to make sure you go in there and look at it. You can't just set it and forget it. It does come automatically, but you got to go in there and set things up because they know that some things can stop certain aspects of your business from running. So, they don't want to turn everything on. They leave it up to you.

    The configuration of those extra parts can get complex, but I do believe it is pretty straightforward. It involves more yes or no type of questions. It is just flipping a switch on each individual part that you want to use. It is just like everything else. You have to test and see if it is going to work in your environment.

    In terms of maintenance, all the updates come with Microsoft. Every time they update Windows 10, they also update Microsoft Defender. It is pretty simple.

    What was our ROI?

    It doesn't really affect my business because the cost goes out to my client either way. If they have 200 devices and they are charged $2 per endpoint for each one of them, that's an extra $400 a month. If they are just using Microsoft Defender built into their systems, that cost goes away for them. My clients are definitely saving money with Microsoft Defender.

    It doesn't affect my business because I'm looking at telemetry regardless of the solution. So, it doesn't matter if it is coming from Microsoft Defender or Bitdefender.

    What's my experience with pricing, setup cost, and licensing?

    It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them.

    What other advice do I have?

    It is just like anything. You should definitely do your homework and see if it is going to give you the information that you need. You should focus on forensics and the kind of information you are going to get out of Microsoft Defender. Will you get the reporting that you need? Will you get the telemetry and all the data that you need to be able to follow the path of an attack? You need to be able to see that. You need to know this information for your clients because they may need it for the FBI or something else. So, you need as much information as you can. You need to make sure that that you're going to get the information out of there and you have the right setup to be able to see everything with all of your clients. You should have an RMM tool or whatever you're using to be able to see all of your clients, and you need to make sure that you have the setup for that.

    Microsoft Defender has been around for many years, and since Windows 10, they've really ramped it up, and it has gotten a lot better. I've seen some of the statistics on it, and it stands up against some of the other solutions out there, such as Norton. They've added things that make it more of an EDR, which is the endpoint detection and response layer. The ransomware was one of the big add-ons, and it is good that they've put that in there. It can stand on its own now.

    It has not affected our organization's security posture a lot, but it has given me more options to lower costs for my clients. It has helped my clients and in turn, my business. It has not affected our end-user experience in a negative or a positive way. It is just a tool. I do the monitoring, stopping, blocking, and everything else for clients. 

    It can be a good solution, and I hope that they grow with it and do more with it. They can make it simpler for the security and MSP world. If their solution just gets better for the MSP world, it would help everyone.

    I would rate Microsoft Defender a seven out of 10 because of its lack of usability for an MSP and its lack of telemetry information, but it is useful, and it does stop ransomware.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Network Engineer at a real estate/law firm with 51-200 employees
    Real User
    Top 20
    Covers everything that we want from our security platform, integrates with all enterprise services, and is infinitely scalable
    Pros and Cons
    • "It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online."
    • "It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has."

    What is our primary use case?

    We are a property investment company, and people here use Microsoft Surface devices for their daily job. We are a Microsoft-oriented company, and we use it for our basic endpoint security implementation. 

    Our entire security is based on this endpoint solution. Sometimes you have centralized security where you scan all traffic going through a central firewall and you also check through several types of solutions. You also check HTTPS connections. Basically, for all the traffic going inside and outside the company, you use a security firewall, and this endpoint solution is actually a firewall solution or security solution that is distributed. So, all the traffic coming from and going into the end-user device is basically submitted for scanning. If you download an ISO on a website or an email, everything is scanned for security to check whether it contains any malicious data. 

    We are using Microsoft Defender for Endpoint Plan 2, which is the enterprise version of Microsoft Defender for Endpoint. We are using the most recent version of it.

    We deploy it via Intune. The feature is called Microsoft Intune Autopilot. We have a hardware hash. A colleague of mine prepares the configuration and then based on the hardware hash and Autopilot, the devices are completely installed and joined to Azure AD and then to our enterprise. Intune is a Microsoft device management platform that comes with Microsoft solutions. When you buy a new device, based on the hardware hash, it can automatically find that device through Autopilot and do the specific deployment for your company. So, the users can use any type of device, start it, and then it will automatically be joined to our environment.

    How has it helped my organization?

    It is a completely integrated platform with advanced threat analysis, SIEM features, updated inventory, and so on. It is an all-in-one solution. Microsoft is taking over lots of companies to provide more and better services to its clients. This is one of the best solutions around at the moment.

    It protects our organization from all kinds of attacks, such as ransomware attacks and any malware downloads. It is like an oracle who knows everything about:

    • What is around at the moment?
    • From where the attacks are coming?
    • What is currently going on security-wise?

    It knows about all the software that you have installed on the laptop, and whether they are not patched or have security issues. It covers everything you want from your security platform.

    What is most valuable?

    It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online. 

    It is completely self-sufficient. You don't have to install anything. It is completely integrated into the operating system, and it also has a centralized information dashboard where you can immediately see:

    • Are all your devices up to date?
    • Are there any threats?
    • Are the devices having problems with updates?
    • Are they infected with anything?
    • Was something blocked?

    You can immediately see what is going on in your enterprise, in different networks, and also in people's homes in terms of endpoint security.

    It is a zero-trust platform, and it integrates with all types of enterprise services that we run. It also integrates with the Office 365 environment where you can securely connect from anywhere.

    What needs improvement?

    It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has.

    They're continuously improving it. You can compare it with Teams. About a year ago, the codex and the presentation of the Teams application were not very well optimized, and if you were using the Teams application, it used to drain your battery. It still drains your battery, but they have improved it a lot, and it is a lot less CPU intensive after one year. They're working on Defender for Endpoint to make it less CPU intensive.

    For how long have I used the solution?

    We have been using Microsoft Defender for Endpoint for more than six months.

    What do I think about the stability of the solution?

    Its stability is quite good, especially with Windows 11, which is a very stable operating system. Of course, you can run into some issues. We have some issues with docking stations for Surface and screens, but generally, the operating system together with the endpoint security solution is very stable.

    What do I think about the scalability of the solution?

    It is the most scalable solution around. You can create an Azure tenant, and with a script, you can deploy 1,000 user accounts. There is no actual limit to it, so the scalability is infinite.

    How are customer service and support?

    Their support has improved. They're quite good. I would rate them an eight out of ten.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    It has the easiest setup that I've ever seen. It's completely integrated with Microsoft. When you deploy your machine through Autopilot and Intune and assign the license, everything is done automatically. Of course, you have a lot of possibilities and a lot of freedom for detailed configuration, but out of the box, it comes completely self-sustained. You don't have to do anything. This is one of the easiest solutions that I've seen.

    You just apply for the plan in Office 365, and you set up your very basic Autopilot template where you would specify the types of software that have to be installed. For instance, you want Office or other types of software. The very basic template is enough to roll it out fully automatically.

    It takes a couple of hours. If you apply for a tenant on Azure, you pay for the licenses, and you can roll out with a click on 200 to 1,000 endpoint devices within the hour. This cloud is really amazing.

    What about the implementation team?

    We are a small company with a few technical engineers, and we provide services for our clients. We provide all kinds of services such as maintaining endpoints and Azure cloud solutions with virtualized services and SaaS services.

    Its implementation is more or less handled by my colleague. I do a little bit of configuration but not so much. My colleague knows about all the technical details. He does the complete installation and the complete central management of policies and templates. However, a basic part with basic software is very quickly implemented. You just create a tenant on microsoft.com, and then you can very easily roll out to as many workstations as you would like the necessary configuration for Defender for Endpoint.

    What's my experience with pricing, setup cost, and licensing?

    Its price at the moment is very good because you get a lot of value for your money, especially with the subscriptions. If you have the E1, E3, or E5 enterprise subscription, you pay per month per user, and you get almost an infinite number of solutions. If you compare the price to the number of solutions that you get, it is a very good deal. 

    I'm only concerned about the future because Microsoft is taking over one company after another. In the end, there will be no alternative and then they can do whatever they like, but for now, in terms of price, Microsoft is one of the best performers.

    What other advice do I have?

    At the moment, it is one of the best security platforms for endpoint security in the market. It is comparable to SentinelOne in terms of features and functions.

    It is part of Microsoft's ecosystem. If you need a reliable and secure work environment, and you are bound by GDPR and other standards where you have to take care of your data and prevent breaches and unauthorized access, it is a great solution. 

    The E1, E3, or E5 license contains Defender for Endpoint along with many other solutions. Having just the scanner is not enough these days. You need an overview of your whole environment. You need to make sure that your endpoints are encrypted, they are up to date, and they are correctly using zero-trust relationships for your central services. All these things that you need these days are perfectly implemented in the solutions that Microsoft provides. This is the only way for a company that takes data seriously and has to give a guarantee to customers that data is protected.

    It is resource-intensive, but you have to take into account that it is not only a file scanner. It is continuously scanning every connection you make on the internet. It is deeply investigating the data that you transport and the connections that you make. It is scanning your files, and it is scanning your software against all kinds of knowledge bases to identify whether there are vulnerabilities in the software that you use. It is a solution that integrates almost everything. It is doing what a central firewall did before, but it is doing that in a distributed way on your device. So, it does so much more than you expect. If you are providing it to your users, you have to take its CPU consumption into account, and you need to provide sufficient CPU power for this.

    I would rate it an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Head of IT at a manufacturing company with 51-200 employees
    Real User
    Provides users protection without impacting their experience
    Pros and Cons
    • "Microsoft Defender is always running. It is doing its job, so it is fine. I don't have any issues with the way it was implemented or how we are running it. We have been upgrading IT throughout the years, but there have been no issues."
    • "From an audit point of view, our auditors would like to have more reports on how things are used, if things go wrong, and how they went wrong. For example, if something got a warning, "Why?" So, we would like more versatility for tracing and reporting. That would improve the product, as long as the user interface doesn't get bogged down."

    What is our primary use case?

    It is the end defense against anything coming into our computers and through other channels, e.g., we have some other measures. A lot of our users use Microsoft Remote Desktop Services, so all our servers are locked down. The solution handles what nothing else finds along the way. It is a standard endpoint for computers, servers, and tablets.

    How has it helped my organization?

    What the user doesn't see or experience, the user is happy with. Every time our other services go in and put a stop pop-up in front of what they are doing when they want to visit a website, but the browser says, "No," or they are trying to download a link and then says, "Oh, no. This is dangerous," that upsets users because they can't do what they want to do. As long as we don't get any of that, then users are happy. If users don't feel it or know about it, then they are happy. Everything else will make them unhappy.

    Our end users expect to be protected and that everything works. When IT doesn't work as they expect, then they get unhappy in some form. We kind of forced this solution upon them, so they don't have a choice. As long as it doesn't meddle with their normal work, they are fine. For example, when GDPR hit us in May of 2018, that was upsetting because they now had to do some of their work a little differently. So, they don't like GDPR because it interferes with their normal workflow. Normally, users come to me if they have issues with anything. However, if everything works as expected, they are happy. In addition, they expect that they are protected.

    What is most valuable?

    When you have something fail and you have three or four different vendors where the fail might be located, everyone just says, "Well, it's awful." Then, you have to go and find out where the fault is. That is really annoying and can cost the business money. For that reason, if I can have one single point of contact when I have a problem to help me out, and say, "Let's find the solution." That is much better instead of having me contact multiple companies to track errors down.

    What needs improvement?

    The protection will always need improvement:

    • From a technical standpoint, I would like better artificial intelligence on how it does its stuff in the background. It will always be behind. However, at some point, it would be nice if it could get better. It is not bad, but it could always be better.
    • From an audit point of view, our auditors would like to have more reports on how things are used, if things go wrong, and how they went wrong. For example, if something got a warning, "Why?" So, we would like more versatility for tracing and reporting. That would improve the product, as long as the user interface doesn't get bogged down.

    For how long have I used the solution?

    I have been using the current solution since 2014.

    What do I think about the stability of the solution?

    We haven't had any issues. I haven't had any bad experiences. I expect it to work, and it works. It is just there. For example, when you have Word or the whole Office package, as long as it works, people are happy. You just have it, and you don't have to say, "Oh, this version is really..." It is just Microsoft. For most users, Microsoft is Windows, Defender, and the Office package. As long as you just use that, then people will say, "Okay, we're just basically using Windows." They don't care about one thing or another, as long as IT works.

    As long as things are slowly upgraded, it works, and we don't have any issues, then I am happy.

    What do I think about the scalability of the solution?

    I let my outsource company handle scalability. I only get involved if there are issues.

    We have 50-plus servers with around 125 to 150 endpoints.

    How are customer service and technical support?

    Our consultancy has a deal with Microsoft where they can get access to Microsoft directly. We are part of that deal. When we have issues that need some type of Microsoft input, we can get it. However, I will let the consultancy do that. I wouldn't do that myself.

    Which solution did I use previously and why did I switch?

    We use different email solutions and web solutions to handle incoming and outgoing traffic. However, we have not previously used another endpoint protection solution.

    How was the initial setup?

    In 2014, we upgraded from Windows 7. It was a completely new deployment of everything. Every server, every endpoint, and even the old laptops and desktops were upgraded. So, it wasn't just Defender. Microsoft Defender wasn't really the issue, as it worked. We had a lot of other IT that was annoying, but I don't remember that we had any struggles with Defender.

    Microsoft Defender is always running. It is doing its job, so it is fine. I don't have any issues with the way it was implemented or how we are running it. We have been upgrading IT throughout the years, but there have been no issues.

    We had a migration deadline set by our mother company. We had to stop using Windows 7 and server 2003 by 15th of June, and we started in April. So, it was done in just under two months right before June 1st.

    What about the implementation team?

    We are part of the aircraft industry. We have been going downhill for some time, and now we are sort of going up again. At the time of purchase, we simply bought the outsourcing with the solution, meaning we would get this many machines and servers using these services. They kind of supplied everything.

    We outsourced the deployment to another company at that point in time, who put up all the consultants and stuff. Before that, we had everything internally and on-premises. At that point, we moved it out still on-premises, but not in our own house. So, we built a separate system, then moved users over.

    We didn't have Microsoft in to specifically help us.

    The administration of this solution is outsourced. We use a consultancy who has 50-plus employees/consultants. They take care of nearly all services: Defender, Teams, SQL, etc. I then only have to talk to one or two people who are specialized in what needs to be done.

    I have been very happy with our current IT services provider. We have had them for about a year. They took over from the old consultancy who installed our IT in 2014. Our current consultancy took over in 2020 because I wasn't so happy with the old guys.

    What's my experience with pricing, setup cost, and licensing?

    It provides peace of mind with really good pricing. It won't be upsetting my budgets or anything like that.

    Which other solutions did I evaluate?

    Our outsourcer handled the decision that we were to use Defender, Remote Desktop Services, etc. They just said, "If you choose us, this will be your solution." It came as a package. Unfortunately, that company was bought by another IT services company, who bogged everything up. The service went downhill and stuff didn't get upgraded. So, we switched to another Danish supplier with whom we currently are happy.

    What other advice do I have?

    Go for it. It is a standard solution. If you use Windows, you might as well go for Defender. With this solution, you have your normal dependencies within Microsoft. This means that you don't have to talk to another company; you talk directly to Microsoft. Some people might go for something else, and that is fine too. However, depending on how big your company is, if you are a small or medium business, you may want to have as many eggs in one basket to have fewer points of contacts.

    It is a good endpoint. All the administration is handed over to our outsource partner. So far, it has been good. We have been using it for years, so it is the de facto standard for us right now.

    As far as I know, its capabilities are okay. It is up there with the rest of them. Sometimes, this is what Gartner says is the best, the next best, the 10th best, etc. That will always change. As long as we don't get hit, we are fine. If we get hit, then there are questions around what we can expect from it, what we can get out of it, what help did we get, etc., but I would let my outsource partner deal with that. Directly, I don't have my hands on it.

    I would rate this solution as an eight out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Avinash Shet - PeerSpot reviewer
    Sr SOC Analyst at a security firm with 201-500 employees
    Real User
    Great prevention and response capabilities but requires an updated GUI
    Pros and Cons
    • "The solution is highly scalable."
    • "They should come up with pre-built inner workflows."

    What is our primary use case?

    We call the solution MDATP - Microsoft Defender Advanced Persistent Threat Protection. At the same time, we're using it more from an EDR point of view, as an Endpoint Detection Response. It can detect any threats, malware, or processor, which are illegitimate and being executed by the end-users or malicious actors. When it sees this, it detects and reports to us. 

    Not only that, at the same time, it's detection, prevention, and response. Mostly what we were working on is detection. When I refer to detection, I mean that it can, with pinpoint accuracy, detect something and expose the threat. It can also map those threats with a MITRE, which is one of the great things that I love about it, on top of the accuracy and the threat description it provides.

    There are a few different use cases. We return with a query language, which is provided by Microsoft. We are able to create some threat hunting queries. We can pinpoint, accurately detect, and run pain testing. When there’s a threat or issue, I am able to find it and track it with great accuracy in MDATP. MDATP is able to tell me that, for example, in my organization, if there was a guy who was doing pain testing, which is black listed, and if there was an attempt to exploit something or install some malicious code or try to hack into the system. I am able to find this and pinpoint its occurrence. Not only that, I’m able to map them onto a MITRE framework and tell which stage of the attack it was, where the attacker came from, et cetera. I can see if it was something that was planned in the organization. 

    I can both detect internally and externally. I have full faith that the MDATP will detect behaviors and warn us of issues.

    What is most valuable?

    When you go to do a deep-dive or investigation as a SOC analyst or any security analyst, it gives three structures or processes, as well as the execution that it performs. I am able to perform a very deep-level investigation with MDATP - more than I can with any other tool.

    It did increase our security posture. While we had an antivirus before, it would only detect or prevent certain types of attacks. However, based on that capability, you cannot respond to the threat directly. For example, if there was ransomware on a system, the antivirus will be able to identify, detect, and mitigate it. However, at the same time, even if the antivirus detects that and tries to prevent it, you need to contain that machine, or you need to isolate that machine from the network. You don't want that machine to be talking to anybody in the network. Antivirus solutions can’t exactly do that.

    With respect to prevention, it has an auto-remediation feature, which is a good feature that I love with respect to prevention. It does auto-remediation as well as manual remediation, which is pretty good.

    With respect to response, we were able to contain, block, and respond to threats faster with MDATP. When we analyze the incidents or the threats it gives us a very good view of everything.

    With this product, before containing or responding, we get the information and can see what exactly is happening and when that malicious file was installed. After that, we have an event timeline. The visibility is not that much when you only have an antivirus. Now, we see the full picture. When we adopted this tool, we got the detect, prevent, and response functionalities. Overall, our security posture looks much better and our attack surfaces are limited. Endpoints are also most vulnerable today and we can efficiently protect them now. Since we have reduced the attack surface our security posture has improved dramatically. On top of that, we have the capability to respond and to go deeper on a forensic level.

    The product doesn’t affect our end-users. I do not see any major issues. There are exceptions where approvals may be necessary. However, the user acceptance is good. This is something that organizations pre-plan and there is nothing the user really has to worry about or act on.

    What needs improvement?

    Defender’s GUI can be optimized. The console needs to be more refined. After you have been using it for some time, you get used to it, and it is manageable. However, it should be a little bit more refined.

    They should come up with pre-built inner workflows. I would really like to see this. There need to be workflows with respect to notifications, remediations, or any actions that people want to take. They should come up with predefined or prebuilt hunting capabilities. Right now, we have to manually write queries. I would prefer if they could come up with something more automated.

    This is with respect to a SOC analyst perspective. Other users, other administrators, other different roles might have different issues. For me, there are no major concerns. It is a good tool, out of the box.

    For how long have I used the solution?

    I've used the solution for about a year and a half, and have also done training on it.

    What do I think about the stability of the solution?

    The stability is good. It's a stable platform. I don't see any issues right now. However, I did see something in the past. I can't quite remember the exact situation. It's resolved and right now there are no issues. 

    What do I think about the scalability of the solution?

    The solution is highly scalable.

    You can onboard as many end systems as you want. If you bring more, for example, 100 users or 100 endpoints, you can integrate them with no issue. It's not a problem with MDATP.

    We have somewhere around 2,000 to 3,000 users who are using it. We have an endpoint team and they manage the antiviruses and security tools and all those things. We manage the product partially from a policies perspective, and the endpoint team manages the platform and maintenance of it, including any upgrades, as necessary.

    How are customer service and support?

    I've dealt with technical support in the past. It's good, not excellent. That said, it's okay.

    Which solution did I use previously and why did I switch?

    Before using this solution, the company mostly dealt with antivirus solutions.

    We moved to this solution to strengthen and report, detect and prevent, et cetera, which antivirus solutions don't offer. We wanted forensics and capabilities that were missing. Antiviruses simply cannot protect you from advanced persistent threats, and they cannot protect you from ransomware and they don't respond to things faster. Response capabilities were something that was missing. Basically, we just needed more.

    How was the initial setup?

    I'm usually not part of the entire setup, however, I do manage it. We have to do certain policies within our organization. However, from what I've seen, it's not a complex setup. It is pretty straightforward.

    In terms of how long the deployment takes, I don't remember the length of time. If you have a CCM centralized, you can push the policies within hours. 

    What's my experience with pricing, setup cost, and licensing?

    The licensing is something that management decides on. I don't deal with the pricing or licensing.

    Which other solutions did I evaluate?

    We didn't really evaluate other options. We provided support for one of our clients, and it was a decision they made. 

    What other advice do I have?

    We're a consulting company. We are not partners with Microsoft.

    We use the solution as a SaaS.

    I'd advise other companies to use this solution. It's an ideal choice, however, I'm not sure about the pricing. Maybe it's on the higher end of other competitors' pricing. That said, if you have an opportunity to use it, it will solve a lot of problems with respect to pain point detecting and doing investigations. At the same time, with Microsoft, if 80% of your organization is using Windows systems, it's going to be compatible. Specifically, with its platform, Microsoft understands what is right and what is wrong. Therefore, if the money is not a concern, or the budget is not a concern, opt for this. At the same time, as a generic statement, if not this solution, go for an EDR tool that suits your organization's needs best.

    I'd rate the solution at a seven out of ten simply due to the fact that I have not fully optimized it. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
    Updated: July 2022
    Buyer's Guide
    Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.