Microsoft Defender for Endpoint Reviews

What I found most valuable in Microsoft Defender for Endpoint is that it's out-of-the-box, which brings more value to the customer. The technical support for the product is also one of the best parts, because it's good, in terms of the product knowledge of the technical engineers.

In Microsoft Defender for Endpoint, the devices still need to mature a little more when compared to other AV solutions. Microsoft Defender for Endpoint is not as robust, and you cannot customize it much, so that's a challenge. These are the rooms for improvement in the product.

Microsoft Defender for Endpoint is still being improved. I would say it's still in the development stage. Daily, Microsoft is getting feedback from the customers, so they are modifying the product based on the feedback and requirements of the customers. It's an ongoing process, and as a consultant, I'm in a much better shape, from a consultant point of view, in terms of speaking with customers.

What I'd like to see in the next release of Microsoft Defender for Endpoint is a single console where you can manage all the policies, Intune, and the EDR capability that can be managed through Intune. There should be a single portal for that to make it more convenient for the security consultant engineer to work with. Right now, I have to hop between different controls. Even the tenant attach feature needs to become more mature in Microsoft Defender for Endpoint because it's just very basic. The concept is good, but it's very basic, so it requires more effort for the engineer to configure.

I've been dealing with Microsoft Defender for Endpoint since 2018.

Microsoft Defender for Endpoint is a stable product.

Microsoft Defender for Endpoint is a cloud solution, so it's always scalable.

Technical support for Microsoft Defender for Endpoint is good, and it's the best part. Microsoft knows that the product needs some development, so they're working on improvements, but all the technical engineers I've worked with so far are very technically sound and they know the product.

The initial setup for Microsoft Defender for Endpoint is straightforward, if you are aware or have knowledge of it. For example, it's easy if you have gone through all the phases of setting up Microsoft Defender for Endpoint when it started as a manual deployment, manual configuration, then it came through GTO, then SSCM, then Intune, and now SMM. If you have gone through all the phases of deployment, then you know where you need to go and where to change the settings.

If you just started with Intune, or you're dealing with a combination of Intune and a firewall, the initial setup won't be as easy. It could be challenging for a newcomer, because you do not have much experience with Microsoft Defender for Endpoint, but they'll give you good support, and they'll try to resolve the challenges that come up when setting up the solution.

Pricing for Microsoft Defender for Endpoint is competitive. Out of the bundle, you will get a lot of security, if I talk about Microsoft E5, for example, and get a lot of benefits. If the customer goes and purchases a different solution, it will cost more, so pricing for Microsoft Defender for Endpoint is quite reasonable at the moment. There isn't any challenge in terms of pricing, for example, I didn't see a customer who pulled back because of the price. Some prices could be negotiable, and sometimes, as a sales point, the two become negotiable, but they don't bill one and pull back because of the pricing. If you have an E5 license, you get everything.

Customers don't worry about the prices too much, because what they're a little bit worried about is the complete capability of Microsoft Defender for Endpoint in the endpoint security space when compared to other legacy solutions such as McAfee Endpoint Security and Symantec End-User Endpoint Security that are quite mature enough in this market, as seen on Gartner. Sometimes the customer is reluctant to move to Microsoft Defender for Endpoint, but not because of its price. I didn't have customers who questioned the pricing for the solution.

I'm currently working with all these solutions: McAfee Endpoint Security, Symantec End-User Endpoint Security, and Microsoft Defender for Endpoint, because I'm a consultant. I'm not a customer. I do use it, and the organization I'm in uses it, but I'm a consultant to the customer. I do pre-sales and look into any of the technical aspects of Microsoft Defender for Endpoint.

In terms of comparing Symantec End-User Endpoint Security with Microsoft Defender for Endpoint, they both work, but in different ways and they have different approaches. Microsoft Defender for Endpoint doesn't have HIPS, while Symantec End-User Endpoint Security has HIPS. Microsoft Defender for Endpoint has ASR rules which are compulsory, but there are some activities that Microsoft Defender for Endpoint can't do in an environment, particularly if it is an air-gapped network. In an air-gapped network, which is very secure, my team can't open the internet, and Microsoft Defender for Endpoint fails in that, despite being an EDR solution, because it's cloud-based and it doesn't work there. Microsoft still doesn't have any solution for mitigating the air-gapped network.

My advice to people looking into implementing Microsoft Defender for Endpoint is to do it very fast because the tool is changing very rapidly, so if you are a novice and you are just learning, what you learn might get changed in the next quarter. Some of the functionality might get changed, so you need to keep up with the changes, and you need to learn quickly and implement Microsoft Defender for Endpoint fast.

My rating for Microsoft Defender for Endpoint is seven out of ten.

We have a dedicated team that handles all security-related aspects of the solution, however, my understanding is that the solution helps guard the endpoints in our organization. 

Along with security, there are certain IT policies in terms of accessibility of different sites, which are there in the organization. With everything put together, there haven't been any instances where I have seen any kind of issues such as malware or other malicious event getting through on my laptop. From that perspective, everything is fine. 

The patch updates and version updates are very good. Those happen on an automated basis whenever I'm connecting to the organization network, either through LAN or through the VPN. I never have to worry about anything being out-of-date.

The solution scales well.

I have found the stability to be good.

From a general user perspective, I don't see any further improvements needed. 

The price, in general, could always be a little bit cheaper.

I've used the solution for two years or so. It's not much more than that.

The stability of the product is good. I have not dealt with bugs or glitches. It doesn't crash or freeze. the performance is good. It's reliable. 

The solution scales well. If a company needs to expand it, it can.

We have 1,000 to 2,000 people on the solution currently.

I've never directly dealt with technical support for issues related to Defender. Many years ago I had reached out to Microsoft support for an issue related to Visio, a different product.

The initial setup is straightforward. There are certain automatic patches as well that keep on updating and those automatically install.

I don't recall how long the product took to deploy. When any new laptop or anything is assigned in an organization, all these things are installed prior to coming to us. Therefore, I wasn't actually a part of the installation process. 

We have a few contractors working with the in-house team. There may be around five to ten people. Any maintenance that is needed would be done by them.

The pricing could be lower. That said, I cannot speak to the exact costs involved as I do not directly deal with that aspect of the product. I'm unsure if the company is set up with a monthly or yearly subscription package. 

I'm just a customer and an end-user.

I'd rate the solution at an eight out of ten. I've been very pleased with how it has worked for me over the last two years. 

I would recommend the solution to others, however, I'm just a passive end-users and not as technically involved as those deploying the solution in our company. However, from my perspective, there has never been an issue on my machine with malware and therefore it seems to be doing what it's designed to do.

Microsoft Defender for Endpoint can be used for protecting personal information and file in my organization.

The solution has saved us time by not having to install separate third-party antivirus solutions.

Microsoft Defender for Endpoint is beneficial because we are using Microsoft Windows and all the core solutions are made by Microsoft, such as the authentic platform, operating system, and antivirus protection. It is a heterogeneous environment. We had to use third-party solutions before and update everything separately. For example, the policy for antivirus. With Microsoft Defender for Endpoint, when Microsoft Windows receives updates it will update with it. This is one main advantage of this solution.

Microsoft Defender for Endpoint can improve by making the reporting faster. It takes some time to reflect back to the administration portal of what has been updated. For example, out of 100 Computers, approximately 90 computers received updates, but when you check the administration portal over one or two days, you will only see 75, even though 90 were updated.

I have been using Microsoft Defender for Endpoint for approximately one year.

The solution is stable.

Microsoft Defender for Endpoint has been scalable.

We have more than 200 users using this solution in my organization.

Previously we used McAfee and Symantec Endpoint. Every five years we change the solution. However, this time we changed to Microsoft Defender for Endpoint because we wanted a unified platform.

When you install Microsoft Windows 10, Microsoft Defender for Endpoint comes with it. There is no installation of the solution other than installing Windows 10. It saves time because you do not have to use any new kind of policy or deployment.

We have a team of three that do the management of the solution.

The solution comes free with Microsoft Windows 10.

I rate Microsoft Defender for Endpoint a ten out of ten.

We primarily used the solution as Endpoint Detection and protection (EDR, EPP) with secondary benefits of threats and vulnerability management, security incident response, automated query and real-time device monitoring, and with the capability of email security, identity management (DFI), and task automation (Power automate). We used respective licenses where required.

The solution was also used for an endpoint antivirus for workstations in a multi-OS environment, including Windows and Mac OS. We had file, device, and user trajectory monitoring for the security operations team.

The solution benefited the company via:

• OS-level/Tool compatibility for endpoints running Windows (since both are Microsoft products and Defender core files are included in Win10 or later delivery).
• Heuristic capability. Consistent usage of MDE indicates that the tools are continuously learning new prevention techniques by pulling real-time up-to-date cloud resources.

• Alert chaining. The solution makes security Incidents, events, and alerts less tedious from a Security Operation Center standpoint. This can result in false negatives or detriment for small to medium-scale firms running no or semi-automated threat response features.

The most valuable aspects of the solution include:

• Advanced hunting. The product offers flexibility, visibility, and automation capability using a user-friendly query language (KQL).
• Reporting. Clear and concisely plotted graphics show real-time data representation - which is valuable to upper management.

• Scalability/API. We are able to productively integrate with existing on-prem, hybrid, or cloud applications. 
• Great OOB features. The solution comes with SIEM-ingestion-ready features for extensive visibility, automation, and integration, including advanced hunting, threats and vulnerability management, embedded simulation for end-to-end testing, ransomware prevention (Controlled Folder Access), and Attack Surface Reduction (ASR) rules.

Improvements could be made via:

• Clicks. There's a poor user experience with lots of optimizable opportunities of user interface particularly on the newly improved portal (https://security.microsoft.com/). Features like device inventory continue to lack essential workstation drill-downs showing the entire device information with the least effort.

• De-centralized console features. Discrepancies with enabling core features at the click of a button within the MDE portal is mostly due to prerequisites that are tied to the functionality or partial enforcement requirements from other Microsoft tools (Group policy, Azure, Sentinel, SCCM, Intune). EDR in block mode requires Intune security baselines and tamper protection requires MAPS enabled. Web content filtering also has security baseline dependencies

• No single pane of glass. There are too many loose ends with tiny bits and pieces to enforce essential security policies compared to other EDR solutions within the same caliber. A typical example is having to create exclusions in different locations for entirely different functionalities, such as: automation folder exclusion, group policy exclusions (per tenant), Controlled Folder Access (ASR) Allowed application, and Attack Surface Reduction (ASR).

• Service Requests. Noncritical cases with MDE technical support teams tend to be queued for over a week before the first customer engagement. Most of these tickets also end up in the hands of temporary or contracted non-Microsoft employees who are scripted and offer little attention to unique incidents.

Suggested additional features that should be included in the next release include:

• Digestible interface/filter for crown-jewel capabilities like ASR, CFA and Exploit mitigation occurrences.
• Restoration of an always visible search bar from the previous console view (https://securitycenter.windows.com).
• A definitive action plan for Secure Score recommendations and deduplicate of controls.

We were using Microsoft Defender for Endpoint prior to its change of name from Defender ATP. We experienced a plethora of GA changes including, but not limited to, IOS/multiple OS support, device discovery, web content filtering, API updates, and continuous integrations with existing security tools.

The solution is used for endpoint detection and response, however, it also has vulnerability management. I don't use that as much as the endpoint detection and response. I use it in combination with Cloud App Security and Endpoint Manager.

The most valuable feature is the fact that, if you have the M365 E5, it's included and everything is in the bundle. 

It's a very solid security system and the advanced hunting and everything really lets you dive deep into things.

Overall, they're doing a much better job. However, recently, they added the Azure Defender. When you use the Azure Defender licenses, you're already enrolled. 

I prefer that they had the old interface that was not combined with compliance, and still, they've changed that to make it better. I would just like them to have more consistency, and that's a comment that's across the board with Microsoft. They change things a lot.

I probably started diving into Microsoft Defender about two years ago.

Stability-wise, I have not had another product that has been as stable and has had fewer issues. It's amazing.

The solution is scalable. For example, I helped a 12,000-person company put it in and automated it without any issue.

In terms of technical support, I have not had to call them related to anything on Defender for Endpoint. I'm a CSP, so I'm calling and I'm getting different assistance than, say, a home user. That said, at the same time, it really depends on if you're getting level one or level three support.

The initial setup is very straightforward. There's a lot of people putting it in that don't understand it, however. They're not using device groups and auto-remediation settings.

I do a lot of security reviews as well, and what I find is that, although it works well out of the box, there are missing components. Another thing is that people will basically use the product, and yet, not set up the integrations with Cloud App Security and Endpoint Manager. When they do that, they're not getting the full functionality of it. I, on the other hand, know the system, so I see people often having trouble with it. If people are trained or go through training, they would be able to get the full functionality out of it.

I can't give numbers, however, for the price, when you're increasing from an E3 to an E5 license, the amount of features you get eliminates a lot of other systems. Therefore, you do get a pretty good ROI. On top of that, you only have one management system and one reporting system. Overall, the numbers have been quite impressive.

I don't know the standalone costs. It is my understanding that the M365 E5 is $56 a month or something close to that pricing. That would be for the full suite. Just Defender might be $8 a month. I can't say for sure.

I'm a consultant. I primarily work with Microsoft and I do the threat management and check vulnerabilities on the database. I'm looking for something that is not super expensive yet covers vulnerability management and where you can pick the products, and pick alerts, and you get a weekly digest report, just so that we can better manage everything.

I work with pretty much all of the 365 products. I'm pretty widely experienced in Defender. I work for a managed service provider. I'm one of the people that's, besides having my Microsoft Azure architecture, Azure security, Microsoft 365 expert level, plus M365 security knowledge. I focus on Azure and M365 security.

For Microsoft Defender, the product is cloud-based, therefore it is managed and it's updated constantly.

I would advise users to take advantage of Microsoft integrations. I would suggest that they put it all together, so they can use it as a full bundle.

I'd rate the solution at a ten out of ten.

We use it for endpoint security.

When looking at the ecosystem as a whole, security-wise, Microsoft provides a complete solution with the E5 Security suite. Microsoft has a big advantage because Defender knows how to interact with the CASB and all the other security components that you have. Overall, that makes the management of the environment much easier. It's easier to understand what's going on, to become aware of risks, and to take action.

• Defender has very little impact on the end-user.
• The agent works quite well with a minimal impact on the client and server.
• It's very easy to deploy it.

We did a trial of Microsoft Defender for Endpoint for about three months, and now we are in the process of rolling it out.

We have about 4,300 users of Defender and it took two days to have it fully deployed. With Cortex it took some time. With Cortex, we had some 500 clients that we had to investigate because for some reason they did not get the agent immediately and we had to do some tweaking to get it to all the end-users.

We used consultants for the deployment of both Cortex and Defender.

We gave Palo Alto Cortex XDR a try and we are now in the process of removing it and going to Microsoft Defender for Endpoint. I have experience with both of them.

Cortex has quite good management capabilities that give IT organizations quite a good picture of attempted cyber attacks. It has good investigation capabilities, out-of-the-box, in case there is an event that you'd like to investigate. It's quite convenient. Microsoft has those capabilities as well, but you need a bit more training on the product to get the basic information that you can get out-of-the-box with Cortex.

The onboarding process with Defender is much easier. In two days we were able to deploy it to our whole organization. Cortex is much more cumbersome. But the onboarding process is not the issue. A more important difference is that once you have security risks that you would like to mitigate, Cortex more easily gives you information regarding the threats. Microsoft gives you exactly the same information, but you have to know how to dig a bit more and do some manual steps that, with Cortex, are more straightforward.

The main issue that we had with Cortex, and the reason we decided to roll back and go to Defender, is that Cortex has a horrible impact on the performance of the system. For an enterprise-level organization, it kills the system. Users were complaining that when moving between emails in Outlook it would take a lot of time, creating a lot of delays and timeouts. Web browsing and every action on their computers took much more time than usual with Cortex.

I would rate Defender a nine out of 10, while Cortex XDR is a five out of 10.

We are using it for protection. We had a request from one of our customers, and we just started to implement it. We don't have any great idea about it. We are in the process of implementing it for the first time.

We are using its latest version. It is on-prem. The problem with going for a cloud version is that most of our customers prefer to work with on-prem solutions. So, we need all the features to be available on-prem as well as on the cloud.

We have just started to implement it. It is useful for protection from malware and ransomware. We are not exactly sure about zero-day, but we are trying to see if it will be effective for everyday antivirus purposes.

Auto recovery is the most important feature that we would need from this solution. For decryption, similar to Malwarebytes, there should be something to be able to recover the data up to the last normal status. Its ability to recover data to the last normal copy must not exceed 5 to 10 minutes.

We just started to use it.

We need to test its functionality in heavy environments.

Their support could be faster through the phone. The support through chat is very unuseful. It takes a lot of time and effort and but does not help in any way. We provide the first line of support to customers, so it is not a big issue for us.

We work on most of the protection products, such as Kaspersky, Malwarebytes. We normally use a lot of them. We had a request from one of our customers, so we started to implement Microsoft Defender for Endpoint.

Its initial setup is straightforward. The solution itself doesn't take more than 15 to 20 minutes, but the configuration duration depends on the environment, such as the number of policies, users, etc. It will vary according to the environment in which you are doing the implementation.

We implement it ourselves. Currently, we have only one customer of this solution.

Its price is fair. It has approximately the same price as the other products such as Kaspersky. It is much cheaper than Malwarebytes.

I would rate Microsoft Defender for Endpoint a seven out of 10.

Our clients use it for antivirus and anti-malware purposes.

It depends on the licensing. Most of the customers have got at least a 365 E3 license, and they can use most of the features of Windows 10 Defender. So, anyone who has got an enterprise license can start using those features. Some of the customers have got E5 licenses, and they can use all advanced features. Customers with E5 licenses use the advanced site protection (ATP) features and web content filtering without going via a proxy, which gives the benefit of replacing the proxy. They can get the benefit of MCAS and integration with Intune and the endpoint manager. It is a kind of single platform for all 365 technologies. It helps customers in managing everything through a unified portal.

Normally, we implement the attack surface reduction (ASR) rules and exploit protections. We also use Microsoft Defender Application Guard and ad blocker. Instead of using the application control list, we use the ad blocker at most of the places.

What I've heard from the customers is that the anti-malware engine is not up to date. So, sometimes, it may not detect such threats. I, however, haven't got any data to show for this.

Its licensing can be better. Currently, customers with the E3 license cannot use many features, and they would like those features to be available. With Windows 10 E5, Microsoft is phasing out all the functionality. They have also made a lot of changes recently where you can also buy add-ons for Defender ATP, but for Office 365, ADT, and other stuff, you still require E5 licensing. If they can improve its licensing, it would definitely be helpful in implementing the features from the security point of view. E5 definitely has more features from the security point of view.

I would like Microsoft to have some kind of direct integration for USB controls. They have GPO and other controls to control the access of the USB drives on devices, but if there is something that can be directly implemented into the portal, it would be good. There should be a way to control via a cloud portal or something like that in a dynamic way. USB control for data exfiltration would be a good feature to implement. Currently, there are ways to do it, but it involves too many different things. You have to implement it via GPOs and other stuff, and then you move or copy those big files via Defender ATP. If there is a simple way of implementing those features, it would be great.

We have been recommending Defender to customers for Windows 10 and helping them in implementing it for two years.

It is okay in terms of stability. I haven't seen any issues. Even if you go for a third-party vendor as your primary anti-malware software, you can get the benefit of Defender in a passive mode. 

I am an Azure engineer, and I work with an architect to design the solutions. I'm not a security person, and I don't know whether it catches all the new malware that comes into the IT world, and how quickly it gets updated because it is not my area of work as I'm not an SEC OP admin. I have read a few articles mentioning that the engine might only be 80% or 90% up to date. Obviously, no engine is 100% up to date, but it is still a little bit behind some of the third-party vendors. 

We haven't used their support much, but one of my colleagues has had some problems, and I think he didn't get good support from Microsoft. So, obviously, it depends on what kind of support engineer you have been assigned. Sometimes, it can be difficult. It is not only applicable to Defender; it could be with any of the products.

While implementing the ASR rules and other things, if you don't put it in the audit mode and don't do proper discovery, then it can definitely break lots of applications. You need to adhere to the implementation guidelines for ASR rules. So, proper analysis definitely needs to be done before implementing those rules because it can affect the business functionality.

Its deployment can take from few weeks to months depending on the size of the organization. In terms of the implementation strategy, we start with the pilot key users, and we deploy those policies. We also deploy ASR rules and other exploit protection rules in the audit mode, instead of directly enabling them. We then monitor the resources in terms of what can be blocked or what can get impacted by those rules. After that, we work with the users to implement it and see whether it breaks anything. If it breaks, then we look at the solutions. After we are happy with all those solutions and we know that enabling it won't break anything on a business side, we just roll it out.

Our clients are definitely seeing an ROI. Some of the clients have already got the licenses, and they can use lots of features of their Defender ATP. They are basically saving the cost of not going with a third-party solution.

Some of the clients who already had another third-party solution are also moving to Defender ATP because they already have the licenses, and they can save the cost on those. One of our clients is using ESET. They have the ESET standard version, so they are not getting any of the other features. They already have an E5 license to use all Defender ATP features. So, obviously, it would be beneficial for them to go with Defender ATP.

We did a little bit of comparison with Sophos. Sophos also offers cloud and network protection, but it would be an extra cost to buy it if you already have a license of Defender ATP. With Sophos, the USB features are a part of the cloud solution. So, you can configure USB restrictions and other things in the Sophos portal. With Defender, you will have to implement the USB security features via GPO or something else.

I would definitely recommend others to go with Defender ATP if they have got the licenses because it can give them a wide range of security controls. It is integrated with Office portals and Microsoft monitoring systems, so they get the sensors from different places. We haven't come across any security threats yet. From the point of view of its theory, implementation, and architecture, Defender ATP and other ATP integrations would definitely help customers in controlling their organization and implementing the best security rules and policies.

It hasn't affected the user experience much for our customers. Customers only see the notification pop up saying that Defender hasn't found anything and things like that.

I would rate Microsoft Defender for Endpoint a seven out of 10.