AnuragSrivastava - PeerSpot reviewer
Information Security Engineering Lead at an energy/utilities company with 10,001+ employees
Real User
Top 10
Provides detailed visibility into threats but the ability to add exceptions needs improvement
Pros and Cons
  • "One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides."
  • "The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices."

What is our primary use case?

We use Defender for Endpoint to secure our Windows 10 endpoints and Windows servers. We use Microsoft Defender as an antivirus, and we also leverage the EDR capability. If any malware or threat is present, Defender can take action on those threats and remediate if there are any malicious actors present in our environment.

It is deployed on-premises, on the cloud, and on multi-cloud solutions like AWS and Azure. We have a diverse, global environment with devices or servers in Europe, the US, and the Asia-Pacific region, except for China.

What is most valuable?

One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides.

Also, because of this solution's EDR capabilities, we can determine what we want Microsoft Defender to do and then automate the entire process. We have already enabled these automated response capabilities and are leveraging them.

The visibility into threats that Microsoft Defender provides is very detailed. If we want to investigate how a threat was initially integrated into our environment, we can do that with a detailed activity timeline. It will be across the servers or Windows Endpoint, so we will be able to see the correlation and gain a complete picture of any threat within that timeline.

It helps us prioritize threats across our enterprise to a certain extent. Whenever there is a threat, we'll get a risk score along with the level of severity. We will then be able to see whether the threats are of high, medium, or low severity and can prioritize them accordingly.

Prioritization is really important to our organization because with 100,000 people working, we see an immense number of threat alerts including phishing, identity, and other kinds of threats. We have a limited number of people working in security operations centers, and we may see 30,000 alerts come through. Therefore, it's very important for us to prioritize those alerts so that we don't end up working on threats that are not important and miss critical alerts.

Along with Microsoft Defender, we also use Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Integrating these products is quite simple. You just toggle the button, and the integration will be turned on. Once you have turned on integration, you will see feeds from the other portals. That is, if I get something in Defender for Identity, then I will be able to see relevant items in the Defender for Endpoint portal as well. It's out-of-the-box integration, and no additional measures are required.

These solutions work natively together to deliver coordinated detection and response across our environment. They work in the background and share common intelligence with each other and provide correlated feeds within these portals. They provide comprehensive threat protection.

When the integration is in place, it eliminates the need to look at multiple dashboards. Initially, we used to have different portals for incidents, but now, we have one central console. We can see alerts and incidents from Defender for Cloud, Defender for Identity, etc. It saves us a lot of time because our analysts don't have to spend time looking at different dashboards or consoles.

In terms of preparing for potential threats before they hit and taking proactive steps, the feeds in Microsoft Defender for Endpoint help us detect zero-day vulnerabilities or any ransomware. The threat analytics show us what the current and upcoming threats are. I can get the indicators of compromise from that particular list and can prepare my team on how to act on those particular threats. It has helped us to become more efficient.

Overall, this solution has helped us save 30% to 40% of our time.

Also, our time to detect and respond has decreased by around 40% to 50%.

What needs improvement?

One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to.

The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices.

Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.

For how long have I used the solution?

I've been using it for close to four years.

Buyer's Guide
Microsoft Defender for Endpoint
April 2024
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,415 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's not very stable because Microsoft keeps making a lot of improvements as it's a new product. For example, today I might see something on one page, on another day, it might be located on some other page or portal. However, I have seen stability to some extent over the last couple of months.

What do I think about the scalability of the solution?

It's definitely a scalable solution. Almost all of the users in my organization, close to 70,000, use this solution.

How are customer service and support?

Technical support is an area that needs a lot of improvement. Microsoft does not have the right people who can help with any challenges or problems, and ultimately, we end up finding the solutions on our own rather than relying on them. They take a lot of time to work on a support case, and we can't find the right level of support either. Therefore, on a scale from one to ten with one being the worst and ten being the best, I would give technical support a rating of four.

How would you rate customer service and support?

Neutral

What was our ROI?

We have seen a return on investment in the last few years in terms of our organization being protected against threats.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint is cost-effective because there's one unified license, and with this unified license, you get the capabilities for your cloud applications, servers, and endpoints as well. Therefore, it saves us a lot of money because the cost with other solutions is for just one piece of OS or maybe an urban environment. The licensing process is not complex either.

What other advice do I have?

Your use cases, how your organization is configured, and what your infrastructure is like will determine whether you go with a best-of-breed strategy rather than a single vendor's security suite. From a cost perspective, I think it's better to just go with one technology because when you have two technologies in place, there may be conflicts with policies that may result in additional time spent investigating.

However, if an organization has a high number of macOS devices and they have a lot of Linux servers, they may choose to go with two technologies if Microsoft Defender doesn't provide a complete set of security capabilities.

Before you implement the solution, first see what your use cases are and what you're actually looking for. Then, define your environment and what you're going to protect first, whether they be application servers or just endpoints. Then, you can have a detailed discussion with the implementer or vendor.

On a scale from one to ten, I would give Microsoft Defender for Endpoint an overall rating of seven.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
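The vulnerability-management and severity-based prioritization this reviewer describes can be pulled out of Defender for Endpoint with an advanced hunting query rather than a portal report. The PowerShell below is an added example, not code from the review or from Microsoft: it assumes an OAuth bearer token with advanced-query permission is already in $Token, uses the public advanced hunting API endpoint, and the function names, the sample rows and the placeholder CVE IDs are this example's own.

```powershell
# Added example (not from the review or from Microsoft): rank exposed
# devices by CVE severity via a Defender for Endpoint advanced hunting query.
# Assumptions: $Token holds a bearer token with advanced-query permission and the
# tenant uses the api.securitycenter.microsoft.com endpoint. Function names,
# sample rows and the CVE-0000-* IDs are placeholders for this example only.

# The KQL is summarised server-side, so only one row per CVE comes back; that
# keeps a 100,000-device fleet from running into per-report row caps.
$Query = @'
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize ExposedDevices = dcount(DeviceId),
            Software = make_set(SoftwareName, 5)
          by CveId, VulnerabilitySeverityLevel
| order by VulnerabilitySeverityLevel asc, ExposedDevices desc
'@

function Invoke-MdeAdvancedHunting {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Kql
    )
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $body    = @{ Query = $Kql } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers $headers -Body $body
    return $resp.Results
}

# Order rows the way a SOC would triage them: Critical before High, and within
# a severity, the CVEs present on the most devices first.
function Get-TriageOrder {
    param([Parameter(Mandatory)] [object[]] $Rows)
    $rank = @{ Critical = 0; High = 1 }
    $Rows |
        Sort-Object -Property @{ Expression = { $rank[$_.VulnerabilitySeverityLevel] } },
                              @{ Expression = 'ExposedDevices'; Descending = $true } |
        Select-Object CveId, VulnerabilitySeverityLevel, ExposedDevices, Software
}

# Constructed sample rows shaped like the API's Results array, so the triage
# logic can be run without a tenant. The CVE IDs are placeholders, not real CVEs.
$Sample = @(
    [pscustomobject]@{ CveId='CVE-0000-0001'; VulnerabilitySeverityLevel='High';     ExposedDevices=900; Software=@('AppA') },
    [pscustomobject]@{ CveId='CVE-0000-0002'; VulnerabilitySeverityLevel='Critical'; ExposedDevices=12;  Software=@('AppB') },
    [pscustomobject]@{ CveId='CVE-0000-0003'; VulnerabilitySeverityLevel='Critical'; ExposedDevices=340; Software=@('AppC') }
)
Get-TriageOrder -Rows $Sample | Format-Table -AutoSize

# Live run against the tenant (needs $Token):
# Get-TriageOrder -Rows (Invoke-MdeAdvancedHunting -Token $Token -Kql $Query) | Format-Table -AutoSize
```

Summarising in KQL before the rows leave the service is the practical workaround for the truncated portal reports the reviewer mentions: the analyst gets one line per CVE with a device count instead of one line per device-CVE pair.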
SamiEsber - PeerSpot reviewer
Security consultant at Manaai corp.
Real User
Top 5
Reliable with useful security and helpful technical support.
Pros and Cons
  • "Technical support has been great."
  • "We'd like the stability to be better."

What is our primary use case?

It's used to improve the security score for the whole system, even if it is the cloud or on-premises version.

What is most valuable?

The security is very useful.

Its stability is okay.

The solution can scale. 

Technical support has been great.

There's no setup process; a user simply needs to enable it to get started.

What needs improvement?

We'd like the stability to be better.

For how long have I used the solution?

I've been using the solution for about two years. 

What do I think about the stability of the solution?

The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance is good.

What do I think about the scalability of the solution?

The product can scale if a company needs it to.

There's a big number of users on the solution in our company. It's likely more than 400 users. 

How are customer service and support?

We've dealt with support in the past and found them to be very helpful. We're quite satisfied with the level of service. 

Which solution did I use previously and why did I switch?

I'm also familiar with Trend Micro, which is similar. However, Defender is specific to Microsoft.

The company does use more than one solution as well. 

How was the initial setup?

There's not really an installation process. A user simply needs to enable it. That's all.

What's my experience with pricing, setup cost, and licensing?

We pay a yearly licensing fee.

What other advice do I have?

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Doug Kinzinger - PeerSpot reviewer
Director of Technologies Solutions at a retailer with 1-10 employees
Real User
Has good reporting and logging features
Pros and Cons
  • "I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender."
  • "The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor."

What is our primary use case?

We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

How has it helped my organization?

Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

What is most valuable?

I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

What needs improvement?

Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

For how long have I used the solution?

We have used Defender for Endpoint for the last 18 months or so. 

What do I think about the stability of the solution?

Defender's stability is one of the things I love most about the solution. 

What do I think about the scalability of the solution?

There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

How are customer service and support?

I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting, notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons.

We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers, fair enough.

We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

How was the initial setup?

The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy.

What's my experience with pricing, setup cost, and licensing?

Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

What other advice do I have?

I rate Microsoft Defender for Endpoint eight out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Resellers
Sales Manager at Syntech
Real User
Helps us prioritize threats across our enterprise and saves us time and money
Pros and Cons
  • "Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions."
  • "Microsoft Defender for Endpoint can use more advertising to promote their features."

What is our primary use case?

We use the solution for antivirus and firewall protection.

How has it helped my organization?

Microsoft Defender for Endpoint's visibility into threats is good. The solution helps us prioritize threats across our enterprise.

Microsoft Defender for Endpoint has helped our organization by providing continuous protection across our organization without overloading our CPUs by running in the background. We realized the benefits of Microsoft Defender for Endpoint while we were comparing it with other solutions.

Microsoft security solutions help automate routine tasks and identify high-value alerts. I used to work as a System Administrator or Network Administrator, so I understand how useful it is for admins to have their routines automated. I am aware that the solution supports policies and ensures that it is very beneficial.

Automation has enabled the process to be automated, such as protecting certain roles or allowing digital transactions, etc.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps.

Microsoft Defender for Endpoint saves us time and money.

The solution has helped reduce our time for detection and response.

What is most valuable?

Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions.

The solution is reliable.

What needs improvement?

Microsoft Defender for Endpoint can use more advertising to promote their features.

For how long have I used the solution?

I have been using the solution for five years.

What do I think about the stability of the solution?

The stability of Microsoft Defender for Endpoint is good.

What do I think about the scalability of the solution?

The solution is easily scalable. We have ten people using the solution currently.

Which solution did I use previously and why did I switch?

I previously used Symantec Endpoint Detection and Response, ESET Endpoint Security, and McAfee MVISION Endpoint Detection and Response before switching to Microsoft Defender for Endpoint.

What other advice do I have?

I give the solution a ten out of ten.

The solution is deployed across our local network. 

I recommend the solution and it should not be removed from a person's computer.

The type of endpoint security solution that is used in an organization should be based on the environment.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Kevin Mabry - PeerSpot reviewer
CEO, Author, Cyber security best practices at Sentree Systems, Corp.
Reseller
Top 10
Lowers costs for my clients and has the ransomware solution built into it, but there should be more telemetry information and more promotion
Pros and Cons
  • "I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender."
  • "It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender."

What is our primary use case?

I offer a Security Operation Center (SOC), which is like a person standing and going through the metal detector at the airport. We're like the staff standing there and watching people and then having them send stuff through the conveyor. It is real-time detection and response.

I don't use Microsoft Defender that much. If I come across a client who doesn't want to spend on a different endpoint solution, I just have them use Microsoft Defender that is built into their devices.

How has it helped my organization?

The ransomware and some of the other features that are built into it give you more telemetry now. From the security side, I don't look at what an endpoint solution does. I look at what it gives me. I need data. I don't want something to just say, "Oh, I stopped it." That's good, but I need to be able to figure out what did it stop. Was it a good thing or a bad thing that it stopped, and what is it doing. I need to be able to break that down and go deeper into that analysis to figure out what is being stopped. Microsoft Defender is doing that now and is giving more telemetry. It doesn't give nearly as much as Bitdefender does, but it is pretty good.

It is built into Windows 10. So, I don't really have to go out and get an extra or a separate endpoint security solution. It stands on its own. I have some clients who are using Microsoft Defender, and it is perfectly fine because my SOC can actually get the telemetry from Microsoft Defender and use that as well. Microsoft Defender does have the telemetry information, and I can get some of that out of it for my SOC. I can use what's built into it to stop and do more of a response layer. I can use Microsoft Defender to stop something right there.

What is most valuable?

I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender.

It is useful when a client does not want to spend extra on getting a new endpoint solution or does not want to get something else installed on their devices.

What needs improvement?

The biggest thing that I would emphasize to Microsoft is that if they are confident in their solution, they should brag more about it. In other words, they should put more stuff out there to prove that they're just as good as the others. The biggest thing is that people still don't believe in it. When it comes to the IT world, they still don't believe in Microsoft Defender. It has been there for a while, and I know that I used to not trust it because it was free and I didn't know what it was doing and if I could trust it. If you go to comparison sites, you would hardly see it being compared to solutions like Norton, Bitdefender, Webroot, etc. Microsoft can do a better job of promoting it.

They should offer more telemetry or more information coming out of there for Syslog type of scenario so that a SOC could use the data that they have built into it. This would be useful.

It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender. 

For how long have I used the solution?

I have been using it off and on for some time.

What do I think about the stability of the solution?

Its stability is fine. It is a built-in and legacy solution. It can stand up to any other endpoint security solution. 

What do I think about the scalability of the solution?

It is not very scalable from the eyes of an MSP. There is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. Because it doesn't give you one pane of glass to look at everything, you have to have an RMM tool that can actually see the data coming from Microsoft Defender. If you don't have an RMM tool, you would need one, and that would be an extra cost.

I don't really use an RMM tool. We have a SOC, and I don't really deal with individual computers themselves. In the past, I have used RMM tools, and some of them do well with looking at Microsoft Defender, but my SOC has a really good dashboard that I can use to see what's going on with Microsoft Defender. I can actually control stuff on Microsoft Defender from my SOC.

How are customer service and technical support?

I have not used their support for Microsoft Defender. Generally, their support is fine. They've definitely improved and gotten better.

Which solution did I use previously and why did I switch?

I don't use Microsoft Defender that much. It is built into Windows 10, and if you put the antivirus or endpoint security on, it kind of turns itself off automatically. I've been using Bitdefender lately. I used to use Panda Security, but now I use Bitdefender.

I recommend it for clients who don't want to spend on a different endpoint solution, but I don't put all my eggs in one basket. I don't say that a particular antivirus or endpoint security solution is 10 times better than the other one. I just don't look at things that way because I know the process and what hackers actually go through to get past all of them. So, none of them are that much better. The only thing I tell others is to not use the free ones, but to that defense, they all have a level of reachability.

When it comes to performance, Microsoft Defender is much faster because it really doesn't look at all of the things that are Microsoft-focused. It has a better understanding of what Microsoft has made, whereas other solutions are going to look at anything as a potential threat. It is definitely a better option because it knows Windows. You install another antivirus on Windows, it has to try to figure out the software. Microsoft already knows how Word, OneNote, or their other solutions work. So, Microsoft Defender doesn't need to scan specific things, whereas Bitdefender or another solution doesn't know that, and it is going to scan everything, which can slow your system down. 

I offer a SOC, and we do real-time detection and response. I don't put all my eggs in one basket when it comes to endpoint security. I believe endpoint security needs to be there because it is a layer of security, but it is not everything. The reason I use Bitdefender is that it has more telemetry and more information coming out of it to put into my SOC than Microsoft Defender, which doesn't have as much telemetry coming out of it.

For telemetry or forensics, Microsoft Defender doesn't give you reports. It just does what it does. Microsoft Defender will give you information, but you got to go to the individual device. I can't pull much telemetry information into a SOC. So, if you want to see from where the hacker or the hacking software came in, how it got there, and how it moved unilaterally across the system or network, you may not get all of that with Microsoft Defender, but with the telemetry data that comes out of Bitdefender, you will get more of such information and you can follow its path.

How was the initial setup?

It just comes on a device when you buy it. When you buy a laptop, it is built into Windows 10. They have Windows Security, and there are separate pieces of it. When you look into some of it, it is called Defender. They also have a standalone Windows Defender.

It is a full endpoint security solution, and they have a firewall in there. You can go in there and set different things up for your firewall. When it comes to security, not everything is turned on. You actually have to go in and turn the ransomware part on. There are things about ransomware that you got to turn on, and they really depend on what you need in your practice or business. You have to make sure you go in there and look at it. You can't just set it and forget it. It does come automatically, but you got to go in there and set things up because they know that some things can stop certain aspects of your business from running. So, they don't want to turn everything on. They leave it up to you.

The configuration of those extra parts can get complex, but I do believe it is pretty straightforward. It involves more yes or no type of questions. It is just flipping a switch on each individual part that you want to use. It is just like everything else. You have to test and see if it is going to work in your environment.

In terms of maintenance, all the updates come with Microsoft. Every time they update Windows 10, they also update Microsoft Defender. It is pretty simple.

What was our ROI?

It doesn't really affect my business because the cost goes out to my client either way. If they have 200 devices and they are charged $2 per endpoint for each one of them, that's an extra $400 a month. If they are just using Microsoft Defender built into their systems, that cost goes away for them. My clients are definitely saving money with Microsoft Defender.

It doesn't affect my business because I'm looking at telemetry regardless of the solution. So, it doesn't matter if it is coming from Microsoft Defender or Bitdefender.

What's my experience with pricing, setup cost, and licensing?

It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them.

What other advice do I have?

It is just like anything. You should definitely do your homework and see if it is going to give you the information that you need. You should focus on forensics and the kind of information you are going to get out of Microsoft Defender. Will you get the reporting that you need? Will you get the telemetry and all the data that you need to be able to follow the path of an attack? You need to be able to see that. You need to know this information for your clients because they may need it for the FBI or something else. So, you need as much information as you can. You need to make sure that you're going to get the information out of there and you have the right setup to be able to see everything with all of your clients. You should have an RMM tool or whatever you're using to be able to see all of your clients, and you need to make sure that you have the setup for that.

Microsoft Defender has been around for many years, and since Windows 10, they've really ramped it up, and it has gotten a lot better. I've seen some of the statistics on it, and it stands up against some of the other solutions out there, such as Norton. They've added things that make it more of an EDR, which is the endpoint detection and response layer. The ransomware was one of the big add-ons, and it is good that they've put that in there. It can stand on its own now.

It has not affected our organization's security posture a lot, but it has given me more options to lower costs for my clients. It has helped my clients and in turn, my business. It has not affected our end-user experience in a negative or a positive way. It is just a tool. I do the monitoring, stopping, blocking, and everything else for clients. 

It can be a good solution, and I hope that they grow with it and do more with it. They can make it simpler for the security and MSP world. If their solution just gets better for the MSP world, it would help everyone.

I would rate Microsoft Defender a seven out of 10 because of its lack of usability for an MSP and its lack of telemetry information, but it is useful, and it does stop ransomware.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
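The point this reviewer makes, that the ransomware controls in Defender ship switched off and should be tested before they are enforced, can be checked from an elevated PowerShell session. The following is an added example, not code from the review or from Microsoft: it inventories the relevant settings, turns controlled folder access and two attack surface reduction (ASR) rules on in audit mode, and then reads the audit events those features write to the Defender operational log, which is also the local source for the "what would have been blocked" telemetry the reviewer wants to pull into a SOC. The two ASR rule GUIDs are the identifiers Microsoft publishes for the named rules; confirm them against the current ASR rule reference before deploying, and treat the rule selection itself as an illustrative choice.

```powershell
# Added example: inventory Defender's optional protections, enable them in audit mode,
# then pull the audit events they generate. Run in an elevated session on a Windows 10/11
# host where Microsoft Defender Antivirus is the active AV.

# Illustrative ASR rule selection (GUIDs as published by Microsoft; verify before use).
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
}

function Get-DefenderProtectionState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtection       = $status.IsTamperProtected
        CloudProtection        = $pref.MAPSReporting                 # 0 = off, 1 = basic, 2 = advanced
        ControlledFolderAccess = $pref.EnableControlledFolderAccess  # 0 = off, 1 = block, 2 = audit
        AsrRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids).Count
        SignatureAgeDays       = $status.AntivirusSignatureAge
    }
}

function Enable-DefenderProtectionAudit {
    # Audit mode first: nothing is blocked, but every would-be block is logged,
    # so line-of-business breakage shows up in the log rather than on the help desk.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-DefenderAuditEvents {
    param([int]$Days = 7)
    # 1121 = ASR rule blocked, 1122 = ASR rule would have blocked (audit)
    # 1123 = CFA blocked,      1124 = CFA would have blocked (audit)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id,
                    @{ n = 'Detail'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

Get-DefenderProtectionState
Enable-DefenderProtectionAudit
Get-DefenderAuditEvents | Sort-Object TimeCreated -Descending | Select-Object -First 20
```

Once a week or two of 1122/1124 events shows nothing that matters to the business, the same `Set-MpPreference` and `Add-MpPreference` calls with `Enabled` instead of `AuditMode` switch the rules to blocking. Forwarding the Defender operational channel to the SOC's collector is what makes these events visible centrally rather than only on the individual device.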
Anthony Alvarico - PeerSpot reviewer
Deliver Practice Director at DynTek
MSP
Top 10
Leaderboard
A stable and scalable enterprise endpoint security platform that's easy to set up and deploy
Pros and Cons
  • "I like that it's easy to deploy because it already comes with Windows 10. Overall, it has all the features that we need. Easy to deploy, comes with updates, and comes with Windows updates. You don't have to really manage or update the signature."
  • "Integration with third-party vendors could be better. It would be better if it integrates with other protection solutions or other products outside of Microsoft. Nowadays, anti-virus protection doesn't really have to be planned as overall protection for your environment in terms of security. There are really different avenues that bad actors can take to wreak havoc on your machine."

What is our primary use case?

We use it to protect computers or endpoints from any malicious software, malware, and other viruses. You have to use this one as part of your overall protection plan.

How has it helped my organization?

The deployment of Microsoft Defender for Endpoint is a no-brainer when it comes to Windows. When you provision a new laptop for your environment, it comes with it. We use Intune to be seen on the cloud for centralized management. There's actually a console where you can go in and manage it properly, and we use Intune to deliver the onboarding.

What is most valuable?

I like that it's easy to deploy because it already comes with Windows 10. Overall, it has all the features that we need. Easy to deploy, comes with updates, and comes with Windows updates. You don't have to really manage or update the signature.

What needs improvement?

Integration with third-party vendors could be better. It would be better if it integrates with other protection solutions or other products outside of Microsoft. Nowadays, anti-virus protection doesn't really have to be planned as overall protection for your environment in terms of security. There are really different avenues that bad actors can take to wreak havoc on your machine. 

We don't just use anti-virus. That's really like a traditional way of doing it. We have different kinds of protections. We have our advanced threat protection for email, and we have Advanced Threat Analytics for domain controllers and servers. We use all those. 

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for three or four years.

What do I think about the stability of the solution?

It's very reliable and very dependable. I don't see any issues with it. In fact, it's the best product I have used because it's integrated with Windows 10. It doesn't eat up resources while running like other products. It's a really well-thought-out product.

What do I think about the scalability of the solution?

It can scale as much as you want. It installs a very low footprint on your laptop, but the management is cloud-based.

How are customer service and technical support?

Technical support is average. We call technical support very rarely for this particular product, but it's actually hit or miss with Microsoft. Sometimes you get a good person on the other line. Sometimes you get someone that's slow in providing support.

Which solution did I use previously and why did I switch?

I've used many products in the past, and I liked this one because I can't really find that many issues with it. I used McAfee, Symantec, CrowdStrike, and different anti-malware and anti-virus programs, but this seems to be good.

We switched because we're Microsoft partners, and we're actually kind of biased about it. We also implement other products because some of our clients use them. It's very hard to convince them to go with another product. Sometimes because of the existing subscriptions, they are unable to make the switch.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We are a Microsoft partner and consultants. We implement these solutions.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint comes with Windows 10, and it's free. But for you to be able to manage it in the cloud and use the console, you need to have either an Office 365 E5 subscription or a Microsoft M365 subscription. You need to buy an extra license.

What other advice do I have?

If you're looking for anti-virus software, use the one that comes with Windows 10, and save your money.

On a scale from one to ten, I would give Microsoft Defender for Endpoint a ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Mahmoud Eldeep - PeerSpot reviewer
Security Team Lead at Global Brands Group
Real User
Real-time detection, easy to deploy, and scalable
Pros and Cons
  • "Real-time detection and cloud-based delivery of detections are highly efficient."
  • "The application control feature requires improvement."

What is our primary use case?

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

How has it helped my organization?

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

What is most valuable?

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations.

What needs improvement?

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

Which solution did I use previously and why did I switch?

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration, for threat detection capabilities Microsoft Defender for Endpoint is stronger.

How was the initial setup?

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

What about the implementation team?

We implement the solution for our customers.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

What other advice do I have?

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
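Both this review and the previous one describe onboarding as the whole setup: push the onboarding package through Intune, a script or another MDM, and the device appears in the portal. What neither says is how to confirm, on the device, that onboarding actually completed, which is the check a deployment of "four to eight hours" across a fleet needs. The following is an added example, not code from either review or from Microsoft: it reads the onboarding state the sensor records in the registry, checks that the Sense service is running, reports which mode Defender Antivirus is in (passive mode is expected when a third-party AV is still present), and, when the host is not onboarded, tails the sensor's own event log for errors. The registry path, service name and log channel are the ones documented for the MDE sensor; run it in an elevated session.

```powershell
# Added example: verify that a Windows host is onboarded to Defender for Endpoint
# after the onboarding package or Intune policy has been applied. Run elevated.

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $av    = Get-MpComputerStatus

    $senseStatus = 'missing'
    if ($sense) { $senseStatus = [string]$sense.Status }

    [pscustomobject]@{
        OnboardingState  = $state              # 1 = onboarded, 0 = offboarded, empty = never onboarded
        SenseService     = $senseStatus        # expected: Running
        AvRunningMode    = $av.AMRunningMode   # Normal, Passive Mode, EDR Block Mode, ...
        SignatureAgeDays = $av.AntivirusSignatureAge
        Onboarded        = ($state -eq 1 -and $senseStatus -eq 'Running')
    }
}

function Get-SenseErrors {
    param([int]$Hours = 24)
    # The sensor logs onboarding and connectivity failures to its own channel;
    # Level 2 = Error.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

$result = Test-MdeOnboarding
$result
if (-not $result.Onboarded) { Get-SenseErrors }
```

Wrapped in an RMM script and run fleet-wide, the `Onboarded` flag gives a per-device yes/no that can be reconciled against the device list in the portal; the SENSE errors are usually the fastest way to see whether a failure is proxy or firewall related (the sensor cannot reach the cloud service) rather than a bad onboarding package.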
Keith Bird - PeerSpot reviewer
Cybersecurity Analyst at a university with 5,001-10,000 employees
Real User
Top 20
Provides great investigative capabilities, and the timeline function allows us to quickly see what caused an alert
Pros and Cons
  • "The investigation aspect is the most useful. It's user friendly and has a good user interface."
  • "I would like MDE to have the ability to isolate a certain amount of time on the timeline."

What is our primary use case?

I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.

We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.

I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.

My organization was in the process of using Sentinel to ingest data from their entire ecosystem.

The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.

How has it helped my organization?

MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.

MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive. 

If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.

What is most valuable?

The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.

I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.

MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.

Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.

MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.

MDE has also saved us time.

One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.

What needs improvement?

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.

With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.

After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

For how long have I used the solution?

I used MDE for two years.

What do I think about the stability of the solution?

The stability is great.

Which solution did I use previously and why did I switch?

I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.

Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.

I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.

How was the initial setup?

We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.

What other advice do I have?

I would rate this solution as eight out of ten.

If you have the money for it, I would recommend the Microsoft security solution.

I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.

The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
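The improvement this reviewer asks for, a view of exactly two minutes before and after an event without scrolling the portal timeline, is something the Kusto language can do today if the query is parameterised rather than rewritten each time. The following is an added example, not code from the review or from Microsoft: a PowerShell function that builds the KQL for a device and a pivot timestamp and runs it against the advanced hunting API. It assumes an Azure AD app registration with the `AdvancedQuery.Read.All` permission and a bearer token already obtained into `$Token` (token acquisition is out of scope here); the endpoint URL is the documented MDE advanced hunting endpoint, and the device name in the usage line is made up.

```powershell
# Added example: fetch the events on one device in a fixed window around a pivot time,
# equivalent to "30 seconds before and after" in a SIEM. Assumes $Token is a valid
# bearer token for the Defender for Endpoint API (AdvancedQuery.Read.All).

function Get-DeviceWindowEvents {
    param(
        [Parameter(Mandatory)] [string]   $Token,
        [Parameter(Mandatory)] [string]   $DeviceName,
        [Parameter(Mandatory)] [datetime] $Pivot,
        [int] $WindowMinutes = 2
    )
    $pivotIso = $Pivot.ToUniversalTime().ToString('o')

    # KQL: union the tables that make up the device timeline, keep only the window
    # around the pivot, and tag each row with the table it came from.
    $kql = @"
let pivot = datetime($pivotIso);
let w = ${WindowMinutes}m;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents,
      DeviceFileEvents, DeviceRegistryEvents
| where DeviceName =~ '$DeviceName'
| where Timestamp between ((pivot - w) .. (pivot + w))
| project Timestamp, Source = `$table, ActionType, FileName, ProcessCommandLine,
          RemoteIP, RemotePort, AccountName, InitiatingProcessCommandLine
| order by Timestamp asc
"@

    $body = @{ Query = $kql } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body $body
    $resp.Results
}

# Usage (hypothetical device name and pivot time):
Get-DeviceWindowEvents -Token $Token -DeviceName 'ws-0042.corp.example' `
    -Pivot '2024-04-01T13:22:07Z' -WindowMinutes 2 | Format-Table -AutoSize
```

The same KQL pastes unchanged into the Advanced hunting page of the portal, and into Sentinel once the Defender connector has brought the `Device*` tables in, so an analyst can keep the query saved and only change the two `let` values. If device names are not unique in the tenant (re-imaged hosts keep their name), filter on `DeviceId` instead.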
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024