Try our new research platform with insights from 80,000+ expert users
Sales Manager at Syntech
Real User
Helps us prioritize threats across our enterprise and saves us time and money
Pros and Cons
  • "Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions."
  • "Microsoft Defender for Endpoint can use more advertising to promote their features."

What is our primary use case?

We use the solution for antivirus and firewall protection.

How has it helped my organization?

Microsoft Defender for Endpoint's visibility into threats is good. The solution helps us prioritize threats across our enterprise.

Microsoft Defender for Endpoint has helped our organization by providing continuous protection across our organization without overloading our CPUs by running in the background. We realized the benefits of Microsoft Defender for Endpoint while we were comparing it with other solutions.

Microsoft security solutions help automate routine tasks and identify high-value alerts. I used to work as a System Administrator or Network Administrator, so I understand how useful it is for admins to have their routines automated. I am aware that the solution supports policies and ensures that it is very beneficial.

Automation has enabled the process to be automated, such as protecting certain roles or allowing digital transactions, etc.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps.

Microsoft Defender for Endpoint saves us time and money.

The solution has helped reduce our time for detection and response.

What is most valuable?

Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions.

The solution is reliable.

What needs improvement?

Microsoft Defender for Endpoint can use more advertising to promote their features.

Buyer's Guide
Microsoft Defender for Endpoint
July 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
862,514 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for five years.

What do I think about the stability of the solution?

The stability of Microsoft Defender for Endpoint is good.

What do I think about the scalability of the solution?

The solution is easily scalable. We have ten people using the solution currently.

Which solution did I use previously and why did I switch?

I previously used, Symantec Endpoint Detection and Response, ESET Endpoint Security, and McAfee MVISION Endpoint Detection and Response before switching to Microsoft Defender for Endpoint.

What other advice do I have?

I give the solution a ten out of ten.

The solution is deployed across our local network. 

I recommend the solution and it should not be removed from a person's computer.

The type of endpoint security solution that is used in an organization should be based on the environment.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Infrastructure Engineer at Red Cross International Committee
Real User
Gives me all the resources I need in one place
Pros and Cons
  • "It's a very complete application. I have all the controls in one site. I can track emails, attacks, and threats, and I can research information. I really like this configuration because I have all the information in place."
  • "I have accounts for administrators and corporate employees, but I also have accounts for students. I can't split these types of accounts. I need a separate configuration for both... I need to research how I can get alerts for only the administrative machines."

How has it helped my organization?

In the past, I needed two, three, or four apps to do my job. With Microsoft Defender for Endpoint, I have all the resources on one site. I can check what the threats are and if the computers need to be updated or if they reboot with various apps. It's very helpful for us. For example, I have colleagues who use different versions of a certain programming software. With this tool, I can check whether they need to update the app because an older version might have a lot of bugs. I can check which applications need to be updated or uninstalled.

I have a lot of alerts set up as well. For example, all our users are here in Mexico. If we get someone connecting in the UK or Venezuela or Colombia, we get an alert. I then know I need to change the password and use two-step authentication.

And I get a message when a new threat comes up or I need to do updates to different tools. This is helpful because threats are always working in innovative ways. These are very important messages for us.

Defender for Endpoint saves me a lot of time because I have all the alerts and information in one application. It also saves money because when you lose information due to an attack, you lose a lot of money on the reconfiguration of the sites or the information or on the recovery of a backup or a server. It's very important to have a tool like this. It saves a lot of money. The cost-benefit is very good.

What is most valuable?

It's a very complete application. I have all the controls in one site. I can track emails, attacks, and threats, and I can research information. I really like this configuration because I have all the information in place. It was very easy for me to configure it to show me all the things that I need in one dashboard for monitoring.

The visibility into threats is very good. I can track the threats very easily in this application. I have also used Trend Micro and it's more difficult to do with that solution. With Defender, I have all the information and I can follow all of the steps and do my job. It's really easy and very impressive.

I also use Microsoft Endpoint Manager to control all our laptops and cell phones. I take care of all those policies in that solution. In addition, I use Microsoft Azure and Microsoft Exchange, as well as Teams and SharePoint. I have integrated them all into one environment. All the solutions are integrated into one solution and that makes my job easier. Integrating them is really easy because you have one platform to configure all of them. In the role of the global manager, I can make all the changes in these solutions. And the process for connecting all these apps is very easy.

What needs improvement?

I have two different environments, two different types of accounts. I have accounts for administrators and corporate employees, but I also have accounts for students. I can't split these types of accounts. I need a separate configuration for both. I don't have access to the laptops or computers of the students, so I can't deactivate the alerts from the students' machines. I get a lot of alerts from their machines. I need to research how I can get alerts for only the administrative machines.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for three years.

What do I think about the stability of the solution?

The stability of Defender for Endpoint is very good. I haven't had trouble with it.

What do I think about the scalability of the solution?

The scalability is pretty good. It's easy to scale it.

I have different locations here in Mexico, with about 300 users here and two or three in the UK, depending on the travel schedule.

How are customer service and support?

I have contact with a Microsoft partner here in Mexico as well as directly with Microsoft. If the partner doesn't have a solution, I can contact Microsoft support.

The support is very quick in communicating. Usually, with one mail or one call, the problem is resolved.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Trend Micro and Symantec in the past to research threats, like viruses and malware, but for me, Defender for Endpoint is the better solution. It's very easy to integrate all the tools and gives me a lot of information in one place. It's very easy to detect an attack or email threat.

How was the initial setup?

I also get all the alerts on my cell phone. Because I have all the alerts, if one of my colleagues in the IT area makes a change, I have all the information. That makes it very easy to maintain.

What's my experience with pricing, setup cost, and licensing?

For me, the pricing is very good, but for management it's very expensive. Other solutions are less expensive. But when I present all the information and all the reports they say, "Well, it's expensive, but the cost-benefit is very good."

What other advice do I have?

If you have all the information, and you are clear about what solutions your business needs, and Microsoft has all that information, the change is very easy. It's a very good solution.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
July 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
862,514 professionals have used our research since 2012.
reviewer1828581 - PeerSpot reviewer
ICT&CyberSecurity Services Team Lead at a comms service provider with 501-1,000 employees
Real User
Scalable, has XDR capabilities, and integrates well with Microsoft products
Pros and Cons
  • "I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids."
  • "I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that."

What is our primary use case?

We have been using it in our test environment. On the customer side, we are using the small business variant of the tool. So, we are using Microsoft Defender for Endpoint and Microsoft Defender for SMBs. They're pretty similar, but the one for SMBs is a little lighter.

In our test environment, we have access to 50-seat licenses for everything. So, we are making sure that we are technically in a good place before we begin to offer this kind of solution to our clients. In addition to our solutions, we are delivering services to our clients. So, when we sell an SMB or enterprise Microsoft license, we are able to do the migration, management, and other things for a client.

How has it helped my organization?

It works well with different solutions from Microsoft. If a company is using Microsoft 365 package, this security addition is easier to implement and manage because it is from the same vendor. You have greater visibility because they are from the same vendor. Microsoft probably also has larger visibility on the endpoint itself because of its own operating system.

It provides good visibility into threats. I would rate it a seven out of ten in terms of visibility.

Its threat intelligence is helpful for preparing for potential threats before they hit and taking proactive steps. We can manage our own images, and we can also inform the client to patch certain things.

What is most valuable?

I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids.

It allows you to prioritize threats across the enterprise, which is very important because the SLAs are different for different cases. If the error is critical, you must act now. If something is just informal, it can be done in weeks. 

What needs improvement?

I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that.

A simplified SIEM would work so that we don't have to use everything on the Sentinel, which is great by the way, but Sentinel is too expensive for our kind of market. It is an enterprise product. It is not an SMB product.

For how long have I used the solution?

We have been using it for half a year in our test environment.

What do I think about the stability of the solution?

It is good. It is stable. Once you set it up, it works, but we haven't tested it on a large time scale. The solution itself is pretty young. We'll see how stable it will be in the next few years.

What do I think about the scalability of the solution?

It is very scalable. We hope to increase the usage of the product. It is being used only by our team for now at multiple locations. It is for laptops in the office and other networks and also for mobile devices. A few tech guys in our department are testing everything that could happen on the client side, and that's it.

How are customer service and support?

I didn't use their support for this solution, but the knowledge base, training, and documentation are pretty good. I would rate it a nine out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

It is complex. You need to first have a list of computers. Then, you need to set up the plan for these computers, and then, you need to deploy it and apply it. There are too many steps to deploy this kind of solution because it is a Microsoft native solution.

In terms of the implementation strategy, first, you need to have a view of the inventory. You have to have knowledge of what is already installed on an endpoint. You don't want to cause any clashes with some other endpoint security vendor. So, you need to know your devices. The next one is to prepare the package and then decide to deploy it via Intune or via MSI, through group policy.

In terms of duration, you can deploy it on one computer in minutes. If you are deploying it on a thousand computers and everything is set up correctly, it can be done in a few hours, but if everything is not set up correctly, it can take up to a day or a week. 

It took a month for us to realize its benefits from the time of deployment. It takes some time to understand the settings, portal, etc. 

It has not yet saved any time. It has only consumed my time for now because I need to learn and do the training and PoCs, but it is an investment for the future.

What about the implementation team?

The number of people required for deployment depends on the size of the client or the company. I can do it by myself if I have a client with 100 seats, but if there is a corporation or enterprise in several locations, we need to involve the local IT people to confirm everything is okay, etc.

It doesn't require any maintenance, but it requires somebody to take care of the consequences. You can implement endpoint security and just have it there. You don't have to maintain the solution itself, but you need to take care of the alerts. You need to take care of the patches and other things. The number of people required depends on the size of the client.

What was our ROI?

It hasn't saved us any money yet. It might save in the future, but it depends on the pricing of Microsoft because there are several different parts of the Microsoft solution. 

What's my experience with pricing, setup cost, and licensing?

Everybody would like to see a lower price on everything. The Slovenian market is basically an SME market with clients having up to 100 seat licenses, comprising 90% of the company. They're very price sensitive. So, the price could be cheaper. 

Any additional costs depend on the basic license of the client. There could be additional costs. If somebody needs Plan 2 of Defender for Endpoint, if I'm not mistaken, it is only available as an add-on. It is not included in any license, not even in the E5 license. So, there are some things at an additional cost.

Which other solutions did I evaluate?

We are always open to suggestions and newer and better things. We are constantly looking around for similar solutions and testing them. Microsoft is the biggest player. Everybody uses something from Microsoft. So, it is a logical next step. For an MSP, by having everything from one vendor or everything under one umbrella, managing clients is easier. This is the main reason for exploring this solution.

At the moment, we are using the Cynet XDR solution, and we also tried SentinelOne. We are going to put it in our portfolio in the following months, but mostly, we are comparing everything to Cynet because we have more clients on Cynet.

In comparison to other solutions that we are using, Microsoft Defender for Endpoint has not decreased our time to detect and time to respond much.

What other advice do I have?

In my opinion, from the management and maintenance point of view, it is better to go with a single vendor, but from the security point of view, multiple vendors on multiple layers could work better than one vendor. If one vendor is breached, then everything goes, but if you have several layers with several vendors, and only one is breached, you have other vendors.

My advice to those evaluating Microsoft Defender for Endpoint is to stick with it and train themselves. They should know the solution and try it as much as they can. Microsoft is on the right path here.

It helps to automate routine tasks and the finding of high-value alerts, but we haven't yet implemented automation. We are planning to implement it, but at this time, because of a small number of clients, it is easier to do it manually. We just look into the alerts and resolve them one by one. We don't have a few thousand alerts per day, per week, or per month. So, it is manageable to handle them manually.

It would help us to eliminate looking at multiple dashboards and have one XDR dashboard, but we haven't yet managed to do that.

I would rate it an eight out of ten. I would have rated it a ten, but it is a pretty pricey solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer1324401 - PeerSpot reviewer
Principle IT Support Engineer at a retailer with 201-500 employees
Real User
A robust, straightforward, and intuitive tool that's easy to manage from the admin center
Pros and Cons
  • "Defender for Endpoint is a robust solution that works well out-of-the-box."
  • "Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing."

What is our primary use case?

Our primary use case is anti-malware and virus protection for our machines. We don't operate a network as such; our setup is almost entirely in the cloud.

We use the solution across multiple departments and teams, with about 400 total end users.

How has it helped my organization?

Around 90% of our estate is Mac, so we rarely have security alerts, but we get daily reports. The solution lets us proactively advise users about security concerns, especially when downloading files.

What is most valuable?

The solution is a Microsoft built-in tool, so it's very straightforward to use and monitor from the admin center, it's intuitive. 

As with all antivirus software, the benefits of using it far outweigh the risks of not having it. Protecting our estate, machines, and users is essential. We can take action quickly, for example, when a user downloads something suspicious and step in before the threat escalates. As an organization, we have encrypted files and data it is vital for us to protect.

Defender for Endpoint is a robust solution that works well out of the box. 

We can monitor and manage our security picture from one dashboard, and that's one of the primary reasons we use the solution. Our machines are enrolled on Microsoft Intune, which further simplifies management. With the E5 license, everything is in the same place; that makes our job easier and allows us to be more proactive when confronting threats. Not having to log in and out of different systems to manage devices is an excellent improvement to our operation.

The solution's threat intelligence helps us prepare for potential threats and makes us more proactive. We have the information required to warn our users of threats, including malicious links and phishing emails. The product gives us an accurate picture of the threat landscape, enabling us to adapt our strategy to protect our most sensitive and vital data.

There is a difficult balance working in IT, as we don't want to put all our eggs in one basket; if one system goes down, we are compromised. We want the flexibility and reliability offered by different specialized solutions, but that complicates management. With Defender for Endpoint, we don't need to worry about machines slipping through the gaps and remaining unprotected because the product is connected to the user account and pushed by the tenant. There is no agent, and the solution isn't intrusive; the user doesn't even know it's there. Other vendors I dealt with in the past required clients to be installed and updated, with potential problems coming in if the client isn't up to date. This isn't an issue we have with Defender. 

What needs improvement?

Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing.

For how long have I used the solution?

We have been using the solution for about six months.

What do I think about the stability of the solution?

The solution is stable; Microsoft goes down very rarely. It happened just a few times over my career. If it does go down, the impact is significant.

What do I think about the scalability of the solution?

The solution is very scalable. Microsoft makes that easy, and we plan to increase our Defender for Endpoint usage.

How are customer service and support?

I've only contacted Microsoft support a few times, and they were always helpful. I don't have any issues with the support; they're good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Symantec Endpoint Security. It was somewhat clunky. The engineers found it too intrusive as it required a client to be installed, dramatically slowing down the machines. We switched to Defender for Endpoint because it's part of the Microsoft suite, and we can use it across platforms for Windows and Mac.

How was the initial setup?

The initial setup is straightforward. Initially, we didn't use the E5 licensing, so it was a basic cloud setup with a license per user. Now we have our own tenants, and we're deploying E5 licenses, and Defender for Endpoint comes as part of the license. A user activates the app in the Office 365 tenant, and that's the setup.

The initial deployment didn't take very long; it was just a tick box exercise. We are moving tenants, so we're giving everyone a new E5 license when they move over. It's quick and easy to assign licenses via a tool we have, which provides users with access to the entire Microsoft suite, including Defender for Endpoint.

Five people were involved in the deployment, all of them IT staff.

I'm not directly involved in taking care of the solution, but it seems lightweight in terms of maintenance. Most of the updating is end-user-driven; users are prompted to restart their machines to stay up to date with security patches.

What was our ROI?

As we have only been using the solution for six months, I don't think we've seen an ROI yet. I imagine in another two years, we will see a return.

What's my experience with pricing, setup cost, and licensing?

AV solutions are pretty expensive because they are necessary, not just for protection, but many businesses need them to comply with regulatory bodies and receive accreditation. We recently purchased an E5 license, which gives us access to the entire Microsoft suite. I would say the pricing is competitive; most tools of this kind are similarly priced. There are minor differences between the competitors, but they aren't spectacularly different. Defender for Endpoint makes sense because all our solutions are in the same place, paid for with a single license. The subscription price is around £50 per user per month, though it may have increased slightly.

Which other solutions did I evaluate?

We evaluated Sophos Intercept X and Kaspersky Endpoint Security for Business.

What other advice do I have?

I would rate the solution an eight out of ten. 

Defender for Endpoint helps us automate routine tasks, but I don't specifically know what kind of automation it does or what we use it for, as the InfoSec team is responsible for that. 

No solution is completely foolproof, but the configuration has a large part to play in the quality of the protection. 

We have been in business for two years, so we're a relatively small and young company. Nevertheless, it's vital to have protection against malicious actors. The threat landscape we face today is complex and diverse, so our threat protection needs to be up to par. That's the benefit of using the product; we need to protect our data, and having a tool that informs us of potential threats is excellent.

As an end user, the solution didn't personally save me time, but I imagine it did for the InfoSec team who deal with it directly. The security reporting will all be in one place, and we don't have to go to the marketplace to look for separate tools to fulfill different functions.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Gregory Leiby - PeerSpot reviewer
Endpoint Security at a manufacturing company with 10,001+ employees
Real User
We use it to keep endpoints safe, and we have had outstanding technical support
Pros and Cons
  • "You have endpoint security to keep your devices safe. That's the feature that we're interested in."
  • "There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives."

What is our primary use case?

I'm part of a team that does governance and consulting for migration from Symantec Endpoint Security to Microsoft Defender for Endpoint.

How has it helped my organization?

I haven't really seen anything in the solution that is an improvement over anything else. It's just that as we move to Microsoft cloud, it makes sense to look at some of the other products that sync between onsite and cloud. It's a stretch to say that it has inherently improved things.

What is most valuable?

You have endpoint security to keep your devices safe. That's the feature that we're interested in.

The visibility into threats is good.

What needs improvement?

There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives. Otherwise, there's no point in using it, as our SOC would be overwhelmed. Their choice would be either to run down every false positive, which would take their attention away from other things or to start ignoring positives, which defeats the purpose of having alerts.

The threat intelligence is too overwhelming right now. The amount of time it takes to sort through and figure out proactive solutions and prioritize—if there was an imminent threat and we just relied on that—means the bad actors would have already had a chance to get to work.

It also hasn't eliminated having to look at multiple dashboards. That's one of the running jokes with the Microsoft products: They keep hinting at a single pane for everything, and they're getting better, but they're still pretty far away from that. That would be revolutionary if Microsoft could figure out how to run all their security stuff through a single pane. They would have people lined up with money in hand, but they are not there. They're not close to it. For them to even talk about it right now is disingenuous. Microsoft is better than that.

The single biggest thing that Microsoft needs to do is figure out how to pull everything together so that all their security products can be accessed through one dashboard; one place where all of that information can be gathered and looked at by people with the appropriate access permissions.

The other thing that they need to figure out is how to move away from the amount of scripting that needs to be done with a lot of their products and move into a GUI. That's especially true because there is difficulty getting people with scripting skills, especially when you get into the Kusto Query Language and putting together tables through scripts. If that could be done with a point-and-click, that would be a notable achievement.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for about a year and a half.

What do I think about the stability of the solution?

The solution is solid. 

The biggest "catch" is that clients do not always want to implement systems according to the manufacturer's best practices. There's always friction if the client has in mind one way it should be, but it was designed differently.

In our case, we're talking about a big company that is used to being a big enough client that the vendor will change what they do to accommodate them. Microsoft does not have to. That's not a criticism of Microsoft. It's just that Microsoft is big. They are not a little regional provider. They will not change something in their product that's distributed globally to accommodate a client with a non-standard way of wanting to implement something. There's friction with that. 

I do not see that as friction with Microsoft because of Microsoft, I see it as the friction of a client that takes a solution from a huge provider but sometimes has the mindset that they want the attention that comes when they purchase a solution from a small provider.

How are customer service and support?

When it comes to technical support, I have found Microsoft to be outstanding. The answers are not always what people want to hear, but the answers are legitimate. I do not have any criticism of Microsoft on that.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Symantec Endpoint Security.

Aside from the possibility that some forward-thinking people see us having more of a presence in Azure, and the logic of using a Microsoft product that goes along with that, I have no clear idea what prompted the switch. That is not a poor reflection on Microsoft. It's just that whatever motivated moving from a solution that was working fine to another solution is beyond my knowledge.

How was the initial setup?

We have about 180,000 endpoints and they are distributed globally. It took us about six months to do the rollout. As we did that, we figured out various aspects that needed to be tweaked or changed for the best.

What was our ROI?

I doubt, at this point in the migration, that there is going to be ROI. I do not have enough information on that to really make an accurate determination. I think the biggest payoff is going to come in the future, as we throw more and more resources into cloud and we need to have some continuity with systems in the cloud and onsite.

What other advice do I have?

First, have an understanding of Microsoft's best practices. Second, understand that Defender for Endpoint is part of the operating system. It is not a "bolt-on," like most antiviruses are. There are going to be some differences in how Defender interacts with an operating system, compared to an external solution. Be prepared for that.

It helps prioritize threats across an enterprise to some extent, but we haven't delved that deeply into that part of Defender yet.

The solution hasn't saved us time but I'll qualify that with the fact that we are in migration, moving to a new system, which is Microsoft, and that always takes more time and effort, as we work through the teething troubles. That is not necessarily a reflection on Microsoft. It's a reflection that anytime you move from one system to another, it takes a while before the teething troubles are smoothed out.

If a security colleague said to me that it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say there are pros and cons. It would have to be a discussion about what they need to achieve and their thoughts on why a particular solution would seem best. On a high level, there are good and bad reasons for all kinds of solutions. Without having a clear understanding of what is trying to be achieved, it's really difficult to say whether one is particularly good or bad.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1945362 - PeerSpot reviewer
Consultant at a tech services company with 1,001-5,000 employees
Real User
Enables us to run queries on application details for customized detection
Pros and Cons
  • "Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features."
  • "I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks."

What is our primary use case?

It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.

How has it helped my organization?

The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.

The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.

There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.

Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVD details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.

In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.

What is most valuable?

Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.

Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.

What needs improvement?

I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.

I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.

For how long have I used the solution?

I've been working with Microsoft Defender for Endpoint for close to one year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is also scalable. 

Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.

How are customer service and support?

Support depends on the support contract you have. The Premier support contract is comparatively efficient.

I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.

How was the initial setup?

It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.

In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment. 

Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.

You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.

The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.

What's my experience with pricing, setup cost, and licensing?

The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.

Which other solutions did I evaluate?

We did consider other options, CyberArc and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.

The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.

What other advice do I have?

I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.

I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.

Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
PeerSpot user
reviewer896508 - PeerSpot reviewer
‎Infrastructure Analyst at a energy/utilities company with 1,001-5,000 employees
Real User
Covers almost all threats, doesn't slow down systems, and helps with compliance and business uptime
Pros and Cons
  • "It doesn't cause the slowness of the system, which is one of the reasons why I like it."
  • "They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder."

What is our primary use case?

I have tried so many antiviruses personally, but this one is integrated with the operating system. That's one of the main reasons for considering this.

How has it helped my organization?

The main benefits are compliance and protection from threats.

It helps us to avoid disruption in the business. It helps us see if other solutions are causing any slowness to our end-user machines. We can see if there are any service availability issues. Operations-wise, it helps us a lot to maintain the uptime of our business.

It helps us prioritize threats across our enterprise, which is very important and one of our priorities.

We have the Defender for cloud applications. It's very easy to integrate. It's straightforward. These solutions work natively together to deliver coordinated detection and response across our environment, which is very important for us.

We did extensive testing of its functionality, and it's very effective. It covers almost all the new, unknown, and known threats. 

It helps automate routine tasks and the finding of high-value alerts, which is helpful for incident response and SLAs. It has saved us 50% of the time to respond to the incident.

It helps us to be proactive. It can detect unknown threats and alerts us. We're able to identify any malicious sign-ins or logins. 

It has decreased our time to detect and respond. Previously, we were doing it manually. It took one hour to two hours to detect and respond. Now, it takes us minutes.

What is most valuable?

It has very good detection and protection capabilities. They have a new feature for ransomware protection. 

It doesn't cause the slowness of the system, which is one of the reasons why I like it.

What needs improvement?

There is complexity in accessing the dashboard. Microsoft security suite has a different URL per service or per application. If there was one single place of information, that would help.

They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder.

For how long have I used the solution?

I've been using it for about five years.

What do I think about the stability of the solution?

It's very stable.

What do I think about the scalability of the solution?

It's very scalable. We have deployed it only to 250 endpoints for now. It's not enterprise-wide. We have plans to increase its usage.

How are customer service and support?

I haven't encountered many issues so far. Their support is good. I would rate them an 8 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used another solution. The switch over to this solution was a management decision.

How was the initial setup?

We have a hybrid deployment with the Microsoft Azure cloud. The initial setup was complex. There were some issues because a lot of prerequisites needed to be accomplished. It took us about three months.

We had a staged approach. We first onboarded non-critical assets and then moved to critical assets.

It takes time to realize the benefits from the time of deployment. It took us about two years.

What about the implementation team?

We had around five people for deployment. Some of them were testers, and some of them were admins for the configuration and deployment of agents.

It requires maintenance. We have cloud administrators and desktop support for endpoints.

Which other solutions did I evaluate?

We did look into other solutions. We have criteria for evaluation. The features that stood out were their reputation and innovation.

What other advice do I have?

I would recommend Microsoft Defender. They are a leader, and they have many deployment use cases. However, it also depends on the requirements of a company. There is no one-size-fits-all. Each company has its own unique requirements.

I would rate it an 8 out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1126467 - PeerSpot reviewer
Security Consultant with 10,001+ employees
Real User
Zeros you in on the events that are concerning, and simplifies the effort of correlating the behaviors or actions you see in the environment
Pros and Cons
  • "Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat."
  • "Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get."

What is our primary use case?

It is mainly utilized for telemetry collection and correlating specific behaviors or reactions to TTPs, IOCs, or indications of compromise. It is used for getting that level of detail. 

How has it helped my organization?

It is good for attack surface reduction, which is how you harden your endpoint so that they're less likely to be infiltrated or compromised if you have an operative in your environment. So, it's mainly used for reducing the opportunity for someone to compromise the system but also for rapid detection when that occurs.

What is most valuable?

Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat.

What needs improvement?

Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get.

The other consideration is that because it's Windows native capability, your capabilities are largely influenced by what version of OS you're running. For a small-medium business, it is not a big deal, but at an enterprise scale, there are always Server 2000, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019, and so on. So, you're talking about having six or seven different versions where your capabilities are not consistent between 2003 and 2019. It's like asking how robust was security in Windows 2000 versus Windows 2010. You'd say that they're not even the same OS from a security perspective, and that's crazy. When you buy CrowdStrike, you're deploying an agent, and so you get a fairly consistent set of capabilities that are agnostic to the OS version, whereas, with Microsoft, the capabilities are largely influenced by the OS version. For an enterprise, being up to date is a very big consideration to be successful with the platform. So, it forces your platform to not lag behind. You can't have the old server versions and expect that you've got a robust EDR. Defender shines on Server 2016 and higher, but if you were to do some type of penetration or red teaming exercise on a 2003 server, you'd be better off with CrowdStrike or pretty much anything else.

For how long have I used the solution?

We've been piloting it for the last six months, and this is what we have selected to implement.

What do I think about the scalability of the solution?

There are no scalability constraints because it's all in the cloud. It's a SaaS. So, they can take on more PCs than any Fortune 500 would even have. The only constraint is that in terms of scaling, the strength of the platform is highly influenced by the OS version. If you were largely using Windows XP and Server 2003, you would not want to choose Microsoft Defender as your suite.

How are customer service and support?

It is fantastic, but sometimes, it could be challenging to navigate. If you buy something like a Carbon Black or a CrowdStrike, you normally have one sales rep and one sales engineer, and depending on the level of support you pay for, you may get premium or platinum support, which means you have a very concise escalation path. With Microsoft, there are 20 different account reps. There is a productivity suite guy. There is a security guy. There are so many different places, which can create some confusion at times, but there is no lack of resources. If you have an issue, there are so many Microsoft employees and reps who are engaged at the enterprise level that once you figure out who to speak to, you get traction pretty quick. So, in summary, because there are a lot more people, their support is really great, but sometimes, having a lot more people can also create confusion in terms of where to go.

How was the initial setup?

It is easy. It is native. They're literally like checkboxes. There is really nothing to package and deploy. If you're at a current version, it is a policy. You just turn on the policy. You go through the setup of installing McAfee on your home computer with next, next, next, and finish, or Microsoft will say, "Hey, we noticed you don't have an AV. Do you want to enable Microsoft or Windows Defender?" You say yes, and you slide the box from off to on, and you're now protected. It is like that. It couldn't be easier. There are things like firewall rules and network considerations that have to happen, but from an enablement perspective, because it is native, it really reduces the burden of onboarding the platform.

Which other solutions did I evaluate?

We didn't go through a real comprehensive analysis when we made the selection. We did some light touching, but we really did not do some comprehensive analysis between Microsoft and CrowdStrike. 

At an enterprise level, a lot of the stuff is based on relationships. It's not like you're starting from a green field. You look at who is your strategic vendor and who is not. With Microsoft specifically, you always get bundle deals towards your renewals. It's always like if you buy more Office 365, we can give you a discount on Defender and things like that. If you don't have a relationship with CrowdStrike or someone else, it is hard for their rep to speak to your CEO or your CSO, but Microsoft does. They've already got standing monthly meetings with them. So, we've made a determination to go with Microsoft because:

  1. The technology is compelling.
  2. It is a strategic fit for us. 

What other advice do I have?

I would rate it a nine out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2025
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.