It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.
Consultant at a tech services company with 1,001-5,000 employees
Enables us to run queries on application details for customized detection
Pros and Cons
- "Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features."
- "I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks."
What is our primary use case?
How has it helped my organization?
The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.
The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.
There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.
Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVE details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.
In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.
What is most valuable?
Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.
Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.
What needs improvement?
I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.
I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.
Buyer's Guide
Microsoft Defender for Endpoint
September 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,706 professionals have used our research since 2012.
For how long have I used the solution?
I've been working with Microsoft Defender for Endpoint for close to one year.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is also scalable.
Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.
How are customer service and support?
Support depends on the support contract you have. The Premier support contract is comparatively efficient.
I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.
How was the initial setup?
It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.
In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment.
Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.
You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.
The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.
What's my experience with pricing, setup cost, and licensing?
The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.
Which other solutions did I evaluate?
We did consider other options, CyberArk and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.
The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.
What other advice do I have?
I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.
I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
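The workflow this reviewer describes, putting an application's details into an advanced hunting query and saving it as a customized detection so the alert fires on its own next time, looks like the following in Kusto Query Language. This is an added example and not code from the review or from Microsoft; the executable names, the signer string and the hash are placeholders for whatever application you are tracking, and "legacyupdater" is a hypothetical name.

```kql
// Added example (not from the review). Custom detection for a hypothetical
// application "legacyupdater.exe"; the file names, signer and SHA-256 are
// placeholders. A detection rule built on DeviceProcessEvents has to return
// Timestamp, ReportId and DeviceId so the portal can raise the alert and
// run response actions on the matching device.
let lookback = 1h;   // keep at or above the rule's run frequency so no events are skipped
let watchedNames   = dynamic(["legacyupdater.exe", "legacyupdater-setup.exe"]);   // placeholders
let watchedSigners = dynamic(["Contoso Legacy Software LLC"]);                      // placeholder
let watchedHashes  = dynamic(["0000000000000000000000000000000000000000000000000000000000000000"]); // placeholder SHA-256
// Signer lookup: a renamed copy of the binary still matches on its certificate.
let signedByWatched =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | where IsSigned == true and Signer in~ (watchedSigners)
    | distinct SHA1;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (watchedNames)
     or SHA256 in (watchedHashes)
     or SHA1 in (signedByWatched)
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          FileName, FolderPath, SHA256, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Run it first in Advanced hunting to confirm the result set is what you expect, then save it as a custom detection rule; the rule dialog is where you pick the run frequency and any response actions (for example isolating the device or collecting an investigation package). Matching on name, hash and signer together is what keeps the rule useful after the vendor ships a new build or a user renames the file.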

Infrastructure Analyst at an energy/utilities company with 1,001-5,000 employees
Covers almost all threats, doesn't slow down systems, and helps with compliance and business uptime
Pros and Cons
- "It doesn't cause the slowness of the system, which is one of the reasons why I like it."
- "They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder."
What is our primary use case?
I have tried so many antiviruses personally, but this one is integrated with the operating system. That's one of the main reasons for considering this.
How has it helped my organization?
The main benefits are compliance and protection from threats.
It helps us to avoid disruption in the business. It helps us see if other solutions are causing any slowness to our end-user machines. We can see if there are any service availability issues. Operations-wise, it helps us a lot to maintain the uptime of our business.
It helps us prioritize threats across our enterprise, which is very important and one of our priorities.
We have the Defender for cloud applications. It's very easy to integrate. It's straightforward. These solutions work natively together to deliver coordinated detection and response across our environment, which is very important for us.
We did extensive testing of its functionality, and it's very effective. It covers almost all the new, unknown, and known threats.
It helps automate routine tasks and the finding of high-value alerts, which is helpful for incident response and SLAs. It has saved us 50% of the time to respond to the incident.
It helps us to be proactive. It can detect unknown threats and alerts us. We're able to identify any malicious sign-ins or logins.
It has decreased our time to detect and respond. Previously, we were doing it manually. It took one hour to two hours to detect and respond. Now, it takes us minutes.
What is most valuable?
It has very good detection and protection capabilities. They have a new feature for ransomware protection.
It doesn't cause the slowness of the system, which is one of the reasons why I like it.
What needs improvement?
There is complexity in accessing the dashboard. The Microsoft security suite has a different URL per service or per application. If there was one single place of information, that would help.
They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder.
For how long have I used the solution?
I've been using it for about five years.
What do I think about the stability of the solution?
It's very stable.
What do I think about the scalability of the solution?
It's very scalable. We have deployed it only to 250 endpoints for now. It's not enterprise-wide. We have plans to increase its usage.
How are customer service and support?
I haven't encountered many issues so far. Their support is good. I would rate them an 8 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used another solution. The switch over to this solution was a management decision.
How was the initial setup?
We have a hybrid deployment with the Microsoft Azure cloud. The initial setup was complex. There were some issues because a lot of prerequisites needed to be accomplished. It took us about three months.
We had a staged approach. We first onboarded non-critical assets and then moved to critical assets.
It takes time to realize the benefits from the time of deployment. It took us about two years.
What about the implementation team?
We had around five people for deployment. Some of them were testers, and some of them were admins for the configuration and deployment of agents.
It requires maintenance. We have cloud administrators and desktop support for endpoints.
Which other solutions did I evaluate?
We did look into other solutions. We have criteria for evaluation. The features that stood out were their reputation and innovation.
What other advice do I have?
I would recommend Microsoft Defender. They are a leader, and they have many deployment use cases. However, it also depends on the requirements of a company. There is no one-size-fits-all. Each company has its own unique requirements.
I would rate it an 8 out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Independent Security Consultant/ Virtual CISO at Galbraith & Associates Inc.
Is great at identifying threats on Windows and Azure products
Pros and Cons
- "The comprehensiveness of Microsoft threat-protection products is great... Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data."
- "If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases."
What is our primary use case?
I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.
I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work with together.
We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.
How has it helped my organization?
Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve when the project reaches maturity.
Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.
It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations, incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.
What is most valuable?
The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.
Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list.
If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler.
Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.
The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.
Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.
Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.
What needs improvement?
Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.
For how long have I used the solution?
I have been using Defender for about five years.
What do I think about the stability of the solution?
Defender is robust.
What do I think about the scalability of the solution?
I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.
How are customer service and support?
I've mostly seen the pre-sales part, like doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.
Which solution did I use previously and why did I switch?
Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender.
Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view.
How was the initial setup?
As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.
What's my experience with pricing, setup cost, and licensing?
The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics.
It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.
Which other solutions did I evaluate?
Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration.
Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM QRadar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.
What other advice do I have?
I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant with 10,001+ employees
Zeros you in on the events that are concerning, and simplifies the effort of correlating the behaviors or actions you see in the environment
Pros and Cons
- "Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat."
- "Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get."
What is our primary use case?
It is mainly utilized for telemetry collection and correlating specific behaviors or reactions to TTPs, IOCs, or indications of compromise. It is used for getting that level of detail.
How has it helped my organization?
It is good for attack surface reduction, which is how you harden your endpoints so that they're less likely to be infiltrated or compromised if you have an operative in your environment. So, it's mainly used for reducing the opportunity for someone to compromise the system but also for rapid detection when that occurs.
What is most valuable?
Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat.
What needs improvement?
Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get.
The other consideration is that because it's Windows native capability, your capabilities are largely influenced by what version of OS you're running. For a small-medium business, it is not a big deal, but at an enterprise scale, there are always Server 2000, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019, and so on. So, you're talking about having six or seven different versions where your capabilities are not consistent between 2003 and 2019. It's like asking how robust was security in Windows 2000 versus Windows 2010. You'd say that they're not even the same OS from a security perspective, and that's crazy. When you buy CrowdStrike, you're deploying an agent, and so you get a fairly consistent set of capabilities that are agnostic to the OS version, whereas, with Microsoft, the capabilities are largely influenced by the OS version. For an enterprise, being up to date is a very big consideration to be successful with the platform. So, it forces your platform to not lag behind. You can't have the old server versions and expect that you've got a robust EDR. Defender shines on Server 2016 and higher, but if you were to do some type of penetration or red teaming exercise on a 2003 server, you'd be better off with CrowdStrike or pretty much anything else.
For how long have I used the solution?
We've been piloting it for the last six months, and this is what we have selected to implement.
What do I think about the scalability of the solution?
There are no scalability constraints because it's all in the cloud. It's a SaaS. So, they can take on more PCs than any Fortune 500 would even have. The only constraint is that in terms of scaling, the strength of the platform is highly influenced by the OS version. If you were largely using Windows XP and Server 2003, you would not want to choose Microsoft Defender as your suite.
How are customer service and support?
It is fantastic, but sometimes, it could be challenging to navigate. If you buy something like a Carbon Black or a CrowdStrike, you normally have one sales rep and one sales engineer, and depending on the level of support you pay for, you may get premium or platinum support, which means you have a very concise escalation path. With Microsoft, there are 20 different account reps. There is a productivity suite guy. There is a security guy. There are so many different places, which can create some confusion at times, but there is no lack of resources. If you have an issue, there are so many Microsoft employees and reps who are engaged at the enterprise level that once you figure out who to speak to, you get traction pretty quick. So, in summary, because there are a lot more people, their support is really great, but sometimes, having a lot more people can also create confusion in terms of where to go.
How was the initial setup?
It is easy. It is native. They're literally like checkboxes. There is really nothing to package and deploy. If you're at a current version, it is a policy. You just turn on the policy. You go through the setup of installing McAfee on your home computer with next, next, next, and finish, or Microsoft will say, "Hey, we noticed you don't have an AV. Do you want to enable Microsoft or Windows Defender?" You say yes, and you slide the box from off to on, and you're now protected. It is like that. It couldn't be easier. There are things like firewall rules and network considerations that have to happen, but from an enablement perspective, because it is native, it really reduces the burden of onboarding the platform.
Which other solutions did I evaluate?
We didn't go through a real comprehensive analysis when we made the selection. We did some light touching, but we really did not do some comprehensive analysis between Microsoft and CrowdStrike.
At an enterprise level, a lot of the stuff is based on relationships. It's not like you're starting from a green field. You look at who is your strategic vendor and who is not. With Microsoft specifically, you always get bundle deals towards your renewals. It's always like if you buy more Office 365, we can give you a discount on Defender and things like that. If you don't have a relationship with CrowdStrike or someone else, it is hard for their rep to speak to your CEO or your CSO, but Microsoft does. They've already got standing monthly meetings with them. So, we've made a determination to go with Microsoft because:
- The technology is compelling.
- It is a strategic fit for us.
What other advice do I have?
I would rate it a nine out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
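This reviewer's point that Defender's strength on a given machine depends on the OS version it runs, and the earlier reviewer's monthly review of software and vulnerabilities, both come down to the same question: which onboarded devices are on old builds, and how exposed are they? The advanced hunting query below answers it from the device inventory and the vulnerability management tables. It is an added example, not code from either review or from Microsoft; it assumes a tenant where Defender Vulnerability Management data is populated in DeviceTvmSoftwareVulnerabilities, and the column names are the documented ones for those tables.

```kql
// Added example (not from the reviews). Onboarded Windows devices grouped by
// OS version, with how many critical/high CVEs vulnerability management
// reports per device, so the old server builds get found and prioritised.
let latestDevice =
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId        // one row per device, latest report
    | where OnboardingStatus == "Onboarded"              // drop discovered-but-not-onboarded devices
    | where OSPlatform startswith "Windows"
    | project DeviceId, DeviceName, OSPlatform, OSVersion, OSBuild;
let vulnPerDevice =
    DeviceTvmSoftwareVulnerabilities                     // snapshot table, no Timestamp column
    | where VulnerabilitySeverityLevel in ("Critical", "High")
    | summarize CriticalOrHighCves = dcount(CveId) by DeviceId;
latestDevice
| join kind=leftouter vulnPerDevice on DeviceId
| extend CriticalOrHighCves = coalesce(CriticalOrHighCves, 0)   // devices with no findings keep 0
| summarize Devices = dcount(DeviceId),
            DevicesWithCriticalOrHighCves = dcountif(DeviceId, CriticalOrHighCves > 0),
            MedianCvesPerDevice = percentile(CriticalOrHighCves, 50),
            Sample = any(DeviceName)
    by OSPlatform, OSVersion
| order by OSPlatform asc, Devices desc
```

Read the result from the bottom of each platform group: rows for the oldest OSPlatform values with a high DevicesWithCriticalOrHighCves count are the machines where, as the reviewer notes, the sensor has the least to work with and a patch or upgrade buys the most. Dropping the final summarize and keeping the per-device rows gives the list to hand to the patching team.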
CEO at Sentree Systems, Corp.
Lowers costs for my clients and has the ransomware solution built into it, but there should be more telemetry information and more promotion
Pros and Cons
- "I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender."
- "It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender."
What is our primary use case?
I offer a Security Operation Center (SOC), which is like a person standing and going through the metal detector at the airport. We're like the staff standing there and watching people and then having them send stuff through the conveyor. It is real-time detection and response.
I don't use Microsoft Defender that much. If I come across a client who doesn't want to spend on a different endpoint solution, I just have them use Microsoft Defender that is built into their devices.
How has it helped my organization?
The ransomware and some of the other features that are built into it give you more telemetry now. From the security side, I don't look at what an endpoint solution does. I look at what it gives me. I need data. I don't want something to just say, "Oh, I stopped it." That's good, but I need to be able to figure out what it stopped. Was it a good thing or a bad thing that it stopped, and what is it doing? I need to be able to break that down and go deeper into that analysis to figure out what is being stopped. Microsoft Defender is doing that now and is giving more telemetry. It doesn't give nearly as much as Bitdefender does, but it is pretty good.
It is built into Windows 10. So, I don't really have to go out and get an extra or a separate endpoint security solution. It stands on its own. I have some clients who are using Microsoft Defender, and it is perfectly fine because my SOC can actually get the telemetry from Microsoft Defender and use that as well. Microsoft Defender does have the telemetry information, and I can get some of that out of it for my SOC. I can use what's built into it to stop and do more of a response layer. I can use Microsoft Defender to stop something right there.
What is most valuable?
I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender.
It is useful when a client does not want to spend extra on getting a new endpoint solution or does not want to get something else installed on their devices.
What needs improvement?
The biggest thing that I would emphasize to Microsoft is that if they are confident in their solution, they should brag more about it. In other words, they should put more stuff out there to prove that they're just as good as the others. The biggest thing is that people still don't believe in it. When it comes to the IT world, they still don't believe in Microsoft Defender. It has been there for a while, and I know that I used to not trust it because it was free and I didn't know what it was doing and if I could trust it. If you go to comparison sites, you would hardly see it being compared to solutions like Norton, Bitdefender, Webroot, etc. Microsoft can do a better job of promoting it.
They should offer more telemetry or more information coming out of there for a syslog type of scenario so that a SOC could use the data that they have built into it. This would be useful.
It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender.
For how long have I used the solution?
I have been using it off and on for some time.
What do I think about the stability of the solution?
Its stability is fine. It is a built-in and legacy solution. It can stand up to any other endpoint security solution.
What do I think about the scalability of the solution?
It is not very scalable from the eyes of an MSP. There is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. Because it doesn't give you one pane of glass to look at everything, you have to have an RMM tool that can actually see the data coming from Microsoft Defender. If you don't have an RMM tool, you would need one, and that would be an extra cost.
I don't really use an RMM tool. We have a SOC, and I don't really deal with individual computers themselves. In the past, I have used RMM tools, and some of them do well with looking at Microsoft Defender, but my SOC has a really good dashboard that I can use to see what's going on with Microsoft Defender. I can actually control stuff on Microsoft Defender from my SOC.
How are customer service and technical support?
I have not used their support for Microsoft Defender. Generally, their support is fine. They've definitely improved and gotten better.
Which solution did I use previously and why did I switch?
I don't use Microsoft Defender that much. It is built into Windows 10, and if you put the antivirus or endpoint security on, it kind of turns itself off automatically. I've been using Bitdefender lately. I used to use Panda Security, but now I use Bitdefender.
I recommend it for clients who don't want to spend on a different endpoint solution, but I don't put all my eggs in one basket. I don't say that a particular antivirus or endpoint security solution is 10 times better than the other one. I just don't look at things that way because I know the process and what hackers actually go through to get past all of them. So, none of them are that much better. The only thing I tell others is to not use the free ones, but to that defense, they all have a level of reachability.
When it comes to performance, Microsoft Defender is much faster because it really doesn't look at all of the things that are Microsoft-focused. It has a better understanding of what Microsoft has made, whereas other solutions are going to look at anything as a potential threat. It is definitely a better option because it knows Windows. You install another antivirus on Windows, it has to try to figure out the software. Microsoft already knows how Word, OneNote, or their other solutions work. So, Microsoft Defender doesn't need to scan specific things, whereas Bitdefender or another solution doesn't know that, and it is going to scan everything, which can slow your system down.
I offer a SOC, and we do real-time detection and response. I don't put all my eggs in one basket when it comes to endpoint security. I believe endpoint security needs to be there because it is a layer of security, but it is not everything. The reason I use Bitdefender is that it has more telemetry and more information coming out of it to put into my SOC than Microsoft Defender, which doesn't have as much telemetry coming out of it.
For telemetry or forensics, Microsoft Defender doesn't give you reports. It just does what it does. Microsoft Defender will give you information, but you have to go to the individual device. I can't pull much telemetry information into a SOC. So, if you want to see from where the hacker or the hacking software came in, how it got there, and how it moved unilaterally across the system or network, you may not get all of that with Microsoft Defender, but with the telemetry data that comes out of Bitdefender, you will get more of such information and you can follow its path.
How was the initial setup?
It just comes on a device when you buy it. When you buy a laptop, it is built into Windows 10. They have Windows Security, and there are separate pieces of it. When you look into some of it, it is called Defender. They also have a standalone Windows Defender.
It is a full endpoint security solution, and they have a firewall in there. You can go in there and set different things up for your firewall. When it comes to security, not everything is turned on. You actually have to go in and turn the ransomware part on. There are things about ransomware that you have to turn on, and they really depend on what you need in your practice or business. You have to make sure you go in there and look at it. You can't just set it and forget it. It does come automatically, but you have to go in there and set things up because they know that some things can stop certain aspects of your business from running. So, they don't want to turn everything on. They leave it up to you.
The configuration of those extra parts can get complex, but I do believe it is pretty straightforward. It involves more yes or no type of questions. It is just flipping a switch on each individual part that you want to use. It is just like everything else. You have to test and see if it is going to work in your environment.
In terms of maintenance, all the updates come with Microsoft. Every time they update Windows 10, they also update Microsoft Defender. It is pretty simple.
What was our ROI?
It doesn't really affect my business because the cost goes out to my client either way. If they have 200 devices and they are charged $2 per endpoint for each one of them, that's an extra $400 a month. If they are just using Microsoft Defender built into their systems, that cost goes away for them. My clients are definitely saving money with Microsoft Defender.
It doesn't affect my business because I'm looking at telemetry regardless of the solution. So, it doesn't matter if it is coming from Microsoft Defender or Bitdefender.
What's my experience with pricing, setup cost, and licensing?
It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them.
What other advice do I have?
It is just like anything. You should definitely do your homework and see if it is going to give you the information that you need. You should focus on forensics and the kind of information you are going to get out of Microsoft Defender. Will you get the reporting that you need? Will you get the telemetry and all the data that you need to be able to follow the path of an attack? You need to be able to see that. You need to know this information for your clients because they may need it for the FBI or something else. So, you need as much information as you can. You need to make sure that you're going to get the information out of there and you have the right setup to be able to see everything with all of your clients. You should have an RMM tool or whatever you're using to be able to see all of your clients, and you need to make sure that you have the setup for that.
Microsoft Defender has been around for many years, and since Windows 10, they've really ramped it up, and it has gotten a lot better. I've seen some of the statistics on it, and it stands up against some of the other solutions out there, such as Norton. They've added things that make it more of an EDR, which is the endpoint detection and response layer. The ransomware was one of the big add-ons, and it is good that they've put that in there. It can stand on its own now.
It has not affected our organization's security posture a lot, but it has given me more options to lower costs for my clients. It has helped my clients and in turn, my business. It has not affected our end-user experience in a negative or a positive way. It is just a tool. I do the monitoring, stopping, blocking, and everything else for clients.
It can be a good solution, and I hope that they grow with it and do more with it. They can make it simpler for the security and MSP world. If their solution just gets better for the MSP world, it would help everyone.
I would rate Microsoft Defender a seven out of 10 because of its lack of usability for an MSP and its lack of telemetry information, but it is useful, and it does stop ransomware.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
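Two practical points come up in the review above: the built-in ransomware protection (Controlled Folder Access) ships turned off and has to be switched on per device, and the built-in Defender Antivirus does not push its detections anywhere unless you collect them yourself. The PowerShell script below is an added example, not code from the reviewer or from Microsoft; it verifies the engine state on one Windows 10/11 device, moves Controlled Folder Access into audit mode (the safe first step, since blocking mode can break line-of-business apps), and exports the last day of Defender detection and Controlled Folder Access events from the Windows event log as JSON lines that a SOC collector or syslog forwarder can pick up. The output path `C:\Temp\defender-events.jsonl` and the extra protected folder `C:\Finance` are assumptions for illustration. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the review or from Microsoft): check Defender Antivirus state,
# enable Controlled Folder Access in audit mode, and export detection telemetry as JSON lines.
# Requires an elevated session on Windows 10/11 with Microsoft Defender Antivirus active.
#Requires -RunAsAdministrator

$OutFile         = 'C:\Temp\defender-events.jsonl'  # assumed drop path for a SOC collector
$ExtraProtectDir = 'C:\Finance'                     # assumed folder to add to CFA protection
$LookbackHours   = 24

# --- 1. Baseline: is the engine on, and how old are the signatures? ---
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$cfaMode = switch ($pref.EnableControlledFolderAccess) {
    0       { 'Disabled' }
    1       { 'Enabled' }
    2       { 'AuditMode' }
    default { 'Other' }
}
[pscustomobject]@{
    EngineRunning        = $status.AMServiceEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureAgeHours    = [math]::Round((New-TimeSpan -Start $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    ControlledFolderMode = $cfaMode
} | Format-List

# --- 2. Ransomware protection: start in audit mode, then add a folder to protect ---
# Audit mode logs what *would* be blocked (event 1124) without stopping applications.
# Switch to -EnableControlledFolderAccess Enabled once the audit log is clean for your apps.
if ($pref.EnableControlledFolderAccess -eq 0) {
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}
if ((Test-Path $ExtraProtectDir) -and ($pref.ControlledFolderAccessProtectedFolders -notcontains $ExtraProtectDir)) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectDir
}

# --- 3. Telemetry: pull detection and CFA events from the Defender operational log ---
# Event IDs: 1116 malware detected, 1117 action taken, 1118/1119 action failed,
# 1123 CFA blocked an operation, 1124 CFA audit-only hit.
$ids = 1116, 1117, 1118, 1119, 1123, 1124
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$records = foreach ($e in $events) {
    # Defender writes named <Data Name="..."> fields; flatten them into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        timestamp = $e.TimeCreated.ToUniversalTime().ToString('o')
        host      = $e.MachineName
        event_id  = $e.Id
        threat    = $data['Threat Name']
        severity  = $data['Severity Name']
        path      = $data['Path']
        process   = $data['Process Name']
        user      = $data['Detection User']
        action    = $data['Action Name']
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
$records | ForEach-Object { $_ | ConvertTo-Json -Compress } | Set-Content -Path $OutFile -Encoding UTF8
'{0} Defender events written to {1}' -f @($records).Count, $OutFile
```

This only covers the single device it runs on, which is exactly the gap the reviewer describes: to see a whole client estate you still need Windows Event Forwarding, an RMM agent, or the paid Defender for Endpoint onboarding to ship these events to one place. Review the 1124 audit hits for a few days before moving Controlled Folder Access to Enabled, since the same events tell you which legitimate applications would be blocked.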
Cloud Architect at a consultancy with 11-50 employees
Robust security posture and streamlined incident response with excellent automation features, seamless integration within Microsoft systems and efficient threat prioritization
Pros and Cons
- "The most valuable aspect lies in its automation capabilities, particularly within security automation."
- "In terms of improvements for their technical support, a focus on enhancing response times could be beneficial."
What is our primary use case?
It is a comprehensive monitoring solution for all user activities and their associated details within our tenant. All data flows seamlessly through Sentinel, streamlining the process and ensuring thorough oversight of our environment.
How has it helped my organization?
It enhances our security posture. It seamlessly integrates with all our systems, particularly across our Microsoft infrastructure. It offers insights into threats, furnishing information about potential security risks within our environment. It effectively sets up alerts to notify us of any suspicious or unusual activities. The prioritization of threats holds significant importance. It concentrates on the most crucial threats rather than overwhelming us with all potential risks. It excels at organizing and highlighting those critical threats, providing a level of efficiency beyond what I've observed elsewhere. It has proven to be a cost-effective solution, saving both time and money, as the adage goes—time is money. Specifically, it has significantly reduced our time to detect and respond to incidents. Its real-time threat detection and blocking capabilities contribute to these improvements.
What is most valuable?
The most valuable aspect lies in its automation capabilities, particularly within security automation. It contributes to more efficient time management for us and it provides an efficient way to keep track of user actions and maintain a secure and well-monitored system.
What needs improvement?
In terms of improvements for their technical support, a focus on enhancing response times could be beneficial.
For how long have I used the solution?
I have been using it for approximately five years.
What do I think about the stability of the solution?
The stability is excellent and I've never encountered any issues; it has consistently performed well.
What do I think about the scalability of the solution?
The scalability is impressive, especially since we use it in the cloud. It works seamlessly without any issues.
How are customer service and support?
Microsoft's technical support is commendable. I would rate it eight out of ten.
How would you rate customer service and support?
Positive
What other advice do I have?
Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cloud Security Engineer at Theos
Helps us be more proactive about security with suggestions on how to improve
Pros and Cons
- "Defender's analytics are much better than CrowdStrike's."
- "The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint."
What is our primary use case?
I am using Defender for one of my customers.
How has it helped my organization?
We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer.
Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful.
Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.
What is most valuable?
Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike.
My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.
The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback.
What needs improvement?
The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint.
For how long have I used the solution?
I have used Defender for Endpoint for three months.
What do I think about the stability of the solution?
I rate Defender a nine out of ten for stability.
What do I think about the scalability of the solution?
Defender scales well.
How are customer service and support?
I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.
What other advice do I have?
I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up.
A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Head of IT & Database Management at an educational organization with 51-200 employees
Is easy to use and implement, and decreases the threat detection and response times
Pros and Cons
- "I like the simplicity of the portal and the integration with Microsoft Intune. Microsoft Defender for Endpoint is easy to use and implement."
- "Right now, there's a portal for Azure, portals for Microsoft Office, and portals for endpoints. It would be good to have only one portal and integrate everything."
What is our primary use case?
We use it to prevent malware attacks.
How has it helped my organization?
The automatic report is very good, and it is easy to see which user or device has a problem. The benefit we were able to realize immediately was protection.
What is most valuable?
I like the simplicity of the portal and the integration with Microsoft Intune. Microsoft Defender for Endpoint is easy to use and implement.
It has helped automate routine tasks and the finding of high-value alerts. However, we have a small IT team, and we have not automated many tasks.
It has also helped us save a little time, but we have saved more time with email protection. We have saved money as well because of ransomware protection.
Microsoft Defender for Endpoint's threat intelligence has helped us prepare for potential threats before they hit and take proactive steps. We have a scoreboard of each device and can quickly see which device needs an upgrade.
This solution has made our threat detection and response time faster by a few hours.
What needs improvement?
Right now, there's a portal for Azure, portals for Microsoft Office, and portals for endpoints. It would be good to have only one portal and integrate everything.
For how long have I used the solution?
I've been using this solution for five years.
What do I think about the stability of the solution?
Because it is in the cloud, the stability is good.
What do I think about the scalability of the solution?
It is easy to scale and increase capacity.
We are at one location with multiple departments such as IT, marketing, sales, invoicing, etc. We are a small company and have 53 users of Microsoft Defender for Endpoint.
How are customer service and support?
I have contacted Microsoft technical support a few times a year, and they have responded quickly. I'd give them a rating of nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used a different solution and switched to Microsoft Defender for Endpoint because the integration and alignment with Microsoft was great. The previous solution was heavy, and it took a long time to update.
How was the initial setup?
The initial deployment was easy and took a few hours.
It is deployed to the cloud, and I don't have to spend time on maintenance.
What about the implementation team?
I deployed it myself.
What was our ROI?
The ROI is very difficult to calculate, but it may be 20% ROI. We don't have any problems with ransomware or malware.
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution. It would be nice if it could be included with the Microsoft Office package.
What other advice do I have?
In theory, the best-of-breed strategy is not secure, and practically, a single vendor's suite is better because there is only one contact.
I would recommend trying Microsoft Defender for Endpoint and would give it an overall rating of nine on a scale from one to ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: September 2025