Microsoft Defender for Endpoint Reviews

We use Microsoft Defender for Endpoint for protection, asset onboarding, and service onboarding. We primarily focus on Microsoft-based endpoints. Specifically, we look for processes to determine if malware, viruses, or adware have been installed.

Microsoft Defender for Endpoint helps prioritize threats across our enterprise. The solution notifies us of new vulnerabilities, including those that have been published, exploited, or are being exploited, and it provides some visibility into these threats.

Microsoft Defender for Endpoint has a significant impact on reducing the number of affected machines. I personally write custom detection rules to analyze the environment and look for specific patterns, such as ransomware. Although some of the pre-built detection rules in Azure on GitHub are useful, they are not as flexible in terms of use cases. Therefore, it makes sense to write custom rules instead of importing the pre-built ones.

Microsoft Defender for Endpoint helps automate routine tasks and helps automate the finding of high-value alerts.

Microsoft Defender for Endpoint improved our security posture and operations by automating some of the mundane tasks, such as analyzing alerts. This allows us to focus on incidents that were created from specific individual alerts.

Microsoft Defender for Endpoint saved us time in terms of operational and C- CERT security. It reduced the amount of time we spend analyzing what happened on a particular endpoint, which processes were started, and which ones were suspicious. For example, it helped us to quickly identify suspicious installation protocols.

Microsoft Defender for Endpoint reduced our time to detect and respond by 25 percent.

Endpoint's most valuable feature is deep analysis. It provides a lot more in-depth findings. However, it only analyzes portable files with the .exe and .drl extensions. It does not analyze other file extensions. Additionally, it does not provide all the necessary information about the file's memory usage or size. I have to download the file to my computer to do further analysis. Therefore, the size of the application that the deep analysis analyzes is the only other red flag I can think of.

Microsoft Defender for Endpoint does not provide much flexibility in terms of threats. It only looks at what is currently in the environment. It does not provide flexibility like threat modeling, where we can provide our own threat model within the environment. This would allow Defender to provide us with feedback on threat intelligence that is tailored to our organization's needs and threat landscape.

Microsoft Defender for Endpoint's deep analysis shows that it works well with Microsoft's standard applications. However, it does not function as intended when used with Unix or Linux distributions. Therefore, it would be beneficial to improve support for other systems.

I have been using Microsoft Defender for Endpoint for one and a half years.

In terms of resources, I believe the solution is more resource-intensive because I can initiate multiple automated investigations, which will likely take a day or two to complete.

Our organization has thousands of people using the solution.

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required from our end.

I believe a best-of-breed solution is better because it eliminates some of the limitations of applications that do not provide solid stability in terms of detection time, response time, and eradication. This is because a best-of-breed solution is designed to be the best in its class at each of these tasks. As a result, it can identify threats more quickly, respond to them more effectively, and eradicate them more completely.

When evaluating the solution, we must understand how our environment is structured. Is it a hybrid environment? Does it have Unix, Linux, or Microsoft distributions? And within those distributions, do we plan to purchase multiple enterprise systems to cater to each individual distribution?

I am using Defender for one of my customers. 

We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer. 

Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful. 

Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.

Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike. 

My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.

The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback. 

The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint. 

I have used Defender for Endpoint for three months. 

I rate Defender a nine out of ten for stability. 

Defender scales well. 

I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.

Positive

I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.

I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up. 

A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products. 

We use it for security purposes. It provides important security for some critical systems, such as network devices.

For securing access, USB security helps us block our USB ports and that ensures that users do not plug USB drives into their computers.

In addition, our efficiency in the way we handle our processes has been improved because the solution automates routine tasks and helps find high-value alerts.

It has also saved us a good amount of time, something like 15 percent, while decreasing our time to detect and our time to respond, each, by 5 percent.

It automatically detects intrusion and malware.

It's also easy to use. The interface is user-friendly and the navigation is 
not difficult. It is very easy to move from one hyperlink to another, to move from one solution within the platform to another solution.

And in terms of categorizing the info and the actions that need to be done, it helps you to prioritize threats. That is very important.

The time it takes to restore the application could be improved. It has a lot of dependencies. It's not like the Microsoft security that comes with the OS. Updating through the command prompt, most of the time, it takes some time to download some of these dependencies. They need to make the download of the dependencies more efficient.

I have been using Microsoft Defender for Endpoint for more than five years.

The stability is okay.

It is scalable. We use it for multiple departments, teams, and locations. We have over 5,000 users.

I would rate Microsoft's technical support at seven out of 10, because of the time it takes them to respond. But when they finally respond, they give us complete attention and things are resolved within the SLA.

Neutral

Before Microsoft Defender for Endpoint, we were using McAfee.

We constantly get updates from Microsoft that are light and they don't really affect us while we're working. The updates have been very helpful.

I would recommend Microsoft Defender for Endpoint.

Our server is on Azure, so we get alerts on Microsoft Defender. If it's an endpoint alert, we investigate the endpoint based on the type of endpoint it is, whether it's a computer or a phone, et cetera. We then figure out what kind of file was downloaded, if it was bad or good, based on the hash file. 

We also use Microsoft Defender for Office 365 for email, where we get alerts based on phishing emails, spam, and we investigate them. We also do Sentinel queries, with KQL (Kusto Query Language).

Automation has had a positive impact. When we have a lot of false-positive alerts, we are able to set up a condition in Microsoft Defender where it will automatically close that as false. I don't create those conditions, that's something our security engineer does, but it makes my job easier.

Also, threat intelligence helps against potential threats before they hit. You can actually block and delete the emails from MDE whenever you detect them, or when they report, "Hey, this is a phishing email or spam email." It's also able to block and detect a bad or phishing URL. It has decreased our time to respond because if it detects a URL, we're able to automatically block and delete it before a user even sees their mailbox the next morning. It's very fast in detecting and we like that.

As a SOC, it has saved us time, on the order of 60 percent of our time.

The Microsoft Sentinel part is the most valuable when you have to search for the malicious folder or file the user downloaded. We use it to ingest data from our entire ecosystem and that is very important if we have to go back 30 days and investigate cases, and we need more details. It's able to ingest that much data. That's pretty important.

Sentinel also enables us to respond holistically from one place and that's good for my job. It makes it easy.

Also, the visibility into threats that the solution provides is pretty awesome. I had never actually seen this type of technology before. It was the first time I had exposure to the cloud. This is something that makes me think, "Wow, okay. If I had my own organization, I would probably get this too." It stops the threat before an employee gets phished or something gets downloaded to their computer. Even if it gets downloaded to the computer, it doesn't spread to the other networks, because Defender will automatically block it.

Another thing that is pretty awesome is that our Microsoft security products work natively together and deliver coordinated detection and response throughout our environment. As a SOC person, it makes my job very easy.

When it comes to the comprehensiveness of the threat protection from these products, so far I have seen how it's able to pick up the smallest script that is hidden in any type of malicious file. It's so good. And it gives you all the details: what kind of script was run, what kind of hash file, and what type of command was run. I'm pretty happy with it.

If there were more template queries in the library, that would make it much easier. They could have basic things, like, "Where's the IP for this user?" or, "What file was downloaded from this user?" If there were more of those basic queries that would help. I haven't seen basic ones, but there are a lot of advanced queries, where people need to know the KQL language to understand them. I'm still learning so that's why I'm providing that feedback.

I have been using Microsoft Defender for Endpoint for almost a year.

The stability has been really good so far. I haven't seen it go down or have an issue where it didn't work. 

We have had some integration issues when something breaks, but that's just occasional. So far, it's good.

We have it deployed across various departments. The IT users have more privileged settings.

When I started with this company we used Splunk before we switched to Sentinel. We switched because Sentinel seems way faster.

I wasn't involved in the setup of the solution, but when it comes to maintenance, we have security engineers who maintain our alerts, in case there are false positive alerts coming in.

Work on Sentinel. It has a lot of power versus the Microsoft Defender solution.

We are using Microsoft Defender for Endpoint with advanced threat production. Microsoft's enterprise mobility and security suite fulfills a large number of security strategy requirements for our organization. We are going to use this solution for identity production and for endpoint security.

It's a hybrid setup. The advanced threat protection only comes from the cloud intelligence engine. That's something of a new experience for us, but the rest of the components will be on-prem. We are using Microsoft's cloud. 

The whole suite of security enhancement doesn't just include Microsoft Defender. It also covers many of the features that come with the Windows Enterprise version. With this option, we are actually upgrading to the Enterprise version as well and unlocking those security features which are not available in Windows Professional. Microsoft Defender is a whole suite, which is simply not comparable with a usual anti-virus, anti-malware product.

In terms of the architecture of the management infrastructure, we found that other technologies are more simple. Microsoft Defender could be simpler too. Plus, Microsoft's philosophy is that they leverage the technology they have already built in Windows or any other services within Windows. So, it is good from that standpoint, but it also becomes a bit cumbersome when it comes to the dependency. Having dependency on many things can be a weakness sometimes because you add up more points of failure to the services. Whereas the other vendors are doing the limited thing, and that's why they're not comparable in prices, but their solutions basically aren't dependent on Microsoft's other services or anything else. They're more dependent on their agent. With Microsoft, it is not just the agent. It is the operating systems that aren't working well. The technology won't give you the desired output.

So, that's something that Microsoft may need to improve: making services more independent wherever possible. That's something of their philosophy. When they build something on their OS layer, they add on technologies, and then there's something for the ISV. That's their strategy, but we keep arguing with them that they have to compare the dependence as other vendors are doing.

From the Microsoft end, the design working depends on the health of other services and other components of the operating system. Whereas if you compare it with the Symantec technology, just the agent health has to be there. That's the case with McAfee as well. They build up their products on developed agents only.

We did the POC around 18 months ago, and then we consolidated our findings. As per the organization procedure, we proposed to the committee and then got the recommendation to move on with the pilot and decide the future roadmap.

Microsoft Defender is just one part of the advanced risk protection and advanced malware protection functionality that comes with the Microsoft product. It came with a lot of security, advisories, reviews, and consultancy during the last couple of years. There was a stack of 15-20 requirements that we had to fulfill, like mobile device management and identity protection. We found that Windows Defender meets most of our requirements.

We have had good experience with tech support so far.

We have a direct support agreement with Microsoft. One of the major reasons for moving from the current endpoint security is the support. The quality is not up to the mark. That's something incomparable with the kind of support Microsoft provides.

I would give Microsoft's support a 5 out of 5.

In terms of the technical aspect, I'm the lead of the area, which actually takes care of endpoint management, and we have been using Symantec products for that purpose. We have evaluated Microsoft Defender and Microsoft security products, and we are going to switch over to that product. We found that  because the endpoint devices are based on Microsoft Windows devices and Windows Defender is integrated with the foundation and the core layer, it makes it more integrated and more agile in terms of responding to any security threats or changes or development, whereas compared to the other vendors who develop anything on top of that platform, they're always lagging behind.

Symantec support is very pathetic. They are very methodical. They're very slow. We seldom find them providing solutions to any incident or issue in a reasonable time. It can take from days to weeks. In the case of Microsoft, their resolution time is reasonably faster than Symantec. Even in the case of VMware and Redhead, Microsoft stands on top of all those vendors.

I wouldn't say the setup is easier than other solutions but it's not bad. It's almost equivalent to what we have been using currently, but the strength comes in what it does and how it secures that part. The setup is similar to the other competitors. For Symantec, we use their endpoint manager deployment and then a deployment across the sites and branches.

We are doing deployment with Microsoft's tech support. But for the implementations and rollout of technologies, we have seldom used Microsoft. We have our own technical team who are trained and who keep on updating on their skills, and we continue to inject new resources to the team as well. When a new technology comes in, then we do a combo, whereby the in-house team actually learns with the local authorized partner.

Microsoft Defender is not comparable to a single endpoint security product, like Trend Micro, Symantec, or McAfee. Because of that, the price is higher than others because it is doing more than what the others are doing.

I would rate this solution 7 out of 10.

We were using the basic endpoint from Sophos without Intercept X and the EDR model, and currently, we are in the selection process of a new platform that has EDR embedded. We are using Microsoft Defender Antivirus for the time being till we get the new platform.

It is easy to use because it is already pre-installed in Windows 10. We don't have to do anything to configure it. You can also configure the firewall by using a group policy so that it can be easily adopted in an environment.

Microsoft Defender in the basic form is not very useful for managing the security environment. The free version is not capable of covering the needs of centralized management, EDR, and behavioral analysis. If you don't have the commercial version, you can't have centralized management and set up the policies and other things. Each client is a standalone installation, which is not useful for security in an enterprise model.

I have been using this solution for six months.

Currently, we have about 2,000 users.

I didn't use support for this solution.

It was already pre-installed in Windows 10.

It is free. It is included in Windows 10.

We are using Microsoft Defender only for the time being. We will switch to another endpoint platform that can offer us more advanced features, centralized management, and EDR. We have not chosen the solution at the moment, but we might go for Bitdefender. It is one of the products that we have evaluated, and it can be suitable for our environment. It has some use cases that are really in the same line as our requirements.

I would recommend this solution only for small home environments. It is not for enterprise environments unless you buy the commercial version.

I would rate Microsoft Defender Antivirus a seven out of ten.

We are using it only for EDR, but we have a plan to extend it to Microsoft email as well as to the cloud.

Within one month of using Microsoft Defender for Endpoint, we could achieve great insights.

Microsoft Defender for Endpoint is a perfect solution. We have used several EDR products, and Microsoft Defender is the best one that I have worked with. It provides great visibility. It is very transparent. We can get so many details about a particular endpoint. It is a great product. I would rate it a five out of five in terms of visibility.

It helps us to identify process-based threats in our environment, not only the signature-based ones. We are able to identify some of the threats that were not detected previously.

We get severity levels from the solution itself. Based on them, we have developed our action plan to act upon any category of incident. It helps to achieve a better SLA to attend to incidents.

I am quite interested in the vulnerability dashboard. It provides vulnerability data according to the CVE database, which helps us to prioritize vulnerabilities in our environment and address them.

Microsoft Defender for Endpoint works with Windows and Linux, so we could cover them all. It is suitable for servers as well, not only for endpoints, so we could implement it on most devices in the organization. It has probably saved us 20% of the time. 

It has Kusto Query Language (KQL), so we can use our own queries to find anything.

We can get real-time updates. It is not just signature-based. It provides results based on behavior and successors. It analyzes the behavior and the process. With that, we can achieve greater results that other products do not offer.

We need better support to learn about the product. Documentation is available, but we need some kind of training program so that we can get a better understanding of the product.

We switched to Microsoft Defender for Endpoint about one month ago.

I would rate it an eight out of ten in terms of stability.

It is highly scalable. We have around 5,000 users. I would rate it a ten out of ten in terms of scalability.

Previously, we were using a separate EDR product in our environment. We were using Sophos. Our organization moved into Microsoft 365, so we switched to Microsoft Defender for Endpoint. 

We heard that it is one of the best products in the industry. We thought that we would get better results with Microsoft Defender for Endpoint. That is why we moved to Microsoft Defender for Endpoint, and we were able to achieve better results with it.

It is a cloud deployment. It took us a few months to make the switch.

It does not require any maintenance from our end.

Overall, I would rate Microsoft Defender for Endpoint a nine out of ten.

We used it as an EPP and EDR solution. 

Microsoft Defender made the work quite easy because we didn't have to rely on multiple tools, and we could look at one thing. It had a specific endpoint-level reporting standard as well where you can see the vulnerable threats and the outdated versions. It was very convenient.

We had certain compliance and usage issues. For example, our company wanted to go with CIS, but we didn't have a proper way of measuring whether the endpoints have the right standards in place or whether they were compliant with CIS. Microsoft Defender was like a one-stop for most things because it gave us the vulnerability and patching scores so that our vulnerability management teams can focus on covering up the vulnerabilities and the patching team can check the vulnerable versions and deploy the right versions. It had multiple advantages for us in terms of patching, vulnerability management, adhering to security standards, and EDR and AV capabilities. 

Microsoft Defender was pretty interesting in terms of visibility. When we compare the solution that we had before with Microsoft Defender, there is almost a night and day difference. Microsoft Defender is pretty advanced with the threats. We used to run, simulate, and see whether we were prone to the latest vulnerabilities. It was a pretty good solution in our experience.

It definitely saved us a lot of time. I don't have the metrics, but because it was a one-stop place, we didn't have to navigate through all the controls and go from one place to another to look for different reports for each section. We had one tool that could do everything in one place. It would have definitely saved us nearly one-fifth or 20% of the time. It would have also saved money because you rely on one single tool for multiple things. When you go with the premium suite, you get other tools as well. There is definitely a cost-saving aspect.

It came in a suite. There were multiple other products that were included with it as well in the premium suite. Another factor was that you don't have to invest in two products, and you can get both components, the EPP and the EDR, in one. You can also do simple vulnerability management, CIS hardening, and things like that from Microsoft Defender. Those were the main reasons for considering it back then.

I haven't used the product in nearly eight months. I use it on my device, but I haven't used it at an administrative level. Previously, with Microsoft Defender, we used to have certain problems with the Mac machines, but later on, they came up with various ways so that we could use the MDM solution to do the job. They provided pretty good support. Their engineers came and tried to figure out the solution.

I'm not too sure of its current capabilities, but I'm pretty sure they are doing a good job on Windows and Mac. However, I'm not sure whether they covered Linux. If I remember correctly, Microsoft Defender didn't have anything proper on Linux back then, but if they have improved it from that aspect, it would already be ticking all the boxes.

I have used Microsoft Defender for eight months to one year in my previous organization.

In comparison to the other solutions that I've had experience with, Microsoft Defender was very good.

It was definitely scalable. In my previous organization, we enrolled more than 20,000 endpoints.

It was pretty good. At that time, Microsoft Defender was very new. When they released it for Mac, that's when we got hold of them. There was a time when their support engineers learned certain things from me about it, and I also did learn something from them. It was a win-win situation for both of us.

I would rate their support a seven out of them. The level of support depends on the complexity of the issue. If an issue is small, anyone can solve it, and it wouldn't take much time, but when you run into a complex problem, you need proper people coming in quickly and giving you some support after looking into the issue. Ideally, if they are very well-trained at all levels, that would be good.

Neutral

We had other products for antivirus and EDR. We removed those two products and replaced them with Microsoft Defender. They both were pretty good solutions in the market back then. One of them is a pretty good solution even now.

We found Microsoft Defender pretty good when we did the PoC as compared to the rest of the tools. Some of the solutions were only antivirus, and some of them were only EDR, whereas this particular tool had a lot of features built into it. So, one agent could do many things. Another reason for going for this solution was that the company I used to work with was a bit biased toward Microsoft. They were a Microsoft customer, and they were comfortable with Microsoft. 

The reliability of support was one of the reasons why we chose Microsoft. When it comes to tools, there are always requirements related to budget, level of support, and other things. When you go for a PoC and look at the demo, you might think a product is stable, but when you run into a problem, the support could be weak. In such instances, what's the use of the product if you don't have good support or if they take at least two to three days to solve a small issue?

I handled the Mac machine part of it. Initially, setting up policies and getting all the configuration profiles in place was a bit of a challenge because they didn't have proper documentation at first. During the PoC, there were not many documents or support articles, but when we were in the deployment phase, they had everything, even specific to particular MDMs, which made it very smooth. We ran into a couple of small problems, but that's pretty common in every deployment. Other than that, it was pretty smooth. 

From Microsoft's side, there is a pretty good deployment strategy in place, but different companies have different objectives and different ways of working. There are situations where certain users and groups might need something specific but other users or groups don't. There could be multiple groups of users with different expectations. So, it is pretty straightforward, but like with any security tool, there could be internal user-level challenges. However, for a company that does not have a very complex environment, it should be a piece of cake. It should be pretty easy.

In terms of our implementation strategy, we first targeted the least impacted devices because we didn't want high-end or critical users complaining about having issues. So, we selected the low-priority users and implemented it for them, and then we tested it out. After that, we implemented it for users with higher priorities. We gradually moved based on the severity.

In terms of maintenance, agent updates are required, which we scheduled automatically. It didn't seem to need much attention. If the product is in a non-complex environment, it won't have many issues, but in a complex environment, there will be some because of VLAN restrictions, network connectivity limitations, etc. We also had issues where agents were not communicating, but it was not because of an issue with the tool. It was mainly because of the complexity of the environment in terms of networking and architecture.

Microsoft Defender decreased our time to detect and time to respond. However, we didn't completely rely on one solution. We had other means as well. We used to have another EDR solution as well, and we used to run both together.

I would definitely agree with a security colleague who says that it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite. For example, if you are a one-vendor customer, the day the vendor gets hit with zero-day or any huge attack, none of your tools or software would work. Your data and other things are also at risk. So, having multiple vendors is good because you'll be covered by different products. 

Microsoft Defender's threat intelligence helps to prepare for potential threats before they hit and take practice steps, but there was another team that was using the threat intelligence and reporting capabilities to see whether the organization was ready. In my previous organization, we had overall IT support, which was then divided into nearly 20 different teams. We had one team specifically to do one specific job. 

For prioritization of threats, if I'm not wrong, Microsoft Defender gives you a severity value. I haven't been in the admin part for long, but it gives you a severity value. Based on that, you can prioritize your threats.

I would rate Microsoft Defender an eight out of ten.