Snr. Infrastructure Architect at LogicEra
Advanced threat protection improves security posture and device management
Pros and Cons
- "Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure."
- "The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person."
What is our primary use case?
Our customers use Microsoft Defender for Endpoint to protect their hybrid environments. We onboard the hybrid environment to the Azure Security posture with proper Intune integration. This setup ensures that devices are protected and secured with anti-malware, antivirus, and other protective measures. We deploy this primarily in hybrid environments.
What is most valuable?
Microsoft Defender for Endpoint provides a unified management interface allowing customers to manage their on-premises and hybrid infrastructures from a single pane. The integration with Intune enables control over devices like laptops, enhancing security. Automated Investigation and Remediation features are vital for advanced threat protection and beneficial for device protection. The ability to manage both devices and users efficiently is advantageous.
What needs improvement?
One area that needs improvement is the integration cost of logs with external solutions like Sentinel, which can be expensive. Additionally, Microsoft could allow storing logs locally within the Defender panel to reduce costs. It would also be beneficial if policies could be configured without relying on Microsoft Entra ID, allowing for better integration with local directories.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint for three to four years.
Buyer's Guide
Microsoft Defender for Endpoint
March 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Sometimes devices do not sync properly with the Endpoint. We often need to diagnose whether the issue lies with the Endpoint or the device. This can delay proper deployment.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable with no major issues reported. However, syncing of devices sometimes encounters problems, requiring us to investigate the root causes.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable enough to handle various devices across environments, whether they are laptops, Android devices, or operating in hybrid environments. Customers mostly use it in hybrid setups.
How are customer service and support?
The initial support process can be lacking as first-line support is sometimes not well-versed technically, resulting in repeated exchanges to finally engage a knowledgeable support person. This process is often slow and time-consuming.
How would you rate customer service and support?
Neutral
How was the initial setup?
Setting up Microsoft Defender for Endpoint requires technical knowledge of Microsoft Entra ID and policy configurations. While it is not easy for all customers, skilled technical personnel can handle it without major issues.
What's my experience with pricing, setup cost, and licensing?
The pricing of Microsoft Defender for Endpoint is reasonable. It costs $15 per VM for the P2 plan, which is seen as affordable for customers. Additional add-ons are priced at $5.
What other advice do I have?
Microsoft Defender for Endpoint is a comprehensive and scalable solution for protecting on-premises and hybrid infrastructure. It provides strong protection and management capabilities. Customers are advised to use this solution for its robust features like advanced threat protection and easy integration with other Azure applications. I rate Defender for Endpoint nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer:
Last updated: Mar 18, 2025
Flag as inappropriate
Office 365 Subject Expert at a government with 10,001+ employees
Ensures that malicious websites aren't accessed, thereby enhancing desktop and network security
Pros and Cons
- "Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access."
- "Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects."
- "There is a need for improvement in reducing false positives."
- "There is a need for improvement in reducing false positives."
What is our primary use case?
Our primary use case for Microsoft Defender for Endpoint is desktop security.
How has it helped my organization?
Defender for Endpoint has improved our security posture by ensuring that malicious websites aren't accessed, thereby enhancing desktop and network security.
The visibility into our attack surface provided by Defender for Endpoint is good.
Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects. This increased efficiency has minimized security concerns and freed up several hours per week for the team.
We are primarily a Microsoft environment, but we also utilize a few Macs. Microsoft Defender for Endpoint functions effectively across both platforms.
What is most valuable?
Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access.
What needs improvement?
There is a need for improvement in reducing false positives. Defender flags vulnerabilities based on registry keys or temporary files that are not necessarily vulnerabilities. This creates a lot of false positives. There could also be better clarity in navigating through the GUI to identify and resolve vulnerabilities.
A disconnect exists between the subject-matter experts and Microsoft's Level One support teams, causing delays in issue resolution. Repeated interactions are necessary due to Level One's lack of tools and knowledge, hindering efficient problem-solving and negatively impacting our experience with Microsoft support.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for about three years.
What do I think about the stability of the solution?
Defender for Endpoint is a stable product with reliable uptime.
How are customer service and support?
The support from Microsoft is somewhat lacking. The level-one support seems disconnected from subject matter experts, leading to back-and-forth delays in resolving issues.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
CrowdStrike's GUI is more user-friendly and provides easy-to-follow instructions, while Defender for Endpoint requires more effort to access detailed file information and vulnerability assessments. For instance, locating a specific device involves navigating through reported vulnerabilities, clicking on associated devices, and then searching for the device name to identify the vulnerabilities and their origins. The switch to Defender for Endpoint was likely motivated by cost savings and compliance requirements.
What was our ROI?
Defender for Endpoint is a good security product that provides a good return on investment.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a seven out of ten. It has effectively improved our security posture, but there are areas where support and usability can be enhanced.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 27, 2024
Flag as inappropriateBuyer's Guide
Microsoft Defender for Endpoint
March 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
IT Security Engineer at a financial services firm with 1,001-5,000 employees
Offers excellent visibility into vulnerabilities and the attack surface itself
Pros and Cons
- "Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer."
- "The stability is great. I haven't seen any outages with Microsoft."
- "Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want."
- "Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes."
What is our primary use case?
Currently, I'm working to build out DLP policies in Defender for Endpoints.
How has it helped my organization?
Defender for Endpoint enables us to see vulnerabilities on certain endpoints and investigate the attack surface. We've improved our Security Score to the industry standard. The solution has reduced the mean time to remediation, but it's hard to give a precise number because it varies on a case-to-case basis. Automatic remediation of certain vulnerabilities has allowed our SOC to work on other projects.
What is most valuable?
Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer. The visibility into the attack surface is good. It gets highly granular. I don't work on that side, but the people who do tell me they get more visibility.
What needs improvement?
Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for one and a half years.
What do I think about the stability of the solution?
The stability is great. I haven't seen any outages with Microsoft.
What do I think about the scalability of the solution?
It's pretty easy to scale with Microsoft, as they make it easy if you look into the documentation.
How are customer service and support?
I rate Microsoft support eight out of 10. Customer service has been pretty good. I don't have any complaints.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We've had E5 licensing for a while now, but our security stacks were spread across multiple resources, so we are currently consolidating.
What's my experience with pricing, setup cost, and licensing?
I don't work much with the costs, but I have not heard of any issues with pricing, licensing, or setup costs for Microsoft Defender for Endpoint.
What other advice do I have?
I rate Microsoft Defender for Endpoint eight out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Nov 24, 2024
Flag as inappropriateSenior Data Hosting and Security Special at Two aquate
Helps to prioritize threats, provides good visibility, and saves us time
Pros and Cons
- "Microsoft Defender for Endpoint is extremely stable."
- "A single dashboard would be a significant improvement."
What is our primary use case?
We are a Microsoft-heavy organization, so we use Microsoft Defender for Endpoint because of its compatibility with our environment and its reports, which provide good visibility into our environment and send telemetry logs to the server.
How has it helped my organization?
Microsoft Defender for Endpoint collects all system logs, activity logs, and threats. It then sends this data to the Office 365 security portal, where we can view all logs and use various analytics tools to forecast average bandwidth usage, identify programs used by users, and view which apps are running in our environment, including unauthorized apps. All of these insights are easily accessible if we have a complete Microsoft solution.
Microsoft Defender for Endpoint helps us prioritize threats across our enterprise. We have configured the standard settings and are using many Microsoft solutions, so we receive direct support from Microsoft. We have created many policies, including a standard policy for all apps and programs used in our organization. We have a list of these programs, and any that are in the Defender for Endpoint exclusion list, such as DLP software or trusted software, are excluded so that they do not slow down the process. We then prioritize the apps according to standard cybersecurity priorities. For example, if an application is vulnerable and not from a renowned vendor, it should be blocked.
We have integrated Sentinel with Defender for Endpoint. The integration was a few simple clicks.
Our integrated solutions work together seamlessly to provide coordinated detection and response across our environment. We like Microsoft's Advanced Threat Protection solution, which uses EDR and AI to protect endpoints. Recently, a user downloaded an unknown file, and ATP immediately flagged it. ATP then ran an automatic investigation and provided us with the results in the portal. We can then decide whether to quarantine, delete, or report the file to Microsoft Defender for Endpoint.
Microsoft provides comprehensive security products that have fulfilled all of our security needs and assured us that we have enterprise-grade security and do not need any other solutions. We have received positive results.
We use the cloud's bidirectional synchronization capabilities to synchronize our on-premises Sentinel agents with the Azure Monitor agents.
It is our requirement to have bi-directional synchronization between the cloud and on-premises environments because we now have users in both locations. This means that if a user changes their password in the cloud, it will also be updated in the local Active Directory. Additionally, we have some on-premises servers that require our SQL databases in Azure, so they communicate with the cloud bi-directionally.
Microsoft Sentinel enables us to ingest data from our entire ecosystem. The whole point of Sentinel is to collect logs and notify us, showing us our cybersecurity posture and where we stand. It also advises us on the policies we define for our system and whether the system in our environment matches those policies, identifying any applications that are not fulfilling those policies.
Sentinel provides visibility into our environment and we can investigate and respond to threats through Defender.
In the context of user and entity behavior analytics, Sentinel is very effective. It can identify high- and low-risk users by analyzing their daily usage activities, such as the applications they access, the websites they visit, and how they handle data. Sentinel then segregates users into high-risk and low-risk groups based on this analysis. This gives us good visibility into user behavior, which is essential for protecting our organization. While Sentinel has other capabilities, we are currently using it for UEBA.
Microsoft security has helped us save about 30 hours per month, reducing our workload.
Microsoft security has helped us save costs. In our company, we have different Office 365 licenses, including E5, E3, and F5. Some of the security add-ins are free with these subscriptions. For example, the E5 license includes SIEM, Office 365, Defender for Endpoint, and an Active Directory P1 subscription. This means that we do not have to purchase these add-ins separately, as they are included in our licensing.
Defender for Endpoint has reduced our time to detect and respond. Once an incident has occurred the AI automatically takes action and provides us with a detailed report of the investigation. It takes five to ten minutes to resolve an incident.
What needs improvement?
To have full visibility, we must access multiple dashboards, which is a problem because they change frequently, with daily updates to naming conventions. A single dashboard would be a significant improvement.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for seven months.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is extremely stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is easily scalable because it is compatible with a variety of Windows and Linux machines.
How are customer service and support?
Technical support is good. We usually receive a response with a solution within 24 hours.
How would you rate customer service and support?
Neutral
Which other solutions did I evaluate?
We are currently evaluating CrowdStrike and a few other solutions.
What other advice do I have?
I would rate Microsoft Defender for Endpoint eight out of ten.
Microsoft-heavy organizations should avoid using third-party SIEM solutions, as the compatibility issues would require significant effort from the IT department to configure them with Microsoft applications.
Microsoft Defender for Endpoint is a detection system, not a prevention system. We receive alerts after a threat has occurred.
It is better to choose a single company security solution because it will free up time to focus on the environment and identify loopholes. Rather than using three or four third-party software programs, which would require us to spend more time learning about them and resolving compatibility issues, a single solution would provide a better view of the environment.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Team Lead at Global Brands Group
Real-time detection, easy to deploy, and scalable
Pros and Cons
- "Real-time detection and cloud-based delivery of detections are highly efficient."
- "The application control feature requires improvement."
What is our primary use case?
We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security.
Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.
How has it helped my organization?
The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.
Microsoft Defender for Endpoint helps prioritize the threats across our organization.
The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.
The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.
In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.
The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.
Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.
The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.
Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.
Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.
The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.
The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.
This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.
What is most valuable?
Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations
What needs improvement?
The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.
The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable.
Which solution did I use previously and why did I switch?
I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.
How was the initial setup?
The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.
What about the implementation team?
We implement the solution for our customers.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.
There is an additional cost for Microsoft Premier support.
What other advice do I have?
I give the solution an eight out of ten.
Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.
To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Director of Technologies Solutions at a retailer with 1-10 employees
Has good reporting and logging features
Pros and Cons
- "I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender."
- "The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor."
What is our primary use case?
We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises.
How has it helped my organization?
Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too.
The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in.
Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things.
We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.
Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster.
It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker.
What is most valuable?
I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.
Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.
What needs improvement?
Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.
The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.
For how long have I used the solution?
We have used Defender for Endpoint for the last 18 months or so.
What do I think about the stability of the solution?
Defender's stability is one of the things I love most about the solution.
What do I think about the scalability of the solution?
There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple.
How are customer service and support?
I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting, notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons.
We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.
We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.
How was the initial setup?
The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy,
What's my experience with pricing, setup cost, and licensing?
Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing." There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.
What other advice do I have?
I rate Microsoft Defender for Endpoint eight out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer: Resellers
Head of Security at a tech vendor with 10,001+ employees
Helps prioritize threats, offers good visibility, and saves us time
Pros and Cons
- "The antivirus is the most valuable feature."
- "There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint."
What is our primary use case?
We use Microsoft Defender for Endpoint for our antivirus protection.
How has it helped my organization?
The visibility into threats that Defender for Endpoint provides is good because we are using all Microsoft products.
Microsoft Defender for Endpoint assists us in prioritizing threats throughout our enterprise. This prioritization of threats is crucial for safeguarding end-user devices.
Sentinel allows us to gather data from our entire ecosystem, and the interface is highly impressive. Data ingestion is of utmost importance for our organization, especially concerning the security of our environment.
It allows us to comprehensively investigate threats and respond from a unified platform. This is of great significance to us, as Sentinel plays a pivotal role in our Security Operations Center.
Microsoft Defender for Endpoint assists us in automating the prioritization of critical alerts. I am certified in cybersecurity. Recently, I have begun the process of renewing my certification as it is set to expire next year. I have been reading numerous articles regarding Sentinel, Defender for Cloud, Identity, and Endpoint applications, and there is a multitude of information available. Automation is now fully integrated, which holds significant importance for enterprise-level customers.
The solution assists in eliminating the necessity of using multiple dashboards, providing us with a single XDR dashboard integrated across various Microsoft products.
The threat intelligence assists us in preparing for potential threats before they occur, allowing us to take proactive measures to prevent them. The assessment mechanism analyzes and identifies threats, providing clear instructions before we proceed to the security parameters.
It has saved our clients time, mainly with their SOC operations.
What is most valuable?
The antivirus is the most valuable feature.
What needs improvement?
There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors.
The analysis that identifies the threats and remedies them can be enhanced in a future release.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for almost four years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable.
How are customer service and support?
The quality of technical support is determined by the customer's priority levels: P1, P2, and P3. Overall, they are known to provide good support.
Sometimes, the support takes a while to respond, and their shifts change, so we have to begin again with the new person on the shift.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward for me. All Microsoft products are easy to configure and integrate data also. To properly utilize all the features the person integrating must understand the architecture code concept as well.
Before deployment, I consistently conduct a rapid assessment to comprehend the customer's infrastructure. Subsequently, I formulate a plan grounded in this information. Typically, we aim for minimal personnel involvement due to the centralized nature of cloud operations. Additionally, we can advocate for either GPO or CCM deployment software. Our approach entails utilizing a singular architect, one resource, and one SME for implementing and overseeing the infrastructure, aligning with the security prerequisites of the customer's locale. Continuous monitoring of the infrastructure is imperative, maintaining a 24/7 vigilance.
The implementation takes around three months to install and configure.
What's my experience with pricing, setup cost, and licensing?
The pricing is competitive. The pay model is pay as we use.
For organizations that make use of all Microsoft solutions, the cost is lower, and the visibility is increased.
What other advice do I have?
I rate Microsoft Defender for Endpoint nine out of ten.
Microsoft Defender for Endpoint is indeed a commendable product. However, despite its implementation, we should consider the integration of other security products. This is due to the escalating variety of cyberattacks prevalent today. While Windows consistently issues patches to update its existing products, I propose the adoption of a dual-product approach within our infrastructure. This approach aims to preempt eleventh-hour security breaches. By juxtaposing and scrutinizing the attributes of different solutions, we can better comprehend their nuances, specifically at the feature level. The pivotal factor lies in how adeptly a solution identifies and mitigates potential threats. Therefore, I advocate for the incorporation of two distinct solutions within our infrastructure. This strategy is poised to yield heightened efficiency, effectively mitigating the risks of both security breaches and data breaches.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Information Security Engineer at a financial services firm with 10,001+ employees
Easily integrates with Microsoft solutions and helps us prioritize threats across our enterprise
Pros and Cons
- "The integration with all variations of Microsoft Defender, for Endpoint, 365, and Cloud is valuable."
- "The time it takes to implement policies has room for improvement."
What is our primary use case?
We use Microsoft Defender for Endpoint to protect our work environment.
How has it helped my organization?
The endpoint provides good visibility into threats. However, working with Microsoft Defender for Endpoint and its control panel can be challenging, especially when dealing with features such as compliance and cloud app security details. Nevertheless, with enough experience, it becomes a useful tool for threat detection. Although it may be difficult to work with initially, it is an essential instrument for information security.
Microsoft Defender for Endpoint helps us prioritize threats across our enterprise.
The integration of Microsoft Defender for Endpoint with other Microsoft solutions is easy. The integrated Microsoft solutions work natively with each other.
The level of comprehensiveness provided by all of the integrated solutions is satisfactory.
Microsoft Sentinel allows us to investigate and respond to threats from one place.
Microsoft Defender for Endpoint helps automate routine tasks and find high-value alerts. The solution has a powerful advanced query that we can schedule to run automatically.
Microsoft Defender for Endpoint simplifies the use of multiple dashboards by providing a single XDR feature. This is a beneficial feature, but my reliance is on the 50 automated rules that run on a schedule to keep me informed of any incidents.
The automatic rules and policies that we apply using Microsoft Defender for Endpoint save us around four hours per day.
Microsoft Defender for Endpoint has saved our organization money by protecting the environment from threats.
Microsoft Defender for Endpoint has reduced our time to detect and respond to security threats by consolidating all relevant information in a single panel within a web portal. This enables us to quickly review and respond to potential threats, thus improving our ability to mitigate risks effectively.
Microsoft Defender for Endpoint has helped our organization by working to identify threats quickly before they become a problem.
What is most valuable?
The integration with all variations of Microsoft Defender, for Endpoint, 365, and Cloud is valuable.
What needs improvement?
The time it takes to implement policies has room for improvement. When we create policies or configure file profiles and assign them to specific groups, Microsoft Defender for Endpoint will apply these rules accordingly. If we need to make changes to the policy, it can take up to thirty minutes or even two to three hours for the changes to take effect on Microsoft Defender for Endpoint. This waiting period can be a significant amount of time to implement changes. It is at times quicker to create new policies than to make changes to existing policies.
We are experiencing problems with certain Samsung Android mobile devices that have Microsoft Defender for Endpoint installed. Specifically, when attempting to log into the corporate profile, users are prompted multiple times to enter their credentials.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for two years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is extremely stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is scalable.
How are customer service and support?
The technical support team is professional.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used a separate antivirus and endpoint solution called Cynet but it was not very useful. Our organization moved into the Cloud so we decided to use Microsoft Defender for Endpoint.
What about the implementation team?
We deployed Microsoft Defender for Endpoint across multiple locations in our organization.
Which other solutions did I evaluate?
We evaluated Splunk and Microsoft 365 before the head of our company chose Microsoft Defender for Endpoint.
What other advice do I have?
I give Microsoft Defender for Endpoint an eight out of ten.
No maintenance is required on our end for Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint is a powerful tool and I recommend it.
Using a single vendor security suite carries inherent risks, but with a well-established company like Microsoft, those risks are significantly reduced, and it's more cost-effective than using multiple best-of-breed solutions to achieve the same level of security.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Product Categories
Endpoint Protection Platform (EPP) Advanced Threat Protection (ATP) Anti-Malware Tools Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
SentinelOne Singularity Complete
Cisco Secure Endpoint
Cortex XDR by Palo Alto Networks
Fortinet FortiClient
Symantec Endpoint Security
HP Wolf Security
Trellix Endpoint Security
Trend Vision One Endpoint Security
Kaspersky Endpoint Security for Business
Intercept X Endpoint
ESET Endpoint Protection Platform
Check Point Harmony Endpoint
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Compare Microsoft Windows Defender and Symantec Endpoint Protection. How Do I Choose?
- Which product would you choose: Microsoft Defender for Endpoint vs Cortex XDR by Palo Alto Networks?
- What do you think of the integration of Azure AD Services, Defender for Endpoint, and Intune as comprehensive security solutions?
- CrowdStrike Falcon vs Microsoft Defender ATP: Comparison of features and performance
- How does Microsoft Defender for Endpoint compare with Crowdstrike Falcon?
- Running Carbon Black Defense Along with Windows Defender
- How is Cortex XDR compared with Microsoft Defender?
- Which offers better endpoint security - Symantec or Microsoft Defender?
- How does Microsoft Defender for Endpoint compare with Carbon Black CB Defense?
- How would you compare between Microsoft Defender for Endpoint and Tanium EDR?