FrancMlinarek - PeerSpot reviewer
IT Engineer at a tech services company with 1-10 employees
Real User
Top 5
Provides more information than just antivirus hits
Pros and Cons
  • "The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits."
  • "There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry."

What is our primary use case?

We use Microsoft Defender for Endpoint to manage the firewall and provide endpoint security, such as antivirus protection, on the endpoint.

How has it helped my organization?

The visibility of threats is excellent. The most difficult aspect of Microsoft Defender for Endpoint, especially for a small MSP, is the amount of information that needs to be filtered through. There is a lot that can be done in the portal, so it requires someone to spend a lot of time going through all the settings and making sure any issues are resolved. This is why we added Huntress to it, as it helps with the identification of other issues.

Microsoft Defender for Endpoint helps prioritize threats across the enterprise. The great thing about the Defender portal is that if there is a new issue, it highlights the issue for us in the portal, enabling us to easily check the CVE report to see which devices are affected, and make the necessary changes.

The major advantage of Microsoft Defender for Endpoint for us is that we receive a great deal of information. Initially, when we encountered the solution, the most difficult thing was that there was a lot more detail to go through, a lot more logs, and settings that we had to configure. However, once we had everything in place, as we are covering so many devices using the same solution, we were able to make a significant impact on our security.

The solution helps automate the high-value alerts to identify the devices that are at high risk of attack, but we still have to remediate ourselves.

We still enjoy jumping between Defender and Huntress' portals. Microsoft has removed the need for a large number of solutions as the Defender portal itself encompasses a great deal. This is both good and bad as they continue to add to the Defender portal. For a small team, it can be quite overwhelming to have to go through the one Defender portal. However, if the team was larger and we had more dedicated staff, it would be great as everything would be in one place.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they occur and take proactive steps based on the CVE reports, which advise us which devices have higher threat issues.

Being aware of the issues is a good thing, and with solutions like Webroot Business Endpoint Protection, we may think everything is fine as long as the antivirus is installed. However, with Microsoft Defender for Endpoint, we are given a lot of information and become more aware of the issues. This helps us strive to reach the 100 mark on the security score.

Microsoft Defender for Endpoint has saved time by preventing attacks from occurring, and I have been able to rely on it. In contrast, when we used Webroot Business Endpoint Protection, we installed it and then largely forgot about it, assuming it would take care of itself. Webroot rarely gave us any warnings, which may have been due to the product not knowing what to do or not having anything to alert us about. On the other hand, Defender is constantly active and provides us with updates about the endpoints. This may take up more time, as it is making us aware of a lot of other things.

Microsoft Defender for Endpoint is more expensive than Webroot Business Endpoint Protection. However, the value is there in terms of the product we are getting. The cost savings with Microsoft Defender for Endpoint come from being aware of the issues and taking steps to prevent them from occurring. The savings come from avoiding the issues.

Microsoft Defender for Endpoint has a quick response time when it detects a threat. From what I've seen, the system is quite fast. It's not instantaneous when changes are made in the portal and sent to the endpoint, but it is still quick.

What is most valuable?

The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits. Additionally, it has a useful security score that is tied into the Defender platform, giving us a better understanding of what is happening at the endpoint.

What needs improvement?

Microsoft often changes the names of its products, the design of its portals, and what is included in them. This can be confusing for people who are not using them regularly. There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry. This can be frustrating when something that was there one day is gone the next.

I would like to see when NDR solutions become more widespread in other regions. It would be amazing to observe how that progresses. It is something that we are considering, having Microsoft do part of the work using the dependent portal instead of having engineers from our own company do it. Therefore, I am eager to see where that goes.

The stability has room for improvement.


For how long have I used the solution?

I have been using the solution for over one year.

What do I think about the stability of the solution?

When testing to see if the antivirus solution is working properly with a lot of different events occurring on the device, we found that the Defender interface can become cluttered. The solution does not always give us a real-time view of what is happening, making it difficult to navigate the user interface. Therefore, there is potential for improvement in terms of stability.

What do I think about the scalability of the solution?

We've deployed the solution in small environments and larger ones. So we haven't had any issues going between the two. Microsoft Defender for Endpoint is scalable.

How are customer service and support?

We have encountered two technical issues in the past. The support team was very competent, and when I contacted Microsoft support, they were extremely helpful.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had previously used Webroot Business Endpoint Protection, Bitdefender GravityZone, CrowdStrike Falcon, and Cortex XDR by Palo Alto Networks. Microsoft Defender for Endpoint is now included in our licenses, making it an easy addition for many of our clients since some of them already had the licenses that included the solution. Moreover, since many of us already use Microsoft products and portals daily, we were comfortable with Microsoft and the solution did not require a lot of retraining. Additionally, the price was another factor that made the solution attractive; CrowdStrike and the requirements associated with it are too costly for some of our clients.

How was the initial setup?

The initial setup is not complex. It is more cumbersome than Huntress because it is not just an installer. We have a package that needs to be deployed to a few machines. We can run a script, or use a GPO package to distribute it. Although it is not as easy as some of the other smaller solutions, it is still quite simple. We can roll out a group policy. The deployment didn't take long at all. We had already set people up with licenses to access a Hive with Microsoft, so the deployment solution was straightforward. Most of our clients also have directories managed through Azure, which made the rollout easy.

The deployment process requiring engineering numbers or similar is very minimal as it can be done through a single group policy.

What about the implementation team?

The implementations are completed in-house for our clients.

What's my experience with pricing, setup cost, and licensing?

The licensing costs for Microsoft Defender for Endpoint are reasonable.

What other advice do I have?

I give the solution an eight out of ten. When discussing Microsoft Defender with other engineers, we agree that it can be challenging to become accustomed to and comprehend the UI at first. Once we have a grasp on the UI, it is excellent; however, initially, it is difficult to learn.

Microsoft Defender for Endpoint is deployed in systems located in data centers and on-premises, providing a wide range of devices. Approximately two thousand endpoint devices are in use.

Since the solution is a Windows subsystem, it is not difficult to maintain. We utilize a management solution to run many of those updates regularly, ensuring that they are completed regularly.

No single solution or vendor has all the answers, and it can be risky to rely on just one source. If an attack occurs and we are only using one form of security, if it is breached, the attackers will have unfettered access. Therefore, I believe it is beneficial to have a multi-layered approach, utilizing multiple solutions and vendors with different technologies that can work together.

I suggest people do some Microsoft training regarding the Defender platform to become comfortable with it before deploying it to understand exactly what is necessary to make it work.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
reviewer2098923 - PeerSpot reviewer
Vice President of IT at a healthcare company
Real User
Does much of the threat-hunting for me and warns me about my vulnerabilities to threats in the wild
Pros and Cons
  • "For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me 'automated eyes.'"
  • "In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs... that amount of data logging started to add up in the cost."

What is our primary use case?

Initially, I was running a different endpoint security program but it did not have a dashboard that met my needs. It would only do on-premises. If laptops, desktops, or VDIs were remote, such as people working from home or in a different office, or my VDIs—which are really just on-premises but in a separate subnet in VMware, running Windows 10, Windows 7, Windows 11, and 2008 all the way up to 2022—I could only get the servers that were on-prem. That solution had a management console but there was no integrated console within Microsoft so that I could cover all bases. I deployed Defender for Endpoint and now I'm able to see them in there. For some, I've still got the old AMP on them, but Defender will run in passive mode and let AMP run and report to its own console.

The reason I don't want to run AMP, primarily, is that it's a resource hog. Defender for Endpoint integrates it and automatically comes with the Windows operating system or Windows Server Desktop. Plus I can use Defender for IoT and see, on my network—which is a home lab company—my routers, my switches, and, believe it or not, my televisions and refrigerators; the IoT devices that I might have on my network. And that integrates into Defender for Endpoint.

And with Sentinel, I'm hoping to pull that into logs that I have for my cloud-based and on-premises-based servers so I have one pane of glass that will alert me if something is going on. It will correlate those logs from Defender on every endpoint and put them into one incident if there are alerts to be had.

How has it helped my organization?

It probably could help me prepare for potential threats before they hit. The nice thing about it is that it has filtering. I can filter on different logs and say, "I'm looking for this user and every place he ever logged into." I can filter on his name and the scope of the machines I'm looking at. If there's a bad actor, a different version of software, I can pull that up. It has simple filtering and advanced filters, which really help out a lot. It does speed things up.

I rely a lot on Defender for Endpoint to find a lot of stuff for me. With Microsoft knowing about a threat in the wild, something that hasn't hit me yet but it's out there and I'm vulnerable to it, it will detect those vulnerable systems for me. I rely on that to patch or update that operating system.

When you install an OS, it could be a year old, it could be brand-new, or it could be five years old and it's not patched and updated. Sometimes there are apps on it, from Google or Adobe for example. This will tell me that my Adobe Acrobat has so many vulnerabilities and that I need to bring it up to this date because I've got 13 vulnerabilities that could be hacked. I rely on it quite a bit to pull those notices together and alert me on what needs to be updated. I don't have to actually hunt for a lot of it. It does the hunting for me automatically.

What is most valuable?

The features I found to be most valuable in Defender for Endpoint are its alerting, policies, and threat-hunting.

For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me "automated eyes."

A lot of it is hands-off. It just deploys and it updates by itself. With other applications, like McAfee or AMP, I'll have to download a new version and make sure that the signatures were applied. With Defender, one of the things I like is that it has automatic updates.

And Defender has other integrations with Microsoft that are of benefit. It will tell me that certificates are out of date for my certificate server; I've deployed certificates to my laptops or VDIs or servers or switches. There's an automation routine that I can kick in using KQL—Kusto Query Language—so that it automatically remediates the issues that it finds.

And the visibility into threats that Defender for Endpoint provides is fantastic. Since it is a Microsoft product, and they have it deployed worldwide, they pull over a couple of trillion data points a day from other companies and countries. They've got teams of security analysts or researchers who are constantly updating these and they feed me that information. I'll know about a threat that might be down the road or I might be susceptible to, something that I could patch. It tells me if there is a known fix or if there isn't, in which case I might have to go in a different direction. It's the might behind Microsoft. It pulls in all that information so everybody else can see it.

In addition, with the data connectors for Azure or containers or even M365, threats are automatically classified as high, medium, low, or informational. If they're not classified, I can classify them myself or set a priority on them as to whether they need to be looked at right away, whether they're active or in process or resolved.

Microsoft security products provide a little more comprehensive protection than some of the other offerings. One great thing about it is that it's part of the operating system and it's already turned on when you deploy the OS.

But if you do have a third party, like AMP or McAfee for example, Defender will run in passive mode. That means it's not constantly doing a scan, virus check, or malware check. Still, if you open an email, write a document, or load a USB key to copy files, it would scan in all those situations. But in passive mode, it scans once a day, I believe. It does a device discovery and it will tell you, "We found this software, we found these documents, you did have malware or a virus and it has been quarantined." And that's in passive mode.

If you put it in active mode, without the third-party virus and malware checkers, Defender for Endpoint will give you a software inventory and a timeline of every key that was clicked in case you had a bad actor that infiltrated your network or your machine. If an employee went to a rogue support site and downloaded some software, and let somebody in, it would alert me through UEBA: "There is unique behavior that we don't normally see from this person. They don't normally access this site." The alert would tell me which site had been accessed and that software had been downloaded. It would tell me the time it was installed and what it did—every keystroke. That's with Defender for Endpoint being active.

What needs improvement?

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming.

I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives.

I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted.

You have to keep an eye on the Sentinel and Defender for Endpoint storage.

For how long have I used the solution?

I have been using Defender for Endpoint since about November, so about three months.

What do I think about the stability of the solution?

It's pretty stable.

With a browser or web-based system, it might confuse things, saying, "You don't have access," because you should have logged in with your admin credentials but you logged in with your standard user credentials because you are on the same desktop.

How are customer service and support?

For my home business I just have basic support. I submit a ticket and they get back to me in a couple of days.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

My company isn't off the ground yet, it's basically going to be a family medical practice run by my wife and me. I'm an IT guy and she's a nurse practitioner and, eventually, she wants to work for herself. I'm doing the background and since I do use it for my regular job, I'm doing this on my own labs as well with trial software or things I've bought subscriptions for. I've bought Microsoft E5 so a lot of it is out-of-pocket and on a shoestring budget.

The nice thing about Defender and Sentinel is that the cost is based on the data logs that you ingest from the Defender endpoints and data connectors. I don't have to buy a 25- or 50- or 1,000-user or enterprise license. I can buy one license at a time. For small mom-and-pop shops, that's very important. A lot of startups don't have that kind of budget for enterprise-wide scalability, especially when they don't have many devices in the first place.

What other advice do I have?

Defender for IoT is an add-on to Defender for Endpoint. It's there, but you have to onboard it. I don't really have enough devices, other than my home base, but in a regular business it would find all the switches, routers, security cameras, monitors, printers, modems, and anything else you have attached. With Defender for Endpoint, you need to have an operating system—Linux, Windows, et cetera—to deploy it.

A refrigerator or a camera or a security device doesn't really have a Windows-based operating system on which to deploy the agent. So IoT, within Defender, will scan those devices, find them, and let you know that it found them. It does that out-of-the-box with Defender for Endpoint. If you want to see the actual operating system of IoT devices and get alerts that something is out of date or has vulnerabilities, you have to get a subscription to IoT, which I hope to do.

There's a lot to learn when it comes to using Defender for Endpoint to automate routine tasks and find high-value alerts. KQL is a structured query language for hunting. If I have data ingestion from M365 logs, Defender for Containers, Defender for Storage, and AWS, Defender for Endpoint or Sentinel will allow me to hook up connectors to pull all of those logs into a "master database" with different tables that contain those logs. There are routines that are already written that say, "If you're looking for this type of an event that started with this application that went to a SQL server that was stored on this server that was accessed from a laptop where the guy went through a browser and went to this particular rogue network," and they access all those tables in that master database.

KQL allows me to tap into each of those different tables and correlate like events or like data, and pull it all into an alert or a threat hunt. It's something to master. It's sort of like regular SQL, but there are a lot of tables and schemas and you have to know what the tables and headers and columns and fields are, and then the syntax. It does threat-hunting really well with the canned queries that it has. But if you're looking for something in particular, you need to learn KQL. A SQL Server database admin would know SQL and how to pull data out of tables and do joins, commits, and transaction rollbacks. KQL is on that same level where you have to be an expert in KQL to actually pull all that stuff together. It's quite the learning curve, but there are courses out there that teach you.

I've been doing systems administration and engineering server admin things for quite some time, a couple of decades since Windows came out, and a little bit before that. But jumping over into the security space for my home business, and putting all these things together with Defender and Sentinel, has been a learning curve. It has slowed me down a little bit. A while back, security was always an issue for security teams. Now that I'm working on my own company, I'm a one-man show. But at the same time, I know there are a lot of bad actors out there.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Daniel_Ndiba - PeerSpot reviewer
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Real User
Provides a detailed level of visibility and helps to proactively prevent attacks before they happen
Pros and Cons
  • "It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune."
  • "With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in the multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation."

How has it helped my organization?

It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.

What is most valuable?

I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.

The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.

It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.

When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.

We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.

It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.

Having one XDR dashboard has eliminated the need to look at multiple dashboards.

In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own with Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.

Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.

Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.

With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.

This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.

Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.

What needs improvement?

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.

With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.

Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

For how long have I used the solution?

I've been using it for three years.

What do I think about the stability of the solution?

It's quite stable.

What do I think about the scalability of the solution?

It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.

We have about 5,000 users.

How are customer service and support?

The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.

We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.

How was the initial setup?

The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.

It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.

Our environment is across multiple branches in the organization with branches in different locations and countries.

What about the implementation team?

We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.

What's my experience with pricing, setup cost, and licensing?

Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.

What other advice do I have?

If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.

However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.

Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Keith Bird - PeerSpot reviewer
Cybersecurity Analyst at a university with 5,001-10,000 employees
Real User
Provides great investigative capabilities, and the timeline function allows us to quickly see what caused an alert
Pros and Cons
  • "The investigation aspect is the most useful. It's user friendly and has a good user interface."
  • "I would like MDE to have the ability to isolate a certain amount of time on the timeline."

What is our primary use case?

I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.

We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.

I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.

My organization was in the process of using Sentinel to ingest data from their entire ecosystem.

The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.

How has it helped my organization?

MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.

MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive. 

If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.

What is most valuable?

The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.

I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.

MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.

Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.

MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.

MDE has also saved us time.

One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.

What needs improvement?

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.

With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.

After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

For how long have I used the solution?

I used MDE for two years.

What do I think about the stability of the solution?

The stability is great.

Which solution did I use previously and why did I switch?

I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.

Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.

I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.

How was the initial setup?

We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.

What other advice do I have?

I would rate this solution as eight out of ten.

If you have the money for it, I would recommend the Microsoft security solution.

I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.

The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Naman Verma - PeerSpot reviewer
Security Delivery Specialist at a consultancy with 10,001+ employees
Real User
Top 5
Reasonably priced with good support but still needs to improve its threat intelligence
Pros and Cons
  • "We have very good visibility on our endpoints. The level of information it throws back is helpful."
  • "Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware."

What is our primary use case?

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

What is most valuable?

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, it is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products, including CASB integrated with our endpoint. We're also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That's a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

What needs improvement?

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

For how long have I used the solution?

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

What do I think about the stability of the solution?

The product is fairly stable. 

What do I think about the scalability of the solution?

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

How are customer service and support?

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

How was the initial setup?

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

What about the implementation team?

We are the third party. We help clients implement the solution. 

What was our ROI?

We have witnessed an ROI. 

What's my experience with pricing, setup cost, and licensing?

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

What other advice do I have?

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
reviewer1984494 - PeerSpot reviewer
Sr Principal Cybersecurity Engineer at a transportation company with 10,001+ employees
Real User
Offers excellent threat hunting and integration with other Microsoft tools
Pros and Cons
  • "The threat hunting service is very useful for a security professional."
  • "My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product."

What is our primary use case?

In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.

How has it helped my organization?

Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.

The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.

The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.

Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, theme tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration. 

Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.  

What is most valuable?

The threat-hunting service is very useful for a security professional.

The ability to fine-tune specific policies to protect our enterprise is also advantageous.

The increasing deployment availability on different platforms and OSs is a good functionality.

Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.

Defender for Endpoint provides good visibility into threats, and there is always room for improvement.  

The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.

In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.  

Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.   

Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.  

What needs improvement?

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.

Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.

Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.

A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

For how long have I used the solution?

I've been using the solution for over 15 years. 

What do I think about the stability of the solution?

The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.

What do I think about the scalability of the solution?

The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.

How are customer service and support?

Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.

How was the initial setup?

I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy. 

In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.

What other advice do I have?

I would rate the solution eight out of ten. 

The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.  

Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.  

Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.  

The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit with needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's sort and machine learning capabilities fully. 

I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.

When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them. 

I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Siddip Neduri - PeerSpot reviewer
Specialist - Collaboration Platform Engineer at a tech vendor with 1,001-5,000 employees
Real User
Helps us find a lot of vulnerabilities and fix a lot of security-related issues
Pros and Cons
  • "Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them..."
  • "Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first."

What is our primary use case?

Once we enroll devices, the Microsoft scanners scan them in the backend and find vulnerabilities for the devices. For example, if our Office version is outdated, or Chrome is an outdated version, or there are any vulnerabilities or security loopholes, they will be displayed in Defender for Endpoint. We go through those vulnerabilities and we try to fix them by creating group policies or by using Intune. If there are any security recommendations in Defender for Endpoint, we fix those assets.

How has it helped my organization?

It's the best solution for vulnerabilities. Most updates will be done by group policies in a big organization and everything will be maintained in that way. But with non-group policies, if it's not a hybrid environment, or they are only using cloud, or they're connected to Azure already, or they don't have AD, a lot of updates will be missed. That is a very difficult situation for handling vulnerabilities. In that situation, once we enroll the devices to Defender for Endpoint, all the vulnerabilities will be displayed on the dashboard and we can review them and fix them. In that way, we can stop most cyberattacks and close all the vulnerabilities and loopholes.

Before enrolling devices to Defender for Endpoint, we don't know what vulnerabilities or security loopholes are on those devices. Once we enroll devices we find a lot of vulnerabilities and we have been able to fix a lot of security-related issues. It has helped us a lot.

It is impacting our security score. Before we enrolled our devices to Defender for Endpoint, our security score was 58. When we enrolled 500-plus devices to Defender for Endpoint, our security score went down to about 42 percent. We then understood we need to maintain it above 50 percent, as recommended by Microsoft. We are trying to increase our security score by fixing those issues.

It shows how to fix a given vulnerability or security issue, providing step-by-step guidance. That saves a lot of time because if we didn't know how to fix a vulnerability, we would need to do some research and find the right document. That would take time. It is saving us 10 to 15 hours per month.

What is most valuable?

It finds the loopholes and vulnerabilities and shows you some security recommendations as well. Based on the requirements, we fix them. We don't necessarily need to fix all the vulnerabilities. For example, if an organization is using Office 365 and the accounts team wants Excel to be updated to version 16.2.0, some applications or some data will work only with that particular version, but some data will not be supported. In that situation, we don't want to upgrade MS Excel.

Integrating Microsoft solutions with other solutions is not that difficult. Microsoft provides documentation on how to integrate things, which is good. We get a lot of information from the Microsoft pages. Integration is very helpful for finding all the security-related stuff.

Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them, or if we want to work on the security-related ones, we can go to the security tab and work on all of them.

The solution's threat analytics is another tab and it is helpful for finding vulnerabilities, phishing emails, and spam emails. If we want to release them, we can release them. We will check IP abuse and whether the IP is related to brute force attacks. If we want to improve on something, we will send it to Microsoft to analyze it. Being proactive is important. As specialists, we need to review the recommendations from Microsoft on a day-to-day basis and fix them as much as we can. Day-to-day, we need to upgrade and make sure all the devices are up to date. That should not be done on a weekly or monthly basis.

What needs improvement?

Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first.

For how long have I used the solution?

We have been using Microsoft Defender for Endpoint for one and a half years. 

What do I think about the stability of the solution?

I haven't seen any downtime. I don't see any issues with the stability. If there is any downtime, Microsoft will send a message on the dashboard and we can see any service issues.

How are customer service and support?

Their tech support is very good. If we raise a ticket, they will respond within 15 to 20 minutes. If they don't know, they will do some research and come back to us. I love working with Microsoft.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used GFI Vipre. We switched because Vipre was not a Microsoft product, and we trust Microsoft. Between a third party and Microsoft, most people will choose Microsoft because the solution and the support are very good. We also have a client portfolio and we get a discount on the license.

How was the initial setup?

The initial setup is simple. We run a script on the local machine and the device will be enrolled to Defender.

I completely configured Defender for Endpoint to be used in an automated way. We enrolled our devices to Intune and we configured Defender for Endpoint in Intune. Once we add our devices to Intune and to a group, those devices will be enrolled to Defender for Endpoint also. Enrolling takes around 24 to 48 hours.

Maintenance is pretty easy. Once we run that script, there are no complications while enrolling the devices.

What's my experience with pricing, setup cost, and licensing?

The comprehensiveness of the threat protection that Microsoft security products provide depends upon the license. Right now, we are using E5 licenses, which cover every security feature. But if a small or mid-level organization uses an E3 license or Business Basic plan, not all the features are provided. The cost is high for E5 licenses, but if we go with the E3 license, most of the features are not covered.

Which other solutions did I evaluate?

We did some research and found other solutions. The support is very good for Microsoft. If we raise a ticket, within 15 to 20 minutes, we will get a response from the Microsoft support team regarding the issue. They keep an eye on it; every ticket is tracked. If we want, we can also escalate. With a third-party solution, we cannot get as much support as we can with Microsoft.

There are a lot of cyber security tools, so it depends upon the requirements. I'm not saying that we need to use only Microsoft. But when it comes to support, I don't know how the others do. Using a suite of solutions from Microsoft has benefits. Support is a very good one. The recommendations are also provided in the dashboard, and the SLA is 99.9 percent; we don't expect downtime with Microsoft.

What other advice do I have?

We are not using Microsoft Sentinel. It will create alerts regarding VMs or storage but the cost is very high. Sentinel is not going to help much more when compared with Defender for Endpoint. Sentinel isn't preferable. It only creates alerts. There is not that much impact on the organization if it uses Sentinel also.

Microsoft Defender for Endpoint is a very good solution. I recommend using it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at SAI Systems
Real User
Reduces admin overhead and allows us to define and roll out policies from a central console
Pros and Cons
  • "The best part is that it is built into Windows, whether it is a server base or a desktop base, which gives more control over the operating system. Because Defender, the operating system, and the Office solution are by Microsoft, everything is working like hand-in-glove. Its administrative overhead is less because a desktop user has already got some experience of how to handle a Microsoft Defender notification or administer it."
  • "Its user interface (UI) can be improved. Currently, in the console, you have to dig down for certain things. They've got many different layers to get to things instead of having it all on the surface. You have to go three folds lower to get to specific functionality or click a particular option. It would be good if we can manage the console through menus and instead of three clicks, we can do things in one click. They need to change the UI and work on it in terms of a better user experience."

What is our primary use case?

It comes inbuilt with Windows Server and Windows 10, so we are using its latest version. It is deployed centrally on all the platforms, whether it is a virtual environment, a BYOD device, or an office device. It is deployed everywhere. 

All of our users are on Office 365. By default, every user is getting Office 365, and we are also incorporating this into data leak prevention. We have also enabled Azure Active Directory, so policies are deployed directly from our active directory. 

How has it helped my organization?

It has reduced admin overhead. Because it comes inbuilt with Windows, we don't have to deal with the complication of using a third-party solution. We stopped using Symantec Antivirus three years ago. Previously, we had to find a person who knew how to manage Symantec Antivirus. Now, we don't have that overhead. It is also less taxing on the admins because they don't need to license an extra software every year and then deploy and manage those licenses. Everything is seamlessly managed from a central application.

Our full backup is on OneDrive. We had deployed separate storage area networks to back up important data for off-site users, not on-site users. In the current scenario of work from home, users need to establish a VPN connection to run our backup system. When they are at home, we cannot back up their systems if they don't have good connectivity. We also can't tax their broadband connections. Incorporating OneDrive as a backup solution with Windows Defender and Windows 10 has helped us immensely.

We were not prepared for having people working from home because we always worked from the office, and 100% office attendance was required, but due to the pandemic, people moved to their hometowns, and we could no longer manage those systems. It became a headache for us when people used to report that their Windows got corrupted. Because they were working from home and there is a big problem of electricity in India, if electricity is not there, the systems suddenly shut down, and the registry gets corrupted. All these things are difficult to handle when you're at a remote location and you don't have your eyes and hands on that particular location. In such times, Windows Defender became a very big helping hand in managing the recoveries of such systems. The backups managed from OneDrive were very helpful. It has saved hundreds of hours of restoring the system in case something goes wrong.

There was an instance where a user opened a spam message, and a ransomware attack was done on that system. Because the backup is managed by OneDrive, within 17 hours, this user's whole laptop was recovered without physically working on that laptop. Because of slow connectivity, it took time, but we were able to recover. This is the best feature of having OneDrive backup on the fly and recovery on the fly. These 17 hours were peanuts as compared to the data that we were able to save. This is the best selling point of having OneDrive as a backup with Windows Defender and Office 365.

What is most valuable?

The best part is that it is built into Windows, whether it is a server base or a desktop base, which gives more control over the operating system. Because Defender, the operating system, and the Office solution are by Microsoft, everything is working like hand-in-glove. Its administrative overhead is less because a desktop user has already got some experience of how to handle a Microsoft Defender notification or administer it. While working on Windows 10, every now and then, users might have seen it popping up, and they know how to do certain things. So, it is not too taxing from an administration point of view where we have to tell users what to do. 

Centralizing policies and rolling everything out is done only from one console. We are able to provide restrictions based on what we want to filter, such as certain apps should not run and certain things should run. Because we are also into website development and code development, sometimes, users need to run certain software or their own build application, which is not possible to specify with an antivirus solution. With Defender, we can centrally deploy a policy where certain parts are excluded, and they can run their code in those particular parts. This is a very nice feature where we don't have to micromanage developers' PCs or exceptions.

Data leak prevention is something that our company requires, and it is incorporated in this solution. Because we are using Microsoft OneDrive, it is easy to take the backup to OneDrive via Microsoft Defender.

It has helped in improving our security posture.

What needs improvement?

Its user interface (UI) can be improved. Currently, in the console, you have to dig down for certain things. They've got many different layers to get to things instead of having it all on the surface. You have to go three folds lower to get to specific functionality or click a particular option. It would be good if we can manage the console through menus and instead of three clicks, we can do things in one click. They need to change the UI and work on it in terms of a better user experience. For example, user management should be in one menu, license management should be in one menu, and backup management should be in one menu. Currently, if you click on a user, you will get some devices there, and some devices will be on the other menu. Its UI is complicated. In terms of functionality, everything is okay. We don't want anything to be changed in it.

For how long have I used the solution?

We have been using this solution for three years.

What do I think about the stability of the solution?

It is highly stable. We don't even have to look into it to see if it has stopped working, or whether it is doing its job well or not. We have around 500 devices in our organization, and all devices do the regular login with the logs. It is immensely stable.

What do I think about the scalability of the solution?

Its scalability is immense. There is no device, user, or policy limit. You install a device, and it is automatically configured because the policy is deployed from the centralized policy server or active directory.

We have around 500 devices in our organization, and all devices are using it. We have all kinds of devices such as laptops, desktops, notebooks, Surface devices, etc. We also have in-house virtual servers on the AWS cloud and in-house physical servers. We also recommend enabling it for our client servers, and we configure policies for them.

Every person in our organization is using this solution. We have approximately 380 users. Its users include everyone from a new joiner to our management president. Last year, our strength was 260, and this year we have 380 users. We are growing, and by 2022, we should have more than 600 users. We are growing in a very good manner, and a group target is there. We are definitely going to grow.

How are customer service and technical support?

We have been using Microsoft products since the commencement of Windows 95. We have rarely used their support because they make their products in a way that makes them easy to use. Sometimes, there are flaws and issues, and because we are also a Microsoft Partner, we get support on priority. They take a case at the level where they think it will be resolved, and if someone is not able to resolve it, it automatically gets escalated. 

We mostly use our in-house support. In the past 20 years, we have used their support twice. When I used their support last time around four to five years ago, they were really very helpful. They were good and very professional. I cannot comment on how their support is now with the current pandemic and people not working from the office. 

Which solution did I use previously and why did I switch?

We were using Symantec Antivirus three years ago. When we were using Symantec Antivirus, users used to report that certain pop-ups were there and ask what they should do with them. They used to ask, "Is my system infected?" They used to panic on seeing those pop-ups. Most of them were unnecessary and would say that they need to have admin access or a particular software is trying to open a port. Because we are into development, it is a requirement of a developer to open certain ports and to make that application listen on certain ports. Such requirements were very difficult to configure in Symantec. It was difficult to make it understand that these ports are going to be used by developers, and they are going to be opened, and it is not a virus activity. Sometimes, the temporary folder of users used to get infected, and it used to give hundreds and hundreds of pop-ups. We didn't know how to close all those pop-ups in one go because they were not in a group. Imagine sitting and closing a hundred pop-ups. We had to click the Close button on each and every pop-up.

With Microsoft Defender, we can control notifications. We can tell which notifications should go to the users and which shouldn't go to the users and should be forwarded to the admin central console. In terms of user experience, users are happier with less annoyance of pop-ups that they used to get with Symantec Antivirus. They do not need to know each and everything that is going at the backend. Only the admins need to know certain things, and they should know them. With Microsoft Defender, users don't even get to know that they have an antivirus solution on their system because they never get any irritating pop-ups or notifications or slowness of the system. We configure everything from the backend, and we are managing their systems from one console, which is the biggest plus point of Microsoft Defender.

How was the initial setup?

Its initial setup is very easy. It took us just a couple of hours to deploy it on remote devices.

Our implementation strategy was to deploy group policies and manage the DLP policies from the central console.

What about the implementation team?

We did our own research, and because it was a lockdown, we had resources on our hands. We asked one of our system admins to look into the options and the policies that we need to deploy and what we need to do. He went over it for a month and trained the rest of the team. Within one and a half months, it was fully operational on each device, and my whole team was trained on it.

The whole job of its deployment was done by one person, and for maintenance, we have got a five-person team because we have 380 users across the clock and across the globe.

What was our ROI?

We have very much seen an ROI.

What's my experience with pricing, setup cost, and licensing?

Licenses depend upon what you are looking for and what kind of security you want to implement. There are costs in addition to the standard licensing fees.

When we used to buy Symantec, we used to spend on 100 licenses. We used to spend approximately $2,700 for that many licenses, and they came in packs. To add one more license, I had to buy a pack with a minimum of 10 licenses. I had to spend on nine extra licenses because I can't get a single license, whereas when we go for Microsoft, we can get as many licenses as we want.

If I have 100 users today, and tomorrow, I have 90 users, I can release my 10 licenses next month. With any other software vendor, you buy licenses for one year, and you have to stick with that. If today you have 100 licenses, and tomorrow, you have 50, you have already paid for one year's license. You can't go back and tell them that I don't require these 50 licenses because I have lost my 50 users, but with Microsoft Defender, licensing is on a monthly basis. It gives you both options. You can go yearly and save on it, or you can go monthly. You will, again, save on it. It is very fair everywhere.

What other advice do I have?

My advice is, "Try it, and you will love it." If you go for any other product, you will have to manage everything separately, which becomes an overhead. You will have a separate console, separate licensing, and a separate vendor. You will also get a piece of software that is going to have a layer in between the operating system and your applications, whereas Defender incorporates itself onto the layer where the operating system is sitting. So, you don't tax your resources to manage a product that is already incorporated into all systems. Everybody knows how to use Windows and Defender, so the learning curve is also not there. It is very easy, and it offloads a lot of things such as tech requirements, separate licensing requirements, and separate vendor management. 

I am not advising you to go ahead and discard whatever you are using. You should implement it in a test environment and see what your requirements are because the requirements will definitely impact the licensing. If your requirements are met, then compare the time required to manage Defender versus the current solution that you are using. You should compare how many hours you are putting in managing both solutions with a different skill set. Only after such an evaluation should you deploy it.

The biggest lesson that I have learned from using this solution is to always keep it simple. Don't complicate.

I would rate Microsoft Defender Antivirus a nine out of 10. If they can make the UI more systematic, I can give it a 10 out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2025