Microsoft Defender for Endpoint Reviews

Microsoft Defender for Endpoint can be used for system protection. For example, anti-virus, malware, and EDR.

The most valuable feature of Microsoft Defender for Endpoint is that it is embedded into the Windows system. Additionally, the performance is good and simple to maintain.

Microsoft Defender for Endpoint is secure but when it comes to security all solutions could improve security.

I have been using Microsoft Defender for Endpoint for a couple of years.

Microsoft Defender for Endpoint has been stable in our usage.

We have more than 5,000 users using this solution.

We are quite satisfied with the support.

We use many solutions in our company, such as Panda, Trend Micro, McAfee, Microsoft, and FireEye.

There is no installation required.

We have a five-person technical team that supports this solution.

The solutions price could be cheaper.

I recommend this solution to others.

I rate Microsoft Defender for Endpoint an eight out of ten.

In the past, I needed two, three, or four apps to do my job. With Microsoft Defender for Endpoint, I have all the resources on one site. I can check what the threats are and if the computers need to be updated or if they reboot with various apps. It's very helpful for us. For example, I have colleagues who use different versions of a certain programming software. With this tool, I can check whether they need to update the app because an older version might have a lot of bugs. I can check which applications need to be updated or uninstalled.

I have a lot of alerts set up as well. For example, all our users are here in Mexico. If we get someone connecting in the UK or Venezuela or Colombia, we get an alert. I then know I need to change the password and use two-step authentication.

And I get a message when a new threat comes up or I need to do updates to different tools. This is helpful because threats are always working in innovative ways. These are very important messages for us.

Defender for Endpoint saves me a lot of time because I have all the alerts and information in one application. It also saves money because when you lose information due to an attack, you lose a lot of money on the reconfiguration of the sites or the information or on the recovery of a backup or a server. It's very important to have a tool like this. It saves a lot of money. The cost-benefit is very good.

It's a very complete application. I have all the controls in one site. I can track emails, attacks, and threats, and I can research information. I really like this configuration because I have all the information in place. It was very easy for me to configure it to show me all the things that I need in one dashboard for monitoring.

The visibility into threats is very good. I can track the threats very easily in this application. I have also used Trend Micro and it's more difficult to do with that solution. With Defender, I have all the information and I can follow all of the steps and do my job. It's really easy and very impressive.

I also use Microsoft Endpoint Manager to control all our laptops and cell phones. I take care of all those policies in that solution. In addition, I use Microsoft Azure and Microsoft Exchange, as well as Teams and SharePoint. I have integrated them all into one environment. All the solutions are integrated into one solution and that makes my job easier. Integrating them is really easy because you have one platform to configure all of them. In the role of the global manager, I can make all the changes in these solutions. And the process for connecting all these apps is very easy.

I have two different environments, two different types of accounts. I have accounts for administrators and corporate employees, but I also have accounts for students. I can't split these types of accounts. I need a separate configuration for both. I don't have access to the laptops or computers of the students, so I can't deactivate the alerts from the students' machines. I get a lot of alerts from their machines. I need to research how I can get alerts for only the administrative machines.

I have been using Microsoft Defender for Endpoint for three years.

The stability of Defender for Endpoint is very good. I haven't had trouble with it.

The scalability is pretty good. It's easy to scale it.

I have different locations here in Mexico, with about 300 users here and two or three in the UK, depending on the travel schedule.

I have contact with a Microsoft partner here in Mexico as well as directly with Microsoft. If the partner doesn't have a solution, I can contact Microsoft support.

The support is very quick in communicating. Usually, with one mail or one call, the problem is resolved.

Positive

I used Trend Micro and Symantec in the past to research threats, like viruses and malware, but for me, Defender for Endpoint is the better solution. It's very easy to integrate all the tools and gives me a lot of information in one place. It's very easy to detect an attack or email threat.

I also get all the alerts on my cell phone. Because I have all the alerts, if one of my colleagues in the IT area makes a change, I have all the information. That makes it very easy to maintain.

For me, the pricing is very good, but for management it's very expensive. Other solutions are less expensive. But when I present all the information and all the reports they say, "Well, it's expensive, but the cost-benefit is very good."

If you have all the information, and you are clear about what solutions your business needs, and Microsoft has all that information, the change is very easy. It's a very good solution.

I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.

The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.

Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.

We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.

Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.

Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.

Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.

Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.

Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.

Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.

I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.

Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.

I have been using Microsoft Defender for Endpoint for a year and a half.

Microsoft Defender for Endpoint is stable. I have only experienced one crash.

Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.

I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.

I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.

I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.

I'm part of a team that does governance and consulting for migration from Symantec Endpoint Security to Microsoft Defender for Endpoint.

I haven't really seen anything in the solution that is an improvement over anything else. It's just that as we move to Microsoft cloud, it makes sense to look at some of the other products that sync between onsite and cloud. It's a stretch to say that it has inherently improved things.

You have endpoint security to keep your devices safe. That's the feature that we're interested in.

The visibility into threats is good.

There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives. Otherwise, there's no point in using it, as our SOC would be overwhelmed. Their choice would be either to run down every false positive, which would take their attention away from other things or to start ignoring positives, which defeats the purpose of having alerts.

The threat intelligence is too overwhelming right now. The amount of time it takes to sort through and figure out proactive solutions and prioritize—if there was an imminent threat and we just relied on that—means the bad actors would have already had a chance to get to work.

It also hasn't eliminated having to look at multiple dashboards. That's one of the running jokes with the Microsoft products: They keep hinting at a single pane for everything, and they're getting better, but they're still pretty far away from that. That would be revolutionary if Microsoft could figure out how to run all their security stuff through a single pane. They would have people lined up with money in hand, but they are not there. They're not close to it. For them to even talk about it right now is disingenuous. Microsoft is better than that.

The single biggest thing that Microsoft needs to do is figure out how to pull everything together so that all their security products can be accessed through one dashboard; one place where all of that information can be gathered and looked at by people with the appropriate access permissions.

The other thing that they need to figure out is how to move away from the amount of scripting that needs to be done with a lot of their products and move into a GUI. That's especially true because there is difficulty getting people with scripting skills, especially when you get into the Kusto Query Language and putting together tables through scripts. If that could be done with a point-and-click, that would be a notable achievement.

I have been using Microsoft Defender for Endpoint for about a year and a half.

The solution is solid. 

The biggest "catch" is that clients do not always want to implement systems according to the manufacturer's best practices. There's always friction if the client has in mind one way it should be, but it was designed differently.

In our case, we're talking about a big company that is used to being a big enough client that the vendor will change what they do to accommodate them. Microsoft does not have to. That's not a criticism of Microsoft. It's just that Microsoft is big. They are not a little regional provider. They will not change something in their product that's distributed globally to accommodate a client with a non-standard way of wanting to implement something. There's friction with that. 

I do not see that as friction with Microsoft because of Microsoft, I see it as the friction of a client that takes a solution from a huge provider but sometimes has the mindset that they want the attention that comes when they purchase a solution from a small provider.

When it comes to technical support, I have found Microsoft to be outstanding. The answers are not always what people want to hear, but the answers are legitimate. I do not have any criticism of Microsoft on that.

Positive

We previously used Symantec Endpoint Security.

Aside from the possibility that some forward-thinking people see us having more of a presence in Azure, and the logic of using a Microsoft product that goes along with that, I have no clear idea what prompted the switch. That is not a poor reflection on Microsoft. It's just that whatever motivated moving from a solution that was working fine to another solution is beyond my knowledge.

We have about 180,000 endpoints and they are distributed globally. It took us about six months to do the rollout. As we did that, we figured out various aspects that needed to be tweaked or changed for the best.

I doubt, at this point in the migration, that there is going to be ROI. I do not have enough information on that to really make an accurate determination. I think the biggest payoff is going to come in the future, as we throw more and more resources into cloud and we need to have some continuity with systems in the cloud and onsite.

First, have an understanding of Microsoft's best practices. Second, understand that Defender for Endpoint is part of the operating system. It is not a "bolt-on," like most antiviruses are. There are going to be some differences in how Defender interacts with an operating system, compared to an external solution. Be prepared for that.

It helps prioritize threats across an enterprise to some extent, but we haven't delved that deeply into that part of Defender yet.

The solution hasn't saved us time but I'll qualify that with the fact that we are in migration, moving to a new system, which is Microsoft, and that always takes more time and effort, as we work through the teething troubles. That is not necessarily a reflection on Microsoft. It's a reflection that anytime you move from one system to another, it takes a while before the teething troubles are smoothed out.

If a security colleague said to me that it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say there are pros and cons. It would have to be a discussion about what they need to achieve and their thoughts on why a particular solution would seem best. On a high level, there are good and bad reasons for all kinds of solutions. Without having a clear understanding of what is trying to be achieved, it's really difficult to say whether one is particularly good or bad.

We use it for endpoint detection and response.

The agent is installed on the endpoint, on the laptop or desktop, but it's a SaaS solution.

One feature that has proven beneficial is the Threat and Vulnerability Management module of Defender for Endpoint, which provides information on the vulnerability of all the endpoints. We don't have to run active scans via network scanners. It is built-in. That has proven to be helpful, although we're still in the early phases. We have identified vulnerabilities that were in our organization for too long and nobody knew about those machines and the vulnerabilities on them. From a vulnerability remediation point of view, it has been quite helpful to us.

One of the features which differentiates it from other EDR providers is the Automated Investigation and Response, which reduces the workload of SOC analysts or engineers. They don't have to manually investigate each and every alert on the endpoint, since it does so automatically. And you can automate the investigation part.

In addition, there are several features that have helped to improve our security posture at the prevention level, such as the attack surface reduction controls and the exploit prevention control. The attack surface reduction comes with the solution, out-of-the-box. There is Application Control as well, which is kind of difficult to implement, but once you are through the pain of designing and implementing it, it is one of the very good features to have. These tools are some of the things that are missing from other vendors' products, as I have worked with McAfee, Symantec and Carbon Black.

One area for improvement is that, because it comes out-of-the-box, it does not interact well with many applications we have developed in-house. There is no way to exclude them because it interacts with everything on the endpoint. One of the issues is lagging: the in-house-developed applications suffer from this and they become slow. For a big enterprise, it is important that they include a feature so that we can exclude these applications.

Another area where it could be improved is that, while it collects a lot of data, it misses some data, which is important, such as the hardware version of the endpoint and the AV signature version. I think this improvement is in the Microsoft pipeline already but it is not in the solution yet.

I have been using Microsoft Defender for Endpoint for around one and a half years.

It has been quite stable up until now. It does not break. Microsoft is developing on it quite frequently and more and more features are coming in, but overall it is quite stable. It does not break that often.

As we have moved away from Microsoft Defender Antivirus and to the EDR solution, we have seen very few issues so far that users have faced with this. There have been very occasional performance issues for some users, but they have been very rare.

Scalability is one thing which, I think, Microsoft is working on, because it is not yet very scalable. What it provides out-of-the-box is all it has. Any big organization needs customization, but the customization of it and running customized things on top of it are areas where it is lagging. That something Microsoft needs to work on. Examples include running custom playbooks or customizing the events which it is collecting.

We are protecting 100,000 endpoints with this solution. We may increase usage, but there is no plan for that as of yet.

Microsoft technical support is good.

Before Microsoft Defender for Endpoint we had Carbon Black. But when I came onboard, Defender for Endpoint had already been chosen.

The setup process is not very complex, but it is also not very straightforward. It depends what solutions you have. If you have everything set up, which is usually the case for big organizations, then it is pretty smooth. But if there are some things that are not set up properly in the organization, like certain parts of the infra or the cloud onboarding, then it becomes cumbersome, not the installation part, but in setting up the backend which it needs.

Our implementation strategy was that we started with a few pilot machines, to onboard Defender for Endpoint. We noticed that we had around 70 to 80 percent failures. It was a learning phase and we identified the root cause of those failures. There are some settings in Defender AV that need tweaking when you want to onboard Defender for Endpoint. We struggled to tweak those settings, but once that was done, it went pretty smoothly for the next couple of pilots. Then we encountered another roadblock which was related to an OS version dependency.

Overall, it took us about one month to onboard the solution, but we are weak in infra.

We had our consultant from Microsoft for the implementation. The engagement went on for three to four months. But one thing we noticed from this project was that it did not need a consultant. It was not that difficult to do. Maybe we did not get an expert consultant because, for solving issues, he also took time.

In addition to doing onboarding, we wanted our third-party integrations, but that was something they could not do because they were Microsoft. We had to do that ourselves. Over that three or four months, we realized that we didn't need them.

Microsoft consultancy is good and bad. If you get good consultants, they are really good. But sometimes you get consultants who are not expert enough in their domains and you don't get enough from them.

We have not seen ROI yet, but we are hopeful that in the future it will provide that.

One of the differences between other solutions I have used and Microsoft Defender for Endpoint is that the latter is not yet enterprise-ready to the same extent that the other vendors are. Other vendors provide a lot of customization when it comes to integration, which every big organization requires. No big organization depends on one particular tool. Defender lacks that at this point.

Defender for Endpoint is marketed as an endpoint detection and response tool, but for others who are looking at onboarding it, they should take it as a holistic tool that provides AV, EDR, and vulnerability management all in one. However, it does not provide very good integration with third parties.

We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled. 

They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.

If you get it set up correctly, it just works. 

It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.

It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.

The threat protection is pretty comprehensive.  

Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.

Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated. 

We've saved five hours or less per month in terms of saving time.

I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud. 

If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.

Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.

I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.

Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are. 

I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.

Inherently, everyone is using the trend intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. Unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.

Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.

The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting. 

The pricing is fair. However, it depends on what you are trying to buy and what size your organization is. 

I'm a Microsoft partner. 

This solution does not make my top five.

As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting. 

I am using Defender for one of my customers. 

We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer. 

Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful. 

Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.

Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike. 

My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.

The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback. 

The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint. 

I have used Defender for Endpoint for three months. 

I rate Defender a nine out of ten for stability. 

Defender scales well. 

I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.

Positive

I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.

I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up. 

A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products. 

It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.

The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.

The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.

There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.

Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVD details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.

In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.

Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.

Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.

I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.

I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.

I've been working with Microsoft Defender for Endpoint for close to one year.

It is stable.

It is also scalable. 

Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.

Support depends on the support contract you have. The Premier support contract is comparatively efficient.

I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.

Positive

I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.

It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.

In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment. 

Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.

You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.

The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.

The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.

We did consider other options, CyberArc and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.

The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.

I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.

I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.