We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled.
Sole Proprietor at Core-Infosec
Works natively with detection and response across the whole environment but not the strongest solution on the market
Pros and Cons
- "Integration between Microsoft products is very easy."
- "If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket."
What is our primary use case?
What is most valuable?
They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.
If you get it set up correctly, it just works.
It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.
It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.
The threat protection is pretty comprehensive.
Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.
Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated.
We've saved five hours or less per month in terms of saving time.
I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud.
What needs improvement?
If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.
Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.
For how long have I used the solution?
I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.
Buyer's Guide
Microsoft Defender for Endpoint
April 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
849,190 professionals have used our research since 2012.
How are customer service and support?
Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are.
Which solution did I use previously and why did I switch?
I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.
Inherently, everyone is using the trend intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. Unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.
What was our ROI?
Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.
What's my experience with pricing, setup cost, and licensing?
The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting.
The pricing is fair. However, it depends on what you are trying to buy and what size your organization is.
What other advice do I have?
I'm a Microsoft partner.
This solution does not make my top five.
As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Cloud Security Engineer at Theos
Helps us be more proactive about security with suggestions on how to improve
Pros and Cons
- "Defender's analytics are much better than CrowdStrike's."
- "The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint."
What is our primary use case?
I am using Defender for one of my customers.
How has it helped my organization?
We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer.
Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful.
Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.
What is most valuable?
Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike.
My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.
The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback.
What needs improvement?
The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint.
For how long have I used the solution?
I have used Defender for Endpoint for three months.
What do I think about the stability of the solution?
I rate Defender a nine out of ten for stability.
What do I think about the scalability of the solution?
Defender scales well.
How are customer service and support?
I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.
What other advice do I have?
I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up.
A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Microsoft Defender for Endpoint
April 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
849,190 professionals have used our research since 2012.
Principle IT Support Engineer at a retailer with 201-500 employees
A robust, straightforward, and intuitive tool that's easy to manage from the admin center
Pros and Cons
- "Defender for Endpoint is a robust solution that works well out-of-the-box."
- "Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing."
What is our primary use case?
Our primary use case is anti-malware and virus protection for our machines. We don't operate a network as such; our setup is almost entirely in the cloud.
We use the solution across multiple departments and teams, with about 400 total end users.
How has it helped my organization?
Around 90% of our estate is Mac, so we rarely have security alerts, but we get daily reports. The solution lets us proactively advise users about security concerns, especially when downloading files.
What is most valuable?
The solution is a Microsoft built-in tool, so it's very straightforward to use and monitor from the admin center, it's intuitive.
As with all antivirus software, the benefits of using it far outweigh the risks of not having it. Protecting our estate, machines, and users is essential. We can take action quickly, for example, when a user downloads something suspicious and step in before the threat escalates. As an organization, we have encrypted files and data it is vital for us to protect.
Defender for Endpoint is a robust solution that works well out of the box.
We can monitor and manage our security picture from one dashboard, and that's one of the primary reasons we use the solution. Our machines are enrolled on Microsoft Intune, which further simplifies management. With the E5 license, everything is in the same place; that makes our job easier and allows us to be more proactive when confronting threats. Not having to log in and out of different systems to manage devices is an excellent improvement to our operation.
The solution's threat intelligence helps us prepare for potential threats and makes us more proactive. We have the information required to warn our users of threats, including malicious links and phishing emails. The product gives us an accurate picture of the threat landscape, enabling us to adapt our strategy to protect our most sensitive and vital data.
There is a difficult balance working in IT, as we don't want to put all our eggs in one basket; if one system goes down, we are compromised. We want the flexibility and reliability offered by different specialized solutions, but that complicates management. With Defender for Endpoint, we don't need to worry about machines slipping through the gaps and remaining unprotected because the product is connected to the user account and pushed by the tenant. There is no agent, and the solution isn't intrusive; the user doesn't even know it's there. Other vendors I dealt with in the past required clients to be installed and updated, with potential problems coming in if the client isn't up to date. This isn't an issue we have with Defender.
What needs improvement?
Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing.
For how long have I used the solution?
We have been using the solution for about six months.
What do I think about the stability of the solution?
The solution is stable; Microsoft goes down very rarely. It happened just a few times over my career. If it does go down, the impact is significant.
What do I think about the scalability of the solution?
The solution is very scalable. Microsoft makes that easy, and we plan to increase our Defender for Endpoint usage.
How are customer service and support?
I've only contacted Microsoft support a few times, and they were always helpful. I don't have any issues with the support; they're good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Symantec Endpoint Security. It was somewhat clunky. The engineers found it too intrusive as it required a client to be installed, dramatically slowing down the machines. We switched to Defender for Endpoint because it's part of the Microsoft suite, and we can use it across platforms for Windows and Mac.
How was the initial setup?
The initial setup is straightforward. Initially, we didn't use the E5 licensing, so it was a basic cloud setup with a license per user. Now we have our own tenants, and we're deploying E5 licenses, and Defender for Endpoint comes as part of the license. A user activates the app in the Office 365 tenant, and that's the setup.
The initial deployment didn't take very long; it was just a tick box exercise. We are moving tenants, so we're giving everyone a new E5 license when they move over. It's quick and easy to assign licenses via a tool we have, which provides users with access to the entire Microsoft suite, including Defender for Endpoint.
Five people were involved in the deployment, all of them IT staff.
I'm not directly involved in taking care of the solution, but it seems lightweight in terms of maintenance. Most of the updating is end-user-driven; users are prompted to restart their machines to stay up to date with security patches.
What was our ROI?
As we have only been using the solution for six months, I don't think we've seen an ROI yet. I imagine in another two years, we will see a return.
What's my experience with pricing, setup cost, and licensing?
AV solutions are pretty expensive because they are necessary, not just for protection, but many businesses need them to comply with regulatory bodies and receive accreditation. We recently purchased an E5 license, which gives us access to the entire Microsoft suite. I would say the pricing is competitive; most tools of this kind are similarly priced. There are minor differences between the competitors, but they aren't spectacularly different. Defender for Endpoint makes sense because all our solutions are in the same place, paid for with a single license. The subscription price is around £50 per user per month, though it may have increased slightly.
Which other solutions did I evaluate?
We evaluated Sophos Intercept X and Kaspersky Endpoint Security for Business.
What other advice do I have?
I would rate the solution an eight out of ten.
Defender for Endpoint helps us automate routine tasks, but I don't specifically know what kind of automation it does or what we use it for, as the InfoSec team is responsible for that.
No solution is completely foolproof, but the configuration has a large part to play in the quality of the protection.
We have been in business for two years, so we're a relatively small and young company. Nevertheless, it's vital to have protection against malicious actors. The threat landscape we face today is complex and diverse, so our threat protection needs to be up to par. That's the benefit of using the product; we need to protect our data, and having a tool that informs us of potential threats is excellent.
As an end user, the solution didn't personally save me time, but I imagine it did for the InfoSec team who deal with it directly. The security reporting will all be in one place, and we don't have to go to the marketplace to look for separate tools to fulfill different functions.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Centralized device management, advanced threat detection, and it's cost-effective
Pros and Cons
- "We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments."
- "It would be helpful if they included XDR features, on top of the EDR functionality."
What is our primary use case?
We are using this product as part of our EDR solution, and we use it in conjunction with CrowdStrike. We are a solution provider and this is one of the products that we deploy for our clients.
How has it helped my organization?
This product has features that improve our security posture including good vulnerability detection, maintaining endpoint devices, and unified management. The management feature allows us to manage all of our devices from a single location.
The advanced techniques used by Microsoft Defender are improving our user experience. Our users used to complain that they didn't need certain features, but this was because the legacy antivirus and other EDR solutions were hampering their usage. Nowadays, vulnerability detection is very effective and they are comfortable with the security, as well as the administration, giving them a better overall experience.
What is most valuable?
The most valuable feature is threat detection. We have been notified of viruses and threats of problems such as ransomware attacks.
The Cloud App Security features are useful.
We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments.
Microsoft Defender integrates well with Office 365.
Especially these days, with the COVID situation, this product helps us to better reach our users and solve problems. For example, we no longer need to ask them to bring in their laptop to check for and address issues. We can apply policy, automatically define rules, and remedy problems using the central management features.
What needs improvement?
It would be helpful if they included XDR features, on top of the EDR functionality. It would improve the capabilities, as XDR solutions are doing better.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint for almost a year, with the E5 licenses.
What do I think about the stability of the solution?
Stability-wise, it is responsive and I don't see any drawbacks. They have additional features that make it a little more robust.
What do I think about the scalability of the solution?
Scalability-wise, considering the integration that they have, it's good. For example, it can be integrated with Azure Sentinel. We have two or three people who work with managing and deploying this product.
We deploy across Qatar and currently have about 68,000 endpoints protected with Defender. Our usage will increase based on the number of clients we have that buy the product. Ultimately, it depends on the licensing model.
Which solution did I use previously and why did I switch?
Prior to working with Microsoft Defender, we used CrowdStrike and SentinelOne. We switched because these other products are standalone, and require that we install and maintain them manually. Microsoft Defender is unified and comes as part of Microsoft 365, which makes it easier to set up and manage.
The advantage that these other products have is the XDR features.
How was the initial setup?
The initial setup is straightforward. We deploy this product using Microsoft Intune, which is very helpful. It took us one month to deploy approximately 5,000 users. We had a specific plan that we followed for the implementation.
What about the implementation team?
I completed the deployment.
What's my experience with pricing, setup cost, and licensing?
This product offers cost-effective threat protection, which integrates with Office 365 and has unified endpoint management features.
We currently use the enterprise-level, E5 licensing scheme. It is a complete bundle that includes the Microsoft 365 products, the Zero Trust solution, and Microsoft Defender.
The E5 license is the one that I recommend because it comes with Cloud App Security, which is a good thing to have on top of Microsoft Defender. It means that you can monitor any threats, sign-in attempts, and other resources whether on the cloud or on-premises.
What other advice do I have?
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ICT&CyberSecurity Services Team Lead at a comms service provider with 501-1,000 employees
Scalable, has XDR capabilities, and integrates well with Microsoft products
Pros and Cons
- "I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids."
- "I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that."
What is our primary use case?
We have been using it in our test environment. On the customer side, we are using the small business variant of the tool. So, we are using Microsoft Defender for Endpoint and Microsoft Defender for SMBs. They're pretty similar, but the one for SMBs is a little lighter.
In our test environment, we have access to 50-seat licenses for everything. So, we are making sure that we are technically in a good place before we begin to offer this kind of solution to our clients. In addition to our solutions, we are delivering services to our clients. So, when we sell an SMB or enterprise Microsoft license, we are able to do the migration, management, and other things for a client.
How has it helped my organization?
It works well with different solutions from Microsoft. If a company is using Microsoft 365 package, this security addition is easier to implement and manage because it is from the same vendor. You have greater visibility because they are from the same vendor. Microsoft probably also has larger visibility on the endpoint itself because of its own operating system.
It provides good visibility into threats. I would rate it a seven out of ten in terms of visibility.
Its threat intelligence is helpful for preparing for potential threats before they hit and taking proactive steps. We can manage our own images, and we can also inform the client to patch certain things.
What is most valuable?
I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids.
It allows you to prioritize threats across the enterprise, which is very important because the SLAs are different for different cases. If the error is critical, you must act now. If something is just informal, it can be done in weeks.
What needs improvement?
I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that.
A simplified SIEM would work so that we don't have to use everything on the Sentinel, which is great by the way, but Sentinel is too expensive for our kind of market. It is an enterprise product. It is not an SMB product.
For how long have I used the solution?
We have been using it for half a year in our test environment.
What do I think about the stability of the solution?
It is good. It is stable. Once you set it up, it works, but we haven't tested it on a large time scale. The solution itself is pretty young. We'll see how stable it will be in the next few years.
What do I think about the scalability of the solution?
It is very scalable. We hope to increase the usage of the product. It is being used only by our team for now at multiple locations. It is for laptops in the office and other networks and also for mobile devices. A few tech guys in our department are testing everything that could happen on the client side, and that's it.
How are customer service and support?
I didn't use their support for this solution, but the knowledge base, training, and documentation are pretty good. I would rate it a nine out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
It is complex. You need to first have a list of computers. Then, you need to set up the plan for these computers, and then, you need to deploy it and apply it. There are too many steps to deploy this kind of solution because it is a Microsoft native solution.
In terms of the implementation strategy, first, you need to have a view of the inventory. You have to have knowledge of what is already installed on an endpoint. You don't want to cause any clashes with some other endpoint security vendor. So, you need to know your devices. The next one is to prepare the package and then decide to deploy it via Intune or via MSI, through group policy.
In terms of duration, you can deploy it on one computer in minutes. If you are deploying it on a thousand computers and everything is set up correctly, it can be done in a few hours, but if everything is not set up correctly, it can take up to a day or a week.
It took a month for us to realize its benefits from the time of deployment. It takes some time to understand the settings, portal, etc.
It has not yet saved any time. It has only consumed my time for now because I need to learn and do the training and PoCs, but it is an investment for the future.
What about the implementation team?
The number of people required for deployment depends on the size of the client or the company. I can do it by myself if I have a client with 100 seats, but if there is a corporation or enterprise in several locations, we need to involve the local IT people to confirm everything is okay, etc.
It doesn't require any maintenance, but it requires somebody to take care of the consequences. You can implement endpoint security and just have it there. You don't have to maintain the solution itself, but you need to take care of the alerts. You need to take care of the patches and other things. The number of people required depends on the size of the client.
What was our ROI?
It hasn't saved us any money yet. It might save in the future, but it depends on the pricing of Microsoft because there are several different parts of the Microsoft solution.
What's my experience with pricing, setup cost, and licensing?
Everybody would like to see a lower price on everything. The Slovenian market is basically an SME market with clients having up to 100 seat licenses, comprising 90% of the company. They're very price sensitive. So, the price could be cheaper.
Any additional costs depend on the basic license of the client. There could be additional costs. If somebody needs Plan 2 of Defender for Endpoint, if I'm not mistaken, it is only available as an add-on. It is not included in any license, not even in the E5 license. So, there are some things at an additional cost.
Which other solutions did I evaluate?
We are always open to suggestions and newer and better things. We are constantly looking around for similar solutions and testing them. Microsoft is the biggest player. Everybody uses something from Microsoft. So, it is a logical next step. For an MSP, by having everything from one vendor or everything under one umbrella, managing clients is easier. This is the main reason for exploring this solution.
At the moment, we are using the Cynet XDR solution, and we also tried SentinelOne. We are going to put it in our portfolio in the following months, but mostly, we are comparing everything to Cynet because we have more clients on Cynet.
In comparison to other solutions that we are using, Microsoft Defender for Endpoint has not decreased our time to detect and time to respond much.
What other advice do I have?
In my opinion, from the management and maintenance point of view, it is better to go with a single vendor, but from the security point of view, multiple vendors on multiple layers could work better than one vendor. If one vendor is breached, then everything goes, but if you have several layers with several vendors, and only one is breached, you have other vendors.
My advice to those evaluating Microsoft Defender for Endpoint is to stick with it and train themselves. They should know the solution and try it as much as they can. Microsoft is on the right path here.
It helps to automate routine tasks and the finding of high-value alerts, but we haven't yet implemented automation. We are planning to implement it, but at this time, because of a small number of clients, it is easier to do it manually. We just look into the alerts and resolve them one by one. We don't have a few thousand alerts per day, per week, or per month. So, it is manageable to handle them manually.
It would help us to eliminate looking at multiple dashboards and have one XDR dashboard, but we haven't yet managed to do that.
I would rate it an eight out of ten. I would have rated it a ten, but it is a pretty pricey solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Technology Consultant at a computer software company with 51-200 employees
A very solid security system with advanced hunting capabilities and great stability
Pros and Cons
- "It's a very solid security system, and the advanced hunting and everything really lets you dive deep into things."
- "I would just like them to have more consistency, and that's a comment that's across the board with Microsoft. They change things a lot."
What is our primary use case?
The solution is used for endpoint detection and response, however, it also has vulnerability management. I don't use that as much as the endpoint detection and response. I use it in combination with Cloud App Security and Endpoint Manager.
What is most valuable?
The most valuable feature is the fact that, if you have the M365 E5, it's included and everything is in the bundle.
It's a very solid security system and the advanced hunting and everything really lets you dive deep into things.
What needs improvement?
Overall, they're doing a much better job. However, recently, they added the Azure Defender. When you use the Azure Defender licenses, you're already enrolled.
I prefer that they had the old interface that was not combined with compliance, and still, they've changed that to make it better. I would just like them to have more consistency, and that's a comment that's across the board with Microsoft. They change things a lot.
For how long have I used the solution?
I probably started diving into Microsoft Defender about two years ago.
What do I think about the stability of the solution?
Stability-wise, I have not had another product that has been as stable and has had fewer issues. It's amazing.
What do I think about the scalability of the solution?
The solution is scalable. For example, I helped a 12,000-person company put it in and automated it without any issue.
How are customer service and support?
In terms of technical support, I have not had to call them related to anything on Defender for Endpoint. I'm a CSP, so I'm calling and I'm getting different assistance than, say, a home user. That said, at the same time, it really depends on if you're getting level one or level three support.
How was the initial setup?
The initial setup is very straightforward. There's a lot of people putting it in that don't understand it, however. They're not using device groups and auto-remediation settings.
I do a lot of security reviews as well, and what I find is that, although it works well out of the box, there are missing components. Another thing is that people will basically use the product, and yet, not set up the integrations with Cloud App Security and Endpoint Manager. When they do that, they're not getting the full functionality of it. I, on the other hand, know the system, so I see people often having trouble with it. If people are trained or go through training, they would be able to get the full functionality out of it.
What was our ROI?
I can't give numbers, however, for the price, when you're increasing from an E3 to an E5 license, the amount of features you get eliminates a lot of other systems. Therefore, you do get a pretty good ROI. On top of that, you only have one management system and one reporting system. Overall, the numbers have been quite impressive.
What's my experience with pricing, setup cost, and licensing?
I don't know the standalone costs. It is my understanding that the M365 E5 is $56 a month or something close to that pricing. That would be for the full suite. Just Defender might be $8 a month. I can't say for sure.
What other advice do I have?
I'm a consultant. I primarily work with Microsoft and I do the threat management and check vulnerabilities on the database. I'm looking for something that is not super expensive yet covers vulnerability management and where you can pick the products, and pick alerts, and you get a weekly digest report, just so that we can better manage everything.
I work with pretty much all of the 365 products. I'm pretty widely experienced in Defender. I work for a managed service provider. I'm one of the people that's, besides having my Microsoft Azure architecture, Azure security, Microsoft 365 expert level, plus M365 security knowledge. I focus on Azure and M365 security.
For Microsoft Defender, the product is cloud-based, therefore it is managed and it's updated constantly.
I would advise users to take advantage of Microsoft integrations. I would suggest that they put it all together, so they can use it as a full bundle.
I'd rate the solution at a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
EMEA IT Infrastructure Manager at a consumer goods company with 5,001-10,000 employees
Works well as part of an overall security solution and has no impact on end-users
Pros and Cons
- "Defender has very little impact on the end-user and the agent works quite well with a minimal impact on the client and server."
- "Cortex... has good investigation capabilities, out-of-the-box, in case there is an event that you'd like to investigate. It's quite convenient. Microsoft has those capabilities as well, but you need a bit more training on the product to get the basic information that you can get out-of-the-box with Cortex."
What is our primary use case?
We use it for endpoint security.
How has it helped my organization?
When looking at the ecosystem as a whole, security-wise, Microsoft provides a complete solution with the E5 Security suite. Microsoft has a big advantage because Defender knows how to interact with the CASB and all the other security components that you have. Overall, that makes the management of the environment much easier. It's easier to understand what's going on, to become aware of risks, and to take action.
What is most valuable?
- Defender has very little impact on the end-user.
- The agent works quite well with a minimal impact on the client and server.
- It's very easy to deploy it.
For how long have I used the solution?
We did a trial of Microsoft Defender for Endpoint for about three months, and now we are in the process of rolling it out.
How was the initial setup?
We have about 4,300 users of Defender and it took two days to have it fully deployed. With Cortex it took some time. With Cortex, we had some 500 clients that we had to investigate because for some reason they did not get the agent immediately and we had to do some tweaking to get it to all the end-users.
What about the implementation team?
We used consultants for the deployment of both Cortex and Defender.
Which other solutions did I evaluate?
We gave Palo Alto Cortex XDR a try and we are now in the process of removing it and going to Microsoft Defender for Endpoint. I have experience with both of them.
Cortex has quite good management capabilities that give IT organizations quite a good picture of attempted cyber attacks. It has good investigation capabilities, out-of-the-box, in case there is an event that you'd like to investigate. It's quite convenient. Microsoft has those capabilities as well, but you need a bit more training on the product to get the basic information that you can get out-of-the-box with Cortex.
The onboarding process with Defender is much easier. In two days we were able to deploy it to our whole organization. Cortex is much more cumbersome. But the onboarding process is not the issue. A more important difference is that once you have security risks that you would like to mitigate, Cortex more easily gives you information regarding the threats. Microsoft gives you exactly the same information, but you have to know how to dig a bit more and do some manual steps that, with Cortex, are more straightforward.
The main issue that we had with Cortex, and the reason we decided to roll back and go to Defender, is that Cortex has a horrible impact on the performance of the system. For an enterprise-level organization, it kills the system. Users were complaining that when moving between emails in Outlook it would take a lot of time, creating a lot of delays and timeouts. Web browsing and every action on their computers took much more time than usual with Cortex.
What other advice do I have?
I would rate Defender a nine out of 10, while Cortex XDR is a five out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Engineer at a real estate/law firm with 201-500 employees
Effortless updating, full operating system integration, and secure
Pros and Cons
- "Microsoft Defender for Endpoint is beneficial because we are using Microsoft Windows and all the core solutions are made by Microsoft, such as the authentic platform, operating system, and antivirus protection. It is a heterogeneous environment. We had to use third-party solutions before and update everything separately. For example, the policy for antivirus. With Microsoft Defender for Endpoint, when Microsoft Windows receives updates it will update with it. This is one main advantage of this solution."
- "Microsoft Defender for Endpoint can improve by making the reporting faster. It takes some time to reflect back to the administration portal of what has been updated. For example, out of 100 Computers, approximately 90 computers received updates, but when you check the administration portal over one or two days, you will only see 75, even though 90 were updated."
What is our primary use case?
Microsoft Defender for Endpoint can be used for protecting personal information and file in my organization.
How has it helped my organization?
The solution has saved us time by not having to install separate third-party antivirus solutions.
What is most valuable?
Microsoft Defender for Endpoint is beneficial because we are using Microsoft Windows and all the core solutions are made by Microsoft, such as the authentic platform, operating system, and antivirus protection. It is a heterogeneous environment. We had to use third-party solutions before and update everything separately. For example, the policy for antivirus. With Microsoft Defender for Endpoint, when Microsoft Windows receives updates it will update with it. This is one main advantage of this solution.
What needs improvement?
Microsoft Defender for Endpoint can improve by making the reporting faster. It takes some time to reflect back to the administration portal of what has been updated. For example, out of 100 Computers, approximately 90 computers received updates, but when you check the administration portal over one or two days, you will only see 75, even though 90 were updated.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for approximately one year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint has been scalable.
We have more than 200 users using this solution in my organization.
Which solution did I use previously and why did I switch?
Previously we used McAfee and Symantec Endpoint. Every five years we change the solution. However, this time we changed to Microsoft Defender for Endpoint because we wanted a unified platform.
How was the initial setup?
When you install Microsoft Windows 10, Microsoft Defender for Endpoint comes with it. There is no installation of the solution other than installing Windows 10. It saves time because you do not have to use any new kind of policy or deployment.
What about the implementation team?
We have a team of three that do the management of the solution.
What's my experience with pricing, setup cost, and licensing?
The solution comes free with Microsoft Windows 10.
What other advice do I have?
I rate Microsoft Defender for Endpoint a ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: April 2025
Product Categories
Endpoint Protection Platform (EPP) Advanced Threat Protection (ATP) Anti-Malware Tools Endpoint Detection and Response (EDR) Microsoft Security SuitePopular Comparisons
CrowdStrike Falcon
SentinelOne Singularity Complete
Cortex XDR by Palo Alto Networks
Fortinet FortiClient
Cisco Secure Endpoint
Symantec Endpoint Security
HP Wolf Security
Trend Vision One Endpoint Security
Trellix Endpoint Security
Kaspersky Endpoint Security for Business
Intercept X Endpoint
ESET Endpoint Protection Platform
Check Point Harmony Endpoint
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Compare Microsoft Windows Defender and Symantec Endpoint Protection. How Do I Choose?
- Which product would you choose: Microsoft Defender for Endpoint vs Cortex XDR by Palo Alto Networks?
- What do you think of the integration of Azure AD Services, Defender for Endpoint, and Intune as comprehensive security solutions?
- CrowdStrike Falcon vs Microsoft Defender ATP: Comparison of features and performance
- How does Microsoft Defender for Endpoint compare with Crowdstrike Falcon?
- Running Carbon Black Defense Along with Windows Defender
- How is Cortex XDR compared with Microsoft Defender?
- Which offers better endpoint security - Symantec or Microsoft Defender?
- How does Microsoft Defender for Endpoint compare with Carbon Black CB Defense?
- How would you compare between Microsoft Defender for Endpoint and Tanium EDR?