What needs improvement with Microsoft Defender for Endpoint?

I think the overall portal of Microsoft Defender for Endpoint could be improved; sometimes there's moving around to different spots and it's a little hard to navigate, so getting used to that was perhaps the biggest hurdle.

One of the things that I think can be improved or added to a future release of Microsoft Defender for Endpoint is the timing, specifically the delivery of updates for Microsoft Defender for Endpoint, not just a product update, but also the signatures and so on within itself. The actual product updates have caused a little bit of disruption that could be avoided, so I think that customers need to have more granular controls as to when updates can be deployed versus more done from a top-down deployment perspective.

Overall, I would evaluate the Microsoft support level that I receive at probably about a seven, but that depends on the day. It has been spotty. We have had issues where the urgency level of the Microsoft support is not as high as ours, especially during a data breach or potential data breach situation. We have had issues with some of the offshore support being lackluster. One specific thing that comes to mind is we were on a support call with our CISO on the call, and the Microsoft agent, who did not actually work for Microsoft, is one of the vendors that Microsoft uses for support, said, "Just to set expectations, my lunch break is in an hour and I am going to go away then." For us, it was already ten o'clock at night and we had been working on this for a couple of hours, trying to get a security engineer on with us. For him to tell us that he was going to go away and have lunch, it was, "Okay, but go find somebody else if you need to." It was just the lackluster approach, and it seemed like he did not really care. We seem to get a lot of this when we get non-Microsoft support. I can identify areas for improvement with Microsoft Defender for Endpoint, as it is kind of a convoluted mess to try to take care of false positives. Especially when they have been identified as false positives but they keep going off over and over again. It is great for my pocketbook because it generates a lot of on-call action, but I would really prefer more sleep at two o'clock in the morning than dealing with false positives. I would say that the unified portal for managing Microsoft Defender for Endpoint is suitable for both teams as they are all in there. It would be great if they would stop moving things around and renaming things, which makes sense. The new XDR portal is pretty nice. Being able to have it central again inside of the regular Security Center without having to open up two windows is helpful. Overall, I think it is pretty good. There is always going to be something that could be improved, such as alerting and the ability to modify alerts would be a little bit helpful to have. Being able to add more data into the alerts and turn off alerts that are not as useful would be beneficial. It is hard to say what the quantitative impact the security exposure management feature has had on our company's security, because a lot of it is kind of subjective. I think we are sitting at around a fifty percent score still, and a lot of it is just kind of unusual circumstances that we cannot really implement without breaking the organization.

The end user can whitelist some applications, and it goes to the system admin to approve. I believe this is how Microsoft Defender for Endpoint can be improved in the new release.

I would appreciate agentic protection as an additional feature in the next release to protect the agents that the business creates. I believe there could be more integration with third parties that can be improved.

Microsoft Defender for Endpoint could be better in the support on the Linux side. My Linux administrator complains sometimes that it does not work well with Linux servers, so if they could improve that, it would be helpful. My Linux administrator said something specific that some of the libraries do not work well. He has to go in and tweak things because it blocks certain things and breaks things. He has developed a special script that he built on Ansible to deploy it. He has a way around it, but he was not happy about it. As a product, Microsoft Defender for Endpoint is pretty good. If you are in the Microsoft ecosystem, it makes complete sense to go with those products. We have Entra ID, Azure, and most of the Defender products, except for a couple where we are pretty new, especially on the cloud side. Our security team has been looking at it from different angles. The other problem we saw them mentioning is that we were hoping Sentinel would work as our aggregator tool because we have vulnerabilities coming from about ten different places and tools. We need something that will look at everything and consolidate and say that instead of these one hundred vulnerabilities, we should focus only on these ten that apply to us. Microsoft is not doing a really good job of aggregating. If they could improve on that, it would be excellent because they have a huge ecosystem with Microsoft Defender for all these different things. It would be great if they made something that understands the entire environment and could say that even though something may be a high vulnerability, if it does not connect to the internet in our environment, then it is actually low. That would give us the entire view from end to end.

My experience managing the unified endpoint settings in Microsoft Defender for Endpoint is progressing, as it's continuously improving, although there are still some things where I think they don't quite match up or are a bit hard to find or understand. I think it's getting much better, and I appreciate it a lot, although I still believe there are some things that could be improved, and I hope they will be on the roadmap someday so I can be extremely happy.I think Microsoft Defender for Endpoint is a great product that can be even better. I believe if Microsoft makes some changes or progresses further on the roadmap, there will be no product that can challenge Microsoft Defender for Endpoint, particularly because of its integration with Entra ID and the Microsoft ecosystem. I hope they reach that point and take one more step to make the perfect product, as right now it's a really good product.

There is some functionality that is not quite there yet.

I do not have anything that I can think of regarding how Microsoft Defender for Endpoint can be improved or any additional features that should be included in the next release.

Microsoft Defender for Endpoint is very good, but one suggestion is that in some products, we may need to configure security-related settings, whereas Microsoft Defender for Endpoint works completely differently, providing automatic recommendations and actions that we may need to perform ourselves. Regarding the pricing of Microsoft Defender for Endpoint, during the last three years, we set up the product and sold it, but we faced difficulties because Microsoft pricing is always the same. For example, whether I purchase Microsoft Defender for Endpoint for one year or for the next three years, the pricing remains constant with no discounts available. In contrast, competing products offer reduced pricing for long-term commitments, which makes it difficult for us in that environment. Microsoft should consider this option to remain competitive, but otherwise, everything else is fine.

The log searches for Microsoft Defender for Endpoint are pretty difficult to navigate. It needs a better UI or more intuitive search and filter mechanisms to make it easy to get through and filter through all the data logs.

Microsoft Defender for Endpoint can have more options and more AI capabilities in the future, because everything keeps changing.

One area that needs improvement is the integration cost of logs with external solutions like Sentinel ( /products/sentinel-reviews ), which can be expensive. Additionally, Microsoft could allow storing logs locally within the Defender panel to reduce costs. It would also be beneficial if policies could be configured without relying on Microsoft Entra ID ( /products/microsoft-entra-id-reviews ), allowing for better integration with local directories.

I believe that vulnerability management could be improved by making it easier to pull reports and providing more detailed information on how Microsoft Defender for Endpoint detects vulnerabilities. Our partner vendor mentioned that these updates might get more granular in the future.

The only issue is that our mobile endpoints do not have Defender installed for part of them. An additional feature that could be included in the next release is free Copilot.

The major area for improvement is the integration with a managed service provider. We use Microsoft partners to help govern the platform, and as part of an alliance, we want to gather data from each tenant and combine them for a complete view. This process has been complicated, though it has gotten better. We see the possibilities in terms of visibility into our attack surface, but we haven't been able to enforce all the insights we can get from it. We have multiple endpoints, and we want to look for signals across tenants.

Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want.

There is a need for improvement in reducing false positives. Defender flags vulnerabilities based on registry keys or temporary files that are not necessarily vulnerabilities. This creates a lot of false positives. There could also be better clarity in navigating through the GUI to identify and resolve vulnerabilities. A disconnect exists between the subject-matter experts and Microsoft's Level One support teams, causing delays in issue resolution. Repeated interactions are necessary due to Level One's lack of tools and knowledge, hindering efficient problem-solving and negatively impacting our experience with Microsoft support.

Sometimes, there are difficulties in downloading a file considered as malicious. We encounter a bug that requires several attempts to download, which is a bit of a challenge.

If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket. Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.

In terms of improvements for their technical support, a focus on enhancing response times could be beneficial.

The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.

The product should reduce updates since it is hard to keep up.

The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support. I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development. We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up. We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the meantime to resolution for x, y, or z policy or some policies that we could potentially integrate.

Microsoft Defender for Endpoint's licensing is confusing. It has conflicting information on the website. We also faced integration issues with other systems. It makes laptops slower than traditional antivirus systems.

Defender for Cloud Apps is one of the most significant products that Microsoft could improve. We've encountered several limitations with Defender for Cloud Apps, such as the inability to create custom cloud applications and add URLs. These features would be valuable for the scoping feature in Defender for Cloud Apps, as each application can currently only have one scope. It cannot have multiple scopes, meaning that an application cannot be blocked for some device groups and allowed for others. This is another limitation we've encountered frequently. The technical support is slow to respond. The product development team makes frequent changes that affect the stability of the solution.

Microsoft Defender for Endpoint should include better automation that will make it faster to detect the latest threats happening across the world. The solution should also generate an automatic report for any investigation before I generate a report. The solution's cost could be improved as it is an expensive tool.

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers. There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. The deployment of Defender for Endpoint should be made smoother via Intune.

There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors. The analysis that identifies the threats and remedies them can be enhanced in a future release.

Microsoft Defender for Endpoint sometimes fails to detect malware incidents, and when it does manage to stop them, we only receive a notification stating that the issue has been resolved. Unfortunately, we are not provided with any information on how the solution resolved the incident. Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives. The pricing needs to be improved.

When there is a significant amount of malware, I believe that Microsoft Defender for Endpoint may not be as effective as other firewall solutions. I tested Microsoft Defender for Endpoint and found that it allowed me to download files infected with malware from certain sites, and its protection did not work as expected in that aspect of my work. I suspect this is because I use a GRAPH file with a password, and the solution only detects a file when it's related to clean files or open files. It doesn't seem to recognize encrypted log files that require a password for access. Microsoft Defender for Endpoint does not assist in automating routine tasks or identifying high-value alerts. Therefore, we had to turn to other solutions like Cortex XDR by Palo Alto Networks. Additionally, Microsoft Defender for Endpoint lacks the capability to upload a list of IPs for blocking. Microsoft Defender for Endpoint is effective for validating work, but not ideal for investigations. As a result, our experts have to dedicate more time when investigating threats using Microsoft Defender for Endpoint compared to other solutions. The zero-day detection, as well as the sandboxing for unknown malware and URL detection, needs to be improved. These settings were not functional when we tested the solution.

The automation could be simpler on the mitigation side. It has a learning curve. Otherwise, it's pretty easy.

The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint.

Creating antivirus profiles for Linux is a more challenging task compared to other operating systems. The profiling method currently in use is not very user-friendly and has ample scope for improvement.

The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition. A high level of expertise is required to maximize visibility into threats as the tool provides the data, but it isn't crystal clear. Other products are more straightforward and user-friendly, so admin and management-level staff can easily understand the root cause of a threat, which isn't the case with Microsoft. The threat detection and response are there, but significant expertise is required if we want the same level of visibility provided by third-party tools. There are some issues around ingesting data from MS Sentinel. If we configure Purview, then our compliance is configured for our entire Microsoft tenant, but the integration isn't easy, and there are some known challenges. We can't see all the data in one place, so we have to log into different portals to access various data, and this needs to be more straightforward. We want to see a single portal with one URL, so those with the appropriate credentials can gain access and see the big picture regarding the threat landscape.

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming. I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives. I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted. You have to keep an eye on the Sentinel and Defender for Endpoint storage.

I haven't used the product in nearly eight months. I use it on my device, but I haven't used it at an administrative level. Previously, with Microsoft Defender, we used to have certain problems with the Mac machines, but later on, they came up with various ways so that we could use the MDM solution to do the job. They provided pretty good support. Their engineers came and tried to figure out the solution. I'm not too sure of its current capabilities, but I'm pretty sure they are doing a good job on Windows and Mac. However, I'm not sure whether they covered Linux. If I remember correctly, Microsoft Defender didn't have anything proper on Linux back then, but if they have improved it from that aspect, it would already be ticking all the boxes.

After scanning, there are false positives so sometimes you need to manage the results. Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises. A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

It should support non-Windows products better. Microsoft is now one of the leading vendors in the security area. So, they should be product-independent.

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information. With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand. After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives. With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation. Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product. Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement. Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved. A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to. The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices. Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.

Right now, there's a portal for Azure, portals for Microsoft Office, and portals for endpoints. It would be good to have only one portal and integrate everything.

There is complexity in accessing the dashboard. Microsoft security suite has a different URL per service or per application. If there was one single place of information, that would help. They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder.

They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications.

Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first.

If there were more template queries in the library, that would make it much easier. They could have basic things, like, "Where's the IP for this user?" or, "What file was downloaded from this user?" If there were more of those basic queries that would help. I haven't seen basic ones, but there are a lot of advanced queries, where people need to know the KQL language to understand them. I'm still learning so that's why I'm providing that feedback.

There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives. Otherwise, there's no point in using it, as our SOC would be overwhelmed. Their choice would be either to run down every false positive, which would take their attention away from other things or to start ignoring positives, which defeats the purpose of having alerts. The threat intelligence is too overwhelming right now. The amount of time it takes to sort through and figure out proactive solutions and prioritize—if there was an imminent threat and we just relied on that—means the bad actors would have already had a chance to get to work. It also hasn't eliminated having to look at multiple dashboards. That's one of the running jokes with the Microsoft products: They keep hinting at a single pane for everything, and they're getting better, but they're still pretty far away from that. That would be revolutionary if Microsoft could figure out how to run all their security stuff through a single pane. They would have people lined up with money in hand, but they are not there. They're not close to it. For them to even talk about it right now is disingenuous. Microsoft is better than that. The single biggest thing that Microsoft needs to do is figure out how to pull everything together so that all their security products can be accessed through one dashboard; one place where all of that information can be gathered and looked at by people with the appropriate access permissions. The other thing that they need to figure out is how to move away from the amount of scripting that needs to be done with a lot of their products and move into a GUI. That's especially true because there is difficulty getting people with scripting skills, especially when you get into the Kusto Query Language and putting together tables through scripts. If that could be done with a point-and-click, that would be a notable achievement.

One thing that was lacking in Defender was web filtering. Its web filtering wasn't as comprehensive. Sophos was a little bit better than Defender for blocking URLs or installing programs. In terms of additional features, we have more features than we use. We haven't really had a chance to dig too deep into it.

I would like to see Sentinel better integrated with the rest of the security technology within one portal.

It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has. They're continuously improving it. You can compare it with Teams. About a year ago, the codex and the presentation of the Teams application were not very well optimized, and if you were using the Teams application, it used to drain your battery. It still drains your battery, but they have improved it a lot, and it is a lot less CPU intensive after one year. They're working on Defender for Endpoint to make it less CPU intensive.

I would like to see integrations with other products, such as Spunk and other CM solutions. That would create possibilities for me, and for a SOC, to consolidate all events in an older console, not one provided by Microsoft but provided by a third party, and use it to create more insights. Examples of such insights might be the need to create a new policy or the need to mitigate an attack happening now. This type of ability would create a new business case, one that doesn't only use Microsoft solutions.

In Microsoft Defender for Endpoint, the devices still need to mature a little more when compared to other AV solutions. Microsoft Defender for Endpoint is not as robust, and you cannot customize it much, so that's a challenge. These are the rooms for improvement in the product. Microsoft Defender for Endpoint is still being improved. I would say it's still in the development stage. Daily, Microsoft is getting feedback from the customers, so they are modifying the product based on the feedback and requirements of the customers. It's an ongoing process, and as a consultant, I'm in a much better shape, from a consultant point of view, in terms of speaking with customers. What I'd like to see in the next release of Microsoft Defender for Endpoint is a single console where you can manage all the policies, Intune, and the EDR capability that can be managed through Intune. There should be a single portal for that to make it more convenient for the security consultant engineer to work with. Right now, I have to hop between different controls. Even the tenant attach feature needs to become more mature in Microsoft Defender for Endpoint because it's just very basic. The concept is good, but it's very basic, so it requires more effort for the engineer to configure.

There is always room for improvement. They can improve it on the online protection front since people nowadays are moving online and working from home. That would be a good thing to focus on.

The biggest issue I had with Microsoft Defender for Endpoint was the antivirus and ransomware. I wanted central visibility over all the machines that we operate.

I'd like to see more integration in the next release and the solution should be file protected.

I want Microsoft Defender to have the ability to deal with some issues automatically, so I don't need to address that issue manually.

The technical support could be improved.

Microsoft Defender for Endpoint could improve by providing more user-friendly dashboards. They may be complicated for some. In a future release, they should add a feature for patch management.

In terms of the architecture of the management infrastructure, we found that other technologies are more simple. Microsoft Defender could be simpler too. Plus, Microsoft's philosophy is that they leverage the technology they have already built in Windows or any other services within Windows. So, it is good from that standpoint, but it also becomes a bit cumbersome when it comes to the dependency. Having dependency on many things can be a weakness sometimes because you add up more points of failure to the services. Whereas the other vendors are doing the limited thing, and that's why they're not comparable in prices, but their solutions basically aren't dependent on Microsoft's other services or anything else. They're more dependent on their agent. With Microsoft, it is not just the agent. It is the operating systems that aren't working well. The technology won't give you the desired output. So, that's something that Microsoft may need to improve: making services more independent wherever possible. That's something of their philosophy. When they build something on their OS layer, they add on technologies, and then there's something for the ISV. That's their strategy, but we keep arguing with them that they have to compare the dependence as other vendors are doing. From the Microsoft end, the design working depends on the health of other services and other components of the operating system. Whereas if you compare it with the Symantec technology, just the agent health has to be there. That's the case with McAfee as well. They build up their products on developed agents only.

Microsoft Defender for Endpoint can improve by providing more and different types of reports.

Microsoft Defender for Endpoint could improve by making the reporting better.

What I'd like included in the next release of Microsoft Defender for Endpoint is more integration with different platforms.

It can be perfect and be better. It can always be better in the position. It performs well, but could still be better.

The solution could always be more secure.

We had some issues where phishing and malware were not detected and were allowed to pass unless I mentioned it or we forced the phishing or malware to be blocked, I can't rely on that alone. Phishing and Malware detection could be better. Technical support needs improvement.

In my experience, I only need the client dashboard in the cloud and in the server. For my dashboards in the cloud, I can set up and see everything. I can check alerts, e.g. I'm alerted when something happens, but when my client is offline, and I want to look for something offline, e.g. directly on his computer, I'm not able to see everything. My client's computer needs to be online for me to be able to see the information I need, and this is an area for improvement. There should be integration of this solution with client dashboards. I need to see some of the dashboards directly from the computers of my clients, rather than just their cloud dashboards. If the dashboard is only viewable from the cloud, I will not be able to view it when the computer is offline. What I'd like to see in the next release of Microsoft Defender for Endpoint is a better UI. Another suggestion to improve this solution is having endpoint protection offline, e.g. I'll set up a file on Microsoft Defender for Endpoint and all the network, so my ISP goes in and out through the Defender server. Rather than just being on cloud, they must make an appliance for on-premises deployment.

An additional feature I'd like to see in the next release is for this product to be more flexible when integrating with third-party systems. Another feature I'd like to see in this product is the sandbox, particularly a third-party sandbox. This feature will help us give better service.

Sometimes, there are different skews. In a basic skew, they should have basic log analysis without the need to integrate with any third-party or SIEM solutions, like Sentinel. This would make it so much easier for users who don't have log collection or log analysis.

One area where the product could be improved is that I don't think it can be used all by itself, if you are working with a business. If you are using the laptop as a business, you need to add an extra protection with this solution. The solution could be more friendly for end-users, with different type of scans or scheduled scans for it. The antivirus database update could be a cloud protection instead of waiting for the database to be updated every now and then.

The solution could be even more secure and provide an even higher level of security.

The solution can be more user-friendly.

There are likely some technical improvements or features that could be added, however, I cannot say, off the top of my head, what they would be.

Overall, they're doing a much better job. However, recently, they added the Azure Defender. When you use the Azure Defender licenses, you're already enrolled. I prefer that they had the old interface that was not combined with compliance, and still, they've changed that to make it better. I would just like them to have more consistency, and that's a comment that's across the board with Microsoft. They change things a lot.

Everything can always be improved. Improvements would depend on the client. Monitoring can always be better, onboarding can be a little bit faster, log collection could be easier, they could streamline the dashboard. They could maybe split it up into different workspaces and have the ability to segment groups a little bit more.

The solution could improve by providing more integration.

The dashboards could be better. There's a suite of different products that play together and enhance security and receive signals from different parts of the product suites. When you are trying to look into that sort of depth on a dashboard, or across various dashboards, it can be difficult to obtain a comprehensive overview as it's so divided. The initial setup can be a bit complex. Beyond that, I'm not involved in the day-to-day operation. There may be others that can offer more insights.

There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions. Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organization's recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.

I think the solution needs to be more on par with other antivirus products in the market. It should be able to deal with any threats so additional security would be helpful.

What I've heard from the customers is that the anti-malware engine is not up to date. So, sometimes, it may not detect such threats. I, however, haven't got any data to show for this. Its licensing can be better. Currently, customers with the E3 license cannot use many features, and they would like those features to be available. With Windows 10 E5, Microsoft is phasing out all the functionality. They have also made a lot of changes recently where you can also buy add-ons for Defender ATP, but for Office 365, ADT, and other stuff, you still require E5 licensing. If they can improve its licensing, it would definitely be helpful in implementing the features from the security point of view. E5 definitely has more features from the security point of view. I would like Microsoft to have some kind of direct integration for USB controls. They have GPO and other controls to control the access of the USB drives on devices, but if there is something that can be directly implemented into the portal, it would be good. There should be a way to control via a cloud portal or something like that in a dynamic way. USB control for data exfiltration would be a good feature to implement. Currently, there are ways to do it, but it involves too many different things. You have to implement it via GPOs and other stuff, and then you move or copy those big files via Defender ATP. If there is a simple way of implementing those features, it would be great.

We encountered some misbehavior between Microsoft Office Suite and Defender. We had issues of old macros being blocked and some stuff going around the usage of Win32 APIs. There is some improvement between the Office products and Defender, and there is a bunch of stuff that you can configure in your antivirus solutions, but you have several baselines, such as security baselines for Edge, security baselines for Defender, and security baselines for MDM. You have configuration profiles as well. So, there a lot of parts where we can configure our antivirus solution, and we're getting conflicting configurations. This is the major part with which we're struggling in this solution. We are having calls and calls with Microsoft for getting rid of all configuration conflicts that we have. That's really the part that needs to be improved. It would be cool to have just one interface or only one or two locations where you configure the stuff. Currently, they have three locations where you can configure your antivirus. Three locations are too much, and there is too much conflict. It is not a one-to-one configuration. There are some configuration settings that you can only do in SCCM. You don't find them in MDM. So, it's not always one-to-one. The last point of improvement is related to the quality of service that Microsoft provides. The quality of service that Microsoft provides should be improved.

Integration with third-party vendors could be better. It would be better if it integrates with other protection solutions or other products outside of Microsoft. Nowadays, anti-virus protection doesn't really have to be planned as overall protection for your environment in terms of security. There are really different avenues that bad actors can take to wreak havoc on your machine. We don't just use anti-virus. That's really like a traditional way of doing it. We have different kinds of protections. We have our advanced threat protection for email, and we have advanced threats analytics for domain controllers for servers. We use all those.

At times, the other antivirus products are now doing AI, in terms of understanding the behavior of the system and determining when there's an anomaly. This is something that Defender can improve on.

In terms of improvement, they update the platform it seems quite a bit. Every month something is in a new spot or something changed somewhere. There should be less of that.

Lowering the price would be an improvement.

There is room to improve the security of the solution. We have plans to add an email security solution because this solution does not provide us with what we want.

One area for improvement is that, because it comes out-of-the-box, it does not interact well with many applications we have developed in-house. There is no way to exclude them because it interacts with everything on the endpoint. One of the issues is lagging: the in-house-developed applications suffer from this and they become slow. For a big enterprise, it is important that they include a feature so that we can exclude these applications. Another area where it could be improved is that, while it collects a lot of data, it misses some data, which is important, such as the hardware version of the endpoint and the AV signature version. I think this improvement is in the Microsoft pipeline already but it is not in the solution yet.

I personally haven't experienced any pain points, but some of my coworkers feel that it isn't secure enough. It would be nice if they could guarantee that we'll always be safe and secure with them.

The interface could be improved.

Some integration components for Mac should be added. We use both Windows 10 desktops and Mac desktops, but presently, the Mac component is still lagging a bit behind. However, I think this is a temporary case.

Its interface can be improved a little bit. We would like to have some sort of centralization. It should have something like a central server that is managing all the other clients. There are solutions from Kaspersky or ESET NOD32 that are really doing this kind of thing currently. We would like to see something similar from Microsoft.

Its price could be better.

They have to improve the email scanning where email is coming from somewhere other than our private network. The scanning is slow when it is working with incoming emails. Often, I can see the email but the scanning process is not finished and I cannot open the attachment. In general, the scanning has to be faster.

The integration of the defense features is something that they are working on but it still needs improvement. In the next release, I would like to have additional features integrated with DNS security and DNS resolution. It will add to the solution and work more like a firewall. If they integrate with the EDR then it will benefit this solution. I would like ATP to be integrated with the EDR as one single license.

While have been using this solution for two years, I am not completely knowledgable. Due to license restrictions, we cannot use all of the features that are offered. I am not sure if I will be using this product in the future because of the price. I would like to see better pricing for this solution in the future.

The GUI is very complex, particularly for normal users who work on it. It could be more user friendly. For future improvements, I'd be looking at internet security which we don't have as Microsoft does not distinguish whether a site is malicious or not. Kaspersky is very good at that but not Microsoft. It would be a big advantage for them if they were to include it.

I would like to see better integration with their other security products to give better visibility from a higher level. Integrating with email, Azure, identity management, and other security applications, putting them all together, would be very good. The first level of technical support is not very useful and it sometimes takes time to escalate to somebody more knowledgeable.