-
Pros
- Included with Microsoft 365
- Powerful endpoint detection and response (EDR) features
- Excellent threat analytics and investigative capabilities
- Escalation for professional remediation of threats
- Lots of good documentation
-
Cons
- The interface can be confusing
- Setup is not intuitive
- Significant learning curve
- Expensive
Microsoft 365 Defender Specs
Apple macOS Client | |
Endpoint Detection and Response (EDR) | |
External Device Control | |
Firewall | |
Full Audit Log | |
Linux Client | |
Malicious Website and Anti-Phishing Defense | |
Manage by Group | |
Patch Management | |
Policies Target | Device |
Root Cause Analysis | |
Windows Client |
Most every Microsoft customer has heard of Windows Defender, since some version runs on every Windows desktop back to Windows XP. But with Microsoft's concerted effort to move customers to its cloud services, the company has pushed its endpoint protection technology into the Microsoft 365 application barn. Now called Microsoft 365 Defender, the tool is truly state of the art, including endpoint detection and response (EDR) features, active threat hunting, and support for macOS, Linux, iOS, and Android devices. Windows users, of course, get the best desktop support, while Microsoft 365 users are the real winners since they'll also receive email scanning as part of the package. But while Microsoft 365 Defender has all of the features necessary to be at the top of the heap, Microsoft has done a surprisingly poor job at interface design. This keeps the current version behind our Editors' Choice winners in the endpoint space: Bitdefender GravityZone Ultra, F-Secure Elements, and Sophos Intercept X.
Microsoft 365 Defender Pricing and Plans
Interface issues aside, Microsoft 365 Defender has a fairly competitive though somewhat convoluted pricing scheme. For example, you can buy the Microsoft 365 Defender P2 version, which includes EDR and other advanced capabilities, as a standalone service for $5.00 per user per month. Alternatively, it's included in the Microsoft 365 E5 enterprise plan, the soup-to-nuts Microsoft 365 plan that runs to $57 per user per month.
If you're reading quickly, that $5 per user per month price might look fantastic compared to the other solutions we reviewed. But do the math, and it translates to $60 per user per year, which makes Microsoft 365 Defender on the pricier side. Our most costly Editor's Choice winner, Bitdefender GravityZone similarly starts at $57.40 per user per year, albeit that's without advanced features like EDR, While Microsoft offers quite a bit of feature oomph in exchange for those dollars, you should still evaluate it carefully before plunking down all that money if you're not currently a Microsoft 365 customer.
More frugal businesses will want the P1 version of Microsoft 365 Defender, which leaves out advanced features, including EDR. You can purchase P1 as a standalone for $3 per user per month, and it's also part of the more price-conscious Microsoft 365 E3 plan, which costs $32 per user per month.
Even if you don't currently have any Microsoft 365 subscription, you may still have access to Microsoft 365 Defender. Customers who have purchased enterprise licenses of Office 365, Windows 10, and Windows 11 get access to Defender's features and portal at no additional cost, as do customers of previous Defender endpoint offerings, including Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Defender for Office 365 (Plan 2).
If you want to evaluate the service for yourself, there's a standalone and free 30-day trial version available (good for 25 users) for download from the Microsoft 365 website.
Getting Started With Microsoft 365 Defender
Ironically, getting started is the hardest part of using Microsoft 365 Defender. Microsoft's getting-started documentation (available online) assumes you already have a Microsoft 365 account and the ability to make changes to it. If you only want the endpoint portion, that is also available as a separate sign-up.
Once you're signed up, onboarding is easy if you know where to look, but knowing is the hardest part. There's currently a lengthy transition as Microsoft slowly moves old Defender functionality into the new version, so we found locating and using many features difficult at the time of this writing.
The best method we found was to navigate to Settings > Endpoints > Onboarding. Once there, you can download the onboarding script that runs on Windows 10 machines. Still, this procedure is somewhat tedious, which was a big turn-off, considering that even some products that didn't rate our Editors' Choice designation, such as Kaspersky Endpoint Security Cloud and Vipre Endpoint Security Cloud, provide easy-to-use installers.
For macOS machines, the process is slightly different but similarly cumbersome. Honestly, onboarding this way only really seems suitable for Windows-centric shops, where you'll push the product out via Active Directory. For the average administrator who might not be fully embedded in the realm of Windows Server, this is a big ask. Microsoft 365 Defender's setup was annoying enough to be a significant ding in our book.
(Editors' Note: Vipre is owned by Ziff Davis, the parent company of PCMag.com.)
A Rollercoaster Interface
Using Microsoft 365 Defender is an up-and-down experience. Once you've wormed your way through the installation process, you'll find the dashboard is something of a cluttered mess. It’s informative, but not in the sense that you would want from an out-of-the-box experience. It’s all about what you can do with the product, but it doesn't immediately provide the information you need about your network. We found ourselves sweeping the area clean and adding back only the blocks that we wanted to see. Another annoyance is that you can suddenly and mysteriously wind up on the old interface from time to time. Fortunately, when you do end up there, you'll also see a conspicuous option to automatically redirect you to the new site, which we turned on.
In the new interface, the left-hand side of the page neatly lays out your available options. Incidents & Alerts is where you’ll spend most of your time. This section identifies any active and remediated threats across all your registered and currently connected endpoints. The good part about this, compared to the rest of the interface, is that it's well-structured. Incidents are grouped so that a batch of infections doesn't look like a series of discrete events. If they arrive on the machine via the same process, you’ll see that visualized in an investigation hierarchy. If you drill into the investigation, you’ll get an EDR style graph that gives you the full pictures of how the infection started and what it affected. While other top-ranked products do this too, such as Editors' Choice winners F-Secure Elements and Bitdefender GravityZone Ultra, Microsoft 365 Defender does it cleanly, with excellent on-screen explanations.
The threat analytics page is closely tied to incidents. It shows the most prevalent threats in the wild and whether they affect your network, and it offers fascinating insights into what might hit your network next and which of your devices are vulnerable. Related to this is the Vulnerability Management section, which includes a dashboard showing an exposure score and how to improve it and several pages for discovering and managing vulnerable software. For each of the vulnerabilities found, it gives remediation steps, if available, or links to the out-of-date software’s page so that you can acquire updates. It provides a variety of helpful information, as well; so much so, in fact, that it’s somewhat overwhelming. It could easily lose someone who didn’t already know what to look for. It’s definitely necessary to spend some time reading the documentation for this one, but there’s a lot of power here.
While Microsoft 365 Defender's threat and vulnerability management is top-notch from a technical perspective, policy management isn't. You do get some granularity in how email is handled, but the general endpoint settings seem out of place and geared toward connecting with other Microsoft offerings, such as Intune, Secure Store, and Office 365 Threat Intelligence. These settings are also not handled with defined policies and are a global set. Lacking a cohesive process for restricting devices, setting the level of protection, and managing exclusions, Defender's policy management seems like an afterthought.
Reports are another positive for the Microsoft 365 Defender interface, as they are both colorful and helpful. Everything from device health and compliance to a comprehensive security report is available. That said, they are somewhat buggy as of the time of testing. Many reports generated errors or stated that data wasn’t available when plenty of data was. We suspect this will get better over time and undoubtedly via several patches. Another minor gripe is the inability to print these reports or convert them to a PDF, but it’s not a deal-breaker.
Endpoint Protection Testing
As with all our other contenders, we ran Microsoft 365 Defender through our endpoint protection testing process. During the phishing attack, we tested 10 verified phishing links from PhishTank. When we used Microsoft Edge, all of the pages were reported as Unsafe by Microsoft Defender SmartScreen. When we tested Chrome and Firefox, they did not seem to be protected by this feature, which is fairly typical for a Microsoft-geared product but is nonetheless a mark against it.
Next, we used Metasploit's Autopwn 2 feature to launch a browser-based attack against the system using a known vulnerable version of Chrome with the Java 1.7 runtime installed. Only attacks that were likely to succeed in granting a remote shell were launched automatically, and none of the attacks succeeded.
We then simulated executing a standard Meterpreter binary tacked onto the end of Windows Calculator. The executable was not even allowed to copy to the desktop. We also tested a set of Veil 3.0-encoded Meterpreter executables that included PowerShell, Auto-IT, Python, and Ruby. All of them were detected the moment they were copied to the desktop, and we were unable to proceed with any further access tests.
Lastly, we disabled the network connection on our virtual machine (VM), extracted a set of known malware executables called TheZoo, and attempted to run them. Defender quarantined each of them before it had the chance to run, confirming that Defender's signature-based detection was working well. There was a slight delay between deploying the malware and seeing the system react, but we suspect this was the notification lagging behind the action taking place.
Backing up our test results, we found that Defender has also performed well in MITRE ATT&CK evaluations. It handled nearly all of the attacks and stood up to several noted real-world threats.
Powerful But Unpolished
Microsoft 365 Defender is a mixed bag. It has most of the elements of a winner, but it lacks enough polish to actually make it one. That said, if you are already a Microsoft 365 user, you may already have access to it, making it worth a look to see if it can meet your needs while Microsoft works to improve it.
You can be confident in knowing that it will protect your network from threats adequately, even if it tends to be a bit confusing at first. For me, this is a pass, but it should go on the watch list for future options. For now, our preference would be to stick with one of our Editors' Choice winners: Bitdefender GravityZone Ultra, Sophos Intercept X, or F-Secure Elements.