Is Defender For Business any good?
Posted by Sufficient-Class-321@reddit | sysadmin | View on Reddit | 65 comments
Hi All, AV renewal time is coming up and have done my own research but wondered what the hive-mind here thinks about Defender for Business
On paper it seems like a no-brainer, we already have business premium licenses for some users, and per-endpoint it's cheaper than what we're using currently and since we're a MS environment it makes a lot of sense
However I'm getting that sinking feeling, if it's too good to be true then it probably is? Just wondered if there are any reasons we shouldn't go for it over our 'conventional' antivirus solution, or if anyone has run into any major issues with it
hb_2410@reddit
Business Premium has Safe Links & Safe Attachments. Attachments get opened in a sandbox and checked on behavior, not signatures. Email is where threats land first and traditional AV just won't pick that up.
ASR rules default to audit mode and a lot of orgs leave them there forever. Let them run for 2-3 weeks. Then pull up the reports section in the XDR portal and start flipping them to block. Otherwise they're just sitting there doing nothing.
Defender holds up fine against conventional AV. Configuring everything just takes real time. Once you get through that the licensing you already have covers it. We worked through the SKU differences with TrustedTech a while back and it helped clear up the tier confusion. The 300 device cap applies to Defender for Business so double check your count.
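The audit-then-block workflow from the comment above, as an added PowerShell example (my code, not the commenter's or Microsoft's): it lists the ASR rules configured on the local endpoint with their current mode, counts the audit-mode events (Defender operational log, event ID 1122) per rule over the audit window, and flips the audit rules that never fired to block. Assumptions are marked in the comments: the rule GUID is parsed out of the event message text, and the action-code table follows Microsoft's documented values. On Intune/MDM-managed devices local `Set-MpPreference`/`Add-MpPreference` changes are overridden by policy, so use this to validate on a test box and then make the same change in the Intune ASR policy.

```powershell
# Added example, not from the thread. Run elevated on a test endpoint.
# ASR action codes as returned by Get-MpPreference (per Microsoft docs).
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrRuleState {
    # One object per configured ASR rule: GUID plus its current mode.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpperInvariant()
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrAuditHits {
    param([int]$Days = 21)
    # Event 1122 = ASR rule matched in audit mode; 1121 = matched and blocked.
    # Assumption: the rule GUID appears in the message text and is the first GUID in it.
    $guidRx = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { [regex]::Match($_.Message, $guidRx).Value.ToUpperInvariant() } |
        Where-Object { $_ } |
        Group-Object |
        Select-Object @{n = 'RuleId'; e = { $_.Name }}, @{n = 'AuditHits'; e = { $_.Count }}
}

function Set-AsrRulesToBlock {
    param(
        [Parameter(Mandatory)][string[]]$RuleIds,
        [switch]$DryRun
    )
    # Add-MpPreference updates the action of an existing rule without
    # replacing the whole rule list the way Set-MpPreference does.
    foreach ($id in $RuleIds) {
        if ($DryRun) { Write-Host "Would set $id to Block"; continue }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# 1. Current rule state joined with audit hits over the audit window.
$hits = @{}
Get-AsrAuditHits -Days 21 | ForEach-Object { $hits[$_.RuleId] = $_.AuditHits }
$state = Get-AsrRuleState | ForEach-Object {
    $_ | Add-Member -NotePropertyName AuditHits -NotePropertyValue ([int]$hits[$_.RuleId]) -PassThru
}
$state | Sort-Object AuditHits -Descending | Format-Table -AutoSize

# 2. Audit rules that never fired are safe to flip; rules with hits need the
#    hits reviewed (and exclusions decided) in the portal before blocking.
$quiet = @($state | Where-Object { $_.Action -eq 'Audit' -and $_.AuditHits -eq 0 })
if ($quiet.Count -gt 0) {
    Set-AsrRulesToBlock -RuleIds $quiet.RuleId -DryRun   # drop -DryRun to apply
} else {
    Write-Host 'No audit-mode rules without hits; review the ones that fired first.'
}
```

The local event log only covers one machine; for the fleet-wide view use the ASR report in the XDR portal as the comment says, but this is a quick way to see on a given box whether a rule would have bitten before you flip it.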
Sweet-Sale-7303@reddit
I use Defender for Business. For all purposes it's Defender for Endpoint. It gives you a dashboard that tells you all the vulnerabilities out there for all software. It also tells you which ones affect your current environment. It's something that ESET didn't give you when I was with ESET.
Some products will integrate with it to make it even better. I like it and it's caught things that ESET did not. To fully make use of it you have to dig into it but I think it's worth it.
I have heard that the dashboard with all the worldwide threats and newest attacks is something that others don't have. So if you care about that it might be worth it.
Tyler94001@reddit
Let's just say we have Spotify installed, Google Chrome, KeePass, and Adobe Acrobat.
It will tell you in the Defender software any vulnerabilities that exist for those softwares, and if you have a device using a version of the software that is susceptible to that vulnerability?
Does it do patch management? Will it automatically update that software, or just alerts you and you manually do it?
Do you use a patch management software, or do you manually patch based on what defender shows?
Will defender at least allow you to patch Windows and keep it on the latest updates?
If you don't mind me asking, what does your software stack look like?
Any EDR other than defender? RMM? etc
Sweet-Sale-7303@reddit
Yes. It will do a scan on the devices then show you vulnerabilities of that software. Until Defender for Business I didn't realize how many there were for other software. I use Intune and Defender for Business together on top of our local Active Directory. We have been getting the licensing separate instead of going for A3 or E3. Ends up cheaper for us.
We are just using Defender for Business. I used to use the ESET suite but the management of it really sucked and Defender for Business is catching a lot more stuff than ESET ever did.
Wodaz@reddit
If you are using Vulnerability Management, do you find you need the 'premium' level of that console?
Sweet-Sale-7303@reddit
I am perfectly happy with the Vulnerability dashboard and Threat Analytics dashboard that comes with Defender for Business.
Norphus1@reddit
Defender is a good AV engine and as EDR solutions go, it isn't bad by any stretch of the imagination. However, Crowdstrike seems to be the solution that's in vogue at the moment. My company uses both for a sort of belt and braces combination.
Gartner seem to like both too: CrowdStrike Falcon vs Microsoft Defender for Endpoint 2025 | Gartner Peer Insights
Due_Programmer_1258@reddit
Curious about your implementation as this is probably the path we are going down too. Presumably you use CS as your primary and Defender in EDR block mode?
Djaaf@reddit
Yes, you can't really get rid of defender in Windows anyway, so you put it in passive mode and let crowdstrike take the wheel.
Both are good products, CrowdStrike is a lot less verbose than Defender and the SOAR module is great too.
The only caveat I have with CrowdStrike is for tablets. The battery optimisation in Android can and will disable it and that's a right mess.
Norphus1@reddit
Yes, that’s right. I’m not in infosec though, so can’t really give you more details than that.
sgt_Berbatov@reddit
I have a real issue with trusting CrowdStrike given what happened before.
lostmojo@reddit
To me that’s the same as firing someone for a mistake. They learned a lot from their issue, they were communicating the issue to the public and working directly with Microsoft and their customers to get them up and running again. They learned from their mistake, owned it, and took care of their people.
If you think Microsoft has not made mistakes, just read the news on any random day. The difference is, CrowdStrike actually supports their customers.
apple_tech_admin@reddit
I don't think that's quite the same thing. If someone on my team made a mistake that equated to large scale disruption at the level the Crowdstrike incident caused, I would absolutely terminate them. Crowdstrike isn't just some average company. Their product has kernel level access and their worldwide outage was inexcusable.
The trust issues are warranted.
lostmojo@reddit
You’re not going to like this but that’s the difference between a good boss and company and a bad one. You’re losing the talent, skills, and experience of that person for something everyone does. It’s a mistake. People learn from their mistakes. You now have someone who will never make that mistake again and has learned a valuable lesson. It’s valuable to you because you have someone on your team that has intimate knowledge of the error and what happened, and how to avoid it in the future. They can help share and identify that issue in the future and provide valuable training for new employees. It also removes the fear for their jobs, people are less afraid to lose their jobs over an accident; they won’t try to hide or lie about it. Embracing the ownership of mistakes and making sure to learn from them for not only the individual but the team and company as a whole helps avoid future mistakes all around. It never should be punitive, it should be embraced and positive learning experience.
admiralspark@reddit
You do realize Microsoft has had a single person make a single change that knocked out their cloud, three times, in the last month.
Everyone screws up.
FatBook-Air@reddit
I know a lot of folks who were on CrowdStrike who have dumped it in the past 6 months, mostly larger businesses. I don't think it's been because of the quality. I think it's mostly been because they are now tightening budgets and are going with Defender since it's already included.
sublimeprince32@reddit
CS = $$$$$$$$$
Norphus1@reddit
My company went in the opposite direction. We were MDE only, but Defender went into passive mode and Crowdstrike has taken over as the primary.
JwCS8pjrh3QBWfL@reddit
Make sure to enable "EDR in Block mode" in the Defender portal. It's a safety net.
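Several commenters run Defender passively under CrowdStrike, ThreatDown or SentinelOne and rely on EDR in block mode as the safety net. Before trusting that layering it is worth confirming what mode the local engine is actually in. The read-only check below is an added PowerShell example (my code, not the commenter's or Microsoft's). It reads `AMRunningMode` from `Get-MpComputerStatus`, the state of the `Sense` service (the Defender for Endpoint sensor), the MDE onboarding registry value and the `ForceDefenderPassiveMode` policy value; the registry paths and mode strings are the ones in Microsoft's documentation and are an assumption to verify on your build. EDR in block mode itself is switched on in the portal (Settings, Endpoints, Advanced features), not locally.

```powershell
# Added example, not from the thread. Read-only; run elevated.
function Get-DefenderMode {
    $status = Get-MpComputerStatus
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # MDE sensor service
    # Assumption: documented registry locations for onboarding state and the passive-mode policy.
    $onb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AMRunningMode         = $status.AMRunningMode   # Normal | Passive Mode | EDR Block Mode | SxS Passive Mode
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        TamperProtected       = $status.IsTamperProtected
        SenseService          = if ($sense) { [string]$sense.Status } else { 'not installed' }
        MdeOnboarded          = ($onb.OnboardingState -eq 1)
        ForcedPassiveByPolicy = ($pol.ForceDefenderPassiveMode -eq 1)
    }
}

function Test-DefenderLayering {
    param([Parameter(Mandatory)]$Mode)
    # Translate the raw mode into what it means for a "third-party primary + Defender" setup.
    switch ($Mode.AMRunningMode) {
        'Normal' {
            'Defender is the primary AV. If another AV is installed too, something is misregistered.'
        }
        'Passive Mode' {
            if ($Mode.MdeOnboarded) {
                'Third-party AV is primary; Defender is passive and onboarded. Turn on EDR in block mode in the portal for the safety net.'
            } else {
                'Passive and NOT onboarded: no EDR telemetry and no block-mode safety net from this box.'
            }
        }
        'EDR Block Mode' {
            'Third-party AV is primary; Defender will remediate on EDR detections.'
        }
        'SxS Passive Mode' {
            'Running alongside another product with limited periodic scanning only.'
        }
        default { "Unexpected mode: $($Mode.AMRunningMode)" }
    }
}

$mode = Get-DefenderMode
$mode | Format-List
Test-DefenderLayering -Mode $mode
```

Run this on a sample of endpoints after the third-party agent is deployed; a box that reports `Normal` with another AV installed, or `Passive Mode` with `MdeOnboarded` false, is the one that will surprise you during an incident.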
Frothyleet@reddit
The reason that it feels too good to be true is that Business Premium is basically a loss leader for MS in terms of feature set. They're banking on you hitting the 300 user cap and having to double your spend on E-licenses
gihutgishuiruv@reddit
I think it’s partially that, and partially having millions of extra data sources to crowdsource their EDR
alexwhit80@reddit
We are giving it a go paired with Huntress.
GullibleDetective@reddit
Works great with atp
repooc21@reddit
I'm using Defender, passively. Primary is ThreatDown by Malwarebytes
BrentNewland@reddit
We have SentinelOne. We also have A5 licenses. They should work well together, but I did learn that Microsoft Defender has to be the program registered with Security Center to get full functionality with Microsoft's admin portals.
mohawk_man@reddit
Also what I'm doing. ThreatDown is great.
repooc21@reddit
Have you figured out how to keep your Microsoft Secure Score up?
NoEstablishment9123@reddit
I would use Defender instead of another EDR solution if you already have Business Premium for the users. Configuring it is a bit time consuming and it lacks several features like advanced hunting, but it most likely does the job and the server licenses are like five bucks a piece.
Avi_Asharma@reddit
Defender is much more mature now and it integrates with OS pretty well.
GiraffeNo7770@reddit
Yeah, its functionality these days can be considered on par with Windows itself.
...oh, wait...
badaz06@reddit
And yet, MS still quarantines their own alert messages...(SMH)
Kortok2012@reddit
Freak out about vulnerability in OpenSSL, continue installing vulnerable version in literally every default app
F7xWr@reddit
Yes, its already there just use it.
GeneMoody-Action1@reddit
It will save you as much as such a product can, the same as most others. Each has its own shtick, but most do 90%+ of the same thing. The integration is as clean and as light as any. Products like these are like super accurate competition handguns, more accurate than almost everyone in charge of using them.
Worry about the robustness of your program, the accuracy of the auditing and policies, and let these systems pick the low hanging fruit all day.
ak47uk@reddit
I have been with ESET for a very long time but over the past couple of years have been moving those with Bus Prem licences to DfB with Huntress managed EDR and ITDR for extra layers and peace of mind. Add comprehensive Conditional Access policies and harden the OS using a good set of Intune policies and it's a pretty low cost way to add a lot of layers.
Pub1ius@reddit
Similar situation here. Currently migrating pretty much everything from ESET to DfB.
Visible_Spare2251@reddit
I'm also with ESET but have considered a move to DfB a few times. I do quite like ESET though. My only issue is that I get a lot of error messages from Macbooks that I'm often trying to clear.
Valdaraak@reddit
Defender for Business consistently ranks high on the AV list, if I recall. It's one of the few Microsoft products I can say is legitimately good at what it's supposed to do.
PurpleFlerpy@reddit
It's decent. But from the perspective of the one who has to work the alerts, alerting is shit. I also have to dig through multiple screens just to be able to run a scan on an endpoint remotely. If they matured their alerts and GUI like they matured the backbone, I'd be all for it.
Top_Boysenberry_7784@reddit
If I am looking for an EDR defender is definitely the answer as it usually can fit right into existing licensing strategies and works fairly well. In my opinion there are very few situations to not use defender unless you are going a step above to a MDR.
Mindestiny@reddit
Defender for Business is one of the highest ranked EDR solutions on the marketplace, and directly integrates with other MS security solutions like Defender for Cloud Apps. If you're running the M365 stack it's an absolute no brainer, don't waste your time and money on third party AV/EDR. Works great on macOS endpoints too.
It's actually a more recent addition to the Business Premium licensing SKU (used to be an addon license or only included in M365 Enterprise SKUs), and the higher tiers of functionality are still individual SKUs but unless you're a massive enterprise you don't need to upgrade.
Wodaz@reddit
The fact that Microsoft added a Purview/Defender Suite for Business Premium for $15.00 makes Business Premium so perfect for under 300 users. eDiscovery, Insider Risk Management, Defender for Identity, and Entra P2, for $15 on top of a $22 Business Premium SKU, makes such an "E5 lite" license at $37 per month. Many offices at under 300 users are fine with Windows Pro instead of Enterprise, and don't use a lot of the other E5 features, and it's $57 a month.
EX_Enthusiast@reddit
Defender for Business is generally considered solid; its detection quality, EDR capabilities, and integration with the Microsoft 365 stack are strong, especially for the price. The main downsides people report are that the portal can feel noisy until you tune alerts properly and that onboarding non-Windows endpoints sometimes takes extra care, but operationally it's stable and competitive with traditional AV. If you're already a Microsoft shop, it's usually a very cost-effective and capable upgrade rather than a downgrade.
JwCS8pjrh3QBWfL@reddit
The only hard part of non-windows endpoints is that you have to deploy 12 configuration profiles for Macs. It's well documented, just tedious. On Linux you just deploy the app, deploy the config, and that's it.
appelpip@reddit
Defender has 90+ settings in the AV engine, and with ASR and EDR, fault localisation and discretionary exception management become very difficult due to the different policy control planes (GPO/MEM/MDE portals).
Troubleshooting mode does make fault localisation easier, but having worked with nearly every AV over 25 years, MDE/EDR is constantly actioning cloud telemetry, so if your business requires a steady-state environment with predictable workload, consider whether you require cloud reputation. If you have fragile workloads that break with oplocks, EDR/MAPS may need to be disabled. If application binaries are not code signed then EDR becomes super vigilant and can invoke full scans. Very effective on end-user productivity endpoints exposed to mail and internet threats.
Hel_OWeen@reddit
While Defender was mediocre on Windows 7 at best, starting with Windows 10 it has become a mature and solid product which can compete with all the other AV solutions out there.
IMHO a telling fact for this is that every AV software vendor started adding ~~crap~~ additional tools (VPN, password safe, children controls, safe browsing etc.) to their suites. Which to me means: their core product (AV engine/scanner) one has to pay for doesn't outperform the free MS product anymore. So when MS' business product offers more and the management tool (Intune) is good, it really is a no-brainer.
slimeycat2@reddit
Decent, but if you are small IT team with no SOC you may need help to monitor.
Jeff-J777@reddit
We've been using Defender for years and have no complaints. We have Business Premium licenses but pay for Defender Plan 2. Mainly we need it for our managed SOC to work with Defender.
For us it is not over chatty and about 85% of the alerts that come in are legit.
Before we switched to Defender we had Symantec and some PCs with base Defender running. We got hit with ransomware; all the Symantec PCs got hit. The base Defender PCs were just fine.
The_NorthernLight@reddit
We use Defender for our endpoints, but we overlap it with zorus for content blocking, and field effects for device security monitoring. We also use SentinelOne on our servers that can’t run defender.
denmicent@reddit
It works pretty well. We have CrowdStrike and run Defender passively, but I’d have no problem if we decided to switch fully to Defender.
excitedsolutions@reddit
The amount of things inside defender portal that light up reminded me what we were missing with all the 3rd party disconnected solutions. Coming from CrowdStrike, Rapid7, Carbon Black - yes it is quite good. Layering Defender for Servers with it truly makes it single pane of glass.
Cashflowz9@reddit
It is good and works well if you have the budget to staff someone monitoring managing and keeping up with that and all risky logins. Depending on size a dedicated resource is required sometimes.
doctorevil30564@reddit
We use Sentinel one. We only have two E3 licenses, everyone else has business standard licensed.
I had to configure S1 to be a bit paranoid so we get a lot more alerts than we were previously getting but it made my boss happy.
I have looked at defender with a lot of interest though.
I use the free version in conjunction with my licensed Malwarebytes software on my home PC.
WraithYourFace@reddit
In a similar boat. We use Sophos MDR Complete currently, but with the new Security SKU you can add onto M365 BP we thought of jumping ship (no complaints about Sophos). We're just getting more entrenched with SharePoint/Teams/Copilot the tight integration is a nice feature set.
You also get Identity included which is critical. I know Sophos has it now, but doesn't do anything for on-premises assessments. We use Crowdstrike ITDR (great product btw).
We were going to complement it with an MDR provider as well since I'm the only person who would manage it.
spittlbm@reddit
We found Gravity Zone to be a little less admin-intensive and a little cheaper.
Top-Perspective-4069@reddit
Defender has a lot of bells and whistles but is a high quality EDR tool. The integration with the rest of the ecosystem makes a lot of things really easy.
kerubi@reddit
Defender is probably the most common due to it being ”free” in some license bundles (strange that EU has not forbidden that as anti-competitive in Europe yet). However since it is so common, developing avoidance for it is also high priority for attackers. But it checks the box, at least.
Top-Perspective-4069@reddit
It's included but not required. As I recall, the problems with anti-competition in the past were mostly around features you couldn't get rid of, like Internet Explorer being part of the OS.
TheCyberThor@reddit
What are you using currently?
Sufficient-Class-321@reddit (OP)
BitDefender GravityZone, it's not bad by any stretch of the imagination, just not particularly blown away by it
MXH_D@reddit
It’s a good solid option for AV. The firewall on the other hand is pretty basic.
QuietGoliath@reddit
Defender does the job well enough for the price - but you really do have to get into the guts in the admin console (and Intune) and fine-tune it if you're in a more complex environment.
bitslammer@reddit
This is what I've seen as well. I'm in a larger global org (80K users) and we ran Symantec/Carbon Black for years before going to Defender. The SOC team did extensive testing before the switch and have been nothing but pleased since then.
QuietGoliath@reddit
I'm running my 3rd estate with it after binning Sophos in 2020 - can't honestly say I'd go back to market to look for anything else just now.