Microsoft 365 Defender – Review 2021

Almost all Microsoft customers have heard of Windows Defender, as some versions run on all Windows desktops back to Windows XP. But with Microsoft’s concerted efforts to move customers to its cloud services, the company has pushed its endpoint protection technology into the Microsoft 365 application store. Now called Microsoft 365 Defender, the tool is truly state of the art, including endpoint detection and response (EDR) features, active threat hunting and support for macOS, Linux, iOS and Android devices. Of course, Windows users get the best desktop support, while Microsoft 365 users are the real winners, as they also receive email scanning as part of the package. But while Microsoft 365 Defender has all the features needed to be at the top of the stack, Microsoft has done a surprisingly poor job of interface design. This keeps the current version behind our Editors’ Choice winners in the endpoint range: Bitdefender GravityZone Ultra, F-Secure Elements and Sophos Intercept X.

Microsoft 365 Defender pricing and plans

Aside from interface issues, Microsoft 365 Defender has a fairly competitive but somewhat intricate pricing scheme. For example, you can purchase the Microsoft 365 Defender P2 version, which includes EDR and other advanced features, as a standalone service for $ 5.00 per share. user per month. Alternatively, it is included in the Microsoft 365 E5 enterprise plan, the soup-to-nuts Microsoft 365 plan, which runs at $ 57 per. user per month.

If you read fast, the price of $ 5 per. user per month look great compared to the other solutions we have reviewed. But do the math, and it translates to $ 60 per user per year, making Microsoft 365 Defender the more expensive site. Our most expensive Editor’s Choice winner, Bitdefender GravityZone, starts similarly at $ 57.40 per share. user per years, although it is without advanced features like EDR, while Microsoft offers a lot of functionality in exchange for these dollars, you should still evaluate it carefully before you throw yourself down. all that money if you are not currently a Microsoft 365 customer.

More frugal companies will want the P1 version of Microsoft 365 Defender, which omits advanced features, including EDR. You can buy P1 as a freelancer for $ 3 per person. user per month, and it’s also part of the more price-conscious Microsoft 365 E3 plan, which costs $ 32 per month. user per month.

Even if you do not currently have a Microsoft 365 subscription, you may still have access to Microsoft 365 Defender. Customers who have purchased business licenses for Office 365, Windows 10 and Windows 11 will have access to Defender’s features and portal at no extra cost, as will customers with previous Defender endpoint offerings including Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps and Defender for Office 365 (Plan 2).

If you would like to evaluate the service yourself, a free and free 30-day trial is available (good for 25 users) for download from the Microsoft 365 website.

Get started with Microsoft 365 Defender

Ironically, getting started is the hardest part of using Microsoft 365 Defender. Microsoft Getting Started Documentation (available online) assumes that you already have a Microsoft 365 account and the ability to make changes to it. If you only want the endpoint section, it is also available as a separate registration.

Once you sign up, onboarding is easy if you know where to look, but knowing that is the hardest part. There is currently a lengthy transition as Microsoft is slowly moving old Defender functionality into the new version, so we found it difficult to find and use many features at the time of writing.

The best method we found was to navigate to Settings> Endpoints> Onboarding. Once there, you can download the onboarding script running on Windows 10 machines. Still, this procedure is a bit cumbersome, which was a big rejection considering that even some products that did not rate our Editors’ Choice designation, such as Kaspersky Endpoint Security Cloud and Vipre Endpoint Security Cloud, provide easy-to-use installers.

For macOS machines, the process is a little different, but equally cumbersome. Honestly, onboarding this way only seems really suitable for Windows-centric stores where you want to push the product out via Active Directory. For the average administrator, who may not be fully integrated into the Windows Server area, this is a big issue. Microsoft 365 Defender setup was annoying enough to be an essential thing in our book.

(Editor’s note: Vipre is owned by Ziff Davis, the parent company of

And Rollercoaster Interface

Using Microsoft 365 Defender is an up-and-coming experience. Once you have wormed your way through the installation process, you will find that the dashboard is something of a messy mess. It’s informative, but not in the sense that you want from an out-of-the-box experience. It’s about what you can do with the product, but it does not immediately provide the information you need about your network. We found that we swept the area clean and added only the blocks we wanted to see. Another annoyance is that you can suddenly and mysteriously end up on the old interface from time to time. Fortunately, when you end up there, you will also see a noticeable opportunity to automatically redirect you to the new site that we have hit.

Microsoft 365 Defender active alarm quick screen display

In the new interface, the left side of the page nicely shows your available options. Incidents & Alerts is the place where you will spend most of your time. This section identifies all active and resolved threats across all your detected and currently connected endpoints. The good thing about this, compared to the rest of the interface, is that it is well structured. Events are grouped so that a batch of infections does not resemble a series of discrete events. If they arrive at the machine via the same process, you will see it visualized in a survey hierarchy. If you drill into the study, you will get an EDR style graph that gives you the full pictures of how the infection started and what it affected. While other top-rated products do the same, such as Editors’ Choice winners F-Secure Elements and Bitdefender GravityZone Ultra, Microsoft 365 Defender does it clean with excellent on-screen explanations.

Microsoft 365 Defender EDR Management View

The threat analysis page is closely linked to incidents. It shows the most common threats in nature and whether they affect your network, and it provides fascinating insight into what may hit your network next time and which of your devices are vulnerable. Related to this is the Vulnerability Management section, which includes a dashboard that shows an exposure score and how it can be improved, and several pages for detecting and managing vulnerable software. For each of the vulnerabilities found, it provides remedial steps, if available, or links to the outdated software page so you can download updates. It also provides some useful information; so much, in fact, that it is somewhat overwhelming. It can easily lose someone who did not already know what to look for. It is definitely necessary to spend some time reading the documentation for this one, but there is plenty of power here.

Microsoft 365 Defender threat analysis and descriptions

While Microsoft 365 Defender’s threat and vulnerability management is top notch from a technical perspective, policy management is not. You get some granularity in how email is handled, but the general endpoint settings seem out of place and aimed at connecting with other Microsoft offerings, such as Intune, Secure Store, and Office 365 Threat Intelligence. These settings are also not handled with defined policies and are a global set. Due to the lack of a coherent process to restrict entities, set the level of protection and manage exclusions, Defender’s policy management seems like an afterthought.

Reports are another positive for the Microsoft 365 Defender interface as they are both colorful and helpful. Everything from device health and compliance to a comprehensive safety report is available. That said, they are somewhat buggy at the time of testing. Many reports generated errors or said that data was not available when there was plenty of data. We suspect this will get better with time and no doubt via more patches. Another minor issue is the inability to print these reports or convert them to a PDF, but it is not a deal-breaker.

Microsoft 365 Defender report and policy editor

Endpoint protection test

As with all of our other competitors, we ran Microsoft 365 Defender through our endpoint protection testing process. During the phishing attack, we tested 10 verified phishing links from PhishTank. When we used Microsoft Edge, all pages were reported as insecure by Microsoft Defender SmartScreen. When we tested Chrome and Firefox, they did not appear to be protected by this feature, which is quite typical of a Microsoft-geared product, but is nonetheless a brand against it.

Next, we used Metasploit’s Autopwn 2 feature to launch a browser-based attack on the system using a known vulnerable version of Chrome with the Java 1.7 runtime installed. Only attacks that would likely succeed in providing an external shell were launched automatically, and none of the attacks succeeded.

We then simulated performing a standard Meterpreter binary booklet at the end of Windows Calculator. The executable was not even allowed to copy to the desktop. We also tested a set of Veil 3.0-encoded Meterpreter executable files that included PowerShell, Auto-IT, Python, and Ruby. All were detected the moment they were copied to the desktop and we were unable to proceed with further access tests.

Eventually, we disabled the network connection on our virtual machine (VM), extracted a set of known malware-executable files called TheZoo, and tried to run them. Defender quarantined each of them before it had a chance to run, confirming that Defender’s signature-based detection worked well. There was a slight delay between implementing the malware and seeing the system respond, but we suspect this was the message that lagged behind the action that took place.

As a backup of our test results, we found that Defender has also performed well in MITER ATT & CK evaluations. It handled almost all the attacks and withstood several perceived threats from the real world.

Powerful but unpolished

Microsoft 365 Defender is a mixed bag. It has most of the elements of a winner, but it lacks enough polish to actually make it one. That said, if you’re already a Microsoft 365 user, you may already have access to it, which makes it worthwhile to see if it can meet your needs while Microsoft works to improve it.

You can be sure that it will protect your network from threats adequately, even though it tends to be a bit confusing at first. To me, this is a passport, but it should go on the watch list for future opportunities. So far, we prefer to stick to one of our Editors’ Choice winners: Bitdefender GravityZone Ultra, Sophos Intercept X or F-Secure Elements.


Leave a Comment