AV-Comparatives article on Microsoft Defender.

YeOldeStonecat

I've been a long time fan of the antivirus tests done by AV-Comparatives...unlike most other antivirus reviews, which seem to cater to donations, pay to be reviewed, and end up being biased....AV-C seems to be good at "real world scenarios".

AV-C has tended to not show Defender in a good light....but that's changing, as Defender has certainly continued to evolve and get better.

Any "home users" that ask me which AV they should get, I tell them just to stick to Defender..no need for 3rd party.
For businesses...we need a "centrally managed" one....that also integrates with our RMM. We used to do ESET NOD32, Panda, BitDefender, Kaspersky, SentinelOne...and of late...have fully switched over to Huntress...which "plugs into" Defender and injects it with steroids. We also kick it up with the "Defender for Business" feature of M365 Biz Prem...just to get even more telemetry.
 
Interesting in that their "Real World" testing has been placing Windows Defender in the top 10, consistently, for years now. So have a number of other testing labs.

I'm actually surprised that Microsoft hasn't made Windows Defender "integrateable" with RMMs and/or Microsoft 365 Tenants (and the latter is probably supported, but since that's not something I deal with at all routinely my knowledge is limited).

I've been advising residential and micro-business clients to stick with Windows Defender since fairly early in the Windows 10 era. That's when it rose into the top 10 in test results consistently, and never left, often beating out more respected third-party products.

None of these holds its relative position in the top 10 across testing cycles. They all move up and down a bit at times depending on exactly what's being tested on what date and time. But Windows Defender has consistently stayed in the top 10 and very often lands in the top 5.
 
I'm actually surprised that Microsoft hasn't made Windows Defender "integrateable" with RMMs and/or Microsoft 365 Tenants (and the latter is probably supported, but since that's not something I deal with at all routinely my knowledge is limited).
Microsoft’s naming conventions don’t make this easy.

Defender for Windows is the built-in, free security platform included with Windows 11 and modern Windows Server versions. It provides antivirus and core OS-level protections out of the box.

Defender for Endpoint, by contrast, is a licensed cloud security service. On modern Windows versions, you don’t install a separate agent because the MDE sensor is already built into the OS. Once the device is onboarded to your M365 tenant and the appropriate license is present, the advanced EDR and XDR capabilities simply light up. At that point, the device immediately begins integrating with the Defender XDR portal because the cloud components are already part of the platform. No additional installation steps are required. Onboarding and licensing unlock the full feature set.

RMM platforms can integrate with Defender for Endpoint, and many of them do. However, one of the core architectural principles of MDE is that all security telemetry and control remain inside the customer’s own Microsoft 365 tenant. Microsoft’s model is that the Defender XDR portal is the authoritative home for telemetry, analytics, and automated response. Third-party tools can consume this data through APIs, but they are not intended to be the primary storage or control plane for it. In practice, this keeps ownership of the security data within the customer’s estate while still allowing external tools to integrate where appropriate.

It’s all about supply chain risk management at this point. But when you put those design philosophies up against Microsoft’s naming conventions, things get confusing fast.

Another idea that consistently throws people is the EDR / MDR / XDR terminology.

EDR = Endpoint Detection and Response
MDR = Managed Detection and Response
XDR = Extended Detection and Response

Different vendors use these terms differently, and Microsoft’s usage doesn’t line up with how many other vendors structure their stacks.

In Microsoft’s world:

EDR is the endpoint detection and response capability in Microsoft Defender for Endpoint.
MDR is a service layer delivered by Microsoft or a partner on top of Defender, meaning a SOC monitoring and responding using Microsoft’s tools.
XDR is Microsoft Defender XDR, which correlates signals across endpoints, identities, email, SaaS, and cloud workloads.

Then there's the fourth layer: Microsoft Sentinel, the full SIEM and SOAR.

In other vendors’ worlds, the same acronyms often describe a different layering:

EDR is the endpoint agent.
XDR is that EDR extended to the cloud for central management and correlation.
MDR is a SOC monitoring that XDR platform.

Same letters, different meanings depending on who you’re talking to. Clear as mud.
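As an added example (not part of the post above), the following PowerShell shows how a technician can tell which of the layers just described is actually live on a given machine: the built-in Defender Antivirus state from the stock Get-MpComputerStatus cmdlet, and whether the Defender for Endpoint sensor (the "Sense" service) has been onboarded to a tenant, read from the OnboardingState value Microsoft documents for that purpose. Everything here uses cmdlets and keys shipped with Windows; the function name and the 7-day signature threshold are this example's own choices.

```powershell
# Added example: report which Defender layer is live on this machine.
# Run in an elevated PowerShell session on Windows 10/11 or Windows Server.
# Uses only the built-in Defender module (Get-MpComputerStatus) and the
# MDE onboarding status key documented by Microsoft.

function Get-DefenderLayerReport {
    [CmdletBinding()]
    param()

    # Layer 1: built-in Microsoft Defender Antivirus.
    $av = Get-MpComputerStatus

    # Layer 2: Defender for Endpoint sensor. The service is present on every
    # modern Windows build but only runs once the device has been onboarded.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                   -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AntivirusEnabled   = $av.AntivirusEnabled
        RealTimeProtection = $av.RealTimeProtectionEnabled
        TamperProtection   = $av.IsTamperProtected
        # "Normal" = Defender AV is the primary engine; "Passive Mode" = a
        # third-party AV owns real-time protection and Defender only reports.
        AMRunningMode      = $av.AMRunningMode
        SignatureAgeDays   = (New-TimeSpan -Start $av.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotPresent' }
        MdeOnboarded       = ($onboarding -eq 1)
    }
}

$report = Get-DefenderLayerReport
$report | Format-List

# Sanity checks a technician would want before trusting the box.
if (-not $report.RealTimeProtection) { Write-Warning 'Real-time protection is off.' }
if ($report.SignatureAgeDays -gt 7)  { Write-Warning "Signatures are $($report.SignatureAgeDays) days old." }
if (-not $report.MdeOnboarded) {
    Write-Output 'Built-in Defender only: this device is not onboarded to Defender for Endpoint.'
}
```

The distinction the report draws matches the post: a machine with AntivirusEnabled true and MdeOnboarded false is running the free, built-in layer only, while MdeOnboarded true means the same sensor is now reporting into a tenant's Defender XDR portal and the licensed EDR features are in play.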
 
@Sky-Knight,

Great exposition of the issue(s). But, and no snark is intended, this is different than Microsoft's usual "clear as mud" naming conventions over the years in what way?

Windows Defender itself has been reused as branding for security solutions that were pure garbage up through what exists today. What in God's name is Outlook? [Always loved this article: Too many Microsoft Outlooks - we explain them all (last updated March 2026)].

I am really so glad I am no longer a part of the corporate world where I have to figure out what Microsoft's calling something this week or trying to make any sense about how its stuff fits together. Absolutely insane. Residential clients are a breeze to deal with compared to the acronym effluvium that's endlessly generated by Microsoft. I signed up for M365 Message Center Updates and I challenge anyone who receives these to claim they can make heads or tails out of anything but a very select subset of what they contain, depending on what their "area of practice" happens to be within an organization. And I certainly stopped believing that anyone at Microsoft (or anywhere, really) could possibly even have a coherent management overview of their entire product line. There are so many branches out to the leaves on their product trees that no one could possibly keep track of most of them.
 
It is more the RMMs that integrate with the AV. The one we use, SyncroMSP, actually can manage it now as an option.
What flavor of Defender works with SyncroMSP now? In other words, what does the end customer need:

1 - Windows 11 Home
2 - Windows 11 Pro
3 - Windows 11 Pro with Microsoft 365 Business Standard
4 - Windows 11 Pro with Microsoft 365 Business Premium
5 - something else

edit: answering my own question:


announcement that links to the above page:
 
@Sky-Knight,

Great exposition of the issue(s). But, and no snark is intended, this is different than Microsoft's usual "clear as mud" naming conventions over the years in what way?

It doesn't... that's the point. Microsoft's product catalogue remains a near impassable labyrinth.

But in this case I wasn't just trying to point out what Microsoft was doing, I was trying to point out what everyone else is doing too... because they're all doing the same things... differently.

EDR, MDR, and XDR... easy alphabet soup to define. The words are easy. But the solutions that map to the words are vendor-specific... and every vendor, Microsoft included, is confusing because they want to sell security in layers to get you to pay more instead of developing a cohesive product that's simple and effective.
 
This is interesting. But I wonder if it would be of value to any of my clients. I have hundreds of endpoints in Syncro. But when I think about Defender I'm not sure I've ever seen it do anything useful. Not that I don't think Windows users should have it on. But most "threats" in my mind are users enabling notifications in the browser or they install OneLaunch or some other goofy adware type program.
 
But when I think about Defender I'm not sure I've ever seen it do anything useful.

Then you've either been very lucky (more likely) or are not paying attention.

People are still doing some really stupid things, particularly of the button or link-clicking variety, that would cause malware of all sorts to be installed. But the advent of "scan on download" technology on the part of virtually every security/antivirus suite, and instant quarantining/removal of such before it can ever touch anything, has been a godsend. Evidence of this having happened can be found in the logs on almost any machine I've ever touched. But when the damage is prevented, there's little use in looking for the evidence of prevention. These security suites are more akin to vaccinations than medication after the fact.
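The "evidence in the logs" the post refers to is easy to pull. The PowerShell below is an added example, not the poster's own, and reads two built-in sources: Defender's detection history (Get-MpThreatDetection, with Get-MpThreat supplying the threat names) and the Microsoft-Windows-Windows Defender/Operational event log, where event 1116 records a detection and 1117 records the action Defender took. The function name and the 90-day default window are this example's own choices.

```powershell
# Added example: collect the evidence of prevented detections on a machine.
# Requires an elevated session; uses only cmdlets shipped with Windows.

function Get-DefenderDetectionEvidence {
    [CmdletBinding()]
    param(
        [int]$Days = 90   # look-back window, chosen for this example
    )
    $since = (Get-Date).AddDays(-$Days)

    # Map ThreatID -> human-readable name from Defender's threat catalogue.
    $names = @{}
    foreach ($t in (Get-MpThreat -ErrorAction SilentlyContinue)) {
        $names[$t.ThreatID] = $t.ThreatName
    }

    # Detection history: one record per hit, with the file/process involved
    # and whether the remediation (quarantine/remove) succeeded.
    $history = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                Threat        = $names[$_.ThreatID]
                Resources     = ($_.Resources -join '; ')
                Process       = $_.ProcessName
                ActionSuccess = $_.ActionSuccess
            }
        }

    # Event log: 1116 = detection, 1117 = protective action performed.
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 1116, 1117
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        WindowDays = $Days
        Detections = @($history)
        Events     = @($events)
    }
}

$evidence = Get-DefenderDetectionEvidence -Days 90
"Detections in the last $($evidence.WindowDays) days: $($evidence.Detections.Count)"
$evidence.Detections | Sort-Object Detected    -Descending | Format-Table -AutoSize
$evidence.Events     | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

A machine where both lists are empty over a long window is the "very lucky" case the reply describes; more commonly the 1117 events show downloads that were quarantined before the user ever ran them, which is exactly why the prevention leaves no visible damage to notice.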
 
Woody's newsletter this morning included an article on EDR by Brian Livingston. I don't think a link to my subscription page would work here, but his top 2 EDR suites were Bitdefender GravityZone and Microsoft Defender for Endpoint Plan 2.
 