Microsoft product reviews

Review: Microsoft Windows Defender comes up short

Windows 10 anti-virus tool works well for consumer devices, but management quirks limit its enterprise usefulness.

shield protection
Henri Bergius (CC BY-SA 2.0)

Microsoft’s latest version of its anti-malware tool, Windows Defender, is a frustrating product to evaluate. Yes, it is perhaps the best antivirus tool to come from Microsoft, with a series of noteworthy improvements. Yes, it provides good enough protection for your family’s PCs. And yes, it could be your PC’s sole antivirus utility, if you are willing to accept its limitations.

However, once you examine the product in more detail, you will see why we cannot recommend it for enterprise use. And that is the frustration of this product: Microsoft is trying to do the right thing and offers a tempting feast, but ultimately offers an incomplete meal that is tough to digest.

We deliberately infected several Windows 10 PCs with a variety of malware samples. Each time, Defender found the infection and neutralized it automatically. A user literally has nothing to do to protect their computer. That’s the good news. The bad news is what happens under the covers and how an enterprise IT manager has to deal with Defender’s quirks.

Windows Defender is the natural successor to the Windows System Center Endpoint Protection (WSCEP) client that came with earlier Windows versions. However, there is no separate client for WSCEP now, because if you run Windows 10 and you have updated to the Anniversary Edition, Defender is included for free.

This new version of Defender contains several improvements, including protecting your OS after booting (called Early Launch Anti-malware), better user account control integration and protection, better post-breach detection, and a change in how the tool is managed.

The management process is a perfect example of the best and worst of Windows Defender. The simplest action is to do nothing and let Defender manage itself. Clearly, this is one of the reasons behind the design of the product: Microsoft wanted something that would protect the vast majority of unsophisticated users who don’t know or don’t care about their security posture. Defender will download signature updates as part of the normal Windows update process, eventually.

But that isn’t acceptable to most corporate users, who want to play a more active role in their endpoint security and don’t want to clog up their network pipes with multiple Windows updates. Microsoft has designed several ways for these updates to be realized, but all of them involve a series of compromises. These are similar to the ways that the Windows OS updates itself. You can set up a file share, use the Windows Server Update Services (WSUS) to distribute them across your local network, using the cloud-based Microsoft Update Server itself, or the Malware Protection Center portal page. All of these options are explained carefully on this Technet link.

Speaking of portals, you also need to register each user to the Advanced Threat Protection Portal to enable this feature. According to Microsoft, you need to be an Enterprise E5 customer to be eligible for this feature.

Most modern antivirus products automatically update their signatures with about three mouse clicks, at least upon initial configuration. With Defender, these updates are more painful and certainly more complex. You do need to read the fine print to understand how to manage it and configure its updates, depending on which of the methods outlined above you choose.

Speaking of updates, figuring out the actual version number of Defender is another frustration. All of my PCs reported different version numbers, such as 4.8.10240.16384 or 4.10.14393.0. And this is just the antimalware client version that is reported. There are other numbers for the main and network inspection engine versions and signature definition versions for antimalware, network definitions and antispyware. All of these version numbers are inconsistent, even after you apply the latest updates. Generally speaking, you want to be running Windows 10 OS version 1607 to get the most recent version.

Next, Defender is somewhat inconsistent as to whether it is actively protecting your PC or not, and figuring that out will require you to do some major detective work. For enterprise IT managers who already have plenty on their plates, this is perhaps the single biggest drawback to using Windows Defender.

There are several issues here: When Defender says it is active in its own Settings screen, that may not be entirely accurate. When you first install Defender, there are three slider switches (see below), for real-time protection, for cloud-based protection, and for virus sample submission:

Microsoft defender Microsoft

Defender settings screen

Defender actually has two different states: active and passive. Active means that it is the only antivirus tool installed on your endpoint and that it has been updated properly.

However, even if all three switches in the settings screen seen above are turned “on,” that doesn’t mean Windows Defender is actually active. You need to ensure that the various group policy settings in the Group Policy Management Console and System Center Configuration Manager Console have configured properly. Finally, you need to go to the Task Manager to see if its executables are running.

If that sounds like a lot of work to get things setup, you are right. You probably already use most if not all of these products to manage your Windows installation, but you will need to familiarize yourself with the various settings that are specific to the security policies.

If you skip any of these steps, or do them incorrectly, or forget that you have already a third-party antivirus installed (or if one of your users independently installs their own antivirus), Defender moves into what Microsoft calls its passive mode.

This means that Defender will “continue to run and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware,” (according to this Technet article). If you try to run Defender from the main Windows desktop during this time, it should tell you that it has been turned off.

So, running some other antivirus tool might force Defender to turn itself off. This issue isn’t entirely Microsoft’s fault, since antivirus tools are designed to avoid stepping on each other.

Once the offending third-party antivirus tool is removed, Defender will resume its normal activities. But lets say you have a lot of endpoints to manage, and some user installs SomeOddballFreeAV on one of them. You will have to track that down and fix that situation pronto if you are counting on Defender’s defenses.

The transition from active to passive Defender doesn’t always happen immediately. I installed the Sophos agent for its cloud-based Central Endpoint Protection service on my Windows 10 PC, and you can see from this screen shot that both it and Defender are running.

After several days, Defender turned itself off when it finally detected the Sophos client. When we called Sophos, they recommended using their newest AV tool, Intercept X. When I installed this latter agent, Defender shut off immediately. Sophos couldn’t explain this.

Windows task manager Microsoft

Windows Task Manager showing Defender and Sophos programs running concurrently.

There is another issue, and that is what happens if you actually want to turn Defender off. You can’t just flip any of the switches shown in the Settings or app interfaces. Instead, you have to run a series of registry hacks or go back to the changes you made in your various group policies. The TenForums folks have detailed instructions here on how to actually turn it off. This seems to me to be a major drawback: IT has enough issues with getting rid of user-downloaded apps as it is to have to hunt around for turning off something that is coming from Redmond.

Finally, Defender lacks the overall single pane of glass management screen that many endpoint products offer in spades. There are various management status screens on the various Microsoft portals, but you can’t see a single summary of your entire network and which PCs have been infected and remediated. Microsoft would claim this is a benefit – since you are using its existing management tools or group policies and don’t have to learn anything new – but I would disagree.

Taken together, these issues make Defender unacceptable for enterprise use. It is hard to track, hard to configure, hard to remove and hard to manage in a typical enterprise environment.

It might be all the antivirus that a home user needs, but when it comes to the business world, you are better off with something else.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at and you can follow him on Twitter @dstrom. He lives in St. Louis.

How we tested Windows Defender

I tested Defender on several different PCs: an older HP laptop, a more modern HP desktop, and several VMs that were either installed from the Windows 10 Anniversary ISO DVD or upgraded from the original Windows 10 installations. I then re-ran the Windows Update several times to ensure that all components were at their most current versions. (Running the update once usually wasn’t sufficient.)

To control Defender’s behavior on a typical enterprise network, I ran Windows SUS v3.0 SP2 server on a Windows Server 2008 r2 VM, which also required a full IIS installation, MS Report Viewer Redistributable 2008, and .Net Framework v2. (Specifications for getting this setup properly are described here.)

Copyright © 2017 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022