Windows Defender Antivirus seem to be fully capable as functioning as the preferred and only antivirus solution

I had a session at the Microsoft Tech Summit in Stockholm, presenting the new Security Features in Windows 10 Fall Creators Update (1709). After the session, I had a handful of questions about Windows Defender Antivirus, and because I often get similar question, I will share my view on the capability of Windows Defender Antivirus.


Why pay for a yearly subscription from a third-party antivirus provider, when Windows Defender Antivirus seem to cover almost all threats?

Would you say that Windows Defender Antivirus is enough, or what benefits would companies, as well private individuals, gain from adding another antivirus solution?

By answering those questions, I am fully aware I am moving into holy grounds, and I should know as I spend ten (10) years managing a third-party antivirus solution, and I loved it – still do!

However, the short answer is: Yes!

The longer answer is: It depends.

Let me elaborate a bit further on those answers.

Keeping your PC safe with a trusted antivirus protection is your main concern. Using the built-in to Windows 10, Windows Defender Antivirus, gives you some benefits, hereunder automatic update using Microsoft Update technologies. However, there’s a catch. To manage Windows Defender Antivirus, you need either System Center Configuration Manager or Microsoft Intune. By managing I am referring to reporting as configuration can be done in several ways, using:

  • Microsoft System Center Configuration Manager
  • Microsoft Intune
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Group Policy

It will be possible to monitor alerts using other means than Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune, e.g. by using Windows Event Forwarding Server or Windows Analytics. However, these solutions will highly reduce your response time and will primarily give you some simple reporting.

The problem with antivirus, is the fact that most traditional antivirus solution is monitoring for file-based attacks and do nothing to prevent (or even detect) non-malware attacks, providing attackers with a point of entry that goes completely overlooked.

Traditional AV and machine-learning AV are designed to only identify threats when a file is written to disk or read from disk. Since they only look at the attributes of an executable file, they are completely blind in the face of attacks where no files are involved, especially when organizations are relying on legacy AV or traditionally Application Control as Microsoft Application Locker (AppLocker) or similar (I highly recommend Windows AppLocker).

Running legacy AV and machine-learning AV is not enough, you need to be able to monitors the activity of applications and services, including communications between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels and monitor and analyzes the relationships among events.

With Windows 10 Fall Creators Update (1709), Microsoft introduced Windows Defender Exploit Guard (WDEG). As such, you can now audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center (WDSC) or using any of the configuration options mentioned above.

There are four features in Windows Defender Exploit Guard (WDEG):

  • Exploit Protection
  • Attack Surface Reduction (ASR)
  • Network Protection
  • Controlled Folder Access

Be aware all components but Exploit protection, does requeue Windows Defender Antivirus as your primary antivirus product.

To further increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with Windows Defender Application Control (WDAC).

And to tie a perfect knot I always recommend using Windows Defender SmartScreen, Windows Defender BitLocker, Windows Defender Firewall, Windows Defender Credential Guard and ensure end user do not have administrative privileges (at least on domain joined devices).

To get back to the questions that started this rant. I would recommend Windows Defender Antivirus any day, at a minimum you should consider the option if you already pay for the licenses. If you already have Microsoft System Center Configuration Manager (SCCM) and/or Microsoft Intune in place, it is a no-brainer and you should consider using Windows Defender Antivirus over third party antivirus products.

However, I did state “It depends”. So, if you do not have a management option in place or you are running down-level versions of Windows, or even running Windows 10 prior Windows 10 Fall Creators Update (1709) I would recommend you keep your third-party antivirus product a little longer – and please be advised some Windows 10 (1709) features does require Windows 10 Enterprise Edition.

However, if you Windows Platform is based on Windows 10 Fall Creators Update (1709) or above and you are prepared to start using the new security layers which is built in to Windows you will get a rock-solid platform with multiple security layers, meaning if one layer gets breached the next layer is kicking in!


Windows Defender Antivirus in Windows 10 and Windows Server 2016:

Windows Defender Exploit Guard:

Windows Defender Application Control:

Protect derived domain credentials with Windows Defender Credential Guard:

Windows Defender Firewall with Advanced Security:

Windows Active Defense:

What is a Non-Malware (or File less) Attack?

Microsoft Tech Summit 2018, Stockholm

I would like to say thank you, to everybody who attended the Microsoft Tech Summit 2018, Stockholm. It was an awesome setup and an great event with lots of great sessions.

It is always an pleasure and a honor to to get the opportunity to speak at a Microsoft event. So thank you for attending and for making speaking at the event a great experience!

The session and slide deck was originally presented at Microsoft Ignite 2017. Throughout the presentation updated information and links was used. Unfortunately I am not allowed to share the slide deck, however as promised during the session, please find notes and links below.

Microsoft Tech Summit 2018, Stockholm, April 17 – April 18, 2018 [Link]

Session name: What’s new in Windows 10 security? Raising the bar of security once again with the Fall Creators Update!

Session Code: BRK2037

Session room: C2

Session link:


Hardening the system and maintaining integrity with Windows Defender System Guard

Windows Defender Application Guard overview

Testing scenarios using Windows Defender Application Guard in your business or organization

Windows Defender Application Control

Windows Defender Exploit Guard

Reduce attack surfaces with Windows Defender Exploit Guard

Troubleshoot Attack surface reduction rules

Windows Defender Exploit Guard requirements

Each of the features in Windows Defender Exploit Guard have slightly different requirements:


Windows Defender Antivirus Real-time protection

Exploit protection

Attack surface reduction

Network protection

Controlled folder access

Table 1. Windows Defender Exploit Guard requirements

What’s new in Microsoft Intune Week of March 12, 2018 – New Windows Defender Exploit Guard settings—1631893—

Protect important folders with Controlled folder access

Windows Defender Advanced Threat Protection – Intelligence-driven protection, detection, and response

Big news in our drive to eliminate passwords: FIDO2 / WebAuthn Reaches Candidate Recommendation status!

Enable Microsoft Windows Hello for Business in your organization

Enable Windows 10 Multifactor Authentication with Windows Hello Multifactor Device Unlock & Microsoft Intune

Notes from the field

  1. Get you Proof of Concept (PoC) started, enable Audit Mode for all solutions to start collecting insights
  2. Utilize a suitable solution for collecting Audit events from local event-logs e.g. using Windows Event Forwarding (WEF):
  3. STOP using Domain Admins accounts!
  4. Ensure to have local accounts protected, e.g. Administrator account by enabling random password solution, e.g. using Microsoft Local Administrator Solution (LAPS):
  5. Be prepared to respond to business complaints and be ready to remediate issues (have a “backup” plan)
  6. Start logging activity from your devices, see Security baseline for Windows 10 v1803 “Redstone 4” – DRAFT:
  7. Security baseline for Office 2016 and Office 365 ProPlus apps – FINAL: 8. Visit Windows Active Defense web site to start your test: