Windows Defender Antivirus seems fully capable of functioning as the preferred and only antivirus solution

I had a session at the Microsoft Tech Summit 2018 in Stockholm, presenting the new security features in Windows 10 Fall Creators Update (1709). After the session, I had a handful of questions about Windows Defender Antivirus, and because I often get similar questions, I will share my view on the capability of Windows Defender Antivirus.


  • Why pay for a yearly subscription from a third-party antivirus provider, when Windows Defender Antivirus seems to cover almost all threats?
  • Would you say that Windows Defender Antivirus is enough, or what benefits would companies, as well as private individuals, gain from adding another antivirus solution?

By answering those questions, I am fully aware I am moving onto holy ground, and I should know, as I spent ten (10) years managing a third-party antivirus solution, and I loved it – still do!

However, the short answer is: Yes!

The longer answer is: It depends.

Let me elaborate a bit further on these answers.

Keeping your PC safe with trusted antivirus protection is your main concern. Using Windows Defender Antivirus, which is built into Windows 10, gives you some benefits, among them automatic updates through Microsoft Update. However, there is a catch. To manage Windows Defender Antivirus, you need either System Center Configuration Manager or Microsoft Intune. By managing I am referring to reporting, as configuration can be done in several ways, using:

  • Microsoft System Center Configuration Manager
  • Microsoft Intune
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • Group Policy

It is possible to monitor alerts using means other than Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune, e.g. a Windows Event Forwarding server or Windows Analytics. However, these solutions will slow down your response considerably and will primarily give you some simple reporting.
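The configuration and reporting split described above, as an added example that is not from the original post: the same Windows Defender Antivirus state read through the Defender PowerShell module and through WMI (the interface SCCM/Intune inventory uses), plus the minimal detection report you get without a management product. It assumes Windows 10 1709 or later and an elevated prompt; the function names are my own.

```powershell
# Added example: health and detection reporting for Windows Defender Antivirus.
function Get-DefenderHealth {
    $s = Get-MpComputerStatus      # engine/signature/scan state
    $p = Get-MpPreference          # effective configuration
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EngineRunning      = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
        CloudProtection    = ($p.MAPSReporting -ne 0)   # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission   = $p.SubmitSamplesConsent    # 0 prompt, 1 safe, 2 never, 3 all
    }
}

# Same data via WMI: this is what SCCM/Intune and most monitoring agents read.
function Get-DefenderHealthViaWmi {
    Get-CimInstance -Namespace 'root\Microsoft\Windows\Defender' -ClassName MSFT_MpComputerStatus |
        Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge, QuickScanEndTime
}

# Minimal local "reporting": detections in the last N days, oldest first.
function Get-RecentDetections([int]$Days = 7) {
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InitialDetectionTime |
        Select-Object InitialDetectionTime, ProcessName, ActionSuccess,
                      @{ n = 'Resources'; e = { $_.Resources -join ';' } }
}

# One configuration change done the PowerShell way: turn on cloud-delivered
# protection (MAPS) with safe-sample submission if it is currently disabled.
function Enable-CloudProtection {
    if ((Get-MpPreference).MAPSReporting -eq 0) {
        Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    }
}

Get-DefenderHealth | Format-List
Get-DefenderHealthViaWmi | Format-List
Get-RecentDetections -Days 30 | Format-Table -AutoSize
```

Run on several machines this gives you a spreadsheet, not a console; that gap is the reporting the post refers to.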

The problem with antivirus is that most traditional antivirus solutions monitor for file-based attacks and do nothing to prevent (or even detect) non-malware attacks, giving attackers a point of entry that goes completely overlooked.

Traditional AV and machine-learning AV are designed to identify threats only when a file is written to or read from disk. Since they only look at the attributes of an executable file, they are completely blind in the face of attacks where no files are involved, especially when organizations rely on legacy AV or on traditional application control such as Microsoft AppLocker or similar (I highly recommend Windows AppLocker).

Running legacy AV and machine-learning AV is not enough. You need to be able to monitor the activity of applications and services, including communication between processes, inbound and outbound network traffic, unauthorized requests to run applications, and changes to credentials or permission levels, and to monitor and analyze the relationships among those events.

With Windows 10 Fall Creators Update (1709), Microsoft introduced Windows Defender Exploit Guard (WDEG). As such, you can now audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center (WDSC) or using any of the configuration options mentioned above.

There are four features in Windows Defender Exploit Guard (WDEG):

  • Exploit Protection
  • Attack Surface Reduction (ASR)
  • Network Protection
  • Controlled Folder Access

Be aware that all components except Exploit Protection require Windows Defender Antivirus as your primary antivirus product.
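Putting the three Defender-dependent Exploit Guard components into audit mode, as an added example that is not from the original post. It assumes Windows 10 1709 or later and an elevated prompt; the function names are mine, and the rule GUIDs are taken from Microsoft's published ASR rule list and should be checked against current documentation before deployment.

```powershell
# Added example: enable ASR, Network Protection and Controlled Folder Access in
# audit mode, after confirming Windows Defender Antivirus is the active engine.

# Three of the ASR rules shipped with 1709 (name => GUID, from Microsoft docs).
$asrRules = @{
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'  = '3B576869-A4EC-4529-8536-B80A7769E899'
}

function Test-DefenderIsPrimaryAv {
    # With a third-party AV registered, Defender drops to passive mode and
    # real-time protection reports $false; that is the signal used here (assumption).
    $s = Get-MpComputerStatus
    return [bool]($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled)
}

function Enable-ExploitGuardAuditMode {
    if (-not (Test-DefenderIsPrimaryAv)) {
        throw 'Windows Defender Antivirus is not the primary AV; ASR/NP/CFA settings would not take effect.'
    }
    # AuditMode = log what would have been blocked (event 1122) without blocking.
    foreach ($guid in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions AuditMode
    }
    Set-MpPreference -EnableNetworkProtection AuditMode        # logs event 1125
    Set-MpPreference -EnableControlledFolderAccess AuditMode   # logs event 1124
}

function Get-ExploitGuardState {
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)   # 0 Disabled, 1 Block, 2 Audit
    [pscustomobject]@{
        AsrRules               = for ($i = 0; $i -lt $ids.Count; $i++) { "$($ids[$i])=$($acts[$i])" }
        NetworkProtection      = $p.EnableNetworkProtection       # 0 Disabled, 1 Enabled, 2 Audit
        ControlledFolderAccess = $p.EnableControlledFolderAccess  # 0 Disabled, 1 Enabled, 2 Audit
    }
}

Enable-ExploitGuardAuditMode
Get-ExploitGuardState | Format-List
```

Switch a rule from AuditMode to Enabled only after its audit events have been reviewed; the same cmdlets take Enabled in place of AuditMode.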

To further increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with Windows Defender Application Control (WDAC).

And to tie a perfect knot, I always recommend using Windows Defender SmartScreen, Windows Defender BitLocker, Windows Defender Firewall and Windows Defender Credential Guard, and ensuring end users do not have administrative privileges (at least on domain-joined devices).

To get back to the questions that started this rant: I would recommend Windows Defender Antivirus any day; at a minimum you should consider the option if you already pay for the licenses. If you already have Microsoft System Center Configuration Manager (SCCM) and/or Microsoft Intune in place, it is a no-brainer, and you should consider using Windows Defender Antivirus over third-party antivirus products.

However, I did state “It depends”. So, if you do not have a management option in place, or you are running down-level versions of Windows, or even Windows 10 prior to Windows 10 Fall Creators Update (1709), I would recommend you keep your third-party antivirus product a little longer – and please be advised that some Windows 10 (1709) features do require Windows 10 Enterprise Edition.

However, if your Windows platform is based on Windows 10 Fall Creators Update (1709) or above and you are prepared to start using the new security layers built into Windows, you will get a rock-solid platform with multiple security layers, meaning that if one layer gets breached the next layer kicks in!

Microsoft Tech Summit 2018, Stockholm

I would like to say thank you to everybody who attended the Microsoft Tech Summit 2018, Stockholm. It was an awesome setup and a great event with lots of great sessions.

It is always a pleasure and an honor to get the opportunity to speak at a Microsoft event. So, thank you for attending and for making speaking at the event a great experience!
The session and slide deck were originally presented at Microsoft Ignite 2017.

Throughout the presentation updated information and links were used. Unfortunately, I am not allowed to share the slide deck; however, as promised during the session, please find notes and links below.

Microsoft Tech Summit 2018, Stockholm, April 17 – April 18, 2018
Session name: What’s new in Windows 10 security? Raising the bar of security once again with the Fall Creators Update!
Session Code: BRK2037
Session room: C2

Notes from the field

  1. Get your Proof of Concept (PoC) started; enable Audit Mode for all solutions to start collecting insights
  2. Utilize a suitable solution for collecting audit events from local event logs, e.g. using Windows Event Forwarding (WEF):
  3. STOP using Domain Admins accounts!
  4. Ensure local accounts are protected, e.g. the Administrator account, by enabling a random password solution such as Microsoft Local Administrator Password Solution (LAPS)
  5. Be prepared to respond to business complaints and be ready to remediate issues (have a “backup” plan)
  6. Start logging activity from your devices, see Security baseline for Windows 10 v1803 “Redstone 4” – DRAFT:
  7. Implement Security baseline for Office 2016 and Office 365 ProPlus apps – FINAL:
  8. Visit the Windows Active Defense web site to start your test:
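Notes 1 and 2 above (audit mode first, then collect the audit events) as an added example that is not from the original post: reading the Exploit Guard audit events from the local Defender operational log, or from the ForwardedEvents log on a Windows Event Forwarding collector, and rolling them up per rule and process. It assumes Windows 10 1709 or later; the event IDs (1122 ASR audit, 1124 Controlled Folder Access audit, 1125 Network Protection audit) are Microsoft's, while the event-data field names used below are an assumption and may need adjusting to your build.

```powershell
# Added example: triage Windows Defender Exploit Guard audit-mode events.
$auditIds = @{ 1122 = 'ASR'; 1124 = 'ControlledFolderAccess'; 1125 = 'NetworkProtection' }

# XPath for the local query; the same filter can be pasted into a WEF
# subscription so the collector only pulls these three event IDs.
$xpath = '*[System[(EventID=1122 or EventID=1124 or EventID=1125)]]'

function Get-ExploitGuardAuditEvents {
    param(
        [int]$Days = 7,
        # Use 'ForwardedEvents' when running this on a WEF collector.
        [string]$LogName = 'Microsoft-Windows-Windows Defender/Operational'
    )
    $since = (Get-Date).AddDays(-$Days)
    try {
        $events = Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction Stop |
                  Where-Object { $_.TimeCreated -gt $since }
    } catch [System.Diagnostics.Eventing.Reader.EventLogNotFoundException] {
        Write-Warning "Log '$LogName' not found on this host"; return @()
    } catch {
        # Get-WinEvent throws when the filter matches nothing; treat as empty.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Host      = $e.MachineName
            Component = $auditIds[$e.Id]
            Rule      = $data['ID']             # ASR rule GUID; empty for CFA/NP (assumed field name)
            Process   = $data['Process Name']   # assumed field name
            Target    = $data['Path']           # assumed field name
            User      = $data['User']           # assumed field name
        }
    }
}

# Roll-up by component, rule and process: the list to review with the business
# (note 5) before any rule is moved from AuditMode to Enabled.
function Get-AuditSummary([int]$Days = 7, [string]$LogName = 'Microsoft-Windows-Windows Defender/Operational') {
    Get-ExploitGuardAuditEvents -Days $Days -LogName $LogName |
        Group-Object Component, Rule, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-AuditSummary -Days 30 | Format-Table -AutoSize
```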