Domain Env: Defender now or wait for MCP?

[Guest]

Hi group,

I’m trying to decide weather or not Windows Defender is sensible to pursue
for our domain environment of ~700 computers. In the course of looking at
this, I also found Microsoft Client Protection….

We are currently using AD 2003, and from what I’ve read, it _is_ possible to
install Defender via GPO, but the user will still see _some_ graphical
progress (def. downloads, etc…). That doesn’t sound very ZTI to me. It’s also
been made clear that Defender will not be centrally manageable. I have even
seen a newsgroup poster explaining Defender blocking his SMS client install,
which is of particular concern for me since we plan on rolling our SMS in the
very near future.

MS Client Protection, on the other hand, is the “target†package for our
situation. I understand that it includes all of the features of Defender, but
manageable, and probably neatly dressed for SMS. However, we already have a
working AV solution, and it’s difficult to justify abandoning a working
solution for something we’re going to incur additional expenses for.

…so, I’m stuck. Defender doesn’t look like roses in a managed environment,
and I _really_ want to avoid spending more money on software this year. Yet,
MS’s Anti-Spyware/Anti-Rootkit technology seems prudent.

General thoughts anyone?

 

[Bill Sanderson MVP]

I think you've laid things out pretty accurately, as far as I can see--those
are all thoughts I have had about this question. (I should say that I work
in an SBS environment--mostly 25 or fewer machines to a client office--so
management is easier, and MCP seems less likely to be an economical option.)

The one detail I'd quibble with is that definition updates should be
automatic and without UI (except perhaps balloons)--but that requires that
AutoUpdate reach either a WSUS server whose Admin has taken the right steps
to enable distribution of Windows Defender definitions, or Microsoft's
servers.

The issue of the user being able to block an SMS client install is dead
right, I believe.

Last I heard, the suggested route for getting further information about
possible beta opportunities with Microsoft Client Protection were to "talk
to your TAM (technical account manager?) " or other Microsoft rep associated
with your company.

There is a link from the Microsoft Client Protection home page to register
for a future beta:

http://www.microsoft.com/windowsserversystem/solutions/security/clientprotection/default.mspx

But I don't see any information indicating when that beta is likely to
become available.

Thanks for this thoughtful post--I'd love to see it repeated in .networking
as well--that's a group that other network administrators seem to read.

 

[Guest]

you said...
....":decide weather or not Windows Defender is sensible to pursue for our
domain environment of ~700 computers. ..

install Defender via GPO, but the user will still see _some_ graphical

Defender will not be centrally manageable. ..hich is of particular concern
for me .

MS Client Protection, on the other hand, is the "target" package for our
situation. I understand that it includes all of the features of Defender,
but> working AV solution, and it's difficult to justify abandoning a working
solution for something we're going to incur additional expenses for.
Defender doesn't look like roses in a managed environment,
and I _really_ want to avoid spending more money on software
MS's Anti-Spyware/Anti-Rootkit technology seems prudent.

General thoughts?"

====================================
THOUGHTS...I wonder if the beta anything is worth the hassl;e and time to
get it to work right on 700 machines when just keep up with my one is
causing me to reconsider its value...especiall;y given your comments...
Scott
====================================================