Chapter 6. Configuring and Troubleshooting Performance and Advanced Protection

In this chapter, we will cover the following recipes:

  • What you need to consider when running antimalware on your computer
  • Configuring Endpoint Protection or Defender for Windows 10
  • Integrating Endpoint Protection with OS deployment
  • What you need to consider regarding BitLocker and Endpoint Protection

Introduction

Higher security often comes at the cost of increased complexity and reduced usability. Encryption, certificates, security codes, strong passwords, and malware scanning on disk or network are all factors that increase complexity and require good management solutions.

In my experience, antimalware products that score very high and provide high security make the machine run so slowly that it's a pain to try doing anything productive on it. Then, there isn't really a good balance between performance and safety, but you want to be safe too.

With System Center Configuration Manager version 1610, there is a new Endpoint Protection feature named Cloud Block Level; this is a brand new, undocumented feature that basically lowers the bar to get malware blocked. Now, this is great; it means we can adjust the protection level in the Endpoint Protection policy. So, why don't we just set it to the highest protection without thinking any more about it? Well, this feature needs to be carefully adjusted and developed by Microsoft, or else we just might catch too many false positives, and we don't want that either, right? But the good thing about this is that Microsoft is really working and putting effort into improving the capabilities of System Center Endpoint Protection and Windows Defender to detect and fight malware. Setting this to maximum will result in blocking much more malware code, which is a good thing, but you need to be aware that it will also block some software that shouldn't be blocked.

However, I think Microsoft is courteous enough to inform us about this and will not enforce a big change in a feature like this. It will make it something that you can adjust, giving enterprises more control over how aggressive they want us to be in protecting them.
