Microsoft Defender for Endpoint ships in two plans. Plan 1 is endpoint protection. Plan 2 adds endpoint detection and response, threat and vulnerability management, automated investigation and response, and managed threat hunting through Defender Experts.
Microsoft Defender for Endpoint is the EDR product on the Microsoft security stack. Plan 1 covers next generation antivirus, attack surface reduction, and basic device control. Plan 2 adds the full EDR feature set with threat hunting, automated investigation, and Defender Experts managed coverage.
Plan 1 is included in Microsoft 365 E3. Plan 2 is included in Microsoft 365 E5 and the E5 Security add on. Standalone Plan 2 sits at 5.20 USD per user per month at list. The choice between Plan 1 and Plan 2 is one of the largest single line items in the Microsoft security mix.
Read this alongside the Microsoft knowledge hub, the Microsoft services page, the Intune Plan 1 vs Plan 2 article, the EA Renewal Playbook, and the Vendor Shield subscription.
Plan 1 covers next generation antivirus and core endpoint hardening. Most knowledge worker estates that ride on Microsoft 365 E3 already pay for Plan 1.
Plan 2 adds the full EDR scope on top of the Plan 1 baseline. Microsoft documents the Plan 1 and Plan 2 feature split. Most enterprises buy Plan 2 inside Microsoft 365 E5 or the E5 Security add on rather than standalone.
The Microsoft 365 stacking rule sets the bundle math. Defender for Endpoint is layered across the Microsoft 365 E5 catalog. Mapping the plan correctly to the underlying base license is the first step.
| Base plan | Defender for Endpoint plan | Notes |
|---|---|---|
| Microsoft 365 E3 | Plan 1 included | Standard knowledge worker |
| Microsoft 365 E5 | Plan 2 included | Premium plan with full EDR |
| Microsoft 365 E3 plus E5 Security add on | Plan 2 included | Targeted EDR mix |
| Microsoft 365 F3 | Lite coverage | Frontline plan, limited Defender posture |
| Microsoft 365 Business Premium | Plan 1 included | Mid market bundle |
| Standalone Defender Plan 2 | Plan 2 | Add on to any base, 5.20 USD per user per month |
The E5 Security add on at 12 USD per user per month bundles Defender for Endpoint Plan 2, Defender for Identity, Defender for Office Plan 2, and Defender for Cloud Apps. The four products standalone cost 21 USD per user per month. The add on saves 9 USD per user per month on every targeted persona.
Microsoft publishes list prices for every Defender plan. The EA discount band on standalone Defender SKUs sits a touch below the Microsoft 365 base plan band.
| SKU | List per user per month | EA discount band | Typical landed price |
|---|---|---|---|
| Defender for Endpoint Plan 1 standalone | $3.00 | 3% to 10% | $2.70 to $2.91 |
| Defender for Endpoint Plan 2 standalone | $5.20 | 5% to 15% | $4.42 to $4.94 |
| Defender for Servers Plan 2 | $15 | 5% to 15% | $12.75 to $14.25 |
| Defender Experts add on | $3 per device per month | 3% to 10% | $2.70 to $2.91 |
| E5 Security add on | $12 | 5% to 15% | $10.20 to $11.40 |
Microsoft commercial reviews on Defender focus on feature mismatch and persona over assignment. The Defender Experts service is a frequent entitlement gap. Five traps catch most enterprises.
The Defender line item lands inside the broader Microsoft Enterprise Agreement. The Microsoft Product Terms govern every step down and true down right. Six levers move the bill at renewal.
The standard Microsoft account team pitch is that every user belongs on Microsoft 365 E5, so Plan 2 blankets the whole estate by default. We disagree. Across the Microsoft security estates we benchmarked in 2024 to 2025, roughly 6 in 10 carried Plan 2 on users who never touched endpoint detection and response, advanced hunting, or automated investigation. The buyer side move is to map every persona to the feature it actually uses, license Plan 2 only where the workflow needs it, and hold the E5 Security add on price for the targeted band. Flat coverage is a billing convenience for the vendor, not a security requirement.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
The seven step checklist puts the Defender for Endpoint estate on a clean licensing footing before the next EA renewal.
White Paper · Microsoft
The 12 month buyer side framework we use with Fortune 500 clients to cut the standard Microsoft EA uplift. Read it free.
Plan 1 covers next generation antivirus, attack surface reduction, and core endpoint hardening. Plan 2 adds endpoint detection and response, advanced hunting, threat and vulnerability management, automated investigation and response, and Defender Experts eligibility. Plan 1 ships in Microsoft 365 E3. Plan 2 ships in Microsoft 365 E5 or the E5 Security add on.
Yes. Microsoft 365 E5 includes Defender for Endpoint Plan 2 in the security stack. The E5 Security add on at 12 USD per user per month also carries Plan 2 against an E3 base. Standalone Plan 2 sits at 5.20 USD per user per month for any user off E5.
No. A persona aligned mix typically saves 20 to 30 percent on a 10,000 user estate. Regulated knowledge workers, executives, developers, and administrators justify Plan 2. Standard knowledge workers can run on Plan 1. Map every persona before licensing the full estate on Plan 2.
Defender Experts is the Microsoft managed threat hunting service and it requires a Plan 2 base. Two tiers ship, Hunting and XDR. Hunting handles proactive notification. XDR adds full triage and remediation. List price starts at 3 USD per device per month for Hunting.
The frequent findings are advanced hunting on a Plan 1 user, server posture without Defender for Servers Plan 2, the vulnerability dashboard touched on a Plan 1 estate, Defender Experts without entitlement, and automated investigation run on Plan 1. The Defender portal surfaces the usage, so entitlement reconciliation is the defense.
Standalone Defender for Endpoint Plan 2 lists at 5.20 USD per user per month. Plan 1 standalone lists at 3 USD. The E5 Security add on at 12 USD bundles Plan 2 with three other Defender products. Typical EA discount bands run 5 to 15 percent on the standalone Plan 2 line.
Microsoft 365 F3 ships only a limited Defender posture, not full Plan 1 or Plan 2. Frontline workers on F3 who need endpoint detection and response require a standalone Plan 2 add on. Confirm the F3 scope before assuming frontline devices are covered.
Redress runs the Defender persona allocation review, the feature usage audit, the server posture reconciliation, and the EA renewal position inside the Vendor Shield subscription and the Renewal Program. Every engagement is led by a former Microsoft commercial executive on the buyer side, with no Microsoft kickback on the table.
Redress runs Microsoft Defender advisory inside the Vendor Shield subscription, the Renewal Program, the Benchmark Program, and the Software Spend Assessment.
Read the related Microsoft hub, the benchmarking page, the about us page, the locations page, and the contact page.
Buyer side reference on the Microsoft EA renewal sequence. Defender mix, Intune Suite math, Copilot ramp, true up timing, and the six clause renewal levers.
Independent. Buyer side. Written for CIOs, CFOs, and procurement leaders carrying Microsoft Enterprise Agreements. No Microsoft kickback. No conflict on the table.
Open the white paper in your browser. Corporate email only.
Open the Paper →The flat Plan 2 for everyone position is the largest waste pattern on the Microsoft security mix. Map the personas, lock the E5 Security add on for the targeted band, and the bill drops 20% before the discount conversation starts.
We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.
Microsoft Defender benchmarks, EA renewal cadence, Intune Suite math, Copilot ramp patterns, and persona allocation intelligence from every Microsoft engagement we run on the buyer side.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
