
Microsoft Defender for Endpoint. Plan 1 versus Plan 2.

Microsoft Defender for Endpoint ships in two plans. Plan 1 is endpoint protection. Plan 2 adds endpoint detection and response, threat and vulnerability management, automated investigation and response, and managed threat hunting through Defender Experts.


Microsoft Defender for Endpoint is the EDR product on the Microsoft security stack. Plan 1 covers next generation antivirus, attack surface reduction, and basic device control. Plan 2 adds the full EDR feature set with threat hunting, automated investigation, and Defender Experts managed coverage.

Plan 1 is included in Microsoft 365 E3. Plan 2 is included in Microsoft 365 E5 and the E5 Security add on. Standalone Plan 2 sits at 5.20 USD per user per month at list. The choice between Plan 1 and Plan 2 is one of the largest single line items in the Microsoft security mix.


Key Takeaways

What the CISO and procurement carry into every Microsoft security review

  • Plan 1 is in E3. Endpoint protection baseline, included on the broader E3 base.
  • Plan 2 is in E5. Full EDR, included on E5 or the E5 Security add on.
  • Plan 2 unlocks EDR. Threat hunting, automated investigation, advanced hunting query.
  • Defender Experts. Managed threat hunting service, separate SKU on top of Plan 2.
  • List spread. Plan 1 at 3 USD, Plan 2 at 5.20 USD per user per month standalone.
  • Renewal lever. Lock the E5 Security add on price for the full EA term; the default vendor position is to reprice.

Defender for Endpoint Plan 1 scope

Plan 1 covers next generation antivirus and core endpoint hardening. Most knowledge worker estates that ride on Microsoft 365 E3 already pay for Plan 1.

What Plan 1 actually covers

  • Next generation antivirus. Microsoft Defender Antivirus with cloud delivered protection.
  • Attack surface reduction. ASR rules across Office macros, scripts, and exploit guard.
  • Device control. USB block, BitLocker, application control policies.
  • Web protection. Microsoft Defender SmartScreen and URL filtering.
  • Network protection. Block traffic to malicious IPs and domains.
  • Centralized management. Defender for Endpoint portal, basic reporting and alerts.

What Plan 1 does not cover

  • Endpoint detection and response. No live response or advanced hunting query on Plan 1.
  • Threat and vulnerability management. No vulnerability dashboard on Plan 1.
  • Automated investigation and response. Manual triage only, no AIR on Plan 1.
  • Defender Experts. Managed threat hunting requires Plan 2 base.

Defender for Endpoint Plan 2 scope

Plan 2 adds the full EDR scope on top of the Plan 1 baseline. Most enterprises buy Plan 2 inside Microsoft 365 E5 or the E5 Security add on rather than standalone.

What Plan 2 unlocks against Plan 1

  • Endpoint detection and response. Full EDR with live response, six month evidence retention.
  • Advanced hunting query. KQL queries across the endpoint dataset.
  • Threat and vulnerability management. Vulnerability dashboard with exposure score and recommendations.
  • Automated investigation and response. AIR playbook that resolves common alerts without analyst time.
  • Threat Analytics. Microsoft Threat Intelligence Center reporting and IOC feed.
  • Defender Experts eligibility. Managed threat hunting add on requires Plan 2 base.

Six personas that justify Plan 2

  1. Regulated knowledge worker. Finance, healthcare, defense, full EDR audit trail.
  2. Executive and finance. Targeted persona, full AIR and Threat Analytics coverage.
  3. Developer and engineer. Repository access, source code exposure, EDR coverage.
  4. System administrator. Privileged identity, AIR plus advanced hunting coverage.
  5. External contractor with persistent access. Full Plan 2 instead of Plan 1.
  6. Mergers and acquisitions integration. Plan 2 floor across the acquired estate.

M365 stacking rule

The M365 stacking rule sets the bundle math. Defender for Endpoint is layered across the Microsoft 365 catalog. Mapping the plan correctly to the underlying base license is the first step.

Defender for Endpoint mapping across Microsoft 365 plans

| Base plan | Defender for Endpoint plan | Notes |
|---|---|---|
| Microsoft 365 E3 | Plan 1 included | Standard knowledge worker |
| Microsoft 365 E5 | Plan 2 included | Premium plan with full EDR |
| Microsoft 365 E3 plus E5 Security add on | Plan 2 included | Targeted EDR mix |
| Microsoft 365 F3 | Lite coverage | Frontline plan, limited Defender posture |
| Microsoft 365 Business Premium | Plan 1 included | Mid market bundle |
| Standalone Defender Plan 2 | Plan 2 | Add on to any base, 5.20 USD per user per month |

The E5 Security add on math

The E5 Security add on at 12 USD per user per month bundles Defender for Endpoint Plan 2, Defender for Identity, Defender for Office Plan 2, and Defender for Cloud Apps. The four products standalone cost 21 USD per user per month. The add on saves 9 USD per user per month on every targeted persona.

Pricing and bundle math

Microsoft publishes list prices for every Defender plan. The EA discount band on standalone Defender SKUs sits a touch below the Microsoft 365 base plan band.

Indicative list pricing and discount bands

| SKU | List per user per month | EA discount band | Typical landed price |
|---|---|---|---|
| Defender for Endpoint Plan 1 standalone | $3.00 | 3% to 10% | $2.70 to $2.91 |
| Defender for Endpoint Plan 2 standalone | $5.20 | 5% to 15% | $4.42 to $4.94 |
| Defender for Servers Plan 2 | $15 | 5% to 15% | $12.75 to $14.25 |
| Defender Experts add on | $3 per device per month | 3% to 10% | $2.70 to $2.91 |
| E5 Security add on | $12 | 5% to 15% | $10.20 to $11.40 |

Audit traps on Defender for Endpoint

Microsoft commercial reviews on Defender focus on feature mismatch and persona over assignment. Five traps catch most enterprises.

Five common audit findings

  1. Plan 2 features used on Plan 1 users. Advanced hunting query run against a Plan 1 user dataset.
  2. Defender for Servers without the SKU. Server posture enabled on hosts not covered by Defender for Servers Plan 2.
  3. Threat and vulnerability management gap. TVM dashboard accessed for a Plan 1 only estate.
  4. Defender Experts engagement without entitlement. Managed threat hunting alerts on a Plan 1 user.
  5. AIR run on Plan 1 user. Automated investigation triggered against a Plan 1 only persona.

Buyer side defense moves

  • Tag every user with the entitled plan. Defender portal scope rule, Plan 1 versus Plan 2.
  • Lock advanced hunting behind a role. RBAC scope on the advanced hunting query.
  • Audit the server posture. Servers enabled in Defender that lack the Servers Plan 2 SKU.
  • Reconcile the entitlement. Plan 2 user count must equal Plan 2 feature usage scope.
  • Pre price the gap. Use the discount bands above before Microsoft quotes a settlement.

Renewal levers on Defender

The Defender line item lands inside the broader Microsoft Enterprise Agreement. Six levers move the bill at renewal.

Six renewal levers procurement carries

  1. E5 Security add on price hold. Lock the add on price for the full EA term.
  2. Plan 2 standalone discount floor. 5% to 15% on standalone Plan 2; the default vendor floor is 0%.
  3. Step down right. Drop users from Plan 2 to Plan 1 mid term with no penalty.
  4. True down right. Reduce Plan 2 seat count at anniversary, not only at renewal.
  5. Defender Experts pilot ramp. Staged adoption, quarterly true up, not a flat ramp.
  6. Server posture clean up. Defender for Servers count matches the host count, no shelfware.

What to do next

The seven step checklist puts the Defender for Endpoint estate on a clean licensing footing before the next EA renewal.

  1. Inventory every user. Persona, current plan, last login.
  2. Map the persona allocation. Six archetype model, Plan 1 versus Plan 2 per persona.
  3. Audit the feature usage. Advanced hunting, AIR, TVM dashboard, Defender Experts.
  4. Reconcile the server posture. Defender for Servers count versus host count.
  5. Pre price the renewal. Plan 1, Plan 2, E5 Security add on, Defender Experts.
  6. Lock the renewal levers. Add on price hold, step down, true down.
  7. Document the position. Procurement memo, CFO sign off, EA amendment language ready.

Frequently asked questions

What is the difference between Defender for Endpoint Plan 1 and Plan 2?

Plan 1 covers next generation antivirus, attack surface reduction, and core endpoint hardening. Plan 2 adds endpoint detection and response, advanced hunting, threat and vulnerability management, automated investigation and response, and Defender Experts eligibility. Plan 1 is included in Microsoft 365 E3. Plan 2 is included in Microsoft 365 E5 or the E5 Security add on.

Is Defender for Endpoint Plan 2 included in Microsoft 365 E5?

Yes. Microsoft 365 E5 includes Defender for Endpoint Plan 2 as part of the security and compliance stack. The E5 Security add on at 12 USD per user per month also includes Plan 2 against an E3 base. Standalone Plan 2 sits at 5.20 USD per user per month for any user not on E5 or the add on.

Should every user have Defender for Endpoint Plan 2?

No. A persona aligned mix typically saves 15% to 30% on a 10,000 user estate. Regulated knowledge workers, executives, developers, and system administrators justify Plan 2. Standard knowledge workers can run on Plan 1. Frontline F3 users carry the Defender lite scope by default. Map every persona before licensing the full estate on Plan 2.

What are Defender Experts?

Defender Experts is the Microsoft managed threat hunting service. It runs on Plan 2 and Defender XDR. Two tiers ship, Hunting and XDR. Hunting handles proactive notification. XDR adds full triage and remediation. List price is 3 USD per device per month for Hunting.

What are the most common Defender for Endpoint audit findings?

Advanced hunting on a Plan 1 user, server posture without Servers Plan 2, TVM dashboard touched on a Plan 1 estate, Defender Experts without entitlement, and AIR run on Plan 1. The Defender portal surfaces the usage; the usage report plus entitlement reconciliation is the defense.

How does Redress engage on Microsoft Defender licensing?

Redress runs the Defender persona allocation review, the feature usage audit, the server posture reconciliation, and the EA renewal position inside the Vendor Shield subscription and the Renewal Program. Every engagement is led by a former Microsoft commercial executive on the buyer side, with no Microsoft kickback on the table.

How Redress engages on Microsoft Defender discipline

Redress runs Microsoft Defender advisory inside the Vendor Shield subscription, the Renewal Program, the Benchmark Program, and the Software Spend Assessment.


The flat Plan 2 for everyone position is the largest waste pattern on the Microsoft security mix. Map the personas, lock the E5 Security add on for the targeted band, and the bill drops 20% before the discount conversation starts.

Chief Information Security Officer
European financial services group