Defender for Endpoint Plan 1 delivers core protection. Plan 2 adds endpoint detection and response, automated investigation, and threat hunting. Most enterprises already own Plan 2 and run only Plan 1 features.
Defender for Endpoint Plan 1 delivers core protection, and Plan 2 adds endpoint detection and response, automated investigation, threat hunting, and vulnerability management. The buyer question is rarely which to buy. It is whether you already own Plan 2 and simply have not turned it on.
Plan 1 delivers core endpoint protection: malware protection, attack surface reduction, device control, and manual response actions. It stops known threats well.
What Plan 1 does not include is continuous detection and response. Microsoft documents the split clearly in its Plan 1 and Plan 2 comparison.
Plan 1 suits organizations that need strong preventive protection without a security operations function. It blocks and contains, then leaves response to manual action.
Plan 2 adds the investigation and hunting layer: endpoint detection and response, automated investigation and remediation, advanced hunting, threat analytics, and vulnerability management.
Defender for Endpoint Plan 1 versus Plan 2
| Capability | Plan 1 | Plan 2 | Note |
|---|---|---|---|
| Malware protection | Yes | Yes | Core in both |
| Attack surface reduction | Yes | Yes | Core in both |
| Endpoint detection and response | No | Yes | The main gap |
| Automated investigation | No | Yes | Reduces analyst load |
| Advanced hunting | No | Yes | Needs analysts |
| Vulnerability management | Limited | Yes | Bundled in Plan 2 |

Defender Vulnerability Management is bundled into Plan 2, with a premium add-on for deeper features. Microsoft describes it in the vulnerability management documentation. It surfaces and ranks endpoint weaknesses for remediation.
Plan 1 ships inside Microsoft 365 E3. Plan 2 ships inside Microsoft 365 E5 and E5 Security. Standalone Plan 2 lists at roughly 5 dollars per user per month.
If you hold Microsoft 365 E5 or E5 Security, you already own Plan 2. Microsoft confirms the entitlements on its Defender for Endpoint product page. Check the existing estate before buying anything standalone.
The common advice is to compare Plan 1 and Plan 2 features and buy whichever fits, usually Plan 2. We disagree with the framing. In most enterprises we review, the licensing decision was already made the day they bought E5, which includes Plan 2. The real question is not which plan to buy but whether the Plan 2 features they already own are switched on and staffed. The buyer-side move is to audit the existing entitlement, activate dormant Plan 2 capability, and only then decide whether any gap justifies new spend. Buying standalone Plan 2 on top of E5 pays twice for the same tool.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
Most enterprises do not need to buy Plan 2. They already own it inside E5 and run only the Plan 1 features. The gap is activation, not licensing.
Plan 2 earns its cost where a security operations function can use it.
Servers need their own Defender for Endpoint or Defender for Servers licensing. In our reviews, unmanaged servers were the largest exposure, not the desktop plan choice. Microsoft lists the prerequisites in the requirements documentation.
Audit the existing suite entitlements before any standalone purchase.
List who holds E5 or E5 Security, then check whether their Plan 2 features are active. Owned but dormant is the most common waste.
License Plan 2 for high-risk populations and Plan 1 for the rest. Estate-wide, top-tier licensing rarely matches the actual risk profile.
Plan 1 delivers core endpoint protection, while Plan 2 adds endpoint detection and response, automated investigation, threat hunting, and vulnerability management. Plan 1 stops known threats; Plan 2 investigates and hunts the unknown ones.
Yes. Defender for Endpoint Plan 1 is included with Microsoft 365 E3. Plan 2 is included with Microsoft 365 E5 and Microsoft 365 E5 Security, so many E5 customers already own Plan 2.
Standalone Defender for Endpoint Plan 2 lists at roughly 5 dollars per user per month. Buying it on top of an E5 entitlement means paying twice for the same capability, which is a common error.
No. Endpoint detection and response is a Plan 2 capability. Plan 1 offers manual response actions but not the continuous EDR, advanced hunting, or automated investigation that Plan 2 provides.
To capture the full value, yes. Plan 2 features such as advanced hunting and threat analytics need analysts to act on them. Without a security operations function, much of the Plan 2 value goes unused.
Defender Vulnerability Management is the vulnerability and configuration capability bundled into Plan 2, with a premium add-on for deeper features. It surfaces and prioritizes endpoint weaknesses for remediation.
Yes. A common pattern licenses Plan 2 for high-risk users and servers and Plan 1 for the rest. Mixed licensing matches cost to risk rather than buying the top tier estate-wide.
Buying standalone Plan 2 while already entitled to it through E5, or licensing Plan 2 estate-wide with no security operations team to use the advanced features. Both pay for capability that is duplicated or dormant.