A buyer side guide to Microsoft Defender for Endpoint Plan 1 versus Plan 2 in 2026. The feature gap, who needs EDR, the E5 packaging, and how to license each.
Defender for Endpoint Plan 1 delivers prevention while Plan 2 adds detection, response, and hunting, so the choice turns on whether your team can act on alerts, and most enterprises that justify the product at all need Plan 2.
This guide is for security and procurement leaders sizing Defender for Endpoint in 2026. Read it with the Defender suite guide and the Microsoft Practice page so the security design and the commercial design stay aligned.
The split is prevention versus operations. Plan 1 stops known threats, while Plan 2 gives a security team the tools to detect, investigate, and respond.
Plan 1 is the prevention tier. It blocks and contains threats on the device but leaves the investigation and response work outside its scope.
Plan 2 adds the security operations layer. These are the capabilities a SOC uses every day to find and stop active threats.
Packaging decides the cheapest route. Plan 2 rides inside E5, so an E5 estate already owns it, while an E3 estate must add it.
Defender for Endpoint plans compared
| Dimension | Plan 1 | Plan 2 |
|---|---|---|
| Core function | Prevention | Prevention plus EDR |
| Bundled in | Microsoft 365 E3 | E5 and E5 Security |
| Threat hunting | Not included | Included |
| Best fit | Prevention only need | Active SOC or MDR |
An E5 seat already includes Plan 2. Buying a standalone Plan 2 license for an E5 user is a duplicate, so reconciling entitlements is the first cost check. Microsoft documents the Plan 1 and Plan 2 feature split in detail.
Both licensing metrics, per user and per device, exist. Per device can be cheaper for shared workstations, while per user fits a knowledge worker estate, so the device profile drives the metric choice.
Anchor the choice on response capability. The tools only pay off if someone can use them, so the question is operational before it is commercial.
If a team investigates and responds, Plan 2 is required to give them EDR and hunting. If endpoints only need prevention, Plan 1 covers it, though that is rare in an enterprise.
Plan 1 covers core endpoint protection such as next generation antivirus, attack surface reduction, and manual response actions. Plan 2 adds endpoint detection and response, automated investigation, threat and vulnerability management, and threat hunting. Plan 2 is the full security operations tier.
Yes. Defender for Endpoint Plan 2 is included in Microsoft 365 E5 and in the E5 Security add on. Customers on E3 can step up to E5 Security or buy Plan 2 standalone to get the full endpoint capability.
Plan 1 includes next generation antivirus, attack surface reduction rules, device control, web protection, and manual response actions on a device. It does not include EDR, automated investigation, or threat hunting, which are Plan 2 features.
If you have a security team that acts on alerts, yes. Plan 1 leaves the detection and response gap open, so any organization running a SOC or managed detection service needs the EDR and hunting capabilities in Plan 2.
Both plans are licensed per user or per device. Plan 1 is available standalone or in Microsoft 365 E3, while Plan 2 comes in E5, E5 Security, or as a standalone per user license. The metric matters for shared device estates.
Match the plan to whether you can act on detections. If a team investigates and responds, Plan 2 is required. If endpoints only need prevention with no response capability, Plan 1 covers it at lower cost, though most enterprises need Plan 2.
Buyers who already hold E5 sometimes buy Plan 2 standalone as well. The capability is in the E5 seat, so the standalone line is a duplicate nobody reconciled.