The Foundation: What Defender for Endpoint Is
Microsoft Defender for Endpoint (MDE) is the primary endpoint security platform in Microsoft's security portfolio. It operates as an agent-based solution, built into Windows 10 and Windows 11 and available as a downloadable agent for macOS, Linux, iOS, and Android. MDE is the successor to Windows Defender Advanced Threat Protection (Windows Defender ATP) and forms a core component of the broader Microsoft Defender XDR platform.
The platform's capabilities divide cleanly across two licensing tiers: Plan 1 (P1) and Plan 2 (P2). These plans are not merely marketing designations — they represent a substantive architectural divide between prevention-focused endpoint security and full endpoint detection and response (EDR). Understanding where that line falls determines whether your current M365 SKU provides adequate endpoint security for your threat model, or whether a move to E5 or E7 is warranted.
Plan 1: What You Get at E3
Defender for Endpoint Plan 1 is included in Microsoft 365 E3 and A3 licences, as well as in the standalone Defender for Endpoint P1 SKU. It focuses entirely on attack prevention and hardening — designed to stop threats from executing, not to detect and respond to threats already present.
Next-Generation Protection
P1 includes Microsoft's next-generation antivirus engine (Microsoft Defender Antivirus), which provides cloud-delivered protection, real-time behaviour monitoring, heuristic and machine learning-based detection, and automated sample submission. This is the core antivirus component that has been part of Windows for years, now enhanced with cloud intelligence from Microsoft's security graph.
Attack Surface Reduction (ASR)
ASR rules are one of P1's most underutilised yet high-value capabilities. ASR rules block specific behaviour patterns commonly exploited by malware, such as Office applications spawning child processes, executable content from email, obfuscated scripts, and process injection techniques. A well-configured ASR ruleset significantly reduces the attack surface without relying on any threat detection. Many E3 organisations have ASR available but unconfigured, making it a quick win that does not require P2.
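As an added example (not code from the original article or from Microsoft), the script below stages the four ASR rules named above on a single Windows endpoint using the built-in Defender cmdlets, first in audit mode and then in block mode. The rule GUIDs are Microsoft's published ASR rule IDs and should be checked against current documentation before a fleet-wide rollout; the helper function names are this example's own.

```powershell
# Added example: staging the four ASR rules named in the text with the
# built-in Defender cmdlets. Requires an elevated PowerShell session.
# Intune or GPO policy takes precedence over local settings, so in a managed
# estate deploy the same rule IDs through policy instead.

# Microsoft's published ASR rule IDs for the behaviours named in the text
# (assumed correct as of writing; verify against current Microsoft docs).
$AsrRules = @{
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'             = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block execution of potentially obfuscated scripts'                   = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Office applications from injecting code into other processes'  = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
}

# ASR action codes understood by Add-MpPreference / Set-MpPreference
$Audit = 2   # log only (Event ID 1122 in Microsoft-Windows-Windows Defender/Operational)
$Block = 1   # enforce (Event ID 1121)

function Set-AsrRuleState {
    param([string[]]$Ids, [int]$Action)
    # Add-MpPreference merges with rules already configured instead of
    # replacing the whole list; one action value is supplied per rule ID.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $Ids.Count)
}

function Get-AsrRuleState {
    # Lists every configured ASR rule ID with its effective local action
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $label = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
        }
        [pscustomobject]@{ Id = $pref.AttackSurfaceReductionRules_Ids[$i]; Action = $label }
    }
}

# Stage 1: audit mode. Leave running long enough to review Event ID 1122
# entries for legitimate business workflows that would otherwise be blocked.
Set-AsrRuleState -Ids @($AsrRules.Values) -Action $Audit
Get-AsrRuleState | Format-Table -AutoSize

# Stage 2 (after the audit review): switch the same rules to block.
# Re-running Add-MpPreference with the same IDs updates their action.
# Set-AsrRuleState -Ids @($AsrRules.Values) -Action $Block
```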
Device Control
P1 includes USB device control, which allows administrators to restrict removable storage, printers, and other peripherals by device class, vendor, or specific device ID. For organisations with data exfiltration concerns, this capability provides meaningful protection at no additional licensing cost.
Web Protection and Firewall Management
P1 includes network protection (blocking connections to known malicious IPs and domains), web content filtering, and integration with Windows Firewall for policy management. These capabilities are available at the E3 level and form a reasonable prevention layer for most enterprise environments.
Centralised Management
P1 provides access to the Microsoft Defender portal for unified device management, policy configuration, and basic reporting. However, the portal's investigative capabilities — detailed timelines, process trees, alert investigation views — are limited compared to what P2 exposes, because the underlying data that P2 streams to the backend is not collected at the P1 level.
Plan 2: What E5 and E7 Add
Defender for Endpoint Plan 2 is included in Microsoft 365 E5, E5 Security, and the newest top-tier SKU, M365 E7. E7 is the most comprehensive M365 bundle available in 2026 — positioned above E5, it includes everything in E5 plus advanced AI capabilities, Copilot, and security features previously sold as E5 add-ons. Microsoft's field teams are actively transitioning E5 customers to E7 at renewal, and Defender for Endpoint P2 carries forward into E7 as a core component.
P2 retains everything in P1 and adds a full suite of detection, investigation, and response capabilities that transform MDE from a prevention tool into a complete EDR platform.
Endpoint Detection and Response (EDR)
EDR is the defining capability that separates P1 from P2. Where P1 focuses on preventing threats from executing, EDR provides continuous recording of endpoint telemetry — process execution, file system changes, registry modifications, network connections, and memory events — stored in Microsoft's cloud backend for up to six months of historical investigation.
When an alert fires, a security analyst can trace the full attack chain: which process created which child process, which registry key was modified, which file was dropped where, and which external IP was contacted. This retrospective investigation capability is simply absent from P1. If a threat evades prevention controls and you are on P1 only, your ability to understand what happened — and whether anything remains present — is severely limited.
Automated Investigation and Remediation (AIR)
P2 includes Microsoft's Automated Investigation and Remediation engine, which triggers automatically when alerts reach a threshold confidence level. AIR follows a decision tree to gather artefacts, determine scope, and in most cases fully remediate the incident without analyst intervention — quarantining files, reverting registry changes, and blocking process execution. For security operations teams under alert fatigue, AIR is one of the most operationally impactful features in the P2 tier.
Threat and Vulnerability Management (TVM)
TVM provides continuous assessment of software vulnerabilities, security misconfigurations, and exposed credentials across all onboarded endpoints. It integrates with Intune for remediation workflow, automatically prioritises vulnerabilities by exploitation risk and device exposure, and tracks remediation status across the estate. P1 has no equivalent capability — vulnerability management requires either P2 or a third-party solution such as Tenable or Qualys.
Threat Analytics and Threat Intelligence
P2 integrates Microsoft's threat intelligence directly into the investigative workflow. Threat Analytics reports provide briefings on active threat campaigns, with direct links to affected devices and guidance on recommended mitigations. Microsoft Threat Experts (MTE), a managed threat hunting service available as an add-on for P2 customers, gives access to Microsoft's human threat hunters for targeted attack notifications and direct consultation.
Advanced Hunting
Advanced Hunting is a query interface over the full six months of raw endpoint telemetry stored in P2. Using KQL (Kusto Query Language), analysts can run arbitrary queries across process events, file events, network events, and alert data, building custom threat hunts, writing detection rules, and correlating activity across hundreds or thousands of endpoints simultaneously. This capability has no equivalent in P1.
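As an added example (not code from the original article or from Microsoft), the script below runs an Advanced Hunting KQL query from PowerShell through the Microsoft Graph security API, looking for Office applications spawning scripting or shell child processes, the same behaviour the P1 ASR rule above prevents, across the retained P2 telemetry. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the ThreatHunting.Read.All permission; the function name is this example's own.

```powershell
# Added example: Advanced Hunting from PowerShell via Microsoft Graph.
# Assumes the Microsoft.Graph SDK and a tenant licensed for Defender for
# Endpoint P2 (the DeviceProcessEvents table is not populated under P1).
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' | Out-Null

# KQL: Office processes launching shells or script hosts in the last 30 days.
# On P2 this answers retrospectively what an ASR rule would have blocked,
# and is a natural candidate for a custom detection rule once tuned.
$Kql = @'
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| summarize Count = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName
| order by Count desc
'@

function Invoke-HuntingQuery {
    param([Parameter(Mandatory)][string]$Query)
    # POST the query; Graph returns a schema array and a results array of rows
    # keyed by the summarised column names.
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body @{ Query = $Query } -ContentType 'application/json'
    $resp.results | ForEach-Object { [pscustomobject]$_ }
}

# Each row is one device/user/parent/child combination; a single finance
# workstation with winword.exe -> powershell.exe is worth a timeline check.
Invoke-HuntingQuery -Query $Kql | Format-Table -AutoSize
```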
Sandbox (Deep Analysis)
P2 provides access to a cloud-based sandbox for detonating suspicious files in an isolated virtual environment with full behavioural recording. Files can be submitted manually from the portal or automatically when flagged by the detection engine. Deep Analysis reports include full process execution trees, DNS queries, HTTP connections, and file system artefacts generated during detonation.
Licensing: Which SKU Includes Which Plan
The list below summarises the M365 SKU stack and the Defender for Endpoint plan included in each as of 2026. The stack runs E1, E3, E5, and E7, with E7 as the current top-tier bundle.
- M365 E1: No Defender for Endpoint included. Basic Microsoft Defender Antivirus only.
- M365 E3: Defender for Endpoint Plan 1 included. Prevention capabilities, ASR, device control, web protection.
- M365 E5: Defender for Endpoint Plan 2 included. Full EDR, AIR, TVM, threat analytics, advanced hunting, sandbox.
- M365 E7: Defender for Endpoint Plan 2 included (same as E5). E7 additionally bundles Copilot, advanced AI features, and security add-ons previously requiring separate purchase above E5.
- M365 E5 Security (add-on): Defender for Endpoint Plan 2 included. Available as an add-on to E3 at approximately $12 per user per month.
- Standalone P2: Available at approximately $5.20 per device per month for organisations that want P2 capabilities without upgrading the full M365 SKU.
Each licensed user can onboard up to five concurrent devices under both P1 and P2. Server licensing is separate: Defender for Servers P1 and P2 are Azure Defender products available through Microsoft Defender for Cloud, billed per server per month.
When P1 Is Sufficient
P1 provides genuine endpoint security value when deployed and configured correctly. Organisations with a mature ASR configuration, enforced device control policies, network protection enabled, and a complementary third-party threat detection tool (such as CrowdStrike or SentinelOne for EDR) can achieve adequate endpoint security coverage at the E3 level without paying for E5 or E7.
P1 is also sufficient for low-risk user populations within a mixed-SKU strategy. Frontline workers on F1 or F3 licences, or administrative users with limited internet exposure and no access to sensitive data, can reasonably operate under P1 while high-risk roles — developers, finance, legal, and IT — are placed on E5 or E7 for P2 EDR coverage.
The key test is whether your security operations team can investigate and respond to endpoint incidents without P2's retrospective telemetry. If your security team has no EDR capability — no third-party tool and only P1 in place — then a compromise that evades prevention controls will leave you blind to its scope and persistence. In that scenario, the upgrade from P1 to P2 is not optional for organisations with meaningful sensitive data or regulatory obligations.
When P2 Is Required
P2 becomes operationally necessary in several scenarios. If your organisation operates a Security Operations Centre (SOC) or managed detection and response (MDR) service, those teams require the EDR telemetry and hunting capabilities that only P2 provides — P1's portal provides insufficient data for professional incident response. If you are subject to regulatory frameworks requiring documented incident investigation and forensic capability (NIST, ISO 27001, NIS2, DORA), P2's retrospective telemetry and investigation workflows directly support compliance requirements that P1 cannot address.
Organisations that have experienced ransomware incidents or targeted attacks need P2's advanced hunting to determine whether threat actor infrastructure persists post-remediation. And for organisations considering Microsoft Defender XDR as their unified detection and response platform, P2 is a prerequisite — XDR's attack disruption and cross-domain correlation capabilities require P2's endpoint telemetry depth.
P2 Standalone vs. Upgrading to E5 or E7
For organisations on E3 seeking P2 capabilities, three acquisition paths exist: purchase the standalone P2 licence at approximately $5.20 per device per month, add the E5 Security add-on at $12 per user per month (which adds P2 plus Defender for Identity, Defender for Office 365 P2, and Entra ID P2), or upgrade to E5 or E7 for the full bundle.
The standalone P2 path makes sense when you have a specific subset of devices — servers, privileged workstations, or security team endpoints — requiring EDR coverage without upgrading the entire organisation's M365 SKU. For organisations where the security team's desktop fleet represents 10 to 15 percent of total users, standalone P2 at $5.20 per device is substantially cheaper than moving everyone to E5 at $57 per user per month.
The E5 Security add-on at $12 per user per month makes sense when you need not just P2 but also Defender for Identity and Entra ID P2 (conditional access, identity protection, PIM). The all-up security add-on bundle provides significantly more value than standalone P2 alone when those identity capabilities are also required.
Moving to E7 makes sense when you want the full Microsoft stack including Copilot, are approaching E5 renewal, and the all-in E7 cost with Copilot included is competitive with E5 plus separate Copilot add-on purchases. Our Microsoft EA advisory specialists model all three paths for every client to identify the lowest total cost of ownership for their specific SKU mix and user population.
Need to optimise your M365 security SKU mix?
Redress Compliance provides independent Microsoft licensing advisory for security and endpoint architecture decisions.