Understanding the Windows 11 Enterprise Licence Landscape
Windows 11 Enterprise licensing exists in two distinct forms that are frequently confused: standalone Windows 11 Enterprise licences (E3 and E5 as device-based or per-user Commercial subscriptions) and the Windows 11 Enterprise entitlements bundled within Microsoft 365 E3 and E5 suite licences. The distinction matters because the security features included differ between the standalone Windows Enterprise SKUs and what comes with the broader M365 suites.
For enterprise organisations with Microsoft 365 subscriptions, Windows 11 Enterprise is included as part of the M365 E3 and E5 suites. This means the primary commercial question is whether the M365 E3 Windows entitlement is sufficient, or whether M365 E5 (or a Windows 11 Enterprise E5 add-on) is required to access the advanced endpoint security features your security architecture demands.
The 2026 M365 SKU stack runs from F1 for frontline workers through F3, E3, E5, and the newly launched E7 at $99 per user per month. E7 is the highest tier — E5 is no longer the top or most comprehensive Microsoft 365 SKU. This matters for Windows security licensing because E7 bundles security, identity, and AI capabilities above and beyond E5.
What Windows 11 Enterprise E3 Includes
Windows 11 Enterprise E3 — whether accessed via the M365 E3 suite or the standalone Windows 11 Enterprise E3 subscription — delivers a substantial enterprise security baseline that goes well beyond Windows 11 Pro.
Core E3 Security Features
The security capabilities included in Windows 11 Enterprise E3 cover the foundational enterprise protection layer: BitLocker device encryption and BitLocker to Go for removable drives, Windows Defender Antivirus with cloud-delivered protection and automatic sample submission, Windows Firewall with advanced security and Group Policy management, Windows Hello for Business including biometric and PIN-based passwordless authentication, Credential Guard to protect domain credentials from theft, Device Guard and WDAC (Windows Defender Application Control) to restrict application execution, Microsoft Defender SmartScreen for web and application reputation filtering, Attack Surface Reduction rules to block common malware delivery techniques, Controlled Folder Access for ransomware protection of user directories, Exploit Guard including DEP, ASLR, Stack Pivot protection, and Exploit Protection, AppLocker for application whitelisting policy management, and Microsoft Intune Plan 1 for mobile device management and endpoint configuration (when accessed via M365 E3).
This is not a thin security offering. E3's security stack represents a comprehensive policy-driven baseline that stops the majority of commodity threats through prevention and configuration hardening. For organisations with relatively standard threat profiles and existing SIEM or incident response capabilities, E3 may be entirely sufficient.
What E3 Lacks: Post-Breach Detection
The critical limitation of E3's security posture is that it is almost entirely preventive rather than detection and response oriented. E3 can block threats through application control, reduce attack surface through configuration policy, and protect identities through Windows Hello and Credential Guard. What it cannot do is detect and investigate threats that bypass prevention — the sophisticated, low-and-slow attacks that define modern enterprise threat activity. That detection and response layer is the primary value that E5 adds through Defender for Endpoint Plan 2.
What E5 Adds: Defender for Endpoint Plan 2
The primary security differentiator between Windows 11 Enterprise E3 and E5 is Microsoft Defender for Endpoint Plan 2. This is not simply a feature upgrade — it is a fundamentally different security capability class: endpoint detection and response (EDR) with extended detection and response (XDR) integration across the M365 security ecosystem.
Defender for Endpoint Plan 2 Core Capabilities
Defender for Endpoint Plan 2 adds the following capabilities that are absent from E3: endpoint detection and response with behavioural analytics and attack chain visualisation, threat and vulnerability management for automated asset discovery and vulnerability prioritisation, advanced hunting with Kusto query language across six months of endpoint telemetry, automated investigation and response that contains and remediates threats without analyst intervention, device discovery for managed and unmanaged device visibility across the network, network device assessment for switches and routers, threat intelligence integration with Microsoft's global threat signal from over 1 billion endpoint events processed daily, Microsoft Threat Experts on-demand advisory service for analyst-grade guidance on specific incidents, and integration with Microsoft Defender XDR for unified security operations across endpoints, email, identity, and cloud apps.
The Defender for Endpoint P2 telemetry retention is six months, giving security teams historical context for threat hunting and incident investigation. The automated investigation capability is particularly valuable for organisations without large SOC teams — it can contain and remediate threats autonomously, reducing dwell time without requiring analyst action on every alert.
Additional E5 Security Features Beyond Endpoint
Beyond Defender for Endpoint P2, M365 E5 also includes Entra ID P2 (formerly Azure AD P2) with Privileged Identity Management, Identity Protection, and Access Reviews — an identity security layer that E3 does not include. E5 also adds Microsoft Purview Audit Premium with 10-year log retention and advanced eDiscovery, E5 Compliance features including Insider Risk Management and Communication Compliance, and Microsoft Defender for Office 365 Plan 2 for email threat protection with Attack Simulator. These non-endpoint additions are material and should be included in any E3-to-E5 upgrade business case — the decision is not solely about Defender for Endpoint P2.
The E3 vs E5 Commercial Decision
The $21 per user per month difference between M365 E3 and E5 amounts to $252 per user per year. For a 3,000-person organisation, that is $756,000 per year — a meaningful security budget line item that requires rigorous justification.
When E5 Is Clearly Justified
E5 is the right choice when your organisation does not have an existing enterprise EDR solution and needs post-breach detection and response capability. For organisations starting from scratch on endpoint security, Defender for Endpoint P2 at the E5 price point is competitive with or better than acquiring standalone CrowdStrike, SentinelOne, or Carbon Black licences alongside the E3 baseline. The integration with the broader M365 security stack — unified investigation across endpoints, email, and identity — is a genuine advantage that best-of-breed standalone EDR cannot replicate in the Microsoft ecosystem.
E5 is also clearly justified when your compliance requirements mandate advanced audit log retention, Insider Risk Management, or Communication Compliance — capabilities that are E5-only and cannot be replicated with third-party tools at lower cost within the Microsoft compliance framework.
When E3 Is Sufficient
E3 is sufficient when your organisation already has a deployed and operationalised best-of-breed EDR solution — CrowdStrike Falcon, SentinelOne, Carbon Black, or equivalent — with active threat hunting and incident response workflows built on that platform. In these cases, adding Defender for Endpoint P2 through an E5 upgrade creates redundant EDR capability and the associated integration complexity, not additional protection. The E3 prevention baseline combined with your existing EDR delivers equivalent or superior protection to E5 at materially lower cost.
E3 is also sufficient for frontline and operational roles whose threat profile does not include sophisticated targeted attacks. Applying E5 uniformly across an organisation when 50 to 60 percent of users have low-risk threat profiles wastes security budget that could be deployed elsewhere.
The Role of EA Volume Discounts — and Why They No Longer Apply Automatically
A critical commercial fact that Microsoft has not communicated clearly to customers: the automatic volume discount tiers for EA licences — Level B, C, and D — were eliminated in November 2025. Prior to that date, organisations with 500 or more users (Level B) received automatic 6 percent discounts, Level C organisations received 9 percent, and Level D organisations with 15,000 or more users received 12 percent off list price. All of those automatic discounts are gone. Every customer now pays Level A list price regardless of size, unless discounts are specifically negotiated as part of the individual EA renewal.
For an organisation renewing a 5,000-user M365 E5 deployment, the elimination of the Level C discount (9 percent) represents a hidden cost increase of approximately $5.40 per user per month — $324,000 per year on an E5 estate — that has not been flagged in any proactive Microsoft customer communication. Organisations that are renewing EAs and assuming their historical discount level will be applied automatically are in for a significant bill shock.
This makes independent negotiation support more valuable than it has ever been for EA renewals involving security licences. Discounts that used to be automatic now require explicit negotiation, and knowing the right levers to pull — competing bids, Q4 timing, multi-year commit structure — is the difference between paying list price and recovering meaningful discount.
Where Windows 11 Enterprise Fits in E7
Microsoft 365 E7, launched in May 2026 at $99 per user per month, includes M365 E5 and therefore includes all the Windows 11 Enterprise E5 security features by definition. E7 adds Copilot, Agent 365, and the Entra Suite on top of E5. For organisations whose security decision leads them to E5 level Windows protection and who also need AI capabilities, E7 becomes the economic comparison point rather than E5 plus Copilot separately.
The Windows security lens does not change the core E7 evaluation framework: E7 makes sense for knowledge workers who will actively use the full feature set, but represents overspending for operational users whose primary need is the E3 protection baseline. A mixed-tier approach — E3 for the operational majority, E5 or E7 for security-sensitive and knowledge-worker populations — is almost always more cost-efficient than uniform deployment at the highest tier.
Recommendations for the E3 vs E5 Decision
Map your existing security stack before buying E5. List every security tool currently deployed — EDR, SIEM, identity, email, network. Assess which E5 capabilities overlap and which genuinely add net-new protection. If you have CrowdStrike and Splunk, the E5 security value case is weaker than Microsoft's standard presentation implies.
Licence security by role, not uniformly. Senior knowledge workers, IT staff, executives, and privileged users are the right population for E5 level protection. Standard operational users, frontline workers, and low-privilege roles can be adequately served by E3. A mixed deployment typically covers 20 to 40 percent of users on E5 and the remainder on E3 — saving $252 per user per year on the E3 population.
Negotiate E3 and E5 as separate line items. In EA negotiations, E3 and E5 unit prices should be negotiated independently. If you are deploying a mixed tier, ensure your EA allows per-tier pricing flexibility rather than a blended rate that penalises the lower tier.
Engage independent advice before your EA renewal. The elimination of automatic volume discounts in November 2025 means that every organisation renewing an EA in 2026 needs to negotiate discounts actively. Our Microsoft licensing advisory specialists work exclusively on the buyer side and can quantify the right negotiation position for your specific deployment mix.