Last Update: Sep 04, 2024 | Published: Oct 07, 2021
Microsoft recently announced that Microsoft Defender for Endpoint will soon be available in two plans: P1 and P2. In this article, I will look at how the two plans compare.
With Windows, macOS, iOS, and Android devices being the most common targets for cyber criminals, malware and the threats behind it are continuously improving and evolving.
In its most recent announcement, Microsoft noted that organizations have been under increasing attack from web-based threats and ransomware.
Microsoft Defender for Endpoint is a security suite for end-user devices, like Windows PCs and Android phones, that is designed to protect enterprises against advanced threats including viruses, ransomware, rootkits and other types of malware.
Microsoft Defender for Endpoint is part of the Defender suite, which includes Defender for Endpoint, Defender for Identity, and Defender for Office 365. Defender for Endpoint was originally released as Windows Defender ATP (Advanced Threat Protection), a product which added improvements to the capabilities of the Windows Defender solution included in Windows 10.
In 2019, Windows Defender ATP became Microsoft Defender ATP, and included an array of threat protection capabilities.
Microsoft Defender for Endpoint was a single-license product that was included in Microsoft 365 E5 (and A5) and Microsoft 365 E5 Security (add-on), and was also available Standalone.
In August 2021, Microsoft announced that the single licensed product would be split into two products: Defender for Endpoint P1 (Plan 1) and Defender for Endpoint P2 (Plan 2).
Microsoft Defender for Endpoint will soon be available in two plans: P1 and P2. Plan 2 (P2) is available now and it contains advanced features like advanced threat hunting and device discovery. Plan 1 (P1) is currently in preview and it contains the base features like next-generation antimalware and antivirus protection, centralized management, and security reports.
Recently, Microsoft announced that it is “excited to offer a foundational set of our market leading endpoint security capabilities for Windows, macOS, Android and iOS at a lower price, in a new solution named ‘Microsoft Defender for Endpoint Plan 1 (P1), which will be included in Microsoft 365 E3 at no extra cost”.
Microsoft Defender for Endpoint P2 contains the same feature set as the original full-featured Microsoft Defender for Endpoint product. The new Microsoft Defender for Endpoint P1 product gives access to a subset of the features available in the P2 plan.
The following is a high-level breakdown of the available features, as described in a Microsoft blog post. Plan 1 contains a subset of the features from the original Defender for Endpoint product; the remaining features are exclusive to Plan 2:

| Microsoft Defender for Endpoint feature | P1 | P2 |
|---|---|---|
| Application Control | Included | Included |
| Attack Surface Reduction Rules | Included | Included |
| Centralized Management | Included | Included |
| Controlled Folder Access | Included | Included |
| Custom Threat Intelligence | Included | Included |
| Device Control | Included | Included |
| Device-based Conditional Access | Included | Included |
| Endpoint Firewall | Included | Included |
| Next-generation Antimalware | Included | Included |
| Unified Security Tools | Included | Included |
| Web Content Filtering | Included | Included |
| Automated Investigation and Remediation | | Included |
| Endpoint Detection and Response | | Included |
| Microsoft Threat Experts | | Included |
| Sandbox (Deep Analysis) | | Included |
| Threat Analytics | | Included |
| Threat and Vulnerability Management | | Included |
Whilst Microsoft has kept the most advanced features for Plan 2, there are some significant capabilities in Plan 1 that will help organizations stay secure, for example:
Windows Defender Application Control (WDAC) provides protection against zero-day threats by enforcing an allow-list: a set of configurable rules (publisher, hash, path and similar attributes) determines whether a file or application is trusted before it is allowed to execute, so unknown code is blocked rather than merely scanned. Combined with good application management practices, WDAC can be incredibly effective in the fight against new and emerging threats, although it requires a well-maintained policy so that legitimate line-of-business applications are not blocked.
Device Control allows organizations to control the use of external devices such as USB storage or printers, by either reporting on their use or preventing use, depending on the policy assigned. It is also possible to include exceptions to these report and prevent rules, to meet differing business needs.
Web Content Filtering shifts the responsibility for web protection from network and web filter appliances and places it on the endpoint itself. With the recent shift to working from home, this means that users are protected no matter where or how they browse the web. Web Content Filtering in Microsoft Defender for Endpoint P1 and P2 protects all browsers and apps on the endpoint; note that on Windows, coverage of non-Microsoft browsers depends on Network Protection being enabled, as Microsoft Edge is covered through SmartScreen while other browsers are covered through Network Protection.
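The prevention features listed for Plan 1 above (Attack Surface Reduction rules, Controlled Folder Access, and the Network Protection that Web Content Filtering relies on) are all exposed through the built-in Defender PowerShell module. The following script is an added example written for this article; it is not taken from Microsoft's documentation or from the original post. It checks that the device is onboarded to Defender for Endpoint (the `OnboardingState` registry value is the documented indicator), then enables the features in audit mode first so that a pilot group can surface false positives before enforcement. The ASR rule GUID used is the documented identifier for "Block all Office applications from creating child processes"; the allowed-application path `C:\LOB\backup.exe` is an invented placeholder. Run it in an elevated PowerShell session on a Windows 10/11 device.

```powershell
# Added example: turn on Plan 1 prevention features in audit mode and verify the state.
# Requires an elevated session; the Defender module ships with Windows.

# 1. Confirm the device is onboarded to Defender for Endpoint.
#    OnboardingState = 1 means the Sense service has completed onboarding.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
if ($onboarded -ne 1) {
    Write-Warning "Device is not onboarded to Defender for Endpoint (OnboardingState=$onboarded); ASR events will not reach the portal."
}

# 2. Network Protection: prerequisite for Web Content Filtering in non-Microsoft browsers.
#    AuditMode logs what would be blocked; switch to Enabled once the pilot is clean.
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Controlled Folder Access: protects Documents, Pictures etc. from untrusted writers (ransomware).
#    Allow a known line-of-business application so it is not blocked when enforcement is turned on.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\LOB\backup.exe'   # placeholder path

# 4. One Attack Surface Reduction rule in audit mode:
#    D4F940AB-401B-4EFC-AADC-AD5F3C50688A = Block all Office applications from creating child processes.
$asrRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRule -AttackSurfaceReductionRules_Actions AuditMode

# 5. Read the effective configuration back so the change can be evidenced in a change record.
Get-MpPreference | Select-Object EnableNetworkProtection,
                                 EnableControlledFolderAccess,
                                 ControlledFolderAccessAllowedApplications,
                                 AttackSurfaceReductionRules_Ids,
                                 AttackSurfaceReductionRules_Actions

# 6. Audit events land in the local Defender operational log; IDs 1121/1122 are ASR block/audit,
#    1123/1124 are Controlled Folder Access block/audit. Review these before moving to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

In a real deployment these settings would normally be pushed from Intune or Group Policy rather than scripted per device, but the local cmdlets are the quickest way to confirm what a given endpoint is actually enforcing. Values of 1 (Enabled), 2 (AuditMode) and 6 (Warn) in `AttackSurfaceReductionRules_Actions` map positionally to the GUIDs in `AttackSurfaceReductionRules_Ids`.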
Whilst the list of features included in P1 is extensive, it misses out on the advanced capabilities available in P2.
Plan 2 includes Endpoint Detection and Response, alongside Automated Investigation and Remediation, which together provide the visibility and response capability needed to detect and contain a breach rather than only prevent one. Automated Investigation and Remediation significantly lowers the time taken to remediate an attack, helping the business get back online more quickly. Because the Plan 2 capabilities are driven by behavioural analytics and cloud-delivered threat intelligence rather than relying solely on definition-based detection, organizations are better placed to detect the latest malware, threats, and zero-day attacks, although no product can guarantee protection against every new technique.
The new P1 offering no longer requires the more expensive E5 licence; it is included in Microsoft 365 E3 (and A3). It will also be available for purchase Standalone, meaning organizations that wish to use Defender for Endpoint outside of an M365 E3 or E5 agreement will be able to purchase either Plan 1 or Plan 2 as a Standalone option.
Note: At the time of writing, Defender for Endpoint P1 is in preview and not available for purchase. Availability and pricing for the Standalone offering is expected towards the end of 2021.
By splitting Microsoft Defender for Endpoint into P1 and P2, Microsoft have provided affordable threat protection for most organizations, which may help ensure they don’t fall back to third-party offerings to meet their endpoint security requirements.