Introducing Microsoft Defender for Endpoint Plan 1
Published Aug 31 2021 08:49 AM 120K Views

Today, we are excited to announce the preview of a core set of our industry leading prevention and protection capabilities for client endpoints running Windows, macOS, Android, and iOS. This new solution will make it easier for more security teams across the globe to buy and adopt the best of breed fundamentals of Microsoft Defender for Endpoint.

 

The threat landscape is more complex than ever. Organizations with already limited resources are trying to keep up, while also ensuring that they have a Zero Trust security strategy that evolves with ever changing threats and their own organizational needs.

 

The endpoint remains one of the most targeted attack surfaces as new and sophisticated malware and ransomware continue to be prevalent threats. As we move into the second half of 2021, ransomware in particular continues to persist and evolve, financial damage continues to increase, and the impact is felt across numerous industries - not just in the private sector but also across public infrastructure.


Over the last year (July 2020 - July 2021), Microsoft security researchers have tracked an increase of nearly 121% in the number of organizations that encountered ransomware, as shown in the chart below.

 

Volume of organizations affected by ransomware.

 

The level of sophistication of these kinds of attacks and the speed at which they evolve requires a different approach to security, one that is based on cloud native technology, built on deep threat and human intelligence, and that can easily scale. It requires robust prevention that uses AI and machine learning to rapidly stop threats and a solution that enables a Zero Trust approach.

 

Delivering security for all

Microsoft is committed to delivering best of breed, multi-platform, and multi-cloud security for all organizations across the globe. Our aim is to offer simplified, comprehensive protection that prevents breaches and enables our customers to innovate and grow. As part of that commitment, we’re excited to offer a foundational set of our market leading endpoint security capabilities for Windows, macOS, Android, and iOS at a lower price in a new solution to be named Microsoft Defender for Endpoint Plan 1 (P1).

 

With Microsoft Defender for Endpoint P1, customers will get the following core capabilities:

  • Industry leading antimalware that is cloud-based with built-in AI that helps to stop ransomware, known and unknown malware, and other threats in their tracks.
  • Attack surface reduction capabilities that harden the device, prevent zero days, and offer granular control over access and behaviors on the endpoint.
  • Device based conditional access that offers an additional layer of data protection and breach prevention and enables a Zero Trust approach.

 

All of these capabilities stand on the same strong foundation that all Microsoft Defender for Endpoint customers benefit from today:

  • Cloud powered solution with nearly infinite scale to meet your needs – no additional IT costs, no compatibility issues, no waiting for updates.
  • Unparalleled breadth and depth of built-in threat and human intelligence powered by machine learning models and AI.
  • A unified solution offering unmatched threat visibility, incident correlation and insight, and a world class SecOps experience as part of Microsoft 365 Defender – our XDR solution.

Microsoft Defender for Endpoint P1 delivers on our endpoint security promise to help organizations rapidly stop attacks, scale their security resources, and evolve their defenses and is available in preview today. Our existing endpoint security solution will continue to be offered without changes and named Microsoft Defender for Endpoint Plan 2 (P2).

 

Comparing solutions
The new Plan 1 is a subset of the capabilities that are in Microsoft Defender for Endpoint today - as highlighted in green in our capability graphic below. It offers organizations the foundational security they need against malware, and other threats such as ransomware, and helps organizations get started on their Zero Trust journey with capabilities that control access and behaviors on the endpoint as well as enable conditional access.

 

Microsoft Defender for Endpoint P1 offers attack surface reduction, next generation protection, APIs and integration, and a unified security experience for client endpoints including Windows, macOS, Android, and iOS.

 

Customers that seek Plan 1 are those that are looking for EPP (endpoint protection) capabilities only. Plan 1 offers best of breed fundamentals in prevention and protection for client endpoints running Windows, macOS, Android, and iOS. It includes next generation protection, device control, endpoint firewall, network protection, web content filtering, attack surface reduction rules, controlled folder access, device based conditional access, APIs and connectors, and the ability to bring your own custom threat intelligence (TI) as indicators. Finally, it includes access to the Microsoft 365 Defender security experience to view alerts and incidents, security dashboards, and device inventory, and to perform investigations and manual response actions on next generation protection events.
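The attack surface reduction rules, controlled folder access and network protection listed above are configured on the client by the built-in Defender Antivirus PowerShell module. The script below is an added example, not part of the original post or of Microsoft's documentation: it stages those three P1 prevention features on a Windows 10/11 client in audit mode first, prints what the engine is actually enforcing, and pulls the audit events a practitioner should review before switching to block. The rule GUIDs are the documented ASR rule identifiers; which rules to pick, and the choice of audit mode, are assumptions for the example. On Intune- or GPO-managed devices the policy wins over these local settings, so apply the same values through the policy instead.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session
# on a Windows 10/11 client with Defender Antivirus active.
#Requires -RunAsAdministrator

# Documented ASR rule GUIDs; the selection below is an assumption for this example.
$asrRules = @{
    'Block Office apps from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'            = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block executable content from email/webmail'     = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block execution of obfuscated scripts'           = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block process creations from PsExec and WMI'     = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Use advanced protection against ransomware'      = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

# Start in AuditMode; flip to 'Enabled' only after the audit events below look clean.
$mode = 'AuditMode'

foreach ($name in $asrRules.Keys) {
    # Add-MpPreference merges with rules already present instead of replacing the whole list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                     -AttackSurfaceReductionRules_Actions $mode
    Write-Host ("ASR {0}: {1}" -f $mode, $name)
}

# Controlled folder access (anti-ransomware) and network protection, also audited first.
Set-MpPreference -EnableControlledFolderAccess $mode
Set-MpPreference -EnableNetworkProtection $mode

# Verify the effective configuration rather than trusting the calls above.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[PSCustomObject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
    ASRRulesConfigured = @($pref.AttackSurfaceReductionRules_Ids).Count
    ControlledFolders  = $pref.EnableControlledFolderAccess   # 0 = Off, 1 = Block, 2 = Audit
    NetworkProtection  = $pref.EnableNetworkProtection        # 0 = Off, 1 = Block, 2 = Audit
} | Format-List

# Review what would have been blocked before enforcing.
# Event IDs: 1121/1122 ASR blocked/audited, 1123/1124 CFA blocked/audited,
#            1125/1126 network protection audited/blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once in audit mode, let the fleet operate for a week or two, triage the 1122/1124/1125 events (line-of-business apps that spawn child processes or write to protected folders are the usual false positives, handled with -AttackSurfaceReductionOnlyExclusions or -ControlledFolderAccessAllowedApplications), then rerun with $mode = 'Enabled'.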

 

For the most complete endpoint security solution, Plan 2 is by far the best fit for enterprises that need a solution with advanced threat prevention and detection, deep investigation and hunting capabilities, and advanced SecOps investigation and remediation tools. Plan 2 capabilities further prevent security breaches, reduce time to remediation, and minimize the scope of attacks with vulnerability management, endpoint detection and response (EDR), automated remediation, advanced hunting, sandboxing, managed hunting services, and in-depth threat intelligence and analysis about the latest malware campaigns and nation state threats.

 

The table below compares the capabilities offered in Plan 1 versus Plan 2.

 

Comparison between Microsoft Defender for Endpoint P1 and P2 capabilities. Microsoft Threat Experts includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD). Customers must apply for TAN, and EOD is available for purchase as an add-on.

 

Taking it for a spin

Let’s go through an example of how a security analyst can use the capabilities of Microsoft Defender for Endpoint P1 to discover and investigate a security event.

 

Security teams can access P1 capabilities through Microsoft 365 Defender at security.microsoft.com. Once logged in, you will land on the home page that offers a quick snapshot including a summary of active incidents, a view of your device health, and which devices may be at risk. Additional important links are located in the left-hand menu enabling teams to look at incidents and alerts, perform searches, see their device inventory, and access configuration management.

 

Screenshot of Microsoft 365 Defender portal with Microsoft Defender for Endpoint P1 capabilities.

 

The incidents queue offers high level information about each incident including its severity, threat categories, impacted entities such as users and devices, and more. Let’s take a closer look at the incident named “Multiple threat families detected on one endpoint”.

 

Incidents queue with "Multiple threat families detected on one endpoint" incident highlighted.

 

Incident summary of incident named "Multiple threat families detected on one endpoint".

 

An incident is created by correlating related alerts and behaviors, giving security teams a holistic view of the potential threat so that they can quickly assess it and take action. On the incident page, the security team can further investigate with the additional details that are included such as all the alerts associated with the incident, which users and devices were affected, MITRE ATT&CK tactics used, and all the evidence that was collected.

 

On the alerts tab, let's dive into the alert named "'Powemet' malware was blocked". This alert was generated by the antimalware engine, which combines behavior-based, heuristic, and real-time antivirus protection. Microsoft Defender for Endpoint offers one of the best antimalware capabilities in the industry, with built-in machine learning and behavioral monitoring, and consistently achieves top scores in independent AV tests.

 

Alerts list that is part of the incident. Alert named "'Powemet' malware was blocked" is highlighted.

 

In the Alert page, the security team can see rich and insightful information regarding the specific alert and the execution process. In this example we can see that Cmd.exe launched the attack that was detected as “Powemet”.

 

Alert details with process tree.

 

By analyzing the process execution tree and the flow of the attack, the security team can assess the threat and then take remediation actions directly from the Alert page. This can easily be done by clicking the ellipses next to the device at the top of the alert page. There, the security team has a range of actions available to them such as:

  • Opening the device page for more detail
  • Managing the device tags
  • Performing an AV scan
  • Collecting an investigation package
  • Restricting app execution
  • Isolating a device

 

Drop-down menu showing available action options for the device.

 

Depending on what is needed, the security analyst can take the appropriate action right in the console to continue their investigation and remediation steps.
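The same manual response actions are exposed through the Defender for Endpoint REST API (the "APIs and connectors" capability P1 includes), which is how you would wire them into a SOAR playbook or a ticketing workflow instead of clicking through the alert page. The script below is an added example, not code from the original post: it locates the device behind an open high-severity "malware was blocked" alert, then runs the least disruptive actions from the list above (AV scan, investigation package, restrict app execution) and polls each machine action to completion, leaving isolation commented out as the last resort. It assumes an Azure AD app registration granted the application permissions Machine.Read.All, Alert.Read.All, Machine.Scan, Machine.CollectForensics, Machine.RestrictExecution and Machine.Isolate; the tenant ID, app ID and the MDE_CLIENT_SECRET environment variable are placeholders, and the helper name Invoke-MdeMachineAction is the example's own.

```powershell
# Added example (not from the original post). Placeholders must be replaced with your own values.
$tenantId     = '<tenant-id>'
$clientId     = '<app-id>'
$clientSecret = $env:MDE_CLIENT_SECRET    # keep the secret out of the script body
$apiBase      = 'https://api.securitycenter.microsoft.com/api'

# 1. Client-credentials token scoped to the Defender for Endpoint API.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }).access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. Find the device behind an open high-severity "blocked malware" alert
#    (mirrors the incident walkthrough above).
$alerts = (Invoke-RestMethod -Headers $headers `
    -Uri "$apiBase/alerts?`$filter=severity eq 'High' and status eq 'New'").value
$alert = $alerts | Where-Object { $_.title -like '*malware was blocked*' } | Select-Object -First 1
if (-not $alert) { throw 'No matching open alert found' }
$machineId = $alert.machineId
Write-Host "Alert '$($alert.title)' on $($alert.computerDnsName) ($machineId)"

# 3. Helper (example's own name): every response action is a POST with a mandatory
#    Comment and returns a machineAction object whose status must be polled.
function Invoke-MdeMachineAction {
    param([string]$MachineId, [string]$Action, [hashtable]$Body)
    $Body['Comment'] = "P1 walkthrough: $Action for alert $($alert.id)"
    Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
        -Uri "$apiBase/machines/$MachineId/$Action" -Body ($Body | ConvertTo-Json)
}

# Least disruptive first; escalate only if the evidence in the package warrants it.
$actions = @(
    @{ Action = 'runAntiVirusScan';            Body = @{ ScanType = 'Full' } }
    @{ Action = 'collectInvestigationPackage'; Body = @{} }
    @{ Action = 'restrictCodeExecution';       Body = @{} }
    # @{ Action = 'isolate';                   Body = @{ IsolationType = 'Selective' } }  # last resort
)

foreach ($a in $actions) {
    $result = Invoke-MdeMachineAction -MachineId $machineId -Action $a.Action -Body $a.Body
    # 4. Poll until the action leaves Pending/InProgress (Succeeded, Failed, TimeOut, Cancelled).
    do {
        Start-Sleep -Seconds 15
        $result = Invoke-RestMethod -Headers $headers -Uri "$apiBase/machineactions/$($result.id)"
    } while ($result.status -in 'Pending', 'InProgress')
    Write-Host ("{0,-30} {1}" -f $a.Action, $result.status)
}
```

Two points worth keeping in mind when productionizing this: grant the app registration only the Machine.* permissions for the actions the playbook actually takes (an app that can isolate every device in the tenant is itself a high-value target), and record the machine action IDs so an analyst can undo a restriction or isolation from the portal or via the matching unrestrict/unisolate calls.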


Licensing
During this public preview, organizations can try out Microsoft Defender for Endpoint P1 for free. General availability is estimated to be later this year. Once generally available, Plan 1 will be offered in two ways:

  1. As a standalone SKU licensed per user. Eligible licensed users will be able to use Microsoft Defender for Endpoint Plan 1 on up to five concurrent devices.
  2. Included as part of Microsoft 365 E3/A3 with the same per user model and device entitlements as stated above.

For those customers that already have Microsoft 365 E3/A3, you will automatically get Microsoft Defender for Endpoint P1 capabilities when they become generally available. There will be a few steps you will have to take to enable this – we will share that information in detail closer to general availability.

 

Those organizations that own licenses that include Microsoft Defender for Endpoint P2 will not be eligible for P1. These licenses are already entitled to the full comprehensive solution that is P2.

 

Microsoft Defender for Endpoint P1 capabilities are offered as a standalone license or as part of Microsoft 365 E3.

 

How to get started

For detailed information on Microsoft Defender for Endpoint P1 capabilities and deployment guidelines please visit our documentation page

 

Microsoft Defender for Endpoint P1 supports client endpoints running Windows 7*, 8.1, 10, 11, macOS, Android, and iOS. To get started, organizations can sign up for the preview. After signing up, customers will be able to try P1 for free for 90 days. After the 90 days is up, we recommend that organizations work with their Microsoft account team or their cloud service provider (CSP) to purchase P1 licenses.

 

For detailed hardware and software requirements, please visit our documentation.

 

We’re excited to offer more options for organizations across the globe to be able to adopt our industry leading endpoint security capabilities. Customer feedback is critical to us and our development process. We are grateful to the many customers who have given us their input and look forward to hearing more from you. Please don’t hesitate to reach out with your thoughts either in the comments or by clicking on the “Give feedback” button in Microsoft 365 Defender.

 

* Windows 7 requires Extended Security Updates (ESU) for support. For more information on Windows 7 ESU, please check out the FAQ

 

42 Comments
Copper Contributor

Is there a reason why Linux is not mentioned here at all?

Copper Contributor

@ENEMIESENEMY MDE for Linux workstations is not currently supported, so for Linux Server, the MDE Server SKU is required.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoin... 

Copper Contributor

Cannot even register without the signup page saying the session has timed out

Microsoft

@PeteED - Feel free to send me a DM if you continue to have this issue. 

Copper Contributor

Is MDE P1 available in GCC/M365 G3? 

If not, when can we anticipate availability for our Government customers?

Brass Contributor

Great stuff, been waiting for this to drop.

 

Can you please clarify on licensing: is there any impact on a customer who is still licensed for EMS E3 and Windows Enterprise as separate SKU's, i.e. not M365?

Brass Contributor

That's great news! We don't need to depend on a CSP! Next step is to release plan 2!

Copper Contributor

Nice :hearteyes:

Is there any update on when the following capabilities will go live?

The following capabilities are not currently supported on macOS endpoints:

    Data loss prevention
    Live response

 There are very few reasons why an org with split endpoints would look elsewhere if these were available. 

Iron Contributor

This plan 1 does not come with intune?

 

{ "shellProps": { "sessionId": "07fcc1c4ef8c42f7bdcfb4882a734754", "extName": "Microsoft_Intune_DeviceSettings", "contentName": "TenantStatusBlade", "code": 403 }, "error": { "message": "No Permission", "code": 403 }}

 


 

crap services, waste of time

Copper Contributor

Is it available in the A3 student-use benefit?

Copper Contributor

Great article, thanks.

A very basic question: "How to purchase Microsoft Defender for Endpoint P1". So how to purchase?

Been running a trial for some time, but do not see an option in Admin Center -> Billing -> Your Products.

 

Thanks in advance.

Brass Contributor

Great news this will further increase the cost-benefit of consolidating on the MS security stack. I see from above that you are rolling Def for EP P1 into the E3 bundle is this going to also be included in Business Premium?

 

Microsoft

@Pieterhancke - per the blog, there are only two licensing options, a standalone P1 license or inclusion in M365 E3/A3. There is no impact on any other licenses beyond that. 

Microsoft

@demichev - we only just launched this into preview. As part of the preview, its free to try it. It's not available to purchase until it becomes generally available.

Microsoft

@James Andrewartha - it is not included in the student use benefits.

Copper Contributor

I also have a question if this will be bundled with Business Premium and if there are any plans on some kind of device license. How can we correctly license a kiosk device deployed from Intune as an example?

@Kurt Shintaku GCC cloud is on our roadmap and will be offered post GA.

@Erik Wold@PaulCDicker  Currently there is no plan to integrate MDE P1 as part of M365BP. 

@Pieterhancke No impact on EMS/Windows licenses.

 

Brass Contributor

Could you clarify whether "Microsoft 365 E5 Security" (bundle) includes MDE P2?

 

Iron Contributor

Thanks, @Barak Klinghofer for your clarification. I will wait.

Microsoft

@jjsantanna - yes it does.

Brass Contributor

Thanks @Barak Klinghofer  roll on October 

Steel Contributor

Everything's working so far, all good. Any info about price of this P1?

Copper Contributor

Are there any plans for a device license for defender for endpoint or how can we correctly license a kiosk device deployed from Intune as an example? Can't find a straight answer to this (may have missed an answer to this somewhere in the thread).

Copper Contributor

I'm wondering if P1 is enough for a company that uses Sentinel and collects logs for security purposes. Or do you need P2 to be able to get any benefit at all?

Iron Contributor

Hi @Barak Klinghofer The reply to my post seems to be deleted.

Do we still need intune for Microsoft Defender for Endpoint Plan 1?

 

Regards

Andrew

 

Brass Contributor

Hi @Andrew_Woo,

 

The current Defender product can be deployed 1) manually, 2) using group policy, 3) using 3rd party RMM, or the ideal way, 4) Intune.

 

To answer your question, no you do not "need" Intune, but it is definitely recommended.

 

-jon

Copper Contributor

Will P1 include the features necessary to enable Cloud App Discovery?

Copper Contributor

I got a reply through other channels:

Yes, P1 will enable the endpoints for Cloud App Discovery!

https://twitter.com/HeikeRitter/status/1445813236683530250?s=20

Brass Contributor

Is advanced hunting part of P1? Although this feature is part of "Endpoint detection and response" I imagine it should also be available in P1. Am I right or wrong?

Copper Contributor

Hi,

 

The product documentation mentions that MDE P1 is for Win 10, not Windows Server. MDE P2 is required for Windows Server.

 

MDE P2 requires a minimum of 50 licenses to obtain Server licenses. Is there any information as to whether MDE P1 would satisfy the 50 license requirement to obtain Server licenses?

 

Or would MDE P1 be opened up to Server Operating Systems when it reaches GA? Or maybe we could mix and match P1 and P2 standalone SKUs without the license limits perhaps?

 

Regards,

Brass Contributor

Hi Team

Do we have a GA date yet? Already have Partners looking for the Standalone DFE P1, Or is there a particular Ignite session we should be attending for announcements?

 

Thanks

Iron Contributor

I am waiting this as well.

 

Already pissed off with the Intune notifications.

 

Copper Contributor

What happens in a scenario where an organisation has a mixture of E3 / E5 licenses where devices are shared? For example of an E5 user logged in one week, then an E3 user logged in the next. My assumption is that all P2 capabilities will still apply therefore would be breaking the licenses rules?

 

thanks

Silver Contributor

I just had a client ask me if MDE P1 would provide them the ability to block unsanctioned apps through the integration with Defender for Cloud App (MCAS), or does that functionality require MDE P2

Brass Contributor

Will MDE P1 receive notifications of any virus or malware attacks from the security.microsoft.com portal?

 

 

Copper Contributor

Can I license my Microsoft 365 A3 organization with Defender for Endpoint P2 with the Step-up licensing or do I need to license then with Security A5?

Brass Contributor

First of all, congrats on a great feature!

It would be even more amazing to be able to define the time frame in which content filtering or indicators take effect to allow/block web access. For example, there may be scenarios where access to otherwise blocked categories is allowed during lunch breaks.

Copper Contributor

I have the Defender for Server enabled on the cloud servers. Defender for Endpoint comes bundled as part of that offering. Which Defender for Endpoint license is activated, when I enable Defender for Server, or is it just about sharing the insights from Defender for Endpoint to the Defender for Cloud.
Looking for some clarification on this..

Iron Contributor

@Barak Klinghofer @Kasia Kaplinska We switched to Dell CSP licensing model back on November 2021. Does our Microsoft 365 E3 include upgrade to Defender Plan 1 on the CSP licensing model?

 

I asked our Dell licensing rep, they have no clue about this offering and keep telling me it's not part of Microsoft 365 E3 and we need to include Add-on for MS Defender for Endpoint to enable that license. 

Microsoft

For anyone reading this who may be looking for step-by-step guidance on how to install Microsoft Defender for Endpoint, be sure to review the Defender setup guide in the Microsoft 365 admin center.

 

The guide has a feature that detects settings in your tenant to provide tailored guidance. The setup guide is used to configure features as well as save time with automated investigation and response. 

 

Note: If you don't have Microsoft 365 admin permissions, open the guide in a test or POC tenant to get instructions.

Last update: Sep 14 2021 01:05 PM