Suggestion for Ideal Defender for Endpoint License Plan

Copper Contributor

Hi Team,


We are planning to deploy Defender for Endpoint EDR for one of our clients who has around 500 endpoint devices(Windows Laptops/Desktops), 70 Windows Servers, 6 Linux servers etc. Could you suggest the ideal Defender for Endpoint plan which can cover all these devices? Thank you.



Anand R

6 Replies

Hi, @AnandRMenon,


To answer your questions, I need a little more information:


1. What Microsoft 365 or Office 365 licenses is your client already using?
2. What platform are the servers running on? Are they still on-premises, running in Microsoft Azure, or elsewhere?
3. What are your customer's minimum requirements or what minimum requirements do you have yourself?


Looking forward to your reply.

@Tiennes Thanks for the reply.


1. Our customer is currently using another email platform and not O365. Is O365 account mandatory for Defender for Endpoint?


2. All servers are On-Prem. Different variants of Windows(2012, 2016, 2019 etc.) and Linux(Ubuntu, CentOS) servers. Endpoints are primarily Windows 10.


3. The customer wants an EDR tool with antivirus capabilities which supports Endpoints, Servers etc.

@Tiennes Hi, any leads on this? Thanks a lot.

Helo @AnandRMenon, the best option for users and their endpoints, max 5, is Microsoft 365 E5, this includes collaboration, productivity, office apps on desktop, security, and compliance. It has EPP (Antivirus/Antimalware) and EDR (UEBA/IA). For servers, regardless of whether they are Linux or Windows, it is recommended that they have Microsoft Defender for Server Plan 2, this includes EPP and EDR. Also, directly from Azure with Microsoft Defender for Cloud, this includes vulnerability management.


Security for IT, Microsoft 365, Security for OT, Microsoft Defender for Cloud or Microsoft Defender for Server Plan 2.


It is not necessary for the client to move to Microsoft 365, but this would improve visibility, analysis and automation in security, if the client is still in Google, there is no problem, but collaboration would be in one provider and security in another, this is not recommended. If the customer insists on staying that way then they should centralize the security events in a SIEM + SOAR, recommended the Microsoft Sentinel.


@John Thanks for the detailed reply. Currently for Endpoints, we plan MDE Plan 2 and for Servers, Defender for Servers Plan 1 since it already has MDE integration(also, advanced features in Servers Plan 2 may not be needed in this scenario). But one confusing aspect is, Defender for Endpoint has a per user subscription whereas Defender for Servers has a per server subscription. It would have been great if MDE was also based on asset, i.e per endpoint since it's an endpoint-based tool and not a user-baser tool like O365.

Also Defender for Servers primarily needs an Azure subscription. But our customer has no Azure presence currently. So in this scenario, they need to pay for MDE Plan 2, Azure Subscription and then Defender for Servers Plan 1.

Anand R Menon
Hi @John, any leads on this? Thanks.