Defender for Endpoint comes in a few different flavours and editions and is available via many routes.
This will explain them.
Defender for Endpoint (for end-user computers)
There are three main plans:
- Defender for Endpoint Plan 1
- Defender for Endpoint Plan 2
- Defender for Business
Each plan is available as a standalone SKU via NCE.
What are they included with?
- Microsoft 365 Business Premium – Defender for Business
- Microsoft 365 E3 – Defender for Endpoint P1 (as of 2021)
- Microsoft 365 E5 – Defender for Endpoint P2
What are the core features of each plan?
Defender for Servers
If you wish to protect servers, Microsoft has a few plans for this situation.
The currently documented and recommended way of procuring and deploying Defender for Servers is via an Azure Subscription.
For on-premise servers, they should be onboarded to Azure Arc where they become available in Defender for Cloud. In Defender for Cloud you can toggle the appropriate plan name. When enabled, Azure Arc will push the Defender for Endpoint extension to the VM, which contains the Defender onboarding script.
There are three main plan names:
- Defender for Servers Plan 1
- Defender for Servers Plan 2
- Defender for Endpoint Server (via NCE) – What this includes is pretty hard to find. My assumption is that it’s Defender for Endpoint P2, but for servers.
Defender for Servers Plan 1 contains the product Defender for Endpoint P2. This is described here – Select a Defender for Servers plan – Microsoft Defender for Cloud | Microsoft Learn
The logic of this is that “Servers are Endpoints”.
Defender for Servers is a plan name which contains additional features the customer might want and it is activated in Azure, as part of Defender for Cloud. The main one customers benefit from here on price is Free data ingestion (500 MB) to Log Analytics workspaces.
What are the cost implications for Defender for Server?
Whichever plan is selected, log ingestion is free for the first 30 days.
If our whole exercise is about providing adequate protection using broadly similar features as the customer end-user endpoints have (Defender for Endpoint P2), then Defender for Servers Plan 1 will serve this purpose*
*If the customer’s log ingestion is more than 500MB/server per day, they would likely save money by using Defender for Servers Plan 2.
Example Scenario
The customer:
- Has 150 users who are licensed with Microsoft 365 E3
- Has 75 on-premise servers running Server 2016
You might require a customer to have:
- Threat hunting capabilities across all devices
- Live response for servers
These demands are covered in Defender for Servers Plan 1, but it is likely more cost effective to recommend Plan 2.
The products they need to buy in addition:
| Product Name | RRP (as of May 2024) | Quantity | Total |
| Defender for Endpoint P2 | £4.30 | 150 | £645 / month |
| Defender for Servers Plan 2 | £11.717 | 75 | £879.775 / month |
Ingestion Costs
If we assume 10GB of data was uploaded per day, per server.
Cost Comparison Summary
Defender for Servers Plan 1:
- Cost per Server per Month: £3.937
- Data Ingestion Cost (10 GB per server): £23.12
- Total Cost per Server per Month: £27.057
- Total Monthly Cost for 75 Servers: £2,029.275
Defender for Servers Plan 2:
- Cost per Server per Month: £11.717
- Included Data Ingestion: 500 MB per day (no extra cost as it covers daily usage)
- Total Cost per Server per Month: £11.717
- Total Monthly Cost for 75 Servers: £879.775
Conclusion:
Defender for Servers Plan 2 is more cost-effective at £879.775 per month for 75 servers compared to £2,029.275 per month under Plan 1. Plan 2 offers sufficient daily data ingestion (500 MB) that fully covers the required 333.33 MB per day per server without additional charges.