Defender for Endpoint comes in a few different flavours and editions and is available via many routes.

This will explain them.

Defender for Endpoint (for end-user computers)

There are three main plans:

  • Defender for Endpoint Plan 1
  • Defender for Endpoint Plan 2
  • Defender for Business

Each plan is available as a standalone SKU via NCE.

What are they included with?

  • Microsoft 365 Business Premium – Defender for Business
  • Microsoft 365 E3 – Defender for Endpoint P1 (as of 2021)
  • Microsoft 365 E5 – Defender for Endpoint P2

What are the core features of each plan?

Bundle SKUs that contain Defender… The DfB features are not truly like for like, but it gives you an idea.

Defender for Servers

If you wish to protect servers, Microsoft has a few plans for this situation.

The currently documented and recommended way of procuring and deploying Defender for Servers is via an Azure Subscription.

For on-premise servers, they should be onboarded to Azure Arc where they become available in Defender for Cloud. In Defender for Cloud you can toggle the appropriate plan name. When enabled, Azure Arc will push the Defender for Endpoint extension to the VM, which contains the Defender onboarding script.

There are three main plan names:

  • Defender for Servers Plan 1
  • Defender for Servers Plan 2
  • Defender for Endpoint Server (via NCE) – What this includes is pretty hard to find. My assumption is that it’s Defender for Endpoint P2, but for servers.


Defender for Servers Plan 1 contains the product Defender for Endpoint P2. This is described here – Select a Defender for Servers plan – Microsoft Defender for Cloud | Microsoft Learn

The logic of this is that “Servers are Endpoints”.

Defender for Servers is a plan name which contains additional features the customer might want and it is activated in Azure, as part of Defender for Cloud. The main one customers benefit from here on price is Free data ingestion (500 MB) to Log Analytics workspaces.

What are the cost implications for Defender for Server?

Whichever plan is selected, log ingestion is free for the first 30 days.

If our whole exercise is about providing adequate protection using broadly similar features as the customer end-user endpoints have (Defender for Endpoint P2), then Defender for Servers Plan 1 will serve this purpose*

*If the customer’s log ingestion is more than 500MB/server per day, they would likely save money by using Defender for Servers Plan 2.

Example Scenario

The customer:

  • Has 150 users who are licensed with Microsoft 365 E3
  • Has 75 on-premise servers running Server 2016

You might require a customer to have:

  • Threat hunting capabilities across all devices
  • Live response for servers

These demands are covered in Defender for Servers Plan 1, but it is likely more cost effective to recommend Plan 2.

The products they need to buy in addition:

Product NameRRP (as of May 2024)QuantityTotal
Defender for Endpoint P2£4.30150£645 / month
Defender for Servers Plan 2£11.71775£879.775 / month

Ingestion Costs

If we assume 10GB of data was uploaded per day, per server.

Cost Comparison Summary

Defender for Servers Plan 1:

  • Cost per Server per Month: £3.937
  • Data Ingestion Cost (10 GB per server): £23.12
  • Total Cost per Server per Month: £27.057
  • Total Monthly Cost for 75 Servers: £2,029.275

Defender for Servers Plan 2:

  • Cost per Server per Month: £11.717
  • Included Data Ingestion: 500 MB per day (no extra cost as it covers daily usage)
  • Total Cost per Server per Month: £11.717
  • Total Monthly Cost for 75 Servers: £879.775


Defender for Servers Plan 2 is more cost-effective at £879.775 per month for 75 servers compared to £2,029.275 per month under Plan 1. Plan 2 offers sufficient daily data ingestion (500 MB) that fully covers the required 333.33 MB per day per server without additional charges.