MDE is a combo of cloud-integrated, enterprise antivirus with a continuous vulnerability assessment that recommends how to make devices more secure. MDE largely monitors what is happening on devices and servers. MDE also includes manual response and investigation tools. MDE can manage servers, but it is highly focused on end user devices.
MDFC is designed to protect Azure subscriptions and the resources in those subscriptions. It can be extended to AWS, GCP, and on-prem servers for Server, SQL, and container monitoring.
MDFC has no antivirus capabilities. The sub-solution, Defender for Servers, is only for servers (obviously). MDFC focuses on monitoring how these resources are accessed externally. MDFC also has a vulnerability assessment for resources and servers. The server assessment can use the same TVM engine as MDE. Like MDE, MDFC provides security alerts and hardening recommendations.
Defender for Servers includes a license for MDE servers. You usually want both on servers (servers need MDE for AV). MDE for (non-server) devices is part of the M365 E3/E5 license.
Answer from Andrew Blumhardt on learn.microsoft.com
What are the differences between Defender for Business and Defender for Endpoint Plans 1 and 2?
Defender for Business is designed for small and medium-sized businesses that have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. Defender for Business also features simplified configuration and device onboarding options that streamline the overall setup and configuration process.
Defender for Endpoint is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats.
- Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities.
- Defender for Endpoint Plan 2 extends Plan 1 capabilities with core vulnerability management capabilities, EDR, automated investigation & remediation, threat hunting, and six months of data retention.
The following table summarizes some differences between Defender for Business and Defender for Endpoint:
| Capabilities | Defender for Business | Defender for Endpoint Plan 1 | Defender for Endpoint Plan 2 |
|---|---|---|---|
| Centralized management | | | |
| Simplified firewall and antivirus configuration for Windows | | | |
| Vulnerability management (core capabilities) | | | |
| Attack surface reduction | | | |
| Next-generation protection | | | |
| Endpoint detection & response (EDR) | (optimized) | | |
| Automatic attack disruption | | | |
| Automated investigation & remediation | | | |
| Monthly security summary reporting | | | |
| 30 days advanced hunting and six months of data retention in the device timeline | | | |
| Threat analytics | (optimized) | | |
| Cross-platform support (Mac, iOS/iPadOS, Android) | | | |
| Windows Server and Linux Server (requires server licenses) | | | |
| Microsoft Threat Experts | | | |
| Microsoft 365 Lighthouse (optimized; for CSPs only) | | | |
| Microsoft Defender multi-tenant management | | | |
| APIs | | | |
What is the difference between Microsoft Defender for Business servers and Microsoft Defender for Servers Plan 1 and Plan 2?
The following table compares server options for Defender for Business customers:
| Server license | Description |
|---|---|
| Microsoft Defender for Business servers | Microsoft Defender for Business servers is an add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium sized businesses (up to 300 users) to onboard and protect servers and client devices in the Microsoft Defender portal. |
| Microsoft Defender for Servers Plan 1 / Plan 2 | Microsoft Defender for Servers Plan 1/Plan 2 is an enterprise-focused offering that can be purchased with any other Microsoft cloud plan. This offering is part of Microsoft Defender for Cloud, and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service. The admin experience for Defender for Cloud resides within the Azure portal (https://portal.azure.com). |
Adding Defender for Cloud to a tenant that has Defender for Business doesn't change the simplified configuration experience that Defender for Business offers. The functionality in Microsoft Defender for Servers Plan 1 or Plan 2 works with Defender for Business.
Can I use non-Microsoft antivirus/antimalware software with Defender for Business?
Although you can technically onboard devices that are running a non-Microsoft antivirus/antimalware solution, you could run into an issue where real-time protection could be turned off on those devices. If real-time protection is turned off on a device, the device appears to be not protected.
In Defender for Business, real-time protection is turned on by default; however, devices running non-Microsoft antivirus/antimalware software could affect your settings.
To learn more, see I'm seeing indications that some devices aren't protected even though they're onboarded to Defender for Business.
How does the experience from a device or endpoint's perspective differ between a paid MDE subscription and native/free Windows Defender?
My specific question using an example: If I were sitting down at a Windows 11 machine, is there a CLI command (ideally PowerShell) that I could run that would tell me if I were on a paid MDE version (and ideally which one P1|P2|etc) vs the native?
My general question is: what GUI or other end user experiences would be different with using a paid MDE version? If I were prepping my end users for a migration from free Windows Defender to paid Microsoft Defender for Business, is there anything I should prep them for (i.e., this screen or dialog will look different than what you're used to)?
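The first part of the question above (a local check for "built-in Defender only" versus "onboarded to the paid Defender for Endpoint service") can be answered from the device itself. The PowerShell below is an added example and is not from any of the answers on this page. It assumes an elevated session on Windows 10/11 or Windows Server with the built-in Defender module available; it reads the `Get-MpComputerStatus` output, the state of the `Sense` service (the Defender for Endpoint sensor) and the `OnboardingState` value under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`. Which plan is licensed (P1, P2, or Defender for Business) is a tenant-level license assignment and is not recorded on the endpoint, so this check reports onboarded-or-not rather than the plan tier.

```powershell
# Added example: report whether this device is running only the built-in
# Microsoft Defender Antivirus, or is also onboarded to Microsoft Defender
# for Endpoint (MDE). Assumes an elevated PowerShell session on Windows.
# The licensed plan tier (P1 / P2 / Defender for Business) is not stored
# on the device and therefore cannot be read here.

function Get-DefenderOnboardingReport {
    [CmdletBinding()]
    param()

    # 1. Built-in Defender Antivirus state (present on every supported Windows).
    $av = Get-MpComputerStatus

    # 2. The MDE sensor runs as the "Sense" service (Windows Defender Advanced
    #    Threat Protection Service). Missing or stopped => not onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 3. Onboarding writes OnboardingState = 1 under this key; 0 or absent
    #    means the device has not been onboarded to the MDE service.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                            -ErrorAction SilentlyContinue).OnboardingState

    # Both signals must agree before we call the device "onboarded".
    $onboarded = ($onboardingState -eq 1) -and ($senseStatus -eq 'Running')

    $summary = if ($onboarded) {
        'Built-in Defender AV + Defender for Endpoint sensor (paid MDE / Defender for Business)'
    } else {
        'Built-in Defender AV only (not onboarded to Defender for Endpoint)'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AntivirusEnabled   = $av.AntivirusEnabled
        RealTimeProtection = $av.RealTimeProtectionEnabled
        TamperProtected    = $av.IsTamperProtected
        AntivirusMode      = $av.AMRunningMode   # Normal, Passive Mode, EDR Block Mode, ...
        SenseServiceStatus = $senseStatus
        OnboardingState    = $onboardingState
        OnboardedToMDE     = $onboarded
        Summary            = $summary
    }
}

Get-DefenderOnboardingReport | Format-List
```

The `AntivirusMode` field is worth watching during a migration: a device that reports `Passive Mode` still has a non-Microsoft antivirus registered as primary, which is the situation the "Can I use non-Microsoft antivirus/antimalware software" FAQ entry above describes, and real-time protection from Defender will not be the active engine on it.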
Hi @MyAzQuery ,
Microsoft Defender is the overall "brand" for Microsoft security products, and while these do have similar names as you've spotted they are different products.
In summary:
- Microsoft Defender for Endpoint, is an enterprise endpoint security platform - it incorporates things like next generation antivirus, but also includes behavioral sensors, leverages cloud based security analytics and threat intelligence in order to provide security for Windows, macOS, Linux, Android and iOS endpoints. This link provides a good overview and starting point for more information.
- Microsoft Defender for Cloud provides "Cloud Security Posture Management" (CSPM), providing a security analysis of all the resources in your cloud estates, and Cloud Workload Protection (CWP) which gives specific protection for your resources such as VMs, cloud storage, databases, security keys, containers, etc. This link provides a starting point on this service.
One of the workload protections in Defender for Cloud is "Defender for Servers" - one of the ways this provides protection of your servers is by including a license to run Defender for Endpoint on the VM, hence giving you the antivirus and other endpoint protection on that system. However, Defender for Servers also provides other protections such as Just in Time access control and adaptive network hardening.
In short, if you're looking to provide antivirus and other protections for something like your Windows endpoints (i.e. the PCs your employees use on a daily basis) then Defender for Endpoint is the product you're after. If you are looking to protect all your resources in the cloud (Azure, AWS, GCP) then Defender for Cloud is what you're after.
I hope this helps - if so, please upvote and "mark as answer" so that others will find this in the future.
-----
Got about 400 users that need an endpoint protection plan... Wondering if it is worth paying the difference on Microsoft Defender for Endpoint Plan 1 and get Microsoft Defender for Endpoint Plan 2.... Getting hassled by auditors, I guess reports from SCCM on the Microsoft Defender that is shipped with Windows doesn't cut it any more.
What is the experience out here? Do you have an opinion on either of them, better yet, maybe both? I would like to hear it.