Microsoft has recently announced that it will be releasing 2 new plans for Microsoft Defender for Endpoint, Plan 1 and Plan 2, but it is important to know the history of these security systems to understand why these new plans are such a big deal. There were 2 different security plans before this recent announcement: Microsoft Defender and Defender ATP.

Microsoft Defender

Microsoft Defender is an antivirus client that runs on your computer and is included in Windows 10. Every day, Defender downloads an update from Microsoft and uses it to look for new types of malware, viruses, files, pictures, etc. that might match a pattern from the daily downloaded file. If Defender does find a match, it blocks the file in question. This is the traditional endpoint protection that we have seen for years, including from competitors like McAfee and Symantec.

Traditional Defender relies on the daily list to compare files against. The list says something like ‘watch out for these 10,000 viruses, here’s what they look like’, but there are many that aren’t on the list. Some can’t be detected as they are either brand new, zero-day exploits, installed with permission but without knowledge, or not even malware (like a rootkit for example).

The issue is that for bigger companies, there is no management of the Defender clients; there are just a bunch of them sitting on many endpoints with no central console for management. Additionally, some customers opted not to use Defender because it is free and was assumed to not be very good, when in fact the contrary is true.

Defender ATP

After Defender, Microsoft released a new product in the cloud, Defender ATP (Advanced Threat Protection). Used in addition to Defender, it gives the ability to look at activities on endpoints and proactively determine from those activities whether they are potential threats. Instead of having to wait to download the ‘most wanted list’ to identify potential malware on your computer, the new system is constantly looking for suspicious information.

Defender ATP took endpoint protection to the next level, and it introduced a capability called EDR (endpoint detection and response). EDR detects, investigates, and responds to advanced attacks, doing much more than just matching patterns. It can see that there are suspicious activities going on within a specific machine and will alert a real person so they can investigate. This allows users to hunt for threats in software that may not have executed yet.

Today, there are a lot of sophisticated attacks utilizing the long-play approach. Malicious actors first establish themselves within a given system, and then plant seeds and wait for the right moment to attack. They then put all the systems together and turn them on at exactly the right (or wrong) moment. EDR can detect and remove some of that weird activity ahead of time, and if there is someone investigating it, they have a way to shut it down before it executes. In some cases, EDR can do an auto investigation with automatic remediation.

Defender ATP brought all these enhanced features but also caused some other issues. First, if a business wanted to manage their Defender endpoints, but didn’t want ATP because it was too complicated, they still had to buy ATP to get the security console to manage all the endpoints for Defender.

Secondly, Defender ATP is complicated. Many businesses need to hire staff or other companies who are specifically threat hunters. These teams are tasked with looking through all the events and activity and locating security issues. Even though ATP is extremely advanced and comprehensive, businesses needed someone to analyze the information coming in and make sense of it, otherwise it’s not as useful. Without a team of threat hunters, you simply have a system that is detecting and reporting activity, but nobody to investigate or remediate it. There is only so much you can do with ATP because of these two issues.

Defender for Endpoint Plans 1 and 2


Microsoft has recently broken off part of ATP and called it ‘Defender for Endpoint Plan 1’. For clients interested in utilizing all features of ATP, they are still available in Plan 2. Plan 1, however, allows users to step into some additional capabilities compared to what they may have been used to with plain old Defender. One of the new capabilities included in Plan 1 is Attack Surface Reduction. This integrates with Windows 10 to control the firewall, turn off services that are not necessary, harden the BIOS, prevent rootkits, and more, reducing users’ attack surfaces by closing vulnerabilities.

Plan 1 also installs next-generation protection, which is still Defender for Endpoint, but it doesn’t have EDR or automatic investigation. It does, however, contain centralized configuration and administration. This is what was missing from the free version of Defender initially, plus users are given attack surface reduction. By getting Plan 1, these new capabilities are introduced, and the client platform reach is extended across macOS, Android, and iOS. The attraction to Plan 1 is really the central administration feature as well as the ability to deploy across all endpoint types.

Defender for Endpoint Plan 1 is still in public preview (which Finchloom can get your business signed up for) and general availability is estimated for later in the year. Additionally, Plan 1 will be included in Microsoft 365 E3, so if your business currently utilizes Microsoft 365 E3, this becomes a new benefit of your subscription.

If your business doesn’t have Microsoft 365 E3 and would like to purchase a la carte, you can still buy Defender for Endpoint Plan 1 as a standalone. Pricing has not been released yet; however, you can learn more about the soon-to-be product directly from Microsoft here.

This blog was specifically written to inform our audience that Microsoft is opening a trial where you can use Plan 1 for 90 days. You can also start working with an account team here at Finchloom to get updated when the pricing becomes available and to get information about adding it to your subscriptions. For all the latest Microsoft info, please consider subscribing to our blog and following our LinkedIn page for weekly updates. If you would like to inquire further, please visit this page, and let us know that you are interested in Defender for Endpoint Plan 1 or 2 in the message box. Thanks for reading!