Setup Guide For Microsoft Defender Plan 1 and 2

Created by Charles Baxter, Modified on Fri, 22 May at 11:21 AM by Charles Baxter

Overview of Microsoft Defender for Endpoint Plans

Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps prevent, detect, investigate, and respond to advanced threats across Windows, macOS, Linux, iOS, and Android devices.

Microsoft offers two enterprise plans:

- Defender for Endpoint Plan 1 (P1) – core endpoint protection.
- Defender for Endpoint Plan 2 (P2) – full enterprise‑grade endpoint detection and response (EDR), investigation, and automation capabilities.

P1 focuses on strong prevention and basic management, while P2 adds advanced detection, hunting, and automated response for security operations teams.


Microsoft Defender for Endpoint Plan 1 – Description

Defender for Endpoint Plan 1 provides essential endpoint protection and is typically sufficient for organizations that need strong prevention and basic management without full EDR or hunting capabilities.

Key capabilities include:

- Next‑generation protection: cloud‑powered antivirus and anti‑malware that blocks known and emerging threats.
- Attack surface reduction (ASR): rules to constrain risky behaviors, plus network protection, web protection, device control, and controlled folder access for ransomware mitigation.
- Centralized management: policy and configuration through Intune, Configuration Manager, Group Policy, or scripts, with visibility in the Microsoft Defender portal.
- Cross‑platform support: protection for Windows clients and servers, macOS, Linux, iOS, and Android once the devices are onboarded appropriately.

Plan 1 licensing is available standalone or as part of certain Microsoft 365 enterprise plans such as E3/A3/G3.


Microsoft Defender for Endpoint Plan 2 – Description

Defender for Endpoint Plan 2 includes all Plan 1 features and adds a full EDR and threat‑hunting platform aimed at security operations (SOC) teams.

Additional capabilities include:

- Endpoint detection and response (EDR): advanced behavioral detections, rich incident timelines, and response actions (isolate device, collect investigation package, kill process, etc.).
- Advanced hunting: query‑based hunting across endpoint data to proactively find suspicious activity and build custom detections.
- Automated investigation and remediation (AIR): automated playbooks that investigate alerts and remediate threats, reducing the time needed to contain incidents.
- Threat analytics and Secure Score for Devices: threat intelligence, exposure insights, and prioritized recommendations to improve security posture.
- Deeper integration and expert support: tight integration with other Defender products and the option of managed threat monitoring from Microsoft or partners.

Plan 2 is usually included with Microsoft 365 E5 or available as an add‑on for other SKUs. It is recommended for organizations with a SOC, regulatory requirements, or a higher risk profile.



Common Setup Steps for Plan 1 and Plan 2

Although the feature sets differ, the setup flow for Plan 1 and Plan 2 is largely the same. Microsoft documents a standard sequence:

- Review prerequisites and licensing: confirm that the correct licenses (P1 or P2) are assigned to users, and verify the supported operating systems and the datacenter region choice (EU/UK/US).
- Plan your deployment method: choose how devices will be onboarded and managed, for example Intune (cloud‑native management), Intune + Configuration Manager (hybrid), Configuration Manager alone, or a local script for pilots and small test groups.
- Set up the tenant environment: configure the tenant and verify connectivity from endpoints to the Defender cloud services (proxies, firewalls, sensors).
- Assign roles and permissions: use Microsoft Entra (Azure AD) roles / RBAC such as Security Administrator, Security Operator, and Security Reader to grant least‑privilege access to the Microsoft Defender portal.
- Onboard endpoints: use the selected method (Intune, ConfigMgr, GPO, or script) to onboard Windows, macOS, Linux, iOS, and Android devices.
- Configure protection policies: create and assign antivirus, firewall, attack surface reduction, web protection, and device control policies using Intune or other tools.

The remaining sections summarize how to perform these steps using Intune, which is Microsoft’s recommended management platform.



Step‑by‑Step: Setting up Defender for Endpoint Plan 1

1. Verify requirements and licensing

In the Microsoft 365 admin center, check that Defender for Endpoint Plan 1 licenses are available and assigned to the users whose devices you want to protect. Confirm that target devices run supported OS versions (for example, Windows 10 1709+ or Windows 11).

2. Plan the deployment model

Most organizations use one of these approaches:

- Intune only for cloud‑managed clients.
- Configuration Manager + Intune for hybrid environments.
- GPO or local script for specific on‑premises or small pilot deployments.

3. Prepare your tenant

Follow Microsoft’s “Set up Defender for Endpoint” guidance: verify the tenant configuration and proxy settings if required, and ensure that Defender sensors can report to the service.

4. Assign security roles

In Microsoft Entra ID and the Microsoft Defender portal:

- Assign Security Administrator or Global Administrator to only a limited number of users.
- Use the Security Operator and Security Reader roles for day‑to‑day SOC work and read‑only access.

5. Onboard devices

From the Microsoft Defender portal:

- Go to Settings → Endpoints → Device onboarding.
- Choose your onboarding method (Intune, Configuration Manager, Group Policy, or script).
- Download and apply the onboarding package/policy to the target devices.
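Once the package or policy has reached a pilot device, the checks below confirm locally that it actually onboarded before you rely on the portal view. This is an added example, not part of the original article or of Microsoft's onboarding package; the function name Test-MdeOnboarding is made up for it, and it assumes an elevated PowerShell session on the Windows device being checked.

```powershell
# Added example (not from the original article): verify locally that a Windows
# device completed onboarding after the package/policy from step 5 was applied.
# Assumes an elevated PowerShell session on the target device.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()
    $result = [ordered]@{}

    # The Defender for Endpoint sensor runs as the "Sense" service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServicePresent = [bool]$sense
    $result.SenseServiceRunning = [bool]($sense -and $sense.Status -eq 'Running')

    # Onboarding state is recorded under the Windows Advanced Threat Protection key (1 = onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state
    $result.Onboarded       = ($state -eq 1)

    # Microsoft Defender Antivirus must be healthy for the AV and ASR policies of steps 6 and 7 to apply.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AMRunningMode      = $mp.AMRunningMode
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.TamperProtected    = $mp.IsTamperProtected
        $result.SignatureAgeHours  = [math]::Round(((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalHours, 1)
    }

    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.Onboarded -or -not $check.SenseServiceRunning) {
    Write-Warning 'Device is not fully onboarded: re-apply the onboarding package and check proxy/firewall connectivity to the Defender cloud service (step 3).'
}
```

A device that passes these checks but still does not show sensor data in the portal usually has a connectivity problem to the Defender cloud endpoints rather than an onboarding problem.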


6. Configure next‑generation protection

Using Intune for Windows clients:

- Go to Intune admin center → Endpoint security → Antivirus.
- Create or edit a Microsoft Defender Antivirus policy for Windows 10, Windows 11, and Windows Server.
- Configure settings such as real‑time protection, cloud‑delivered protection, scan schedules, and remediation actions.
- Assign the policy to the relevant device or user groups and save.

7. Configure attack surface reduction (ASR)

Still in Intune:

- Go to Endpoint security → Attack surface reduction.
- Create policies for attack surface reduction rules (for example, rules that block credential theft, vulnerable drivers, and suspicious scripts), controlled folder access for ransomware mitigation, and network protection and web protection.
- Start in audit mode where necessary, review the impact, then move to block mode.
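The audit-then-block rollout of step 7, as an added example for a local pilot device rather than the Intune policy itself (this code is not from the original article or from Microsoft). The function names Set-AsrPilotMode and Get-AsrAuditSummary are made up for the example; it assumes an elevated PowerShell session on a Windows 10/11 device with Microsoft Defender Antivirus active, and that the device is not yet receiving a conflicting Intune policy.

```powershell
# Added example (not from the original article): script equivalent of step 7 for a
# pilot device. It rolls the named ASR controls out in audit mode, summarizes the
# audit events they generate, then switches them to block mode.
# Assumes an elevated PowerShell session on a Windows 10/11 device with Microsoft
# Defender Antivirus active; on Intune-managed devices the assigned policy wins.

# GUIDs of the three rules the article names.
$AsrRules = @{
    'Block credential stealing from LSASS'              = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block abuse of exploited vulnerable signed drivers' = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block execution of potentially obfuscated scripts'  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

function Set-AsrPilotMode {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode)
    foreach ($rule in $AsrRules.GetEnumerator()) {
        # One call per rule keeps the Ids/Actions arrays aligned.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
    # Controlled folder access and network protection accept the same AuditMode/Enabled values.
    Set-MpPreference -EnableControlledFolderAccess $Mode -EnableNetworkProtection $Mode
}

function Get-AsrAuditSummary {
    param([int]$Days = 7)
    # Audit-mode hits are logged with their own event IDs; block-mode hits use 1121, 1123 and 1126.
    $auditIds = @{ 1122 = 'ASR rule'; 1124 = 'Controlled folder access'; 1125 = 'Network protection' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($auditIds.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{ Feature = $auditIds[[int]$_.Name]; AuditHits = $_.Count }
        }
}

# 1. Audit first and let pilot users work normally for a while.
Set-AsrPilotMode -Mode AuditMode

# 2. Review what would have been blocked and investigate each hit before enforcing.
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize

# 3. Once the audit hits are understood (and exclusions are in place), enforce.
# Set-AsrPilotMode -Mode Enabled
```

The same event IDs are what the Intune-deployed policy produces, so the summary function is also a quick way to review impact on a device after the portal policy is assigned.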


At this point, Plan 1 is fully operational with centralized management and hardened prevention controls in place.




Step‑by‑Step: Setting up Defender for Endpoint Plan 2

Plan 2 deployment starts with all the same steps as Plan 1, then adds EDR, hunting, and automation configuration.

1. Complete Plan 1 setup

Ensure all Plan 1 steps (licensing, onboarding, AV/ASR policies) are already in place for the devices that will use Plan 2.

2. Enable and tune EDR capabilities

In the Microsoft Defender portal:

- Confirm that onboarded devices appear in the portal with sensor data.
- Review the default EDR detection and alerting behavior.
- Configure response settings (for example, whether devices can be isolated and whether files can be quarantined remotely).

3. Configure advanced hunting

In the Microsoft Defender portal, use Advanced hunting to run queries across endpoint data.

- Start with Microsoft’s sample queries, then build custom queries for your environment (for example, specific tools, locations, or behaviors you care about).
- Convert critical hunting queries into custom detections so they generate alerts automatically.

4. Set up automated investigation and remediation (AIR)

In the Defender portal, review the automated investigation and remediation settings and choose appropriate automation levels for different device groups. Start conservatively (for example, semi‑automated, requiring approval for certain actions), then increase automation as confidence grows.

5. Use threat analytics and Secure Score

Regularly review Threat analytics and Microsoft Secure Score for Devices to understand current weaknesses and recommended hardening actions. Feed these recommendations back into Intune policies and configuration baselines.


Choosing Between Plan 1 and Plan 2

In practical terms:

- Choose Plan 1 if you primarily need strong, centrally managed prevention (AV, ASR, web/network protection) and simple reporting.
- Choose Plan 2 if you need a full EDR platform: advanced detections, hunting, automated investigation and remediation, and deeper analytics across your endpoints.

