
Microsoft Defender for Endpoint Pricing India 2026 — P1 vs P2 Plans, M365 Bundles and Standalone Costs

Microsoft Defender for Endpoint is one of the most widely deployed endpoint security platforms in India — and also one of the most under-utilised. Many Indian businesses running Microsoft 365 Business Premium or E3/E5 already have Defender for Endpoint included in their license. They simply have not activated or configured it.

This guide covers exactly what Defender for Endpoint costs in India, which Microsoft 365 plan includes which level of Defender protection, and how to get the most out of what you are already paying for.


Microsoft Defender for Endpoint — Two Plans

Defender for Endpoint is available in two tiers — Plan 1 (P1) and Plan 2 (P2). These are not just marketing names; they represent meaningfully different capability levels.

Microsoft Defender for Endpoint Plan 1 (P1)

The foundational tier — providing core endpoint security without full EDR investigation capabilities.

What P1 includes:

Next-Generation Protection:

  • Cloud-delivered antivirus with machine learning-based detection
  • Behavioral blocking — detects malicious process behaviour without signature match
  • Ransomware protection via Controlled Folder Access — blocks unauthorised write access to protected folders
  • Network protection — blocks connections to malicious domains (requires network protection policy)

Attack Surface Reduction (ASR) Rules: Over 30 configurable rules that block specific attack techniques at the system level:

  • Block Office macros from spawning child processes
  • Block credential stealing from Windows LSASS
  • Block script obfuscation techniques
  • Block executable content from email attachments
  • Block untrusted or unsigned processes from running from USB

Device Control: Policy-based control over USB devices — block all USB storage, allow specific approved devices by hardware ID. Important for organisations with insider threat concerns or compliance requirements around data exfiltration.

Basic Vulnerability Management: Identifies which devices have known CVEs and provides a prioritised remediation list.

Windows Defender Firewall and Network Protection: Centralised management of Windows Firewall policies across all enrolled endpoints.

Best for: Organisations on Microsoft 365 Business Premium (where P1 is included) that want properly configured endpoint protection beyond default Windows Defender settings.


Microsoft Defender for Endpoint Plan 2 (P2)

The full enterprise EDR platform — adds deep investigation, threat hunting, and automated response to P1's prevention capabilities.

Everything in P1, plus:

Endpoint Detection and Response (EDR):

  • Complete activity timeline for every endpoint — every process, file, network connection, and registry change recorded and searchable for up to 6 months
  • Alert investigation dashboard — alerts with full kill-chain context assembled automatically
  • Incident management — link related alerts into unified incident timelines across endpoints

Advanced Threat Hunting: Query the full endpoint telemetry dataset using Microsoft's KQL (Kusto Query Language). Proactively search for indicators of compromise, TTPs from threat intelligence feeds, or custom hunt queries across your entire device fleet — retroactively, over up to 30 days of historical data (180 days with Microsoft Sentinel integration).

Automated Investigation and Response (AIR): When a high-confidence alert is triggered, Defender P2 launches an automated investigation that follows lateral movement indicators, queries related endpoints, determines scope and impact, and recommends or auto-executes containment actions (device isolation, process kill, file quarantine). This reduces analyst workload by automating repetitive investigation steps.

Threat and Vulnerability Management (TVM) Advanced: Full TVM with software inventory, configuration assessment, browser extension visibility, and certificate inventory. Integration with Microsoft Intune for direct patch deployment from the security console.

Microsoft Threat Experts: Access to Microsoft's managed threat hunting team — targeted attack notifications when high-confidence threats are detected in your environment.

Sandbox Detonation (Deep Analysis): Submit suspicious files to Microsoft's cloud sandbox for full detonation analysis — detailed behavioural report of what the file does when executed.


Which Microsoft 365 Plan Includes Defender for Endpoint?

| Microsoft 365 Plan | Defender for Endpoint Included |
|---|---|
| Microsoft 365 Business Basic | None |
| Microsoft 365 Business Standard | None |
| Microsoft 365 Business Premium | Defender for Endpoint P1 |
| Microsoft 365 Apps for Enterprise | None (apps only) |
| Microsoft 365 E3 | Defender for Endpoint P1 |
| Microsoft 365 E5 | Defender for Endpoint P2 |
| Microsoft 365 E5 Security add-on (on E3) | Defender for Endpoint P2 |
| Windows 10/11 E5 | Defender for Endpoint P2 |

The most important insight for Indian businesses:

If you are on Microsoft 365 Business Premium and have never configured Defender for Endpoint, you are running an endpoint security platform with zero effective configuration. Default Windows Defender settings are not a properly configured Defender for Endpoint P1 deployment: Attack Surface Reduction rules are disabled by default, Network protection is disabled by default, and Device control is unconfigured. Cloudfy can activate and configure all P1 capabilities in your existing plan.


Standalone Defender for Endpoint Pricing — India 2026

For organisations not on Microsoft 365 or needing P2 on non-M365 deployments:

Defender for Endpoint P1 (standalone): Available as a standalone subscription for Windows, Mac, Linux, iOS, and Android. Per-device, per-month subscription. Contact Cloudfy for current INR pricing.

Defender for Endpoint P2 (standalone): Full enterprise EDR available as standalone without requiring Microsoft 365 E5. Per-device, per-month subscription. Contact Cloudfy for current INR pricing.

Microsoft 365 E5 Security Add-On (on E3): For organisations on E3 that want P2-level security without upgrading to full E5 — the E5 Security add-on (approximately ₹870/user/month, contact Cloudfy for current rate) provides Defender for Endpoint P2, Defender for Office 365 P2, Defender for Identity, and Defender for Cloud Apps on top of an existing E3 subscription.


Defender for Endpoint vs CrowdStrike vs SentinelOne — India 2026

| Dimension | Defender for Endpoint P2 | CrowdStrike Falcon Pro | SentinelOne Singularity |
|---|---|---|---|
| Gartner MQ | Leader | Leader | Leader |
| EDR completeness | Strong (6-month data retention) | Very strong | Very strong |
| Linux EDR | Available (improving) | Strongest in market | Very strong |
| Ransomware rollback | Basic (Controlled Folder Access) | Limited | Yes — automated rollback |
| Management console | Defender XDR (excellent) | Falcon Console (excellent) | S1 Management (good) |
| Cost if on M365 E5 | Included — no additional cost | ~₹2,500–₹3,500/device/year | ~₹2,200–₹3,200/device/year |
| Best for | Microsoft-first on E5 | Cloud-native / Linux-heavy | Ransomware-focused, autonomous response |

Key takeaway for India: If you are on Microsoft 365 E5, Defender for Endpoint P2 is already paid for. Replacing it with CrowdStrike or SentinelOne adds ₹2,500–3,500 per device per year for incremental capability that may not justify the cost for a Microsoft-first environment. If you are not on E5, CrowdStrike and SentinelOne are strong alternatives — particularly for organisations with significant Linux server fleets.


Getting Maximum Value From Defender for Endpoint

Most Indian businesses that have Defender for Endpoint P1 are using it at less than 30% of its capability. Common gaps:

1. Attack Surface Reduction Rules not configured: ASR rules are the most impactful P1 capability, blocking specific attack techniques at the OS level. They are disabled by default and must be configured via Intune or Group Policy. Cloudfy configures ASR rules as part of any Defender deployment engagement.

2. Network Protection disabled: Network Protection blocks connections to malicious IP addresses and domains at the Windows network filter level, before any browser or application makes the connection. It must be enabled and configured.

3. Device isolation capability untested: Defender's ability to isolate a compromised device from the network (while maintaining communication with the Defender console) is one of its most powerful response capabilities. Most organisations have never tested this. Cloudfy validates isolation capability during deployment.

4. Custom detection rules not deployed: P2's advanced hunting query language (KQL) allows custom detection rules based on your environment's known-benign patterns. Out-of-the-box alert rules often generate significant noise for Indian business software such as ERP systems, GST utilities, and TDS tools. Custom rules reduce the false positive rate significantly.
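
To check gaps 1 and 2 on a single Windows endpoint, the following PowerShell audit (an added example, not Cloudfy's or Microsoft's own script) reads the local Defender preferences and reports the state of the five ASR rules listed earlier, Network Protection, and Controlled Folder Access. It assumes an elevated PowerShell session with the built-in Defender module; the rule GUIDs are Microsoft's published ASR rule identifiers and do not appear on this page.

```powershell
# Added example: audit the Defender settings that the page says ship disabled.
# GUIDs are Microsoft's published ASR rule IDs for the five rules listed above.
$asrRules = [ordered]@{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email and webmail'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted/unsigned processes from USB'
}
$asrState    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$toggleState = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }

$pref = Get-MpPreference

# Ids and Actions are parallel arrays; both are empty when no rule was ever set.
$configured = @{}
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i]) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
}

# A rule that is absent from the configured list is treated as Disabled (0).
$report = @(foreach ($id in $asrRules.Keys) {
    $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
    [pscustomobject]@{
        Setting = "ASR: $($asrRules[$id])"
        State   = if ($asrState.ContainsKey($action)) { $asrState[$action] } else { "Other ($action)" }
        Gap     = ($action -ne 1)   # anything short of Block is flagged for review
    }
})

# Network Protection and Controlled Folder Access use 0/1/2 = off/on/audit.
foreach ($name in 'EnableNetworkProtection', 'EnableControlledFolderAccess') {
    $value = [int]$pref.$name    # cast: the property is a byte, table keys are int
    $report += [pscustomobject]@{
        Setting = $name
        State   = if ($toggleState.ContainsKey($value)) { $toggleState[$value] } else { "Other ($value)" }
        Gap     = ($value -ne 1)
    }
}

$report | Format-Table -AutoSize
```

Rows with `Gap` set to `True` are the settings still at their disabled or audit-only state; rules in Audit mode log what they would have blocked, which is the usual staging step before switching to Block.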


Frequently Asked Questions

Does Defender for Endpoint P1 work on Mac and Linux? Yes. Defender for Endpoint P1 and P2 support Windows, macOS, iOS, Android, and Linux (major distributions: RHEL, Ubuntu, Debian, SLES, Fedora). macOS and Linux support is generally strong; Linux EDR capability is improving but not as mature as CrowdStrike on Linux.

Can Defender for Endpoint be managed without Microsoft Intune? Yes. Defender for Endpoint can be enrolled via Microsoft Intune (recommended), Group Policy (on-prem AD), SCCM/MECM, or a local script for smaller deployments. For the full management experience including ASR rule deployment and device compliance policies, Intune is recommended.

What is Microsoft Security Copilot and does it work with Defender? Microsoft Security Copilot is a generative AI security assistant that integrates with Defender XDR. It provides natural language threat investigation ("explain this incident timeline"), automated script analysis, and incident summary generation. Available as a standalone add-on.

Is Defender for Endpoint compliant with RBI and SEBI requirements? Defender for Endpoint P2's EDR capabilities, centralised alert monitoring, and 6-month data retention satisfy the endpoint security monitoring requirements referenced in RBI's IT Framework and SEBI's Cyber Security Circular. Cloudfy provides compliance documentation to support your audit process.


Ready to activate and configure Microsoft Defender for Endpoint in your organisation? Contact Cloudfy Systems — authorised Microsoft partner — for a free security posture audit and formal INR quotation.
