Microsoft is known for its many licensing plans, but two of them have not yet been covered here in any detail: Microsoft Defender for Endpoint Plan 1 and Plan 2, the two tiers of its endpoint detection and response (EDR) product. They are examined more closely in this article.

What Is In Plan 1?

Plan 1 includes the following types of functionality:

  1. Multiple platforms are protected:

Plan 1 covers Windows 10 version 1709 or higher, Android, iOS and macOS. Microsoft supports the three most recent major macOS releases, which at the time this was written were:

*11.5 (Big Sur);

*10.15.7 (Catalina);

*10.14.6 (Mojave).

  2. A centralized point:

Your IT Security team gets a single console (the Microsoft 365 Defender portal) that shows the threats across all onboarded devices and lets them respond from the same place. Role-based access control lets you give analysts and administrators only the rights, access and privileges their job needs, following the principle of Least Privilege. Reporting is also simplified and is organised as follows:

    • Incidents and Alerts: an alert is a single detection raised by a rule you configured or by Defender's own analytics; an incident groups the related alerts from across your company-issued devices into one case, so an attack is investigated as a whole rather than as scattered warnings.
    • Action center: a record of every remediation action that has been taken, or is still pending, in response to those detections, kept for later reference and audit.
    • Reports: summaries of the threats and attacks your organisation has experienced over time.
  3. Manual Response Actions:

These are the actions an analyst takes by hand, from the portal or through the API, to contain a threat on a device. The actions available are:

    • Run antivirus scan: launches a quick or full Microsoft Defender Antivirus scan on the selected device.
    • Isolate device: cuts the device off from the rest of your IT and network infrastructure (while keeping its channel to the Defender cloud service open) so malware on that device cannot spread any further.
    • Stop and quarantine file: stops any running process associated with a suspect file and moves the file into quarantine.
    • Add indicators: lets you register indicators of compromise (file hashes, IP addresses, URLs and domains, certificates) with an allow or a block action, so that a file you have judged malicious is blocked on every device, or one you have cleared is released and no longer flagged.
  4. Advanced levels of protection:

With this, you get next-generation antimalware protection: cloud-delivered Artificial Intelligence (AI) and Machine Learning (ML) models that classify suspicious files and behaviour around the clock and block them automatically, according to the policies you have set, without an analyst having to act. Engine and definition updates for this protection are delivered automatically as well.
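The manual response actions above can also be driven through the Defender for Endpoint REST API, which is how a SOC scripts its containment steps instead of clicking through the portal. The following is an added example, not code from the original article or from Microsoft; it assumes `$Token` already holds an OAuth2 bearer token for the `api.securitycenter.microsoft.com` resource with the machine-action and indicator permissions, and the machine ID, hashes and comments are placeholders to replace.

```powershell
# Added example: manual response actions through the Defender for Endpoint API.
# Assumption: $Token is a valid bearer token for https://api.securitycenter.microsoft.com
$ApiBase = "https://api.securitycenter.microsoft.com/api"
$Headers = @{ Authorization = "Bearer $Token" }

function Invoke-MdeAction {
    # POST a JSON body to an API path and return the resulting machineAction / indicator object
    param([Parameter(Mandatory)][string]$Path, [hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "$ApiBase/$Path" -Headers $Headers `
        -ContentType "application/json" -Body ($Body | ConvertTo-Json -Depth 5)
}

function Wait-MdeAction {
    # Machine actions are asynchronous; poll until the device has acknowledged the action
    param([Parameter(Mandatory)][string]$ActionId, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $action = Invoke-RestMethod -Method Get -Uri "$ApiBase/machineactions/$ActionId" -Headers $Headers
    } while ($action.status -in @("Pending", "InProgress") -and (Get-Date) -lt $deadline)
    return $action.status    # Succeeded, Failed, Cancelled, or still Pending on timeout
}

$MachineId = "<machine id, from the portal or GET /api/machines>"   # placeholder

# 1. Run a full antivirus scan on the device
$scan = Invoke-MdeAction "machines/$MachineId/runAntiVirusScan" @{
    Comment  = "Full scan after alert triage"
    ScanType = "Full"
}

# 2. Isolate the device. "Full" cuts all traffic except the Defender cloud channel;
#    "Selective" additionally keeps Outlook, Teams and Skype for Business working.
$iso = Invoke-MdeAction "machines/$MachineId/isolate" @{
    Comment       = "Containing suspected compromise"
    IsolationType = "Full"
}
Wait-MdeAction $iso.id

# 3. Stop the process and quarantine the file, identified by its SHA-1
Invoke-MdeAction "machines/$MachineId/StopAndQuarantineFile" @{
    Comment = "Quarantining suspected dropper"
    Sha1    = "<sha1 of the file>"                                     # placeholder
}

# 4. Add a custom indicator so the same file is blocked on every onboarded device.
#    Other action values: Alert, Warn, Block, Audit, BlockAndRemediate, Allowed.
Invoke-MdeAction "indicators" @{
    indicatorValue = "<sha256 of the file>"                             # placeholder
    indicatorType  = "FileSha256"
    action         = "AlertAndBlock"
    title          = "Suspected dropper"
    description    = "Blocked after incident triage"
    severity       = "High"
}

# When the device is cleaned, release it with the matching un-isolate call
# Invoke-MdeAction "machines/$MachineId/unisolate" @{ Comment = "Remediation complete" }
```

Every machine action returns an object with an `id` and a `status`; nothing is confirmed until the device checks in, which is why the poll loop is there. Isolation in particular should always be paired with a documented un-isolate step, otherwise a forgotten device stays cut off.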

Extra Functionalities Of Plan 1

  1. The Attack Surface Reduction rules:

Attack Surface Reduction (ASR) rules let you block, or first audit, behaviours that malware relies on but legitimate software rarely needs, for example:

    • Office applications and other suspicious files spawning child processes;
    • The launching of scripts that are obfuscated, or that themselves launch downloaded executable content;
    • Other behaviours that are rarely legitimate on a business endpoint, such as executable content arriving from an email client.
Run a new rule in audit mode first, so that any line-of-business application it would break shows up in the logs before you switch it to block.
  2. Ransomware:

Included is Controlled Folder Access, which stops applications that are not on the allowed list from writing to the folders you designate, together with an ASR rule that applies extra heuristics against ransomware-like behaviour.

  3. Peripheral Devices:

Device control lets you allow or deny the use of removable storage such as USB drives on company-issued devices, and block files from being read from or written to them, so an unauthorised USB stick cannot be used to bring malware in or take data out.

  4. Protection from the Web:

Web protection lets you stop employees from:

    • Reaching phishing sites, known malware hosts and other malicious URLs (web threat protection), enforced by Network protection so that it covers any browser or process, not only Microsoft Edge;
    • Reaching sites you have chosen to prohibit by category and content, such as adult content or gambling (web content filtering).
  5. Network Security:

Plan 1 includes Network protection, which blocks outbound connections to malicious domains and IP addresses from any process, and management of the Windows Defender Firewall, the host firewall on each endpoint (not a separate network appliance).
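The ASR, ransomware, removable-media and network settings above can be switched on per machine with the Defender Antivirus cmdlets that ship with Windows, which is the quickest way to try them on a test device before pushing the same settings through Intune or Group Policy. The following is an added example, not code from the original article or from Microsoft; it assumes an elevated PowerShell session on a Windows device where Microsoft Defender Antivirus is the active antimalware engine, and the folder and application paths are placeholders. The rule GUIDs are Microsoft's published ASR rule IDs, which you should confirm against the current reference list before deploying.

```powershell
# Added example: enabling the Plan 1 hardening features on one Windows endpoint.
# Assumptions: run as Administrator; paths below are placeholders for your environment.

$AsrRules = [ordered]@{
    # "Suspicious files that try to run other processes"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    # "Launching of new scripts"
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = "Block execution of potentially obfuscated scripts"
    "D3E037E1-3EB8-44C8-A917-57927947596D" = "Block JavaScript or VBScript from launching downloaded executable content"
    # Ransomware
    "C1DB55AB-C21A-4637-BB3F-A12568109D35" = "Use advanced protection against ransomware"
    # Peripheral devices
    "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4" = "Block untrusted and unsigned processes that run from USB"
}

function Set-AsrRules {
    # Stage 1: AuditMode logs what the rule would have blocked without blocking it.
    # Stage 2 (after reviewing the audit events): call again with -Mode Enabled.
    param([ValidateSet("AuditMode", "Enabled", "Warn", "Disabled")][string]$Mode = "AuditMode")
    foreach ($id in $AsrRules.Keys) {
        Write-Host "$Mode : $($AsrRules[$id])"
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}
Set-AsrRules -Mode AuditMode

# Ransomware: Controlled Folder Access. Start in AuditMode, then Enabled once the
# applications that legitimately write to the protected folders are on the allow list.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance"                        # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\LOBApp\lob.exe" # placeholder

# Web threat protection and network security: Network protection blocks connections
# to malicious domains/IPs from any process, not only the browser.
Set-MpPreference -EnableNetworkProtection Enabled

function Get-HardeningState {
    # Read back what actually applied; rule IDs and actions are parallel arrays
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRules                = @($p.AttackSurfaceReductionRules_Ids).Count
        AsrActions              = ($p.AttackSurfaceReductionRules_Actions -join ",")
        ControlledFolderAccess  = $p.EnableControlledFolderAccess   # 0 Off, 1 On, 2 Audit
        NetworkProtection       = $p.EnableNetworkProtection        # 0 Off, 1 On, 2 Audit
    }
}
Get-HardeningState | Format-List
```

Audit events for ASR and Controlled Folder Access are written to the Microsoft-Windows-Windows Defender/Operational event log (and to advanced hunting in Plan 2), which is where you look for false positives before moving to block. Allowing or denying the physical insertion of USB storage is a separate device control policy delivered through Intune or the Group Policy removable-storage settings; `Set-MpPreference` only covers the ASR rule for unsigned executables launched from USB.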

An Illustration

All of the functionalities for Plan 1 as detailed in the last two sections are illustrated below:

(SOURCE: 1).

What Is In Plan 2?

With Plan 2, you get all of the described features of Plan 1, as well as the following:

  1. Device Discovery:

Onboarded endpoints observe the network segments they sit on and report the other devices they see, so Defender builds a continuously updated inventory of devices that are not yet onboarded: unmanaged workstations and servers, network equipment and IoT devices. This shows you which devices on your network are unprotected and need onboarding, instead of leaving them invisible to the security team.

  2. Threat & Vulnerability Management:

Now called Microsoft Defender Vulnerability Management, this continuously inventories the software and configuration on every onboarded device, maps known vulnerabilities and misconfigurations against that inventory, ranks them by the exposure they create for your organisation, and lets your IT Security team raise remediation tasks for IT to fix them.

  3. Automated Investigations:

Automated investigation and response (AIR) uses Defender's AI and ML analytics to examine the context of each alert, follow the evidence to related files, processes and devices, and carry out remediation automatically, up to the automation level you have configured (from fully automatic to requiring approval for every action). The benefit is that your IT Security team can focus on the threats that genuinely need human judgement.

  4. Advanced Hunting:

This is a query-based tool over up to 30 days of raw event data collected from your endpoints (process, file, registry, network and logon events, among others), written in Kusto Query Language (KQL). It is used both to hunt for threats that no alert has fired on and to turn a query into a custom detection rule.

  5. Microsoft Threat Experts:

This is a managed threat hunting service: Microsoft's own analysts hunt across your data and send targeted attack notifications when they find signs of a sophisticated intrusion, and your SOC team can ask them about a specific incident through Experts on Demand.
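Advanced hunting queries can be run from a script through the same API, which is how device discovery results and ASR audit data are pulled into a SOC's own reports. The following is an added example, not code from the original article or from Microsoft; it assumes `$Token` holds a bearer token for `api.securitycenter.microsoft.com` with the `AdvancedQuery.Read` permission, and the two KQL queries are written against the `DeviceEvents` and `DeviceInfo` tables of the advanced hunting schema (check column names against the current schema reference in the portal).

```powershell
# Added example: running advanced hunting (KQL) queries through the Defender for Endpoint API.
# Assumption: $Token is a valid bearer token for https://api.securitycenter.microsoft.com

function Invoke-MdeHunt {
    # Submit one KQL query and return the result rows as objects ($resp.Schema lists the columns)
    param([Parameter(Mandatory)][string]$Query)
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://api.securitycenter.microsoft.com/api/advancedqueries/run" `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType "application/json" `
        -Body (@{ Query = $Query } | ConvertTo-Json)
    return $resp.Results
}

# Query 1: what the ASR rules saw in the last 7 days. ActionType ends in "Audited" when the
# rule is in audit mode and "Blocked" when it is enforcing, so the first column tells you
# which rules can safely be moved from audit to block.
$AsrQuery = @"
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize Hits = count(), Devices = dcount(DeviceId), Example = any(FolderPath)
    by ActionType, InitiatingProcessFileName
| order by Hits desc
"@
Invoke-MdeHunt $AsrQuery | Format-Table ActionType, InitiatingProcessFileName, Hits, Devices, Example -AutoSize

# Query 2: devices that device discovery has seen but that are not onboarded, i.e. the
# machines on your network with no Defender protection at all.
$UnmanagedQuery = @"
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus != "Onboarded"
| project DeviceName, OSPlatform, OnboardingStatus, LastSeen = Timestamp
| order by LastSeen desc
"@
Invoke-MdeHunt $UnmanagedQuery | Format-Table -AutoSize
```

The API enforces the same 30-day lookback as the portal and caps the number of rows returned per call, so summarise in KQL rather than pulling raw events and aggregating in PowerShell. A query that proves useful here is the same text you paste into the portal to create a custom detection rule.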


If you need help deciding which plan is best for your business, or in deploying it, contact us today.