Use this article to get answers to questions you might have about Defender for Business.
How do I try or buy Defender for Business?
We recommend working with a Microsoft partner.
If you prefer to try or buy Defender for Business on your own, go to the Defender for Business product page, and select the option to try or buy Defender for Business.
For more information, see Get Defender for Business.
Is there a limit to how many users can be licensed for Defender for Business?
Yes.
Defender for Business is designed for small and medium-sized businesses with up to 300 users. If you have more than 300 users, consider an enterprise solution. For example:
How many devices can I onboard and secure with Defender for Business?
You can onboard and secure up to five client devices per user license.
Note
Servers require extra licenses, such as Microsoft Defender for Business servers.
Does Defender for Business protect Mac, Android, and iOS/iPadOS client devices?
Yes.
Defender for Business supports protection for Windows, Mac, Android, and iOS/iPadOS devices. For more information, see Onboard devices.
Does Defender for Business support servers?
Yes, but you need to buy extra licenses.
If you plan to onboard an instance of Windows Server or Linux Server, you need an extra license, such as Microsoft Defender for Business servers. This license is available as an add-on to the standalone version of Defender for Business and Microsoft 365 Business Premium. The Microsoft Defender for Business servers license is priced at $3 per server instance. You have two choices for implementation:
- Purchase a license for each onboarded server.
- Offboard servers from Defender for Business.
If you have more than 60 servers, you need a different kind of license. For example:
- Microsoft Defender for Endpoint Server.
- Microsoft Defender for Servers Plan 1 or Plan 2.
For more information, see Onboard servers to Microsoft Defender for Endpoint.
What's different between Microsoft Defender for Business servers and Microsoft Defender for Servers Plan 1 and Plan 2?
The following table compares server options for Defender for Business customers:
| Server license | Description |
|---|---|
| Microsoft Defender for Business servers | An add-on to Defender for Business and Microsoft 365 Business Premium. This offering enables small and medium-sized businesses with up to 300 users to onboard and protect servers and client devices in the Microsoft Defender portal at https://security.microsoft.com. |
| Microsoft Defender for Servers Plan 1/Plan 2 | An enterprise-focused offering you can purchase with any Microsoft cloud subscription. This offering is part of Microsoft Defender for Cloud, and includes advanced threat hunting with six months of data retention and the Microsoft Threat Experts service. The admin experience for Defender for Cloud resides within the Azure portal at https://portal.azure.com. |
Adding Defender for Cloud to a Defender for Business organization doesn't change the simplified configuration experience in Defender for Business. The functionality in Microsoft Defender for Servers Plan 1 or Plan 2 works with Defender for Business.
Can I configure more than one web content filtering policy in Defender for Business?
Currently, no.
Defender for Business supports only one uniform web filtering policy per Defender for Business organization.
For more information, see Set up web content filtering.
Can I use non-Microsoft antivirus/anti-malware software with Defender for Business?
Technically, yes.
However, you could run into an issue where real-time protection could be turned off on those devices. If real-time protection is turned off on a device, the device appears unprotected.
In Defender for Business, real-time protection is turned on by default. But devices running non-Microsoft antivirus/antimalware software could affect your settings.
To learn more, see I'm seeing indications that some devices aren't protected even though they're onboarded to Defender for Business.
Are device control capabilities available in Microsoft Defender for Business?
Yes, but with limitations.
Defender for Business includes built-in Attack Surface Reduction (ASR) rules. For more information, see Enable your attack surface reduction rules in Microsoft Defender for Business.
You can't create custom ASR rules in Defender for Business. You need Microsoft Intune to create ASR rules.
On macOS devices, you can use Jamf or Microsoft Intune to set up device control. For more information, see Device Control for macOS.
Device control in Microsoft Defender for Endpoint prevents users, endpoints, or both from using unauthorized removable storage media.
How do I configure attack surface reduction rules and capabilities in Defender for Business?
Use Intune to configure your attack surface reduction rules. Other attack surface reduction capabilities can be configured in the Microsoft Defender portal. See Attack surface reduction capabilities in Defender for Business.
How do I run custom reports with Defender for Business?
Defender for Business uses Defender for Endpoint APIs for all available capabilities. You can use the APIs with a reporting tool. As an example scenario, you can use a Power BI connector and schedule a PowerShell script to generate executive summaries formatted in HTML, and send those summaries via email.
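The reporting scenario above, sketched as an added example (not Microsoft's script): it turns device records into an HTML summary that flags devices whose sensor isn't active, whose risk score is Medium or High, or that haven't reported recently. The sample records, the `Get-DeviceSummary` function, the seven-day threshold, and the output file name are assumptions made for illustration; mailing the file is left out.

```powershell
# Constructed sample records (not real devices). Property names follow the
# Defender for Endpoint "machine" resource; a live script would fill $machines
# from the API instead.
$machines = @(
    [pscustomobject]@{ computerDnsName = 'fin-laptop-01.example.test'; osPlatform = 'Windows11'; healthStatus = 'Active'; riskScore = 'High'; lastSeen = '2024-05-09T08:15:00Z' }
    [pscustomobject]@{ computerDnsName = 'ops-mac-02.example.test'; osPlatform = 'macOS'; healthStatus = 'Inactive'; riskScore = 'None'; lastSeen = '2024-04-20T17:40:00Z' }
    [pscustomobject]@{ computerDnsName = 'hr-laptop-03.example.test'; osPlatform = 'Windows10'; healthStatus = 'Active'; riskScore = 'Low'; lastSeen = '2024-05-09T21:05:00Z' }
)

# Hypothetical helper: one summary row per device, with the reasons it needs attention.
function Get-DeviceSummary {
    param(
        [Parameter(Mandatory)][object[]]$Machines,
        [datetimeoffset]$AsOf = [datetimeoffset]::UtcNow,
        [int]$StaleDays = 7   # assumed threshold for "not reporting"
    )
    foreach ($m in $Machines) {
        # DateTimeOffset keeps the comparison correct regardless of local time zone.
        $daysSilent = [int][math]::Floor(($AsOf - [datetimeoffset]$m.lastSeen).TotalDays)
        $reasons = @()
        if ($m.healthStatus -ne 'Active')       { $reasons += "sensor $($m.healthStatus)" }
        if ($m.riskScore -in 'Medium', 'High')  { $reasons += "risk $($m.riskScore)" }
        if ($daysSilent -ge $StaleDays)         { $reasons += "silent $daysSilent days" }
        [pscustomobject]@{
            Device        = $m.computerDnsName
            OS            = $m.osPlatform
            Health        = $m.healthStatus
            Risk          = $m.riskScore
            DaysSinceSeen = $daysSilent
            Attention     = ($reasons -join '; ')
        }
    }
}

$asOf    = [datetimeoffset]'2024-05-10T00:00:00Z'   # fixed date so the sample is reproducible
$rows    = @(Get-DeviceSummary -Machines $machines -AsOf $asOf)
$flagged = @($rows | Where-Object Attention)

# -PreContent is inserted as raw HTML, so it carries only counts and a date.
# Device names stay in the table cells that ConvertTo-Html generates.
$pre = "<h1>Device security summary</h1><p>$($flagged.Count) of $($rows.Count) " +
       "onboarded devices need attention as of $($asOf.ToString('yyyy-MM-dd')) UTC.</p>"

$rows | Sort-Object -Property { $_.Attention -eq '' }, Device |
    ConvertTo-Html -Title 'Device security summary' -PreContent $pre |
    Set-Content -Path (Join-Path $PWD 'device-summary.html') -Encoding UTF8
```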
For more information, see the following resources:
I'm a Microsoft partner. Can I manage multiple organizations from one control panel, or do I need to sign in to each organization individually?
Several options are available, including Microsoft 365 Lighthouse and using APIs to integrate with your tools. For more information, see Microsoft Defender for Business and Microsoft partner resources.
Defender for Business integrates with Microsoft 365 Lighthouse for multitenant support in a single console (https://lighthouse.microsoft.com). For more information, see Overview of Microsoft 365 Lighthouse.
You can use Defender for Endpoint APIs to integrate Defender for Business with your remote monitoring and management (RMM) tools and your professional service automation (PSA) software. For more information, see Microsoft Defender for Business and Microsoft partner resources.
How does Microsoft Intune work with Defender for Business?
Defender for Business capabilities are integrated with endpoint security policies in the Microsoft Intune admin center. You can use either the Microsoft Defender portal or the Intune admin center to onboard devices and configure security policies. Some capabilities, such as controlled folder access and attack surface reduction rules, must be configured in the Intune admin center.
For more information, see the following articles:
If I'm already using Microsoft 365 Business Premium, why do I need Defender for Business?
Defender for Business provides advanced threat protection for your organization's devices. Microsoft 365 Business Premium includes Defender for Business and more capabilities. For example:
- Defender for Office 365 Plan 1 to protect your organization's email and files.
- Azure Information Protection Plan 1.
- Sensitivity labeling.
- Data loss prevention for email and files.
For more information, see Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses.
What are the differences between Defender for Business and Defender for Endpoint Plans 1 and 2?
Defender for Business is designed for small and medium-sized businesses that have up to 300 users. Capabilities in Defender for Business include next-generation protection, attack surface reduction, endpoint detection & response (EDR), and automated investigation and remediation. Defender for Business also features simplified configuration and device onboarding options that streamline the overall setup and configuration process.
Defender for Endpoint is an enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats.
- Defender for Endpoint Plan 1 includes next-generation protection and attack surface reduction capabilities.
- Defender for Endpoint Plan 2 extends Plan 1 capabilities with core vulnerability management capabilities, EDR, automated investigation & remediation, threat hunting, and six months of data retention.
For a detailed comparison, see How does Defender for Business compare to Microsoft Defender for Endpoint?.
Can I have a mix of Microsoft endpoint security subscriptions?
No.
Microsoft Defender for Business doesn't support mixed licensing. An organization with Defender for Business (included in Microsoft 365 Business Premium) and with Defender for Endpoint Plan 2 (included in Microsoft 365 E5 Security) defaults to the Defender for Business experience.
For example, you have 80 users licensed for Defender for Business as part of a Microsoft 365 Business Premium subscription, and you add Microsoft 365 E5 Security for 30 of those users. The experience for all users defaults to Defender for Business.
To use the Defender for Endpoint Plan 2 experience, do the following steps:
- License all users for Defender for Endpoint Plan 2 (through the standalone version of Defender for Endpoint Plan 2 or Microsoft 365 E5 Security).
- Contact Microsoft Support to request the switch for your organization.
For more information, see Manage your subscription settings.
For more information about licenses and product terms, see Licensing and product terms for Microsoft 365 subscriptions.
My organization now has more than 300 users, and I have a mix of Microsoft endpoint security subscriptions. Can I still use Defender for Business?
Defender for Business and Microsoft 365 Business Premium are for organizations with a maximum of 300 users. If you now have more than 300 users, we recommend a subscription that includes Defender for Endpoint for all users.
For example, your company grew from 250 to 330 users, and you now have 300 Defender for Business licenses and 30 Microsoft 365 E3 licenses (Microsoft 365 E3 includes Defender for Endpoint Plan 1).
When it's time to renew your subscription, we recommend choosing one of the following enterprise plans:
- Microsoft 365 E5 (includes Defender for Endpoint Plan 2 plus Defender for Office 365 Plan 2)
- Microsoft 365 E3 (includes Defender for Endpoint Plan 1)
- Defender for Endpoint Plan 1 or 2
For details about licenses and product terms, see Licensing and product terms for Microsoft 365 subscriptions.
How do I view my organization's Microsoft subscriptions and user licenses?
You can view your current subscriptions and licenses on the Licenses page of the Microsoft 365 admin center at https://admin.microsoft.com/Adminportal/Home#/licenses.
Also see Understand subscriptions and licenses in Microsoft 365 for business.