Microsoft Defender Versions Comparison: Antivirus vs Endpoint vs XDR
Compare Microsoft Defender Antivirus, Defender for Endpoint plans, Defender XDR, and related Defender products so you can choose the right security stack.
Comparison for: buyers and operators comparing Defender product names and plans
Microsoft uses the Defender name across several different products. This guide separates the built-in antivirus engine, paid endpoint plans, and the broader XDR layer so teams can choose the right stack.
What You'll Get
- Separate Defender Antivirus, Defender for Endpoint, Defender for Business, and Defender XDR
- Understand which layers are included in different Microsoft security purchases
- Avoid naming confusion when comparing plans or writing internal guidance
Short Answer
As of March 8, 2026, Microsoft Defender Antivirus is the built-in antivirus engine in Windows, while most other "Defender" products are separate enterprise security services. If you are comparing names, start by separating endpoint antivirus (Defender Antivirus), endpoint platform (Defender for Endpoint), and cross-domain SOC workflow (Defender XDR). If your question is mainly price and entitlement, continue with the main "is Microsoft Defender free" guide.
Microsoft Defender Product Comparison Table
Use this quick map first:
| Product | Primary scope | Best fit | What to know |
|---|---|---|---|
| Windows Security | Windows security app and status console | Any Windows endpoint | UI layer that surfaces protection status; not the antivirus engine itself. |
| Microsoft Defender Antivirus | Built-in Windows antimalware and antivirus | Baseline endpoint protection | Turns off automatically when an active third-party AV is installed, and turns back on if that product is removed. |
| Defender for Endpoint Plan 1 | Enterprise endpoint protection foundation | Teams needing centralized endpoint controls | Adds centralized management, attack surface reduction, and manual response actions beyond standalone AV. |
| Defender for Endpoint Plan 2 | Advanced endpoint detection and response | SOC-driven or higher-risk environments | Comprehensive endpoint plan with advanced investigation and response capabilities. |
| Defender for Business | SMB endpoint protection (up to 300 users) | Small and midsize organizations | Built on Defender for Endpoint capabilities with SMB-oriented workflows. |
| Defender for Office 365 Plan 1 | Email and collaboration threat protection | Microsoft 365 orgs improving phishing and malware defense | Sits on top of built-in Exchange Online protections. |
| Defender for Office 365 Plan 2 | Advanced email/collaboration investigation and response | Teams needing stronger SecOps workflows for mail threats | Adds expanded investigation, hunting, and automation capabilities over Plan 1. |
| Defender for Identity | Identity threat detection across AD and hybrid identity signals | Organizations with on-prem AD or hybrid identity | Correlates identity attack signals in the Defender portal. |
| Defender for Cloud Apps | SaaS app visibility and control | Organizations managing SaaS risk and app governance | Focuses on cloud app usage, data control, and app-level threat detection. |
| Microsoft Defender XDR | Unified incidents and response across endpoint, identity, email, and apps | SOC teams that want one incident plane | Coordinates multiple Defender services in one portal experience. |
| Microsoft Defender for Cloud | Cloud posture and cloud workload protection | Azure, multicloud, and cloud-native workloads | Cloud security platform, not a replacement for endpoint antivirus. |
Licensing note: Packaging changes over time; always verify what is included in your exact Microsoft 365 or standalone SKU.
What Microsoft Defender Antivirus Is (And Is Not)
Microsoft Defender Antivirus is endpoint antimalware built into Windows. It handles local malware prevention and detection on the device itself. It is not the same thing as Defender for Endpoint Plan 1 or Plan 2, which add centralized enterprise security operations capabilities through the Defender portal. If your team keeps mixing up "free in Windows" versus paid business products, read the free-vs-paid breakdown next.
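To see the antivirus/endpoint split on an actual device, the following PowerShell check reports the state of the built-in antivirus engine separately from the Defender for Endpoint sensor. It is an added example, not part of the original guide or of Microsoft's documentation; the function name `Get-DefenderLayerReport` and the report field names are hypothetical, while `Get-MpComputerStatus`, the `Sense` service, and the `OnboardingState` registry value are the standard Windows components it reads.

```powershell
# Added example: report which Defender layers are present on this Windows device.
# Get-DefenderLayerReport and its field names are hypothetical, chosen for illustration.

function Get-DefenderLayerReport {
    $report = [ordered]@{
        ComputerName          = $env:COMPUTERNAME
        AntivirusEnabled      = $null
        AntivirusRunningMode  = 'Unavailable'
        RealTimeProtection    = $null
        SignaturesLastUpdated = $null
        EndpointSensorService = 'NotInstalled'
        EndpointOnboarded     = $false
    }

    # Layer 1: the built-in Defender Antivirus engine.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $report.AntivirusEnabled      = $mp.AntivirusEnabled
        $report.AntivirusRunningMode  = $mp.AMRunningMode   # e.g. Normal or Passive
        $report.RealTimeProtection    = $mp.RealTimeProtectionEnabled
        $report.SignaturesLastUpdated = $mp.AntivirusSignatureLastUpdated
    } catch {
        # The cmdlet can fail when the Defender Antivirus service is not running;
        # the report then keeps the 'Unavailable' defaults for this layer.
        Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # Layer 2: the Defender for Endpoint sensor (service name "Sense").
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($sense) { $report.EndpointSensorService = $sense.Status.ToString() }

    # Onboarding state recorded on the device once it is onboarded to
    # Defender for Endpoint (1 = onboarded).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = Get-ItemProperty -Path $key -Name 'OnboardingState' -ErrorAction SilentlyContinue
    if ($state -and $state.OnboardingState -eq 1) { $report.EndpointOnboarded = $true }

    [pscustomobject]$report
}

Get-DefenderLayerReport | Format-List
```

A device that shows the antivirus engine enabled but `EndpointOnboarded` as false is running only the built-in antivirus layer, with no Defender for Endpoint plan applied to it.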
Defender for Endpoint Plan 1 vs Plan 2
Plan 1 is the foundational enterprise endpoint layer with core prevention, hardening, and centralized management. Plan 2 adds the deeper investigation, advanced hunting, and response workflows associated with a more mature security operations model. If your team primarily needs centralized protection management, Plan 1 may be enough. If you need more post-breach workflow depth, Plan 2 is usually the clearer fit. If your comparison includes Macs, continue with the macOS Defender licensing guide.
Where Microsoft Defender XDR Fits
Defender XDR is the cross-product incident and response layer. It correlates signals from Endpoint, Identity, Office 365, and Cloud Apps into shared incidents so analysts can investigate in one place. In short: XDR is the unifier, not a replacement for endpoint antivirus.
Common Naming Confusion (Fast Fixes)
- Windows Security vs Defender Antivirus: Windows Security is the app interface; Defender Antivirus is the AV engine.
- Defender Antivirus vs Defender for Endpoint: Antivirus is local endpoint protection; Endpoint adds enterprise management and response.
- Defender for Endpoint vs Defender XDR: Endpoint is one workload; XDR is the cross-workload operations layer.
- Defender for Cloud vs Defender for Endpoint: Cloud protects cloud resources and posture, while Endpoint protects devices.
How to Choose the Right Defender Stack
- Start with Defender Antivirus baseline coverage on all supported endpoints.
- Add Defender for Endpoint (Business, P1, or P2) for centralized endpoint operations.
- Add Defender for Office 365 if email and collaboration threats are a major attack path.
- Add Defender for Identity if you run Active Directory or hybrid identity.
- Use Defender XDR when you need unified incidents and cross-domain investigations.
- Use Defender for Cloud for cloud posture and cloud workload protection use cases.