Unpacking Defender for Endpoint Licensing

I stumbled upon this matter recently, and I’m sure you too have at some point been left clueless, scratching your head to figure out why and how it went wrong. Let’s go!

I also went through the same four phases as Sheldon from The Big Bang Theory, which I think fit this scenario perfectly. At first it was not easy to reconcile what Microsoft’s documentation says with what I saw in the portal. I want to simplify what I learned so you don’t have to go through the same.

What I have noticed is that the licensing around Defender for Endpoint has changed, and you need to adhere to the latest terms to make sure your organization is compliant. It is an honor system, per se.

What I will be covering 👇🏽

  1. What’s New and What Was Previously in the Security Portal
  2. What If You Are Not In The Mixed Mode?
  3. The Challenge
  4. Some Tips To Keep It Compliant ✔️
  5. I have less than 300 users in my org
  6. What About Shared Devices? AVD Hosts To Be Exact
  7. Wrapping Up

What’s New and What Was Previously in the Security Portal

Currently, the Security portal supports a licensing scenario called Mixed Mode. Simply put, that is where you have both MDE P1 and MDE P2 in the tenant, and you have the option of tagging devices so that the subscription features used on a device are determined by its tag.

🔗More on Device Tagging

There are also MDE P1 only and MDE P2 only modes, which you can use if you want to make sure all devices use the same subscription features.

Furthermore, Microsoft outlines the following scenarios.

Scenario: Mixed tenant
Description: Use different sets of capabilities for groups of users and their devices. Examples include:
  – Defender for Endpoint Plan 1 and Defender for Endpoint Plan 2
  – Microsoft 365 E3 and Microsoft 365 E5

Scenario: Mixed trial
Description: Try a premium level subscription for some users. Examples include:
  – Defender for Endpoint Plan 1 (purchased for all users), and Defender for Endpoint Plan 2 (a trial subscription has been started for some users)
  – Microsoft 365 E3 (purchased for all users), and Microsoft 365 E5 (a trial subscription has been started for some users)

Scenario: Phased upgrades
Description: Upgrade user licenses in phases. Examples include:
  – Moving groups of users from Defender for Endpoint Plan 1 to Plan 2
  – Moving groups of users from Microsoft 365 E3 to E5

(From Microsoft Learn docs)

Previously, the highest functional subscription would take precedence for your tenant.

If you are using Mixed Mode, the device tag determines which subscription is used on that device; it is not determined by the license assigned to the user. You must have adequate licenses in your licensing section to correlate with the devices.

Compliance holds when the user who signs in is assigned the correct license; it all checks out because the IT department knows how the licenses are distributed in this scenario.

Mixed mode only applies to client endpoint devices (e.g. Windows 10/11).

What If You Are Not In The Mixed Mode?

This is where things will get a bit interesting.

Scenario: What if you have selected MDE P2? In this case, the following lines from Microsoft apply:

The license usage report is estimated based on sign-in activities on the device. Defender for Endpoint Plan 2 licenses are per user, and each user can have up to five concurrent, onboarded devices.

The Microsoft document further says:

The calculation is based on detected users who have accessed devices that are onboarded to Defender for Business (or Defender for Endpoint).

You can find more in this article.

In this scenario, the portal has been set to apply the MDE P2 subscription features to the onboarded client endpoint devices. That means the users who log in to these onboarded devices should have MDE P2 assigned.

Technically speaking, if you have an adequate number of licenses in your licensing pool but they are not assigned to the users, you will not get the benefit, and it may be flagged as non-compliant.

In the example below, because I don’t have MDE P1 in my tenant, the Security Portal has set the Subscription State to MDE P2.

Here it says: “The estimated number of licenses used based on the number of users logged into devices.”

This statement refers to estimating the number of Defender for Endpoint licenses needed from the number of users who have logged into devices that are onboarded to Defender for Endpoint and where protection is active.

Here’s the breakdown:

  • Available Licenses: These are your MDE P2 licenses, spread across the different subscriptions that include it (MDE P2 Standalone, M365 E5, M365 A5, Teams Pro, etc.)
  • Licenses Used: These are the unique user sign-ins to the onboarded devices; these users SHOULD have MDE P2 licenses.

If the number of licenses used is larger than the number of available licenses, it means that devices with the MDE P2 subscription features were used by users who don’t have MDE P2 assigned.

Example: You may have users hot-desking into Windows endpoints that are onboarded to MDE, with MDE subscription usage set to P2, but you don’t have sufficient P2 licenses available to assign to the users who log in to those devices. At this stage, it is a breach.

By estimating the number of licenses needed based on the number of users logged into protected devices, organizations can ensure they have sufficient licensing coverage for their Defender for Endpoint deployment, aligning their licensing costs with actual usage. It helps in optimizing licensing expenses and ensuring compliance with licensing agreements.
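The following is an added example, not code from the original post or from Microsoft. It applies the estimate described above (Licenses Used = unique users who signed in to onboarded devices, compared against Available Licenses) and also checks the five-devices-per-user cap quoted from the Microsoft document. The sign-in records and the list of licensed users are constructed sample data; in a real tenant the sign-in list would come from the Defender portal’s device and user data and the license list from Entra ID.

```powershell
# Added example (not from the original post). Estimates MDE P2 usage the way the
# article describes it and flags the two breach conditions it names.

function Get-MdeP2UsageEstimate {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,           # objects with User and Device
        [Parameter(Mandatory)] [string[]] $LicensedUsers,     # users with MDE P2 assigned
        [Parameter(Mandatory)] [int]      $AvailableLicenses, # "Available Licenses" figure
        [int] $MaxDevicesPerUser = 5                          # per-user cap from the Microsoft doc
    )

    # One group per unique user; the number of groups is the "Licenses Used" figure.
    $byUser = @($SignIns | Group-Object -Property User)
    $used   = $byUser.Count

    # Users who signed in to a device running MDE P2 features without holding a P2 license.
    $unlicensed = @($byUser | Where-Object { $_.Name -notin $LicensedUsers } |
                    ForEach-Object { $_.Name })

    # Users seen on more onboarded devices than one license covers.
    $overCap = @($byUser | ForEach-Object {
        $devices = @($_.Group.Device | Sort-Object -Unique)
        if ($devices.Count -gt $MaxDevicesPerUser) {
            [pscustomobject]@{ User = $_.Name; Devices = $devices.Count }
        }
    })

    [pscustomobject]@{
        AvailableLicenses     = $AvailableLicenses
        LicensesUsed          = $used
        InBreach              = ($used -gt $AvailableLicenses) -or ($unlicensed.Count -gt 0)
        UnlicensedSignInUsers = $unlicensed
        UsersOverDeviceCap    = $overCap
    }
}

# Constructed sample data: who signed in where. PC-003 is a hot-desking machine
# and dave is seen on six devices.
$sampleSignIns = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; Device = 'PC-001' }
    [pscustomobject]@{ User = 'alice@contoso.example'; Device = 'PC-002' }
    [pscustomobject]@{ User = 'bob@contoso.example';   Device = 'PC-003' }
    [pscustomobject]@{ User = 'carol@contoso.example'; Device = 'PC-003' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-004' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-005' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-006' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-007' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-008' }
    [pscustomobject]@{ User = 'dave@contoso.example';  Device = 'PC-009' }
)

# Constructed sample: only three users actually hold an MDE P2 license.
$sampleLicensed = @('alice@contoso.example', 'bob@contoso.example', 'dave@contoso.example')

$report = Get-MdeP2UsageEstimate -SignIns $sampleSignIns `
                                 -LicensedUsers $sampleLicensed `
                                 -AvailableLicenses 3
$report | Format-List
```

With this sample, Licenses Used comes out as 4 against 3 available, carol is listed as an unlicensed sign-in, and dave is listed as over the device cap, so InBreach is true. The function reports both causes separately, because the portal’s single “used vs. available” number does not tell you which one you are dealing with.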

The Challenge

If you need to check which users are assigned MDE licenses and which devices they logged in to, especially in a situation where usage is in breach, the Licensing section does not show you who has which license assigned. It can be a bit challenging to understand the license distribution.

Some Tips To Keep It Compliant ✔️

  • One user can have up to 5 devices that are onboarded and protected by MDE. The primary user should be the same for all 5 of these devices.
  • Make sure you know the services included in your subscriptions. Check the Service Descriptions to understand the breakdowns.
  • Make sure the device is onboarded to MDE.
  • Tag the devices accordingly and make sure the users who log in to the device have the proper licenses assigned.
  • If you are not managing the endpoints with Defender for Endpoint in normal, passive or EDR Block mode, there is no reason to onboard them. If you have devices onboarded but use a different EDR/XDR solution and have no plans to roll out Defender for Endpoint, keep them offboarded.

Onboarded Device Modes

  • Normal means Microsoft Defender Antivirus is running in active mode.
  • Passive mode means Microsoft Defender Antivirus is running, but it is not the primary antivirus/antimalware product on your device. Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements.
  • EDR Block Mode means Microsoft Defender Antivirus is running and endpoint detection and response (EDR) in block mode, a capability in Microsoft Defender for Endpoint, is enabled. To tell normal from passive mode, check the ForceDefenderPassiveMode registry key: if its value is 0, the device is running in normal mode; otherwise, it is running in passive mode.
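The following is an added example, not code from the original post, that reports the mode of the local device in the terms used above. It assumes you run it on a Windows device that has the Defender PowerShell module (`Get-MpComputerStatus`), that `Sense` is the service name of the Defender for Endpoint sensor, and that the ForceDefenderPassiveMode value lives under the `HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` policy key, which is where Microsoft documents it.

```powershell
# Added example (not from the original post). Reports normal / passive / EDR
# Block mode for the local device from two sources: what Defender Antivirus
# itself reports, and the ForceDefenderPassiveMode registry value the article
# refers to. Assumed names: the 'Sense' service and the policy key path below.

function Get-MdeRunningMode {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # What Defender Antivirus reports about itself (Normal, Passive Mode,
    # EDR Block Mode, SxS Passive Mode, Not running).
    $status = Get-MpComputerStatus

    # The registry value from the article; $null means the value is not set.
    $forced = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode `
               -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

    # Article's rule: 0 (or not set) is normal mode, anything else is passive.
    if ($null -eq $forced -or $forced -eq 0) { $modePerRegistry = 'normal' }
    else                                     { $modePerRegistry = 'passive' }

    # Onboarding indicator: the MDE sensor service exists and is running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) { $senseStatus = $sense.Status.ToString() } else { $senseStatus = 'not installed' }

    if ($null -eq $forced) { $forcedText = 'not set' } else { $forcedText = $forced }

    [pscustomobject]@{
        AMRunningMode            = $status.AMRunningMode
        ForceDefenderPassiveMode = $forcedText
        ModePerRegistry          = $modePerRegistry
        SenseServiceStatus       = $senseStatus
        RealTimeProtection       = $status.RealTimeProtectionEnabled
    }
}

Get-MdeRunningMode | Format-List
```

AMRunningMode is the value to trust when the two disagree, since it is what the antivirus engine is actually doing; the registry value only tells you whether passive mode has been forced by policy. A device whose Sense service is missing or stopped is not onboarded, and per the tips above should not be counted among the devices consuming MDE licenses.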

I have less than 300 users in my org

Defender for Business is the suitable subscription for this scenario, and it provides a somewhat similar experience to MDE P2.

🔗More on Defender for Business

What About Shared Devices? AVD Hosts To Be Exact

Multi-session hosts: licensing requirements.

When using Windows Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 E5 Security, or Microsoft 365 E5, or have the VM licensed through Microsoft Defender for Cloud.

Wrapping Up

Microsoft licensing is always tricky, and without proper management it can quickly get out of hand. I hope this article was informative and provided you with some guidance on proper Defender for Endpoint license management.

