User vs Kiosk Licensing, Microsoft Defender for Endpoint unmasked, the full story.
Once upon a time…
Once upon a time far back in technology history (2021 and prior I believe) Microsoft Defender for Endpoint Plan 1 or Plan 2 could be purchased per device or per user, this method of procurement made sense, and still does, because as I discovered on my client engagements here in Australia – there are many organisations who leverage Endpoint devices without an assigned user.
Universities and Libraries would be an immediate example, students at uni do not have an M365 A5 Staff license and have a student use allowance that does not include Microsoft Defender for Endpoint, where this student needs to access a laboratory computer with no assigned staff member or a shared device with no license applied, they may be a problem.
customer story
I have been working recently with an education customer who has staff and many times more students, was well as a Device count that is around 4.5 times their M365 A5 license count, I was asked in this case what happens?
I would think this has been asked 1 million (1 million and one now!) times before and the answer would be easy to find, I was grossly incorrect, it is nigh on impossible to find any information on what exactly is the expectation with Kiosk and shared devices where there is not an assigned user, even Microsoft does not spell this out with an answer that can be used.
As a trusted Microsoft partner I have many contacts at Microsoft that I can leverage to support in these cases, but in this case it has been “crickets” – in other words no answer.
My experience
What I am to follow with should not be taken as advice, I have researched and am presenting the information to my readers on what I have found, but, I am not a legal expert and Microsofts wording does not exactly make 100% sense.
First Point to make is the Microsoft Defender for Endpoint come with an entitlement for five devices to be licensed for every one user license of Defender for Endpoint, Microsoft’s official documentation is here, I was unable to find the answer I needed here.
This ratio of five device licenses to each user seems to support the claim that Microsoft do not audit an organisation until the Defender for Endpoint licensing is above five devices to one users
First search seems to read that Defender for Endpoint is not supported in Kiosk mode, here. This does not make sense considering all devices need endpoint security, not just user devices? So following the link and it’s a dead end, after all Kiosk mode is not Defender for EndPoint on Android. Much of what is written online is either circular or best intentioned without fact.
Evidence #1: This spice works article seems to have the collective intelligence of many of us coming back with the assumption that as long as you don’t go beyond 5 to 1 then you will be ok, we all know what assumption makes us, but in the absence of hard facts this is what we have to work with.
Evidence #2: The hive mind of Reddit expertise here, indicates that again it does not matter what devices you onboard as long as the number is lower than five times the user count. Though this may not be authoritative, in the absence of evidence it becomes the best guess I have.
Evidence #3: Again from Reddit, Here the writer is again explaining the same scenario I have encountered when asking Microsoft directly.
Enterprise Agreement Education organisations
For large education, you have a method in which to license devices without owners, so the problem is solvable for this use case but unfortunately that is not the case across the board.
In summary
Whilst there is not a lot of “hard evidence” as to how best manage the current lack of concrete information by Microsoft regarding Defender for Endpoint Licensing, I would like to leave you with these thoughts:
- Remaining within your five device licenses to user licenses should be sufficient to remain within your Microsoft license terms, there is no easy way to determine just who is consuming a license within the business from the totals.
- Intune licenses are still needed for each device utilising Intune as a deployment mechanism.
- If you are concerned that you may not be in compliance then maybe have a licensed user log on to the device from time to time.
- Microsoft has a license SKU called an M365 F3 or F5, these are very affordable and designed for users who spend the majority of their time on a small screened device, this would cover students and almost any human now with a smart phone who access their email and other apps from their device, only occasionally using a kiosk machine.
oh, and finally
- Microsoft Intune licenses may be required for each device in the 5 devices to 1 user count for deployment and utilising the other benefits of Device management and MDM.
- The Microsoft Defender for Endpoint License does not cover Servers at all, here Microsoft Defender for Servers or Defender for Endpoint Servers (yes they are different) is required, one is purchased through Azure and the other via your reseller partner or Microsoft directly.
Really finally
If this information is incorrect then please reach out in the comments, finding conclusive proof of Microsoft’s license requirements for Shared Device and Kiosk use has been impossible. None of this should be construed as definitive advice, I have summarised my investigation into this topic to save time for others seeking the same answer.
Reddit post here: Defender ATP
As always please feel free to contact me here.
Leave a Reply