Migrate to Microsoft Defender for Endpoint - Phase 1: Prepare
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Phase 1: Prepare
Phase 2: Set up
Phase 3: Onboard
Welcome to the Prepare phase of migrating to Defender for Endpoint.
This migration phase includes the following steps:
- Get and deploy updates across your organization's devices.
- Get Microsoft Defender for Endpoint Plan 1 or Plan 2.
- Grant access to the Microsoft Defender portal.
- Review more information about device proxy and internet connectivity settings.
- Capture performance baseline data from the endpoint
Step 1: Get and deploy updates across your organization's devices
As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that your organization's operating systems and apps also have the latest updates. Getting updates installed now can help prevent problems later as you migrate to Defender for Endpoint and employ Microsoft Defender Antivirus on all your devices.
Make sure your existing solution is up to date
Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates. Make sure to review your solution provider's documentation for updates.
Make sure your organization's devices are up to date
Need help with updating your organization's devices? See the following resources:
|How to update the software on your Mac
|Update your iPhone, iPad, or iPod touch
|Check & update your Android version
|Linux 101: Updating Your System
Step 2: Get Microsoft Defender for Endpoint Plan 1 or Plan 2
Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
Buy or try Defender for Endpoint today. Start a free trial or request a quote. Microsoft 365 E3 includes Defender for Endpoint Plan 1, and Microsoft 365 E5 includes Defender for Endpoint Plan 2.
Verify that your licenses are properly provisioned. Check your license state.
Set up your dedicated cloud instance of Defender for Endpoint. See Defender for Endpoint setup: Tenant configuration.
If any devices in your organization use a proxy to access the internet, follow the guidance in Defender for Endpoint setup: Network configuration.
At this point, you're ready to grant access to your security administrators and security operators to use the Microsoft Defender portal.
Step 3: Grant access to the Microsoft Defender portal
The Microsoft Defender portal is where you and your security team access and configure features and capabilities of Defender for Endpoint. To learn more, see Overview of the Microsoft Defender portal.
Permissions to the Microsoft Defender portal can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
Plan the roles and permissions for your security administrators and security operators. See Role-based access control.
Set up and configure RBAC. We recommend using Intune to configure RBAC, especially if your organization is using a combination of Windows, macOS, iOS, and Android devices. See setting up RBAC using Intune.
If your organization requires a method other than Intune, choose one of the following options:
Grant your security team access to the Microsoft Defender portal. (Need help? See Manage portal access using RBAC.
Step 4: View information about device proxy and internet connectivity settings
To enable communication between your devices and Defender for Endpoint, you might have to configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems:
* Windows Server 2016 and Windows Server 2012 R2 require installation of the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see Onboard Windows servers to Defender for Endpoint: Windows Server 2012 R2 and Windows Server 2016.
The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as either Microsoft Defender for Servers Plan 1 or Plan 2. To learn more, see Defender for Endpoint onboarding Windows Server.
Step 5: Capture performance baseline data from the endpoint
When migrating from one antivirus product to Microsoft Defender Antivirus, your organization's Help Desk's eyes are on what's new. Thus, if you already had an application that was running hot (high cpu usage), their first troubleshooting step might be to disable Microsoft Defender Antivirus. Before doing that, we highly recommend capturing performance data from endpoints that have or will have Defender for Endpoint installed.
Performance data should include the process list, CPU usage (aggregate across all cores), memory usage, and disk space availability on all mounted partitions. This information helps determine whether what you are seeing is normal or unexpected after onboarding devices to Defender for Endpoint.
One of the tools that you can use is the Performance Monitor (perfmon). You can use it to collect a performance baseline of your Windows or Windows Server endpoint. See Setting a local perfmon in a Windows client or Windows Server.
Congratulations! You've completed the Prepare phase of switching to Defender for Endpoint!
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.