Trial user guide: Microsoft Defender for Endpoint

Welcome to the Microsoft Defender for Endpoint Plan 2 trial user guide!

This playbook is a simple guide to help you make the most of your free trial. Using the suggested steps in this article from the Microsoft Defender team, you learn how Defender for Endpoint can help you to prevent, detect, investigate, and respond to advanced threats.

What is Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security platform that uses the following combination of technology built into Windows and Microsoft's robust cloud service:

• Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send sensor data to your private, isolated, cloud instance of Defender for Endpoint.

• Cloud security analytics: Using big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

• Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they're observed in collected sensor data.

Microsoft Defender for Endpoint

Core Defender Vulnerability Management	Attack surface reduction	Next-generation protection	Endpoint detection and response	Automated investigation and remediation	Microsoft Threat Experts
Centralized configuration and administration, APIs
Microsoft Defender portal

Let's get started!

Set up your trial

1. Confirm your license state.
2. Set up role-based access control and grant permissions to your security team.
3. Visit the Microsoft Defender portal.
4. Onboard endpoints using any of the supported management tools.
5. Configure capabilities.
6. Visit the Microsoft Defender portal.

Step 1: Confirm your license state

To make sure your Defender for Endpoint subscription is properly provisioned, you can check your license state in either the Microsoft 365 admin center (https://admin.microsoft.com) or Microsoft Entra ID (https://portal.azure.com).

Check your license state.

Step 2: Set up role-based access control and grant permissions to your security team

Important

Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC). Existing customers keep their current roles and permissions. For more information, see URBAC Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint

Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Microsoft Entra ID. Review the different roles that are available and choose appropriate roles for your security team. Some roles might need to be applied temporarily and removed after the trial is finished.

Use Privileged Identity Management to manage your roles to provide extra auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

• Basic permissions management: Set permissions to either full access or read-only. Users who have either the Global Administrator or Security Administrator role in Microsoft Entra ID have full access. The Security Reader role has read-only access and doesn't grant access to view machines/device inventory.
• Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Step 3: Visit the Microsoft Defender portal

The Microsoft Defender portal (https://security.microsoft.com) is where you can access your Defender for Endpoint capabilities.

1. Review what to expect in the Microsoft Defender portal.

2. Go to https://security.microsoft.com and sign in.

3. In the navigation pane, see the Endpoints section to access your capabilities.

Step 4: Onboard endpoints using any of the supported management tools

This section outlines the general steps you to onboard devices (endpoints).

1. Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.

2. Review your device onboarding tool options and select the most appropriate option for your environment.

Step 5: Configure capabilities

After onboarding devices (endpoints), you'll configure the various capabilities, such as endpoint detection and response, next-generation protection, and attack surface reduction.

Use the device onboarding table to choose components to configure. We recommend configuring all available capabilities, but you're able to skip the ones that don't apply.

After you have onboarded devices, run a detection test.

Step 6: Visit the Microsoft Defender portal

The Microsoft Defender portal (https://security.microsoft.com) is a central location where you can view onboarded devices, security recommendations, detected threats, alerts, and more. To get started, see Microsoft Defender portal.

Important

If you decide not to renew your trial or purchase a subscription, make sure to offboard devices before your trial expires.

See also

• Defender for Endpoint technical documentation
• Microsoft Security technical content library
• Defender for Endpoint demonstration

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.