Trial user guide: Microsoft Defender for Endpoint

Welcome to the Microsoft Defender for Endpoint Plan 2 trial user guide!

This playbook is a simple guide to help you make the most of your free trial. Using the suggested steps in this article from the Microsoft Defender team, you'll learn how Defender for Endpoint can help you to prevent, detect, investigate, and respond to advanced threats.

What is Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security platform that uses the following combination of technology built into Windows and Microsoft's robust cloud service:

  • Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send sensor data to your private, isolated, cloud instance of Defender for Endpoint.

  • Cloud security analytics: Using big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Microsoft 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.

  • Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they're observed in collected sensor data.

Microsoft Defender for Endpoint

Vulnerability Management
Core Defender Vulnerability Management
Attack surface reduction
Attack surface reduction
Next-generation protection
Next-generation protection
Endpoint detection and response
Endpoint detection and response
Automated investigation and remediation
Automated investigation and remediation
Microsoft Threat Experts
Microsoft Threat Experts
Centralized configuration and administration, APIs
Microsoft 365 Defender

Let's get started!

Set up your trial

  1. Confirm your license state.
  2. Set up role-based access control and grant permissions to your security team.
  3. Visit the Microsoft Defender portal.
  4. Onboard endpoints using any of the supported management tools.
  5. Configure capabilities.
  6. Experience Microsoft Defender for Endpoint through simulated attacks.
  7. Set up the Microsoft Defender for Endpoint evaluation lab.

Step 1: Confirm your license state

To make sure your Defender for Endpoint subscription is properly provisioned, you can check your license state in either the Microsoft 365 admin center ( or Microsoft Entra ID (

Check your license state.

Step 2: Set up role-based access control and grant permissions to your security team

Microsoft recommends using the concept of least privileges. Defender for Endpoint uses built-in roles within Microsoft Entra ID. Review the different roles that are available and choose appropriate roles for your security team. Some roles may need to be applied temporarily and removed after the trial has been completed.

Use Privileged Identity Management to manage your roles to provide extra auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and doesn't grant access to view machines/device inventory.

  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.


    Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Step 3: Visit the Microsoft Defender portal

The Microsoft Defender portal ( is where you can access your Defender for Endpoint capabilities.

  1. Review what to expect in the Microsoft Defender portal.

  2. Go to and sign in.

  3. In the navigation pane, see the Endpoints section to access your capabilities.

Step 4: Onboard endpoints using any of the supported management tools

This section outlines the general steps you to onboard devices (endpoints).

  1. Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.

  2. Review your device onboarding tool options and select the most appropriate option for your environment.

Step 5: Configure capabilities

After onboarding devices (endpoints), you'll configure the various capabilities, such as endpoint detection and response, next-generation protection, and attack surface reduction.

Use this table to choose components to configure. We recommend configuring all available capabilities, but you're able to skip the ones that don't apply.

Step 6: Experience Microsoft Defender for Endpoint through simulated attacks

You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.

To run any of the provided simulations, you need at least one onboarded device.

  1. Access the tutorials. In the Microsoft Defender portal (, in the navigation pane, under Endpoints, choose Tutorials.

  2. Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements and detailed instructions that are specific to an attack scenario.

  3. Run a simulation.

Step 7: Set up the Microsoft Defender for Endpoint evaluation lab

The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. Using the simplified set-up experience in evaluation lab, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs.

See also


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.