Migrate from Symantec to Microsoft Defender for Endpoint

If you are planning to switch from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint (Defender for Endpoint), you're in the right place. Use this article as a guide.

Overview of migrating from Symantec to Defender for Endpoint

When you make the switch from Symantec to Defender for Endpoint, you begin with your Symantec solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove Symantec.

The migration process

When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:

Migration phases - prepare, setup, onboard

| Phase | Description |
|---|---|
| Prepare for your migration | During the Prepare phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
| Set up Microsoft Defender for Endpoint | During the Setup phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings. |
| Onboard to Microsoft Defender for Endpoint | During the Onboard phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
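The passive-then-active sequence described above can be checked on each Windows device. The following PowerShell is an added example, not part of the original article: the function name `Get-MigrationState` and its state labels are hypothetical, and it assumes the Defender PowerShell module is present, that the Defender for Endpoint sensor runs as the `Sense` service, and that the `root/SecurityCenter2` namespace is available (Windows client editions only).

```powershell
# Added example: summarize where a device stands in the Symantec -> Defender migration.
function Get-MigrationState {
    [CmdletBinding()]
    param()

    try {
        # AMRunningMode reports Normal (active), Passive Mode, SxS Passive Mode, or EDR Block Mode.
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
        return
    }

    # A running sensor service is a local hint only; confirm device communication in the portal.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $sensorRunning = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    # Antivirus products registered with Windows Security Center (absent on Windows Server).
    $avProducts = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
            -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName)
    $symantecRegistered = [bool]($avProducts -match 'Symantec')

    # Hypothetical labels mapping the observed mode onto the phases in the table above.
    $state = switch -Wildcard ($mp.AMRunningMode) {
        'Normal' {
            if ($symantecRegistered) { 'Defender active but Symantec still registered: finish uninstall' }
            elseif ($sensorRunning)  { 'Migrated: Defender active, sensor running' }
            else                     { 'Defender active, sensor not running: check onboarding' }
        }
        '*Passive*'      { if ($sensorRunning) { 'Onboarded, Defender passive: ready to remove Symantec' }
                           else { 'Setup: Defender passive, not yet onboarded' } }
        'EDR Block Mode' { 'Defender passive with EDR in block mode' }
        default          { "Unrecognized running mode: $($mp.AMRunningMode)" }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SensorRunning      = $sensorRunning
        SymantecRegistered = $symantecRegistered
        RegisteredAV       = $avProducts -join '; '
        State              = $state
    }
}

Get-MigrationState | Format-List
```

A device that still reports a passive running mode after Symantec has been uninstalled has no antivirus product in active mode, so it is worth flagging such results before closing out the Onboard phase.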

What's included in Microsoft Defender for Endpoint?

In this migration guide, we focus on next-generation protection and endpoint detection and response capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.

| Feature/Capability | Description |
|---|---|
| Threat & vulnerability management | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
| Attack surface reduction | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
| Next-generation protection | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
| Endpoint detection and response | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
| Advanced hunting | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
| Behavioral blocking and containment | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees, even when the threat has started execution. |
| Automated investigation and remediation | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
| Threat hunting service (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert-level monitoring and analysis, and help ensure that critical threats aren't missed. |

Want to learn more? See Microsoft Defender for Endpoint.