Forum Discussion

PerKarlLind
Copper Contributor
Apr 12, 2023

Assign Microsoft Defender for Endpoint baseline to users or devices?

I am currently working on optimizing our Intune configuration for better efficiency and have encountered challenges related to conflicts between Microsoft Defender for Endpoint baselines and device configuration profiles. One such issue I've noticed involves BitLocker, which appears to have a conflict affecting over 1,000 devices.


Our "legacy" configuration profile is assigned to these devices, while our "updated" baseline is assigned to users. I have conducted tests on several devices belonging to my team and excluded them from the "legacy" configuration profile. The transition appears to be seamless, without any negative impact on the end user experience or the stored BitLocker recovery key.


I am seeking guidance on the following questions:

  1. When it comes to Microsoft Defender for Endpoint baselines, is it more advisable to assign them to devices or users?

  2. Would it be safe and efficient to transition all of our devices to exclusively use the Microsoft Defender for Endpoint baseline, rather than maintaining separate configuration profiles? The settings in both configurations are closely aligned.


Thank you in advance!

rahuljindal-MVP
Bronze Contributor

MDE baseline contains a subset of settings that should be configured at a minimum according to Microsoft. It is ideal if you are only looking for a baseline and don't want the admin overhead of maintaining these settings outside the baseline. However, most organizations go for the complete feature set (if they are licensed) and therefore I normally recommend deploying the MDE settings using Endpoint security profiles instead. They are specifically tailored for endpoints, keeping security in mind. I normally exclude the BitLocker and Defender settings from the MDM baseline and don't even consider using the MDE security baseline. Not to mention that these baselines have not been updated for a long time; however, that is expected to change in the coming months. As for the assignments, it will depend on the use of the assignments. For example, if it is existing devices, then you can assign to either devices or users. It won't really matter. However, if it is for Autopilot, then you may want to assign profiles like Exploit Guard and Application Control to users, as they can sometimes trigger a reboot during AP provisioning.
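Before moving 1,000+ devices from a device-assigned configuration profile onto a user-assigned baseline, it helps to have an inventory of which profiles touch the same area and what kind of group each one targets. The script below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds `DeviceManagementConfiguration.Read.All` and `GroupMember.Read.All`, and that legacy profiles live under the v1.0 `deviceManagement/deviceConfigurations` endpoint while security baselines and Endpoint security profiles are exposed as "intents" under the beta `deviceManagement/intents` endpoint. The keyword filter, the member-sampling heuristic for classifying a group, and the output layout are my own choices.

```powershell
# Added example (not from the thread): list Intune profiles whose name matches a keyword
# and show whether each is assigned to user groups, device groups, or both, so that a
# device-assigned "legacy" profile overlapping a user-assigned baseline is visible
# before devices are excluded from the legacy profile.
param([string]$Keyword = 'BitLocker')   # '' lists every profile

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'GroupMember.Read.All'

# Follow @odata.nextLink so large tenants are not truncated to the first page.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Heuristic (my assumption): classify a group by the object types of a sample of its
# members. Mixed or empty groups are reported as such rather than guessed.
function Get-GroupMemberKind {
    param([string]$GroupId)
    $sample = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId/members?`$top=20").value
    $types = @($sample | ForEach-Object { $_.'@odata.type' } | Sort-Object -Unique)
    if ($types.Count -eq 0) { return 'empty' }
    if ($types -contains '#microsoft.graph.device' -and $types -notcontains '#microsoft.graph.user') { return 'device' }
    if ($types -contains '#microsoft.graph.user'   -and $types -notcontains '#microsoft.graph.device') { return 'user' }
    return 'mixed'
}

# Map each assignment target to a user/device label; exclusions are marked separately.
function Get-TargetKinds {
    param([object[]]$Assignments)
    $kinds = foreach ($a in $Assignments) {
        $t = $a.target
        switch ($t.'@odata.type') {
            '#microsoft.graph.allDevicesAssignmentTarget'       { 'device (all devices)' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'user (all licensed users)' }
            '#microsoft.graph.groupAssignmentTarget'            { Get-GroupMemberKind $t.groupId }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { "exclude:$(Get-GroupMemberKind $t.groupId)" }
            default                                             { 'unknown' }
        }
    }
    return @($kinds | Sort-Object -Unique)
}

$rows = @()

# Legacy device configuration profiles (v1.0).
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
foreach ($p in Get-GraphCollection $base | Where-Object { $_.displayName -like "*$Keyword*" }) {
    $asg = Get-GraphCollection "$base/$($p.id)/assignments"
    $rows += [pscustomobject]@{ Kind = 'Configuration profile'; Name = $p.displayName
                                Targets = (Get-TargetKinds $asg) -join ', ' }
}

# Security baselines and Endpoint security profiles (beta "intents").
$base = 'https://graph.microsoft.com/beta/deviceManagement/intents'
foreach ($i in Get-GraphCollection $base | Where-Object { $_.displayName -like "*$Keyword*" }) {
    $asg = Get-GraphCollection "$base/$($i.id)/assignments"
    $rows += [pscustomobject]@{ Kind = 'Baseline / Endpoint security'; Name = $i.displayName
                                Targets = (Get-TargetKinds $asg) -join ', ' }
}

# A profile whose Targets column mixes 'user' and 'device', or two rows for the same
# setting area with different kinds, is where the reply's advice applies: keep one
# source of truth per settings area, and only assign reboot-triggering profiles to users
# if Autopilot provisioning is in scope.
$rows | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it once with the default `BitLocker` keyword and again with `-Keyword ''` to see every profile; the second run is the one to keep as a record before and after the cut-over, since the reply's point about excluding BitLocker and Defender settings from the MDM baseline only holds if nothing else is still pushing them.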
