Forum Discussion

Ueli Zimmermann's avatar
Ueli Zimmermann
Brass Contributor
Jul 28, 2022

Which policies to use for MEM integrated Windows 10 and above?

Hello there,   My question would be around Windows 10 and above Devices joined to AzureAD and MEM/Intune managed. Is the "Microsoft Defender for Endpoint Baseline" the best Baseline policy set to u...
  • yongrheemsft's avatar
    yongrheemsft
    Jul 29, 2022

    Hi Ueli Zimmermann,

    /* From the configuration standpoint, MEM surfaces multiple baseline templates that are recommendations from security experts on what admins should configure in their environments. The Microsoft Defender for Endpoint Baseline is an example of those for Defender related settings. When configuring the baseline, you can choose to customize the recommended values for the settings for certain exceptions. The endpoint security templates like AV, Firewall, Bitlocker are available to complement the baselines for anything else that you want to configure, plus the settings catalog and ADMX policy types to add more settings in your environment. To your question – “so which one should I use?”, it depends on if you want to leverage baselines to keep up to date with the MDE recommendations + have an easy template to follow versus if you want to use endpoint security templates to configure your own settings.

    Ultimately, the decision is up to you on how you want to implement security configurations and follow a Zero Trust model:

    Microsoft 365 Zero Trust deployment plan
    https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide
    */

    Thanks,
    Yong Rhee - MSFT

rahuljindal-MVP's avatar
rahuljindal-MVP
Bronze Contributor
The baseline acts as the minimum set of recommended policies by MS that an organization can implement. You can build your configuration settings over it or don't use the baseline at all.
Ueli Zimmermann's avatar
Ueli Zimmermann
Brass Contributor
Jul 29, 2022
what i would like to know what is the recommended configuration for a todays common modern enterprise ready Workplace and how to apply this policies in the best way for MEM enabled Devices without conflicts between the different profiles / methods.
  • yongrheemsft's avatar
    yongrheemsft
    Icon for Microsoft rankMicrosoft
    Jul 29, 2022

    Hi Ueli Zimmermann,

    /* From the configuration standpoint, MEM surfaces multiple baseline templates that are recommendations from security experts on what admins should configure in their environments. The Microsoft Defender for Endpoint Baseline is an example of those for Defender related settings. When configuring the baseline, you can choose to customize the recommended values for the settings for certain exceptions. The endpoint security templates like AV, Firewall, Bitlocker are available to complement the baselines for anything else that you want to configure, plus the settings catalog and ADMX policy types to add more settings in your environment. To your question – “so which one should I use?”, it depends on if you want to leverage baselines to keep up to date with the MDE recommendations + have an easy template to follow versus if you want to use endpoint security templates to configure your own settings.

    Ultimately, the decision is up to you on how you want to implement security configurations and follow a Zero Trust model:

    Microsoft 365 Zero Trust deployment plan
    https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide
    */

    Thanks,
    Yong Rhee - MSFT

Resources