Event details
Microsoft Intune and Microsoft Defender work together to help secure your organization’s data while ensuring employee productivity. Join this session to learn about using Intune to pre-emptively depl...
Heather_Poulsen
Updated Dec 27, 2024
Paul_Woodward
Oct 24, 2022, Iron Contributor
Question. We are using the "MEMAC > Endpoint Security > Manage" space to create policy for AV, Bitlocker encryption, Firewall, etc. Then we are told to use the Security Baselines. Clearly there is massive overlap, and thus conflict, between these sets of policies. Clearly it's not sensible to use both. In my view the Security Baselines are less good, because so many settings in one policy makes them hard to test/troubleshoot. The smaller "Endpoint Security" policies are easier to maintain. But what should we be doing??
nmidlane
Oct 24, 2022, Copper Contributor
Agree Paul. Would really help for an overview of when to use MEM Policies, when to use security baselines and when to use the new endpoint security configurations.
- LauraArrizza, Oct 24, 2022, Microsoft
The guidance is to first use Security Baselines to leverage the built-in setting recommendations that come from security experts across Windows, Defender for Endpoint, Edge, and Windows 365. After deploying the customized Security Baseline policy, you can use Endpoint Security policy templates that span across categories like AV, Firewall, ASR etc. to complement baselines with missing settings that are specific to the scope of security you're looking for. From there, you can leverage the Settings Catalog to add additional settings using the picker experience. We also surface Administrative Templates for settings that may still need to be added but are not available via the other methods. In terms of viewing and addressing conflicts, we have reports to help identify where you may have overlapping settings targeted. Reports like "Assignment failures" and "Device configuration" and the per policy reports allow you to drill down and understand where conflicts may be occurring. Make sure to check out some of the other Ignite sessions for specific discussions on deploying policy across the methods we offer!
- nmidlane, Oct 25, 2022, Copper Contributor
Thanks Laura. The challenge we find in large organisations is that without order of preference in policies you then end up having to copy the baselines, strip out settings, to then filter either on or off depending on application\system requirements\limitations in separate policies where the baselines cause issues, and end up with endless additional policies to manage the settings that break various apps and services. In a new company with cloud native applications it is nice and simple, but when moving large companies with complex GPOs that need migrating to allow their applications to function, it's quite a challenge. Is order or precedence something on the roadmap or not due to the complexities in implementing it? Many thanks in advance.
- LauraArrizza, Oct 25, 2022, Microsoft
Appreciate the feedback Neil and I understand where you're coming from. In terms of policy ordering/precedence - this is something on the roadmap we're designing for but do not have dates to share at this time. In the meantime, we are bringing security baselines over to using the same technology as Settings Catalog and Endpoint Security policies so that there is consistency in the setting definitions, names, and reporting to make it easier to identify & avoid conflicts. As we roll out these improvements, plus additional reports and eventually precedence, hopefully this addresses your concerns.
- Paul_Woodward, Oct 25, 2022, Iron Contributor
Interesting. Thank you.
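
The overlap between a security baseline and the smaller Endpoint Security policies discussed in this thread can be checked offline before anything is assigned. The following is an added example, not part of the original posts and not Microsoft code: it assumes each policy has already been exported to a flat setting-to-value map, and every policy name, setting key and value in it is a constructed placeholder rather than a real Intune identifier.

```python
from collections import defaultdict

# Constructed sample data: each policy is a flat map of setting name -> value.
# Policy names, setting keys and values are placeholders, not Intune identifiers.
POLICIES = {
    "Baseline-Windows": {
        "av.realtime_monitoring": "enabled",
        "av.cloud_protection": "enabled",
        "disk.require_encryption": "enabled",
        "fw.domain_profile": "enabled",
    },
    "ES-Antivirus": {
        "av.realtime_monitoring": "enabled",
        "av.cloud_protection": "disabled",
        "av.scan_archives": "enabled",
    },
    "ES-Firewall": {
        "fw.domain_profile": "enabled",
        "fw.public_profile": "enabled",
    },
}


def find_overlaps(policies):
    """Return {setting: {"policies": {policy: value}, "conflict": bool}} for
    every setting that more than one policy configures."""
    seen = defaultdict(dict)
    for policy, settings in policies.items():
        for name, value in settings.items():
            seen[name][policy] = value
    return {
        name: {"policies": by_policy, "conflict": len(set(by_policy.values())) > 1}
        for name, by_policy in seen.items()
        if len(by_policy) > 1
    }


def strip_overlaps(policies, baseline):
    """Copy of the baseline keeping only settings no other policy configures,
    i.e. the 'copy the baseline and strip out settings' step from the thread."""
    owned_elsewhere = {n for p, s in policies.items() if p != baseline for n in s}
    return {k: v for k, v in policies[baseline].items() if k not in owned_elsewhere}


if __name__ == "__main__":
    for name, info in sorted(find_overlaps(POLICIES).items()):
        kind = "CONFLICT" if info["conflict"] else "duplicate"
        print(f"{kind:9} {name}: {info['policies']}")
    print("stripped baseline:", strip_overlaps(POLICIES, "Baseline-Windows"))
```

Settings flagged as duplicates carry the same value in every policy; only those flagged as conflicts disagree on the value and need a decision about which policy should own them.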