Thanks @Hesham Saad, understood, maybe I didn't phrase it very well?

What I was looking for was anything similar to "Deployment Guide" for Azure MFA for instance?

By this I mean, a very real and practical guide to a list of the the design decisions + various options, plus guidance on the consequences of those decisions - I'm going to assume that this doesn't exist as yet.

The on-boarding & off-boarding process is quite well documented in the Admin console under settings on the last two items - what I was looking for was any docs around these design decisions, but that's OK I've started creating it based on the latest high level slide deck. 

Thanks @Ryen Macababbad I've already provided some feedback on Yammer.

Question - there doesn't appear to be much focus on applying the "Audit Only" settings and collecting data before changing to enforced? Some of the settings will have the capacity to be disruptive to business if pushed too aggressively too quickly? Thoughts?

@David Caddick Are you talking about Attack Surface Reduction Rules? In the ASR section (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/productio...) you'll see "In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode."

What do you propose?   

Hi @Ryen Macababbad, I guess I'm hinting at the fact that it feels a bit like as a Deployment Guide it's a bit underdone? I'm not too worried as we have already run thru this ourselves and created our own.

But even the link in the Deployment Guide for ASR under rank = 3 is just a link to the overview of ASR Settings - I would have thought that it's not a bad idea to at least mention the Audit mode and some basic recommendation with a direct link would be an improvement?

Going slightly off topic - when we look at these specific settings in Intune they are all over the place, no grouping, not even in alphabetical order - that could really do with a clean up?

Dave C  

Audit mode is not available for Automated Investigations unless you prompt user or auto-respond and EDR block mode also has to audit mode feature. Also ASR rules and EDR Block Mode can't be applied per group :( This looks like a beta version to be honest. Definitely desires better documentation.