cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Which policies to use for MEM integrated Windows 10 and above?

Ueli Zimmermann
Brass Contributor

‎Jul 28 2022 05:39 AM

‎Jul 28 2022 05:39 AM

Which policies to use for MEM integrated Windows 10 and above?

Hello there,

 

My question would be around Windows 10 and above Devices joined to AzureAD and MEM/Intune managed. Is the "Microsoft Defender for Endpoint Baseline" the best Baseline policy set to use or shall we use now as well the dedicated Policies inside of the Endpoint Security Blade ? i have seen some deviations especially in the Antivirus Profile options as well as in Bitlocker. There are more details to configure then in the Baseline package. Although still some specific settings seems to be better integrated into the Baseline package. As this Unified Security Management was mostly created for non MDM onboarded Devices i wanted to know what is the official recommendation to ensure the upmost Security Config is enabled but without constant conflicts in policies as you simply cant disable parts of the Baseline Profiles and some settings are not in there which means it ends up in conflicts all the time if you actually want to have a mix of both worlds.  Just curious how others do to get best line of defense.

 

rgs

1,301 Views
0 Likes
3 Replies
Reply
3 Replies
rahuljindal-MVP

‎Jul 28 2022 04:00 PM

‎Jul 28 2022 04:00 PM

Re: Which policies to use for MEM integrated Windows 10 and above?

The baseline acts as the minimum set of recommended policies by MS that an organization can implement. You can build your configuration settings over it or don't use the baseline at all.
0 Likes
Reply
Ueli Zimmermann

‎Jul 29 2022 09:04 AM

‎Jul 29 2022 09:04 AM

Re: Which policies to use for MEM integrated Windows 10 and above?

what i would like to know what is the recommended configuration for a todays common modern enterprise ready Workplace and how to apply this policies in the best way for MEM enabled Devices without conflicts between the different profiles / methods.
0 Likes
Reply
best response confirmed by Ueli Zimmermann (Brass Contributor)
Yong Rhee

‎Jul 29 2022 09:25 AM - edited ‎Jul 29 2022 09:26 AM

‎Jul 29 2022 09:25 AM - edited ‎Jul 29 2022 09:26 AM

Solution

Re: Which policies to use for MEM integrated Windows 10 and above?

Hi @Ueli Zimmermann,

/* From the configuration standpoint, MEM surfaces multiple baseline templates that are recommendations from security experts on what admins should configure in their environments. The Microsoft Defender for Endpoint Baseline is an example of those for Defender related settings. When configuring the baseline, you can choose to customize the recommended values for the settings for certain exceptions. The endpoint security templates like AV, Firewall, Bitlocker are available to complement the baselines for anything else that you want to configure, plus the settings catalog and ADMX policy types to add more settings in your environment. To your question – “so which one should I use?”, it depends on if you want to leverage baselines to keep up to date with the MDE recommendations + have an easy template to follow versus if you want to use endpoint security templates to configure your own settings.

Ultimately, the decision is up to you on how you want to implement security configurations and follow a Zero Trust model:

Microsoft 365 Zero Trust deployment plan
https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide
*/

Thanks,
Yong Rhee - MSFT

2 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ueli Zimmermann (Brass Contributor)
Yong Rhee

‎Jul 29 2022 09:25 AM - edited ‎Jul 29 2022 09:26 AM

‎Jul 29 2022 09:25 AM - edited ‎Jul 29 2022 09:26 AM

Solution

Re: Which policies to use for MEM integrated Windows 10 and above?

Hi @Ueli Zimmermann,

/* From the configuration standpoint, MEM surfaces multiple baseline templates that are recommendations from security experts on what admins should configure in their environments. The Microsoft Defender for Endpoint Baseline is an example of those for Defender related settings. When configuring the baseline, you can choose to customize the recommended values for the settings for certain exceptions. The endpoint security templates like AV, Firewall, Bitlocker are available to complement the baselines for anything else that you want to configure, plus the settings catalog and ADMX policy types to add more settings in your environment. To your question – “so which one should I use?”, it depends on if you want to leverage baselines to keep up to date with the MDE recommendations + have an easy template to follow versus if you want to use endpoint security templates to configure your own settings.

Ultimately, the decision is up to you on how you want to implement security configurations and follow a Zero Trust model:

Microsoft 365 Zero Trust deployment plan
https://docs.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide
*/

Thanks,
Yong Rhee - MSFT

View solution in original post

2 Likes
Reply