Which policies to use for MEM integrated Windows 10 and above?


Hello there,


My question would be around Windows 10 and above devices joined to Azure AD and MEM/Intune managed. Is the "Microsoft Defender for Endpoint Baseline" the best baseline policy set to use, or shall we now use the dedicated policies inside the Endpoint Security blade as well? I have seen some deviations, especially in the Antivirus profile options as well as in BitLocker. There are more details to configure there than in the Baseline package, although some specific settings still seem to be better integrated into the Baseline package. As this Unified Security Management was mostly created for non-MDM onboarded devices, I wanted to know what the official recommendation is to ensure the utmost security config is enabled, but without constant conflicts in policies, as you simply can't disable parts of the Baseline profiles and some settings are not in there, which means it ends up in conflicts all the time if you actually want to have a mix of both worlds. Just curious how others do it to get the best line of defense.



3 Replies
The baseline acts as the minimum set of recommended policies by MS that an organization can implement. You can build your configuration settings on top of it or not use the baseline at all.
What I would like to know is what the recommended configuration is for today's common modern enterprise-ready workplace, and how to apply these policies in the best way for MEM-enabled devices without conflicts between the different profiles / methods.
best response confirmed by Ueli Zimmermann (Contributor)

Hi @Ueli Zimmermann,

From the configuration standpoint, MEM surfaces multiple baseline templates that are recommendations from security experts on what admins should configure in their environments. The Microsoft Defender for Endpoint Baseline is an example of those for Defender-related settings. When configuring the baseline, you can choose to customize the recommended values for the settings for certain exceptions. The endpoint security templates like AV, Firewall, BitLocker are available to complement the baselines for anything else that you want to configure, plus the settings catalog and ADMX policy types to add more settings in your environment. To your question – “so which one should I use?”, it depends on whether you want to leverage baselines to keep up to date with the MDE recommendations + have an easy template to follow, versus whether you want to use endpoint security templates to configure your own settings.

Ultimately, the decision is up to you on how you want to implement security configurations and follow a Zero Trust model:

Microsoft 365 Zero Trust deployment plan

Yong Rhee - MSFT
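The conflict problem raised in the question (a baseline and an endpoint security profile both configuring the same Defender or BitLocker setting) can be checked before assignment by diffing the policies' settings. The script below is an added example, not code from this thread or from Microsoft: the policy list, the setting names and the flat name-to-value shape are constructed stand-ins for whatever your own export from the Intune admin center or the Graph API looks like.

```python
"""Find setting conflicts across MEM/Intune policy exports (constructed sample)."""
from collections import defaultdict

# Constructed sample: a security baseline, an endpoint security AV profile and a
# disk-encryption profile that overlap on some Defender / BitLocker settings.
SAMPLE_POLICIES = [
    {"name": "MDE Baseline", "type": "securityBaseline",
     "settings": {"CloudBlockLevel": "High", "RealTimeMonitoring": "Enabled",
                  "RequireDeviceEncryption": "Enabled"}},
    {"name": "AV - Corp Laptops", "type": "endpointSecurity/antivirus",
     "settings": {"CloudBlockLevel": "ZeroTolerance", "RealTimeMonitoring": "Enabled",
                  "ScanType": "Full"}},
    {"name": "BitLocker - Corp", "type": "endpointSecurity/diskEncryption",
     "settings": {"RequireDeviceEncryption": "Enabled",
                  "EncryptionMethodByDriveType": "XtsAes256"}},
]


def index_settings(policies):
    """Map each setting name to the list of (policy name, value) pairs that define it."""
    where = defaultdict(list)
    for pol in policies:
        for name, value in pol["settings"].items():
            where[name].append((pol["name"], value))
    return where


def find_conflicts(policies):
    """Return {setting: [(policy, value), ...]} for settings whose values disagree.

    The same setting pushed with the *same* value from several profiles is not
    flagged by Intune as a conflict, so only differing values are reported here.
    """
    return {name: hits for name, hits in index_settings(policies).items()
            if len({v for _, v in hits}) > 1}


def find_duplicates(policies):
    """Settings configured identically by more than one profile (redundant, not broken)."""
    return sorted(name for name, hits in index_settings(policies).items()
                  if len(hits) > 1 and len({v for _, v in hits}) == 1)


if __name__ == "__main__":
    for setting, hits in find_conflicts(SAMPLE_POLICIES).items():
        print(f"CONFLICT {setting}: " + ", ".join(f"{p}={v}" for p, v in hits))
    print("redundant:", find_duplicates(SAMPLE_POLICIES))
```

On the sample it reports CloudBlockLevel as the one real conflict (High in the baseline versus ZeroTolerance in the AV profile) and the two identical settings as merely redundant, which is the distinction to make before deciding which profile should own a setting.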