MDO Preset Security Policies still exist after disabling the switch.

Copper Contributor


Apparently one day the standard preset policies were enabled on my tenant by another user, and then disabled right after. However, as it is also stated in "For the Standard and Strict preset security policies, these rules are created the first time you turn on the preset security policy in the Microsoft 365 Defender portal. If you never turned on the preset security policy, the associated rules don't exist. Turning off the preset security policy doesn't delete the associated rules."


The issue gets more complicated with the following:

  • The policies were not visible in the GUI, only through PowerShell.
  • The policies are still Enabled according to the value "Enabled: True" in the PowerShell objects.
  • Microsoft warns that "Do not attempt to create, modify, or remove the individual security policies that are associated with preset security policies. The only supported method for creating the individual security policies for Standard or Strict preset security policies is to turn on the preset security policy in the Microsoft 365 Defender portal for the first time." (ref. same link as above)

Am I safe to manually delete the policy since I do not need them and now use custom ones for my needs?

1 Reply
In my test tenant I'm only able to enable or disable the preset security policies, not delete them, which corresponds with what the Microsoft documentation on these says.