Are there any rules of thumb or guidelines about when an organization should create additional security policies in Endpoint Manager after the Baselines have been implemented? I.e., what are the scenarios in which the baselines are not sufficient and additional configuration is recommended?
Security Baselines are sufficient in most cases, but there might be some considerations when you look at the individual settings. Think of Attack Surface Reduction (ASR), for instance, which blocks certain behaviors that might be normal for business applications to apply, like downloading a file through a script. It all comes down to deciding what functionalities could stop your normal processes from running.