When will Domain Controllers be supported for DFE setting management? Using DFE management to apply Intune security policies to Windows Server OS devices is great, but if we can't apply those same workflows to Domain Controllers, it still means we must manage DCs via GPO as far as Defender is concerned. At that point it makes a lot more sense to use GPO for Server OS DFE setting management for consistency purposes. I am a big fan of the product and ecosystem, but it's an incredible drawback how awkward setting management has been and continues to be for DFE, and how hybrid customers seem to always draw the short straw.
I know the ship has sailed here but I am amazed that the initial policy and setting vision for DFE did not include, at least as an alternative, being able to configure all the settings inside the Security portal and DFE settings dashboard itself. DFE is the only security product on the market where you can't manage a large portion of how it behaves and works inside the product portal itself, let alone all the different OS and hybrid and non-hybrid quirks. To me this is as convoluted as a hypothetical situation where you make the majority of Exchange Online settings managed inside of the SharePoint admin portal except for Global Admin mailboxes which can only be managed via PowerShell and ignore all settings set in the Admin portal.
The devices can clearly talk to the cloud services to get a subsection of policies. Please consider making it simpler to secure our device fleet so that we can be sure that our policies and settings are applied and uniform across all devices enrolled into DFE, without all these complexities around enrollment, hybrid, AADSync, etc. Onboarding onto DFE should be the only step needed.