AMA: Improve your security posture with Intune
Tuesday, Oct 01, 2024, 10:30 AM PDT
Event details
Has your organization applied Zero Trust principles to Intune? Curious about ensuring you have a solid security baseline configuration deployed across all your devices? Need to understand the best practices for device security and conditional access? Security is critical for all organizations to understand and deploy for all platforms. Join the Intune product team and engineers responsible for device security in this security-focused Ask Microsoft Anything session!
Post your questions in the Comments below. We'll have experts responding in the live stream and others in chat.
This session is part of Microsoft Intune: Tech Community Live. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Heather_Poulsen
Updated Dec 27, 2024
- BTibi2006Copper Contributor
For security configs, which of the following sections should be used in which scenario? Device config policies | Endpoint security > baseline policies | Endpoint security > AV, EDR, ASR, etc. Any guidance or best practice here?
- Chrispy14Copper Contributor
I have been experiencing issues with licensing, particularly when it comes to implementing policies like ASR. I often encounter situations where I can set up the policies, only to find out later that we do not have the correct licensing. Purview is another example of this. Will this be something that will be changed? If not, are there other ways to set up ASR?
- davidrcushmanCopper Contributor
I totally agree with this. It would be awesome if such features were accompanied with some sort of "this feature requires a minimum of" statement. While it certainly is possible to check licensing details in the Admin Center etc. beforehand, that's not exactly convenient. It would be extremely helpful if such details were available where the work is happening. It would also be helpful if licensing complexity were reduced. Otherwise, we tend to go in to new endeavors with cost concerns at the forefront, and not functionality.
- markhardisty1989Copper Contributor
Can you create a compliance policy that checks for a single anti-virus installed, whether it's Defender or Sophos or another? On devices we have with a third-party AV, they don't comply with the baseline.
- davidrcushmanCopper Contributor
As far as I know, the only current way of doing this is with a custom compliance script. Any built-in functionality that I'm aware of is presently only checking for Defender, and it would be great if it were built-in.
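The custom compliance route mentioned above, worked through as an added example (this is not code from the thread or from Microsoft): a discovery script that asks Windows Security Center which antivirus products are registered, so Defender, Sophos, or any other vendor that reports to Security Center satisfies the check. It assumes a Windows 10/11 client SKU (the root/SecurityCenter2 namespace is not present on Windows Server), and the setting names, the rule file, and the URL in it are constructed for this example. The productState decoding is the commonly used interpretation of that flag field, not a documented contract, and is labelled as such in the code.

```powershell
# Intune custom compliance discovery script (added example, not from the thread).
# Reports whether ANY registered antivirus product is present and enabled.
# Assumes a Windows client SKU: root/SecurityCenter2 does not exist on Windows Server.

function Get-RegisteredAntivirus {
    # Windows Security Center lists every AV engine that registers with it,
    # so Defender and third-party products all appear in this class.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                    -ClassName 'AntiVirusProduct' -ErrorAction Stop
    } catch {
        return @()   # namespace missing or query failed: treat as "no AV registered"
    }
    foreach ($p in $products) {
        # productState is a 24-bit flag field. Middle byte 0x10 => product enabled;
        # low byte 0x00 => definitions current. Widely used interpretation, not
        # formally documented (assumption).
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -eq '10')
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

function Get-AvComplianceState {
    $av      = @(Get-RegisteredAntivirus)
    $enabled = @($av | Where-Object { $_.Enabled })
    $name    = 'none'
    if ($enabled.Count -gt 0) { $name = $enabled[0].Name }
    # Keys must match the SettingName values declared in the JSON rule file.
    return [ordered]@{
        AvProductPresent = ($av.Count -gt 0)
        AvProductEnabled = ($enabled.Count -gt 0)
        AvProductName    = $name
    }
}

# Intune expects exactly one compressed JSON object on stdout from the discovery script.
Get-AvComplianceState | ConvertTo-Json -Compress

<#
Matching custom compliance rule file (constructed example) uploaded with the policy:
{
  "Rules": [
    {
      "SettingName": "AvProductEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/av-required",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "No enabled antivirus product was found.",
          "Description": "Install or re-enable an antivirus product that registers with Windows Security Center."
        }
      ]
    }
  ]
}
#>
```

The policy evaluates only the settings named in the rule file, so AvProductPresent and AvProductName ride along as diagnostic context in the device's compliance output without affecting the verdict; add a second rule on AvProductPresent if you want "installed but disabled" reported separately from "not installed".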
- bonsolalexOccasional Reader
Any best practices / tips around server unified management? Especially within an environment with MECM.
- DamienC1295Copper Contributor
What is your advice about compliance policy (especially Real-time protection), which sometimes takes hours to become compliant after Windows Autopilot deployment? Do you advise splitting some compliance policy settings? Assigned per user? Per computer?
- AzionHzmilton
Microsoft
As discussed on the AMA, if you are struggling with specific compliance items we generally recommend splitting them into their own compliance policies, which allows you to customize each policy further. Then you can leverage things like notifications, grace periods, and combine multiple policies to provide an experience that meets your security needs while providing a good user experience. Determining the best targeting (user vs device) should be something you test in your environment with your policies. Historically many customers had focused on user-based targeting, but we have seen more and more customers be successful with device targeting for compliance. We have been making ongoing investments to improve reporting and compliance when device targeting is used.
- MP_35Brass Contributor
It looks like Intune Data Warehouse only has summary data. Can you confirm this, and if so, when will more detailed data be added, for example per-device compliance status at the setting level, not the policy level, for about 140K endpoints? If Intune Data Warehouse is not the solution for this, what do you recommend using to get this level of detailed data (aside from custom Graph scripts)?
- MP_35Brass Contributor
Looking for detailed per-setting level status for each device, which isn't in the reports. There is a settings compliance report, but then it doesn't give you the details of each device, just summary counts.
- VaishnavK1993Brass Contributor
What new developments is the Intune team planning for Endpoint Privilege Management?
- Dallas_Allen705Copper Contributor
Can you please provide documentation for what you started the introduction with?
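The question above goes unanswered in the thread. For readers who do accept the Graph route it rules out, here is an added example (not from the thread, Microsoft, or the Intune team) that walks the per-setting summaries Graph exposes and expands each one to every device's state, which is the per-device, per-setting view the settings compliance report does not give. It assumes the Microsoft.Graph PowerShell SDK is installed and that you have already run Connect-MgGraph with the DeviceManagementConfiguration.Read.All scope; the output path is a placeholder.

```powershell
# Per-device, per-setting compliance state via Microsoft Graph (added example).
# Assumes: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' already ran.

function Invoke-GraphPaged {
    # Follow @odata.nextLink so a large tenant (the thread mentions ~140K endpoints)
    # is enumerated completely instead of stopping at the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $all = [System.Collections.Generic.List[object]]::new()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($page.value) { $all.AddRange([object[]]$page.value) }
        $Uri = $page.'@odata.nextLink'
    }
    return $all
}

function Get-PerDeviceSettingCompliance {
    # $States filters which states are emitted; pass @() to export everything.
    param([string[]]$States = @('nonCompliant', 'error', 'conflict'))
    $base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries'
    # One summary per compliance setting, tenant-wide counts only (what the report shows).
    $summaries = Invoke-GraphPaged -Uri $base
    foreach ($s in $summaries) {
        # The child collection expands that setting to each device's individual state.
        $rows = Invoke-GraphPaged -Uri "$base/$($s.id)/deviceComplianceSettingStates"
        foreach ($r in $rows) {
            if ($States.Count -gt 0 -and $r.state -notin $States) { continue }
            [pscustomobject]@{
                Setting      = $r.settingName
                PlatformType = $s.platformType
                DeviceName   = $r.deviceName
                DeviceId     = $r.deviceId
                User         = $r.userPrincipalName
                State        = $r.state
                GraceExpires = $r.complianceGracePeriodExpirationDateTime
            }
        }
    }
}

# Usage: export the failing rows for triage (placeholder path).
Get-PerDeviceSettingCompliance |
    Export-Csv -Path 'C:\Temp\intune-setting-compliance.csv' -NoTypeInformation
```

Filtering to non-compliant, error, and conflict states keeps the export small enough to review; at 140K endpoints the unfiltered child collections are large, so run this on a schedule and diff the CSV rather than pulling it interactively.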
- Rachelle_Blanchard
Microsoft
Hi Dallas! Here are the links to the documentation referenced at the start of the call:
- Heather_Poulsen
Community Manager
Welcome to the Improve your security posture with Intune AMA at Tech Community Live: Microsoft Intune edition. Let's get started! Please post your questions here in the Comments. We’ll be here until 11:30 a.m. Pacific Time! We will be answering questions in the live stream—and others will be answering here in the Comments.
- BTibi2006Copper Contributor
Can we onboard servers on MDE using Intune policies? Can we configure Antivirus, SmartScreen, Network Protection, Tamper Protection, Attack Surface Reduction, Controlled Folder Access, and other security configs for servers via Intune policies?
- BTibi2006Copper Contributor
The reason why I asked this is because the Intune policy description says that it can be applied to Windows 10, Windows 11, and Windows Server, but I was not able to find any documentation which indicates that Intune supports server onboarding on MDE.
- MP_35Brass Contributor
I'm just another Intune user, so take this with a grain of salt, but while you can manage them in the Intune portal with CM's help (https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-manage-microsoft-defender-on-windows-server-via-intune/ba-p/3713195), as I understand it you would need to install the onboarding package using either a local script, GPO, CM, VDI scripts, or Defender for Cloud (https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints).