Do you have a link regarding AAD clean-up if a device is failing to be managed by MDE?
I am a little confused by the SCCM and MDE scenario where both management channels will push their security settings to the device.
Can't Co-Management along with Security Settings Management in MDE help with that where you can choose to have security policies managed by MDE?
Significant exceptions are required for some products (e.g. SQL Server, Exchange, SharePoint...). Some of these settings are highly specific (e.g. DB-specific file/folder paths for scan exclusions). Being system-specific, this is best achieved via PowerShell scripts.
What's the best approach to ensure these carefully-configured exclusions don't get overridden if - for example - I wish to manage *some* settings (e.g. ASR rules I want to apply globally), but need to leave app-specific, locally-defined exclusion paths alone?
You mention the precedence rules in the slide "Defender for Endpoint will override in case of direct conflict between configured settings", but the granularity is unclear - what do you mean by a 'setting', exactly? Is this an all-or-nothing proposition (if enrolled into MDE-managed, all settings are managed exclusively by MDE)? Or does precedence apply at an individual parameter level, e.g. Audit/Enforce for a specific ASR rule identified by GUID?
You also did not cover
- what MDE endpoint logs: what settings are received from where, and what the final result is (critical for troubleshooting, cf. RSOP for GPOs)
- how to remove earlier AAD tattoos
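One way to get a rough RSOP-style view for the troubleshooting question above, as an added example that is not part of the video or the comment: read the effective Defender state with Get-MpPreference and compare each ASR rule and path exclusion with what the GPO policy hive delivers. Assumptions: run elevated on a Windows machine with Defender AV; the two registry paths are the standard GPO locations, and values delivered by MDM or MDE security settings management land elsewhere, so anything not found there is reported as "not in GPO hive" rather than attributed to a specific source.

```powershell
# Added example: effective Defender ASR rules and exclusions vs. GPO-delivered values.
# Assumption: GPO policy hive paths below; MDM/MDE-managed values are stored elsewhere.
$pref = Get-MpPreference

# Ids and Actions are parallel arrays; action codes: 0=Disabled, 1=Block, 2=Audit, 6=Warn
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$gpoAsr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$gpoAsrValues = if (Test-Path $gpoAsr) { Get-ItemProperty $gpoAsr } else { $null }

$asrReport = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    # Rule GUIDs are value names under the GPO key; missing property means GPO does not set it
    $gpoValue = if ($gpoAsrValues) { $gpoAsrValues.PSObject.Properties[$id].Value } else { $null }
    [pscustomobject]@{
        RuleId    = $id
        Effective = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        GpoValue  = if ($null -ne $gpoValue) { $actionName[[int]$gpoValue] } else { '(not set by GPO)' }
    }
}

# Effective path exclusions, tagged by whether the GPO hive carries the same path
$gpoExcl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
$gpoPaths = if (Test-Path $gpoExcl) { (Get-Item $gpoExcl).GetValueNames() } else { @() }
$exclReport = foreach ($p in $pref.ExclusionPath) {
    [pscustomobject]@{
        Path   = $p
        Source = if ($gpoPaths -contains $p) { 'GPO' } else { 'local or MDM (not in GPO hive)' }
    }
}

$asrReport  | Format-Table -AutoSize
$exclReport | Format-Table -AutoSize
```

Running it before and after enrolling a device into MDE-managed settings shows which exclusions and rule actions actually changed, which is the comparison the exclusion-override question needs.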
Does this work for workgroup-based machines as well? Such as machines that are not synced to Azure AD?
No
When will this be available for use, fully released?
Currently in public preview, you need to enable that for your tenant - I assume in October (so very soon) it will become GA and the new features will then show up as well.
why is your hair not pink?
Summer is over 😆