During this skill, you’ve learned about the various security features in Windows 11. You’ve also learned how to use either Endpoint security policies or a device configuration profile (using the Endpoint protection template) to enforce the required configurations.
In fact, you can generally use either of these methods. An advantage of using the Endpoint security policies is that you can also implement security baselines to help keep those policies aligned with security improvements. By using Endpoint security policies, you can configure the following:
- Antivirus Enables you to review Windows 11 unhealthy endpoints and devices with active malware. You also can use this option to create and assign antivirus profiles:
- Microsoft Defender Antivirus exclusions
- Microsoft Defender Antivirus
- Windows Security Experience
- Disk Encryption Enables you to create and configure BitLocker profiles for Windows 11 devices and macOS encryption settings.
- Firewall Enables you to create and configure firewall profiles and firewall rules.
- Endpoint Detection and Response Enables you to create profiles that provide advanced attack detections that are near real-time and actionable.
- Attack Surface Reduction Enables you to create and configure the following profiles to help reduce the attack surface on your managed devices:
- App and browser isolation
- Device control
- Attack surface reduction rules
- Exploit protection
- Web protection (for legacy Edge)
- Application control
- Account Protection Enables you to create profiles that help protect user credentials by using Windows Hello for Business and Credential Guard technology.
- Device Compliance Enables you to create and manage device compliance settings. These include
- Policies
- Notifications
- Retire Noncompliant devices
- Locations
- Compliance policy settings
- Conditional access Enables you to create and configure conditional access policies. These policies enable you to enforce access requirements when specific conditions occur. For example, deny access to cloud apps for non-compliant devices.
In fact, some elements can only be configured in these settings, such as Local user group membership and Local admin password solution (Windows LAPS).
An advantage of using an Endpoint protection configuration profile is combining and configuring all your Microsoft Defender security settings in a single profile. These settings are
- Microsoft Defender Application Guard
- Windows Defender Firewall
- Microsoft Defender SmartScreen
- Windows Encryption
- Microsoft Defender Exploit Guard
- Microsoft Defender Application Control
- Microsoft Defender Credential Guard
- Microsoft Defender Security Center
- Xbox services
- User Rights
Familiarize yourself with the available options in each of these methods for securing your endpoints.