When new machines join your environment, what’s your “day one” configuration checklist—and where does Endpoint Policy Manager fit in?

For this type of scenario, we lean more towards the “highly managed” side of the spectrum, and EPM dances along the line between security and configuration. We’re a ConfigMgr and Azure hybrid shop with more than “just a few” endpoint devices. Our “day one” configuration checklist consists of verifying that all of our mission- and security-critical agents are installed. Each agent is configured and managed by its respective team. Our environment is “mature” enough (Honestly? When can you ever say you have a mature environment!?! :rofl: ) to rely on each respective agent to do its job. As long as the agents are installed, then our desired settings, policies, etc. are also applied. Therefore, “day one” checklist means “verify all of the agents are installed.” The EPM agents, Cloud and CSE, are included in said list. The “highly managed” aspect of this scenario means devices aren’t entering our environment unless they go through our pre-established methods. If a device does manage to slip through the cracks, then ongoing compliance checks detect and install any missing agents ASAP. These compliance checks also ensure our list of critical agents is always installed on the rare occasion that one of them is somehow removed from an endpoint.

From an EPM perspective, we install the agents and configure the endpoints directly into their respective Company Group via MSI switches. If an endpoint does manage to end up Unassigned, then we have custom scripts/policies applied to said group to immediately move said endpoints to the correct Company Groups. We also default to a “catchall” Company Group that still receives all of our policies if the move script fails to detect the correct Company Group based on the endpoint device’s settings. Our goal is to apply full company policy to endpoints from day one.
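The ongoing “verify all of the agents are installed” compliance check described above, as an added example written in the style of a ConfigMgr configuration-item discovery script (this is not the poster’s own script, and the agent display names are placeholders, not real product names):

```powershell
# Added example (not from the post): a ConfigMgr-style discovery script that
# checks the "critical agent" list on an endpoint. Display names are placeholders.
$RequiredAgents = @(
    'EXAMPLE Endpoint Protection Agent',   # placeholder display name
    'EXAMPLE EPM Cloud Agent',             # placeholder display name
    'EXAMPLE EPM Client-Side Extension'    # placeholder display name
)

function Get-InstalledProductNames {
    # Enumerate DisplayName from both the 64-bit and 32-bit Uninstall keys,
    # which is where MSI-installed agents register themselves.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

function Get-MissingAgents {
    param([string[]]$Required, [string[]]$Installed)
    # Match on a display-name prefix so a version suffix in the registry entry
    # does not produce a false "missing" result.
    $Required | Where-Object {
        $name = $_
        -not ($Installed | Where-Object { $_ -like "$name*" })
    }
}

$missing = @(Get-MissingAgents -Required $RequiredAgents -Installed (Get-InstalledProductNames))

if ($missing.Count -eq 0) {
    # ConfigMgr CI discovery convention: the script's output is compared against
    # an expected value ("Compliant") in the configuration item's rule.
    Write-Output 'Compliant'
} else {
    # Report the gap; a paired remediation script would reinstall each missing
    # agent so the endpoint picks up full company policy again.
    Write-Output ('NonCompliant: ' + ($missing -join '; '))
}
```

Run as SYSTEM from the ConfigMgr client so both registry hives are readable; the same check can be reused as the “is the EPM agent present?” gate before the Company Group move script runs.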

Nice. Sounds like your mature process is working as expected. :slight_smile: Keep up the good work…!!