Getting Defender for Endpoint onto Windows without the headaches

Most of the MSPs I talk to already have Microsoft Defender for Endpoint sitting in their licensing stack. Plenty of them haven’t actually rolled it out to a single device. That gap between “we own it” and “it’s protecting the fleet” is where I see real risk hiding, and it’s the gap I want to help you close today. Here’s the path I walk through when I’m onboarding Windows machines into MDE, from licensing right through to the bit everyone skips — tuning.

Get the prerequisites right first

Before you touch a single endpoint, check the licensing. Microsoft 365 Business Premium includes Defender for Business, the SMB edition of Defender for Endpoint: next-generation protection, attack surface reduction, EDR and automated investigation and remediation for up to 300 users, which is fine for most SMBs. Defender for Endpoint Plan 1 (in Microsoft 365 E3) is the prevention-only tier with no EDR. Plan 2 sits inside the E5 stack and is what you want if you need full EDR, advanced hunting, and automated investigation at enterprise scale. Don’t assume: open the Microsoft 365 admin centre and confirm what’s actually assigned, because nothing in the onboarding flow checks it for you.

Next, head to security.microsoft.com and run the initial setup wizard. Pick your data storage region (it cannot be changed later), set your retention (30 to 180 days is the range; 180 is fine), and turn on preview features so you see new capabilities as they land. Then, under Settings, Endpoints, Advanced features, switch on the Microsoft Intune connection: that is what lets the Intune EDR policy pull the onboarding package from the connector. Confirm the tenant has Intune as its MDM authority, because that’s the path I recommend for almost every Windows fleet.

Choose your onboarding path

There are three doors into MDE for Windows, and the right one depends on how the device is managed.

Intune (my default). In the Microsoft Defender portal, go to Settings, Endpoints, Onboarding, choose Windows 10 and 11, and pick “Mobile Device Management / Microsoft Intune.” Click the link through to Intune and you’ll land on the Endpoint detection and response policy page. Create a profile with the client configuration package type set to “Auto from connector”, assign it to a pilot group first and to “All Devices” once you’re happy, and that’s the heavy lifting done. Devices pick it up on their next policy sync, usually within an hour; the policy’s Device status view shows who hasn’t, and a device that never appears there is usually one that isn’t Intune-enrolled at all.

Group Policy (for on-prem AD environments). Download the Group Policy onboarding package and the matching ADMX templates from the same Onboarding page. The package is a .cmd inside a zip; deploy it through a GPO scheduled task or startup script targeting your machine OU, import the templates into your central store, then enable the Defender ATP policies under Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Defender ATP. It’s old-school but rock solid.

Local script (pilots and one-offs). Download the local script package, run the .cmd as administrator on the target machine, and you’re done in under a minute. Microsoft caps this package at ten devices, so it’s a pilot tool, not a rollout tool. I use it when I want to prove the pipeline works before scaling.

Verify and then tune

Don’t trust the green tick — verify it. On the device, run the detection test command from Microsoft’s docs. Within fifteen minutes the device should appear in the Defender portal’s Device Inventory with an “Onboarded” sensor status and an active risk level.
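Here is the device-side version of that check, as an added example and not code from the original post. It reads the documented onboarding registry state, the Sense service and Get-MpComputerStatus, and rolls them into one object. The optional OrgId comparison is an extra for MSPs who onboard many tenants; the value you pass it is the orgId from the onboarding package you deployed.

```powershell
# Added example (not from the original post): confirm onboarding from the device
# itself before trusting the portal tile. Run in an elevated PowerShell session.
# Registry path, service name and Get-MpComputerStatus fields are Microsoft's
# documented ones; -ExpectedOrgId is an optional extra for MSPs with many tenants.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        # orgId from the onboarding package you deployed (it is in the .cmd/JSON).
        # Catches a device onboarded into the wrong customer tenant.
        [string]$ExpectedOrgId
    )

    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. The MDE sensor is the 'Sense' service (Windows Defender Advanced Threat
    #    Protection Service). Stopped or missing means no telemetry, whatever the
    #    portal shows.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState = 1 is the device-side confirmation that the onboarding
    #    blob was applied; OrgId is the tenant it reports to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $result.OnboardingState = if ($status) { [int]$status.OnboardingState } else { -1 }
    $result.OrgId           = if ($status) { [string]$status.OrgId } else { '' }
    $result.OrgIdMatches    = if ($ExpectedOrgId) { $result.OrgId -eq $ExpectedOrgId } else { 'NotChecked' }

    # 3. Defender Antivirus must be the active engine. 'Passive Mode' or
    #    'SxS Passive Mode' means another AV owns real-time protection, and ASR
    #    rules and network protection will not enforce on this device.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AMRunningMode      = $mp.AMRunningMode
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.TamperProtected    = $mp.IsTamperProtected
        $result.SignatureAgeDays   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    }

    # 4. Roll it up: anything that makes this false is a reason not to call the
    #    device 'done', even if Device Inventory already shows it as onboarded.
    $result.Healthy = ($result.SenseService -eq 'Running') -and
                      ($result.OnboardingState -eq 1) -and
                      ($result.OrgIdMatches -ne $false) -and
                      ($null -ne $mp) -and ($mp.AMRunningMode -notlike '*Passive*')

    [pscustomobject]$result
}

Test-MdeOnboarding | Format-List
```

Run it after the detection test. A device that shows as onboarded in the portal but reports Passive Mode here is the one that will look protected and do nothing when you turn the ASR rules on.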

Tuning is where most rollouts stall. Push attack surface reduction rules in audit mode first from Intune’s Endpoint security blade (Attack surface reduction profiles), leave them there for a fortnight, then read the audit events per rule before you touch anything: flip the quiet rules to block, and for the noisy ones add exclusions for the genuine false positives first and flip them second. ASR rules only enforce while Defender Antivirus is the active engine, so a device where a third-party AV has pushed Defender into passive mode will audit nothing and tell you nothing. Turn on tamper protection (after which local Set-MpPreference changes stop working, which is the point: every tuning change should flow through Intune), web content filtering, and network protection, which also has an audit mode worth using for the same fortnight. Set up email notifications for high-severity alerts so the SOC inbox doesn’t become the place alerts go to die.
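What “read the audit events” looks like in practice, as an added example that is not from the original post: it pulls ASR events 1121 (blocked) and 1122 (audited) from the Defender operational log, joins them to the mode each rule is actually configured in on the device, and ranks rules by how much they would have blocked and which processes were driving it. The GUID-to-name table is a partial copy of Microsoft’s published rule list, the event field names are those in the event XML, and the sample events at the bottom are constructed so the summariser can be tried on a machine with no ASR history.

```powershell
# Added example (not from the original post): rank ASR rules by what they would
# have blocked during the audit fortnight. Event 1122 = audited, 1121 = blocked,
# in the Microsoft-Windows-Windows Defender/Operational log (documented IDs).
# $AsrRuleNames is a partial copy of Microsoft's published rule GUIDs.
$AsrRuleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
# Get-MpPreference returns parallel arrays: Ids[i] is configured with Actions[i].
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Read-AsrEvents {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # Read named fields from the event XML; the Message text is localised.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Mode    = if ($evt.Id -eq 1122) { 'Audited' } else { 'Blocked' }
            RuleId  = (([string]$data['ID']) -replace '[{}]', '').ToUpper()
            Process = $data['Process Name']
            Path    = $data['Path']
        }
    }
}

function Get-AsrConfiguredMode {
    $pref  = Get-MpPreference
    $modes = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        $modes[$id] = $AsrActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
    $modes
}

function ConvertTo-AsrSummary {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [hashtable]$ConfiguredMode = @{}
    )
    $Events | Group-Object RuleId | ForEach-Object {
        $top = $_.Group | Group-Object Process | Sort-Object Count -Descending | Select-Object -First 3
        [pscustomobject]@{
            Rule         = if ($AsrRuleNames[$_.Name]) { $AsrRuleNames[$_.Name] } else { $_.Name }
            Configured   = if ($ConfiguredMode[$_.Name]) { $ConfiguredMode[$_.Name] } else { 'Unknown' }
            Hits         = $_.Count
            TopProcesses = ($top | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join '; '
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample events so the summariser can be tried on a workstation with
# no ASR history. On a real device use: ConvertTo-AsrSummary (Read-AsrEvents) (Get-AsrConfiguredMode)
$sample = @(
    [pscustomobject]@{ Mode='Audited'; RuleId='D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Process='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; Path='C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Mode='Audited'; RuleId='D4F940AB-401B-4EFC-AADC-AD5F3C50688A'; Process='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; Path='C:\Program Files\LOBApp\export.exe' }
    [pscustomobject]@{ Mode='Audited'; RuleId='9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'; Process='C:\Tools\procdump64.exe'; Path='C:\Windows\System32\lsass.exe' }
)
ConvertTo-AsrSummary -Events $sample | Format-Table -AutoSize
```

A rule with a handful of hits that all come from one line-of-business binary is an exclusion candidate; a rule with zero hits in a fortnight can go straight to block. Make the change in the Intune profile rather than with Set-MpPreference: once tamper protection is on the local change is rejected anyway, and Intune will overwrite anything that isn’t.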

This is also where Copilot for Security earns its keep. I’ll ask Copilot in the Defender portal to summarise an incident, walk the kill chain, or draft the client-facing notification, and a forty-minute writeup becomes a ten-minute review.

The bit nobody talks about

MDE deployment isn’t a project, it’s a posture. The clients who get value are the ones whose MSP looks at the Secure Score in the Defender portal every fortnight, treats the recommendations as a backlog inside Planner, and reports progress to the business owner in plain language. Buying the licence is easy. Operating it is the work — and that’s exactly where you justify your fee.

Stress Test It: Why Copilot Exposes Weak MSP Processes Faster Than Any Audit Ever Could

One of the biggest mistakes I see MSPs making with Microsoft 365 Copilot isn’t technical.
It’s procedural.

They document a process, feel good about it, file it away, and move on. Then Copilot gets introduced and suddenly everything that “worked fine” starts breaking—confusion, rework, inconsistent outcomes, frustrated staff.

That’s not Copilot failing.
That’s Copilot revealing where the cracks already were.

AI has zero patience for fuzzy thinking, undocumented assumptions, or tribal knowledge. If your process relies on “just ask Steve” or “we usually do it this way”, Copilot will surface that gap almost immediately.

Which is why I keep coming back to one principle with MSPs:

Once it’s documented, stress test it. Properly.

Hand It Over and Watch Where It Breaks

The simplest (and most uncomfortable) test is this:

Document the process.
Then hand it to someone who didn’t write it.

Not your best tech. Not the person who lives in that system every day. Hand it to someone competent, but neutral.

Then watch where they hesitate.

The first place they pause.
The first clarifying question they ask.
The workaround they invent because the next step isn’t clear.

That confusion is your gap.

I see this constantly with Copilot rollouts. An MSP documents “how we enable Copilot for a client” or “how staff should use Copilot in Teams”. On paper, it looks solid. In practice?

  • No one is sure where approved prompts live

  • No one knows what’s off-limits data‑wise

  • Everyone assumes someone else has done the access check

  • Security reviews live in a different document entirely

Copilot just accelerates that confusion because people start using it everywhere, all at once.

Copilot Forces End‑to‑End Thinking (Whether You Like It or Not)

Here’s the uncomfortable truth:
Copilot doesn’t care about your internal silos.

If a process only works because steps 4 and 5 happen “eventually” or “when time allows”, Copilot will make that painfully obvious.

For MSPs, this usually shows up in:

  • User onboarding that assumes clean SharePoint permissions

  • Client documentation that exists but isn’t current

  • Security controls that are “mostly” standardised

  • SOPs that describe what happens but not who decides

When Copilot is introduced, the questions multiply: “Can I use this with client data?”
“Is this the approved template?”
“Why does Copilot see this file but not that one?”

If the process doesn’t flow cleanly from step one to done, your team will improvise. And improv is exactly what MSPs spend years trying to eliminate.

Fill the Gap. Then Do It Again.

The fix isn’t complicated, but it is repetitive.

When someone gets confused, don’t explain it verbally and move on.
Fix the document.

Close the loop.
Make the decision explicit.
Remove the assumption.

Then hand the process to the next person and run it again.

You’re not looking for perfection. You’re looking for the places where the system breaks under light pressure—before clients or Copilot apply real pressure.

This is where MSP maturity actually shows. Not in how clever the Copilot prompts are, but in how resilient the underlying process is when a human and an AI are both trying to follow it.

The Real Takeaway for MSPs

Copilot isn’t a tool you “set up and support”.
It’s a mirror.

It reflects the quality of your documentation, your standardisation, your decision‑making, and your discipline as a provider.

If you want Copilot to scale productivity instead of chaos, stop asking “what does Copilot do?” and start asking:

“Where would this process fail if no one could ask a question?”

Stress test it.
Fill the gaps.
Then do it again.

That’s how you make Copilot work for your MSP—not against it.

Claude Cowork vs Copilot Cowork: why the Microsoft answer wins for SMB

I’ve watched a lot of clients spend the last twelve months stitching together AI tools that don’t talk to each other. A Claude tab here. A ChatGPT tab there. A Copilot tab somewhere in the middle. Then a folder of CSVs they keep dragging in and out of each one.

That’s not a workflow. That’s a tax.

So when Anthropic shipped Claude Cowork and Microsoft shipped Copilot Cowork in roughly the same window, the question landed in my inbox: which one do we tell our clients to use?

I’ll save you the suspense. For an SMB already paying for Microsoft 365, it’s not close.

What is Cowork, really?

Cowork is the bit that does the work, not the bit that talks about it. You give it an outcome — “draft the quarterly update from these meeting notes and send it to the leadership team” — and it goes off and does the thing.

That’s the shared idea. Both products own it. The split is in where the work happens.

Claude Cowork lives on your desktop. You mount a folder, drop your files in, and Claude runs in a sandbox on your machine. It doesn’t see your inbox. It doesn’t see your calendar. It doesn’t see your Teams chats unless you’ve copy-pasted them in. You bring the data to the model.

Copilot Cowork is the inverse. It already lives inside Microsoft 365, grounded in your Outlook, Teams, SharePoint, OneDrive, and calendar through Work IQ. You don’t mount anything. The model is already where your data lives.

Notice what’s missing? The mounting step. The “let me copy this folder over” step. The “hang on, I need to paste in the email thread” step.

For SMBs, that’s the whole game.

Step-by-Step: getting Copilot Cowork going

If you’re licensed for Microsoft 365 Copilot and enrolled in the Frontier preview, the start is short.

Open Cowork in Microsoft 365

Browse to m365.cloud.microsoft, sign in, and pick Cowork from the agent list. If you don’t see it, check Frontier enrolment under Copilot settings.

Describe the outcome

Skip the prompt-engineering nonsense. Talk like a person.

Read my inbox from this week, find anything tagged from a client,
draft a Friday wrap-up email summarising open items, and post a
short version into the Operations channel in Teams.

Notice what’s missing? Any reference to a file path. Any “first export your inbox to CSV” step. Cowork already has the inbox, the calendar, the Teams channels, and the SharePoint files. It just needs the instruction.

Approve the action

Cowork shows you exactly what it’s about to send, post, or schedule before it does it. You hit Send, Post, or Cancel. The full flow is in the getting started doc if you want to walk a client through it.

Set the schedule

Want it to do this every Friday at 4pm? Schedule the prompt and walk away. Copilot doesn’t get tired. Use that.

Why this actually changes behaviour

Claude Cowork is a beautifully built tool. For a developer or a data analyst on a Mac with a folder full of CSVs, it sings. I’m not knocking it.

But that’s not the SMB picture. The SMB picture is a bookkeeper, a sales lead and a director who all live inside Outlook and Teams from 8am to 6pm. Their data isn’t in a folder on their desktop. It’s in their mailbox, their channel chats, their SharePoint sites and their meeting transcripts.

“But couldn’t we just pipe our M365 data into Claude?”

You could. You’d be paying twice — once for M365, once for Claude — and you’d be exporting business data into a different vendor’s environment to do work the platform you already own can do natively.

That’s not a productivity gain. That’s a procurement problem.

Here’s the real win. Copilot Cowork sits behind the same Entra identity, the same conditional access, the same Purview labels and the same retention policies your tenant already runs. The governance story is already built. There’s no second tool to license, secure, train, or audit.

My recommendation? If you’re an MSP and you’re not walking your SMB clients through Copilot Cowork, you’re leaving value on the table — theirs and yours.

Meet people where they already are.

Cowork isn’t a second AI app for your clients to learn. It’s the work, finally getting done in the place it was always supposed to happen.

Record It (You Already Have the Systems)

Most MSPs I talk to are convinced their biggest constraint is time. Too much work. Too few people. No space to step back and “document everything” the way they know they should.

The uncomfortable truth? You don’t actually need more time. You already have the systems. You’re just not using them properly.

If you want to make progress with standardisation, scale, and eventually AI, step one isn’t buying another tool. It’s recording the work you’re already doing.

The Camcorder Method, Reinforced by AI

Years ago, we talked about the Camcorder Method: capture the work as it happens instead of trying to document it afterwards. With AI, that approach gets supercharged.

When you’re configuring a tenant, fixing a tricky issue, onboarding a client, or even handling an escalation, hit record.

  • Screen recording

  • Phone camera

  • Meeting recording if you’re doing it live with a client or tech

The tool doesn’t matter. The habit does.

As you work, talk through what you’re doing and—more importantly—why. Explain the judgement calls. The checks you instinctively run. The things you don’t do, and why.

This is the stuff that never makes it into documentation, but it’s exactly what junior staff, new hires, and future-you need to understand.

From Recording to Playbook (Without Starting from Scratch)

Here’s where MSPs usually get stuck. They think recording is only half the job, and now they need hours to “turn it into a proper process”.

That used to be true. It isn’t anymore.

Take the recording transcript and give it to AI. Ask it to turn that raw thinking into a draft playbook, SOP, or checklist. Not a final version—a starting point that reflects how the work is actually done in your business.

Then use one of my favourite prompts:

“Ask me any questions that would make this process clearer or easier for the next person to follow.”

This flips the dynamic. Instead of you trying to remember everything you know, the AI actively looks for gaps, assumptions, and missing steps. You answer those questions once, and the documentation improves permanently.

This is exactly how senior staff think when they onboard someone: “They’ll probably get stuck here… they’ll ask me about this… they’ll miss that.”

Now you can capture that thinking without being interrupted mid-job.

The Stranger Test (Be Brutally Honest)

Here’s the litmus test I apply to every process document.

If a capable stranger from another MSP picked this up, could they execute it end-to-end without calling you?

If the answer is “probably not”, the process isn’t finished.

That doesn’t mean it has to be perfect. It means it can’t rely on tribal knowledge, hallway conversations, or “just ask Dave, he knows”.

Every time you have to jump in and clarify something, that’s feedback. Record it. Update the playbook. Feed it back into AI. Over time, the number of interruptions drops—and so does your personal bottleneck.

This is how you scale without cloning yourself.

Why This Actually Matters to the Business

This isn’t about documentation for documentation’s sake.

  • It reduces risk when key people are away or leave

  • It shortens onboarding for new techs

  • It creates consistent outcomes for clients

  • It gives you something solid to build automation and AI on later

AI doesn’t magically fix messy operations. It rewards clarity. If your processes only exist in your head, AI just amplifies the chaos.

Recording the work is the fastest way I know to get that clarity without stopping the business to “do documentation”.

Final Thought: Don’t Overthink Step One

If you’ve been putting this off because it feels too big, start smaller.

Record the next task you do that you’ve done a hundred times before. Talk it through. Transcribe it. Let AI help shape it.

You don’t need a transformation project. You need momentum.

Hit record. The rest follows.

Entra ID backup just turned up in your Business Premium tenant

A few weeks ago I logged into a Business Premium tenant to do something completely unrelated and noticed a new node in the Entra portal: Backup and Recovery. No upsell banner, no add-on prompt, no “contact your reseller”. Just there. Sitting under Identity governance like it had always been part of the furniture.

That’s the bit worth pausing on. Microsoft has quietly turned identity backup into table stakes for every BP tenant. Notice what’s missing? An invoice.

For years the conversation around protecting your directory has been someone else’s product pitch. Third-party backup vendors built entire businesses on the fact that Microsoft wouldn’t restore a Conditional Access policy you nuked at 4pm on a Friday. Now Microsoft is restoring it for you.

What is Entra Backup and Recovery, really?

It’s a daily snapshot of the configuration that runs your tenant’s identity. Users, groups, applications, service principals, Conditional Access policies, named locations, the authentication methods policy — the things that, when they go missing, take down sign-in for your whole client base.

Five days of retention. Tamper-resistant: once it’s on, no Global Administrator can switch it off, so no compromised account can wipe the safety net before the bad thing happens. That’s not a feature. That’s governance.

Important caveats so you don’t sell something that isn’t there. Hard-deleted objects are gone — the recycle bin still does its 30-day job for users and groups, but Backup is for configuration recovery, not undeleting things. Hybrid identity synced from on-premises AD has limitations. Workforce tenants only — not B2C or External ID. And it’s currently in Public Preview, so treat it like one. The official overview is worth a read before you stand in front of a client.

A daily snapshot you can’t disable is more honest than a backup product you forget to renew.

Step-by-Step: turning it on for a Business Premium tenant

1. Sign into the Entra admin centre

Use a Global Administrator account. Navigate to Identity governance > Backup and Recovery. If the node isn’t there yet, give the tenant a day: rollout is staged.

2. Enable the service

It’s a single switch. Once enabled, the first snapshot is captured within 24 hours. There’s nothing to license — Business Premium already includes Entra ID P1, which is the bar.

3. Assign the right roles

There are two purpose-built ones: Microsoft Entra Backup Reader and Microsoft Entra Backup Administrator. Don’t hand recovery rights to every Global Admin out of habit. Restoring a Conditional Access policy from a five-day-old snapshot is exactly the sort of move you want logged against a named, scoped role.

4. Run a Difference Report before you restore anything

This is the part that earns its keep. Before recovering an object, the portal shows you what will change: what’s in the snapshot, what’s live, and where they disagree. You see the diff before you click. The supported objects and limitations page tells you exactly what’s in scope.
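Step 3 is the one most worth scripting, because “who holds recovery rights” is a question you will be asked again. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to list every principal holding either backup role and to grant the administrator role to one named operator at tenant scope. The role display names are the ones the post gives and the preview portal shows; treat them as an assumption and update $BackupRoleNames if Microsoft renames them.

```powershell
# Added example (not from the original post): report who holds the two Entra
# backup roles and assign the administrator role to one named operator instead
# of leaving recovery rights with every Global Admin. Needs the Microsoft.Graph
# PowerShell SDK. Role display names are assumed from the preview portal.
$BackupRoleNames = @('Microsoft Entra Backup Reader', 'Microsoft Entra Backup Administrator')

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All' -NoWelcome

function Get-EntraBackupRoleHolders {
    foreach ($roleName in $BackupRoleNames) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
        if (-not $def) {
            Write-Warning "Role '$roleName' is not present in this tenant yet (staged rollout?)."
            continue
        }
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($def.Id)'" -All
        foreach ($a in $assignments) {
            # Principals can be users, groups or service principals; resolve generically.
            $principal = Get-MgDirectoryObjectById -Ids $a.PrincipalId
            [pscustomobject]@{
                Role      = $roleName
                Principal = $principal.AdditionalProperties['displayName']
                Type      = ([string]$principal.AdditionalProperties['@odata.type']) -replace '#microsoft.graph.', ''
                Scope     = $a.DirectoryScopeId   # '/' means tenant-wide
            }
        }
    }
}

function Grant-EntraBackupAdministrator {
    param([Parameter(Mandatory)] [string]$UserPrincipalName)
    $def  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Microsoft Entra Backup Administrator'"
    $user = Get-MgUser -UserId $UserPrincipalName
    if (-not $def -or -not $user) { throw 'Role definition or user not found.' }
    # Tenant-wide, non-eligible assignment; use PIM for eligible-only if you run it.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $def.Id -DirectoryScopeId '/'
}

Get-EntraBackupRoleHolders | Format-Table -AutoSize
# Grant-EntraBackupAdministrator -UserPrincipalName 'recovery.operator@contoso.example'
```

Run the report before the client conversation. If the only thing it returns is a warning, the roles have not landed in that tenant yet; if it returns nothing, nobody can restore, which is also worth knowing.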

Why this actually changes behaviour

Here’s the real win. The reason MSPs have been selling backup-for-Entra add-ons is fear — what if? That conversation gets harder when Microsoft has put a tamper-resistant safety net in the box.

My recommendation? Stop selling fear. Start showing governance. Walk your BP clients through their backup status, the role separation, and the recovery flow for applications and service principals. It takes ten minutes and it positions you as the person who knew this was already there, not the person trying to bolt something on top.

That’s not a product conversation. That’s an advisor conversation.

The relief, when you find it, isn’t the relief of buying a safety net. It’s the relief of finding one you didn’t have to install.

Create Systems That Scale Without Chaos

I was talking to an MSP owner recently—let’s call him Antoni—who looked completely wrecked. His inbox was overflowing, projects were backing up, and every interruption felt like a crisis. I asked him a simple question:
“Why don’t you hand some of this off?”

He didn’t hesitate.
“I can’t.”

Not because his team wasn’t capable. Not because he didn’t trust them.
Because there was nothing to hand over.

No instructions. No documented process. No shared understanding of “how this gets done around here”. Just a guy drowning in work, telling himself the only solution was to work harder.

I see this exact pattern across MSPs all the time.

The Real Bottleneck Isn’t Workload

Most MSPs don’t actually have a volume problem. They have a systems problem.

Email becomes unmanageable because only one person knows how to triage it “properly”.
Hiring drags on because recruitment lives in someone’s head.
Content never scales because every post starts from a blank page.
Accounting breaks down at month‑end because the process was built for one person, not a business.

The common thread?
The business runs on tribal knowledge instead of repeatable systems.

And here’s the uncomfortable truth: until something is documented and shared, it doesn’t really exist. It’s just personal effort masquerading as process.

What Copilot Exposes (Whether You Like It or Not)

This is where Microsoft 365 Copilot becomes interesting—not as an AI tool, but as a force multiplier for reality.

Copilot doesn’t magically fix broken businesses. What it does is amplify whatever foundations already exist.

If your documentation is scattered, outdated, or non‑existent, Copilot will surface that instantly. If your processes are clear, well‑structured, and centrally stored, suddenly they become usable by more people, more often, without constant supervision.

I’ve seen MSPs try to “roll out Copilot” hoping it will reduce workload, only to realise their biggest problem wasn’t effort—it was ambiguity.

Copilot can summarise a process, draft a response, or explain a task. But it can’t invent clarity that isn’t already there.

Systems First, Scale Second

What Antoni really needed wasn’t better inbox management. He needed a system someone else could step into without panic.

That means:

  • A documented way of handling incoming requests

  • Clear decision boundaries (what to respond to, what to delegate, what to defer)

  • Templates and examples that remove guesswork

Once those exist, Copilot becomes genuinely powerful. A junior staffer can ask, “How do we handle this type of request?” and get grounded guidance based on your way of working—not a generic answer from the internet.

The same applies to hiring, onboarding, sales follow‑up, project delivery, and internal reporting. If the process can’t survive you stepping away for a week, it isn’t a process yet.

Stop Confusing Heroics with Progress

MSPs are especially bad at rewarding hero behaviour. Late nights. Inbox zero at 11pm. Solving everything personally.

It feels productive, but it’s fragile. And it doesn’t scale.

The MSPs that grow without falling apart are the ones that treat systems as assets. They build once, refine often, and use tools like Copilot to extend capability across the team—not to prop up chaos.

Copilot works best when it sits on top of clarity. It helps people find answers faster, make better decisions, and spend less time reinventing the wheel. But only if the wheel has been built properly in the first place.

The Takeaway

If your first instinct under pressure is “I’ll just work harder”, that’s a warning sign—not a badge of honour.

Before you add more staff, more tools, or more AI, ask yourself this:
“If I had to hand this task to someone tomorrow, could I?”

If the answer is no, that’s where the real work starts.

Create systems that scale without chaos.
Copilot will do the rest—but only after you’ve done your part.

Need to Know podcast–Episode 364

A weekly roundup of Microsoft Cloud news with a focus on SMBs. Key topics include Microsoft’s internal testing of an always-on AI assistant, major security threats such as Russian state-sponsored router hijacking and advanced phishing attacks, updates to Microsoft Teams, and a retrospective on SharePoint’s evolution. Robert also discusses the challenges and strategies for adopting AI in business, emphasizing the need for a unified, collaborative approach to AI usage within organizations.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-365-siloed-ai/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating, as well as send me any feedback or suggestions you may have for the show.

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog – CIAOPS – Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency

Join my Teams shared channel – Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron – CIAOPS Patron

CIAOPS Brief – CIA Brief – CIAOPS

CIAOPS Labs – CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS – Support CIAOPS

Get your M365 questions answered via email

Join the CIAOPS Email list – Please fill out this form

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

Show notes

Microsoft tests ‘ClawPilot’ AI agent for 3,000 staff

SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

What’s New in Microsoft Teams | April 2026

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

The Future of SharePoint

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

Tuning Safe Links and Safe Attachments in Defender for Office 365 Without Breaking Your Tenant

If you’re running M365 Business Premium for clients, Safe Links and Safe Attachments are already doing work — whether you configured them or not. The Built-in protection preset applies to every mailbox the moment Defender for Office 365 is licensed. The question isn’t “is it on?” — it’s “is it tuned for the way your client actually receives mail?” Out of the box, it’s closer to a safety net than a security control.

Prerequisites MSPs skip

Before you touch a single policy, confirm three things. First, mail has to arrive through Exchange Online Protection. Tenants with a third-party gateway in front (Mimecast, Proofpoint, anything that already rewrites URLs) will see Safe Links skip links it cannot process: Microsoft explicitly warns that a URL wrapped by another service before it reaches Safe Links may not be rewritten or scanned. Second, confirm licensing: Safe Links and Safe Attachments require Defender for Office 365 Plan 1, which Business Premium includes along with Real-time detections. Threat Explorer, automated investigation and response and Attack simulation training are Plan 2, and Safe Documents needs Microsoft 365 E5 or E5 Security, so don’t promise those on a BP tenant. Third, set quarantine notifications up before you tighten policies: users need a quarantine policy that allows access and notifications, or your service desk inherits the entire phishing queue.

Where to configure — Standard preset, not custom, 90% of the time

The Microsoft Defender portal is your canonical surface: security.microsoft.com > Email & collaboration > Policies & rules > Threat policies. From there:

  • Preset security policies for 90% of clients. Enable Standard, assign to all recipients by domain.

  • Safe Links and Safe Attachments tiles are for custom policies — only use them when a specific user group needs different behaviour (execs on Strict, a lab OU excluded, etc.).

  • Configuration analyzer — this is the tile most MSPs never click. It diffs your current policies against Standard and Strict baselines and flags every setting that’s weaker than Microsoft’s recommendation.

Microsoft’s own guidance is explicit: prefer presets over custom policies. See Set up Safe Links policies and Set up Safe Attachments policies.

The rollout pattern that actually works

Don’t flip Strict on Monday morning. Use a three-ring rollout:

  1. Ring 1 — IT and security-aware staff (week 1). Assign Standard preset. Watch quarantine, false-positive submissions, and user complaints. This ring tolerates noise.

  2. Ring 2 — a tolerant business unit (week 2–3). Finance is usually a bad pilot (high-volume invoices with wrapped URLs confuse people). Pick sales ops, marketing, or IT-adjacent teams.

  3. Ring 3 — everyone else (week 4+). By now you have a real signal on which domains need Tenant Allow/Block entries.

For Strict, add a fourth ring limited to exec and finance groups, or leave it off. Strict’s bulk threshold (BCL 5, against 6 in Standard and 7 in the default anti-spam policy) will push newsletters and marketing workflows into quarantine. Details at Preset security policies.

Top three pitfalls

1. Assuming the preset undoes an old custom policy. The order of precedence is fixed: Strict preset, then Standard preset, then custom policies, then Built-in protection. So a Standard preset does beat an inherited custom Safe Links policy for every recipient it is assigned to. The trap is the recipients it isn’t assigned to, and the months before you assign it: Built-in protection sits at the bottom, so a custom policy from 2019 with AllowClickThrough = true and a long do-not-rewrite list is what those mailboxes actually get. Audit first: open every existing Safe Links and Safe Attachments policy and its rule, note who it targets, and either retire it or make sure the preset’s scope covers the same recipients.

2. Over-allowlisting domains. Every entry in “Do not rewrite the following URLs” is a permanent click-through exception. Treat it like firewall rules — justify, document, review annually. A forgotten *.sharepointdomain.com wildcard is how payloads land.

3. Ignoring the Configuration analyzer. Run it quarterly. Tenants drift: an admin raises a threshold to silence a complaint, nobody reverses it, six months later the baseline is gone. The Configuration analyzer surfaces this in one screen.
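The audit in pitfall 1 and the allowlist review in pitfall 2 are both easier from Exchange Online PowerShell than from the portal, so here is an added example (not code from the original post) that diffs every Safe Links and Safe Attachments policy against the Standard preset values and lists the rules that bind them. The expected values are Microsoft’s documented Standard recommendations; the “Legacy SafeLinks 2019” object is constructed so the checks can be tried without a tenant, and the live commands are left commented for after Connect-ExchangeOnline.

```powershell
# Added example (not from the original post): flag Safe Links / Safe Attachments
# policies that are weaker than the Standard preset, and show which rule binds
# which policy to whom. Expected values are Microsoft's documented Standard
# recommendations. Needs the ExchangeOnlineManagement module for the live run.

function Test-SafeLinksDrift {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # Standard: every surface on, URLs scanned before delivery, clicks tracked,
        # no click-through past the warning page, no rewrite exceptions.
        $expected = @{
            EnableSafeLinksForEmail  = $true
            EnableSafeLinksForTeams  = $true
            EnableSafeLinksForOffice = $true
            EnableForInternalSenders = $true
            ScanUrls                 = $true
            DeliverMessageAfterScan  = $true
            TrackClicks              = $true
            AllowClickThrough        = $false
        }
        $findings = @(foreach ($k in $expected.Keys) {
            if ($Policy.$k -ne $expected[$k]) { "$k=$($Policy.$k) (Standard: $($expected[$k]))" }
        })
        if ($Policy.DoNotRewriteUrls -and @($Policy.DoNotRewriteUrls).Count -gt 0) {
            # Each entry is a permanent click-through exception; treat like a firewall rule.
            $findings += "DoNotRewriteUrls has $(@($Policy.DoNotRewriteUrls).Count) exception(s): $($Policy.DoNotRewriteUrls -join ', ')"
        }
        [pscustomobject]@{
            Policy   = $Policy.Name
            Findings = if ($findings) { $findings -join '; ' } else { 'Matches Standard' }
        }
    }
}

function Test-SafeAttachmentsDrift {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $findings = @()
        if (-not $Policy.Enable)        { $findings += 'Enable=False' }
        if ($Policy.Action -ne 'Block') { $findings += "Action=$($Policy.Action) (Standard: Block)" }
        [pscustomobject]@{
            Policy   = $Policy.Name
            Findings = if ($findings) { $findings -join '; ' } else { 'Matches Standard' }
        }
    }
}

function Get-SafeLinksBindings {
    # Presets bind through Get-ATPProtectionPolicyRule; custom policies through
    # Get-SafeLinksRule. Strict beats Standard beats custom beats Built-in, so a
    # custom rule only governs recipients that no preset rule covers.
    $rows = @()
    $rows += Get-ATPProtectionPolicyRule | ForEach-Object {
        [pscustomobject]@{ Binding = $_.Identity; Kind = 'Preset'; State = $_.State; Policy = $_.SafeLinksPolicy
                           Recipients = (@($_.SentTo) + @($_.SentToMemberOf) + @($_.RecipientDomainIs)) -join ', ' }
    }
    $rows += Get-SafeLinksRule | ForEach-Object {
        [pscustomobject]@{ Binding = $_.Name; Kind = 'Custom'; State = $_.State; Policy = $_.SafeLinksPolicy
                           Recipients = (@($_.SentTo) + @($_.SentToMemberOf) + @($_.RecipientDomainIs)) -join ', ' }
    }
    $rows
}

# Constructed sample: the kind of policy an inherited tenant hides.
$legacy = [pscustomobject]@{
    Name = 'Legacy SafeLinks 2019'
    EnableSafeLinksForEmail = $true;   EnableSafeLinksForTeams = $false; EnableSafeLinksForOffice = $false
    EnableForInternalSenders = $false; ScanUrls = $false;                DeliverMessageAfterScan = $false
    TrackClicks = $false;              AllowClickThrough = $true
    DoNotRewriteUrls = @('*.sharepointdomain.com/*')
    IsBuiltInProtection = $false
}
$legacy | Test-SafeLinksDrift | Format-List

# Live run after Connect-ExchangeOnline. Built-in protection is skipped: it is
# not meant to match Standard and cannot be edited.
# Get-SafeLinksPolicy       | Where-Object { -not $_.IsBuiltInProtection } | Test-SafeLinksDrift
# Get-SafeAttachmentPolicy  | Where-Object { -not $_.IsBuiltInProtection } | Test-SafeAttachmentsDrift
# Get-SafeLinksBindings | Sort-Object Kind | Format-Table -AutoSize
```

Anything the drift check reports on a custom policy should either be fixed or have its rule retired, and every DoNotRewriteUrls entry it lists should have an owner and a review date, the same way you would treat a firewall rule. Run it alongside the Configuration analyzer each quarter: the analyzer tells you a setting is weaker than Standard, this tells you who is actually receiving mail under it.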

Tune deliberately, measure through Threat Explorer, and treat preset policies as your default — the time to build a custom policy is when you can describe exactly which preset setting it’s overriding and why.