Skip to content

Configuration analyzer

While I am not a fan of the preset security policies, I do recommend people utilize this tool to find potential security configuration improvements. There are plenty of great MDO security configurations in Secure Score, but they don't cover all possible protections in MDO with recommendations. This page allows you to see Microsoft's recommendation for standard or strict protections.

There is also a tab for Configuration drift analysis and history which is a decent tool to help you track changes in your MDO policies.

Standard and Strict recommendations

On these tabs you will see all changes Microsoft recommends making based on standard or strict protections. This will contain recommendations for every policy in your environment, so you may see the same recommendation twice or more if you have many custom policies.

Each recommendation will include the following information:

  • The recommendation
  • The policy the recommendation applies to
  • The policy setting name
  • The policy you will find this setting in
  • Your current configuration for this setting
  • Last modified date which should show when the setting was last modified, but it appears to just follow the last modified time of any setting in the respective policy

Selecting the recommendation will usually give you further detail and links on why this is recommended.

Configuration drift analysis and history

This page will summarize changes to your MDO policies and settings. It includes the following information:

  • Modification date and time
  • Who made the modification
  • The setting that was changed
  • The policy that was changed
  • The value(s) that were changed

Issues with this tool

This tool is helpful but when last used it had some bugs with it

  • There seems to be a hard limit on how much it can display, if you select a time span too broad it will not display everything in that time span
  • I have also seen it blank for short time spans when settings were definitely changed in that time span

I find it best to look at 1 week time spans when trying to use this tool.

Construction

Plan to add how to properly audit MDO changes in the future