Security settings management for domain controllers is currently in preview. To manage security settings on domain controllers, you must enable it on the Enforcement scope page (go to Settings > Endpoints > Enforcement scope).
Windows Server devices must be enabled before you can enable configuration of domain controllers. Additionally, if the On tagged devices option is selected for Windows Server, configuration of domain controllers is limited to tagged devices as well.
Caution
- Misconfiguration of domain controllers could have a negative impact on both your security posture and operational continuity.
- If configuration of domain controllers is enabled in your tenant, review all Windows policies to confirm that they don't unintentionally target Microsoft Entra device groups that contain domain controllers. To minimize risk to operational continuity, firewall policies aren't supported on domain controllers.
- We recommend reviewing all policies targeted to domain controllers before unenrolling those devices. Make any required configuration changes first, and then unenroll your domain controllers, because the Defender for Endpoint configuration already applied is maintained on each device after it's unenrolled.
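The review step above (checking that no targeted Microsoft Entra device group contains a domain controller) is easy to get wrong in a tenant with many dynamic groups. The following PowerShell script is an added example, not code from the article or from Microsoft: it takes the object IDs of the Entra device groups your Windows policies target, expands their membership transitively so nested groups are covered, and reports any device whose name matches a domain controller in the on-premises domain. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that you've already run Connect-MgGraph with the GroupMember.Read.All and Device.Read.All scopes, and that each Entra device object's displayName matches the computer's on-premises hostname (typical for hybrid-joined domain controllers, but verify that in your tenant). The $GroupId parameter is a hypothetical input you supply.

```powershell
# Added example (not part of the original article): report domain controllers that are
# members of the Entra ID device groups a Windows policy targets.
# Assumptions: Microsoft.Graph and ActiveDirectory modules installed; Connect-MgGraph
# already run with GroupMember.Read.All and Device.Read.All; Entra device displayName
# equals the on-premises computer name (verify in your tenant).

param(
    # Object IDs of the Entra device groups your Windows policies target (hypothetical input).
    [Parameter(Mandatory)]
    [string[]]$GroupId
)

Import-Module Microsoft.Graph.Groups
Import-Module ActiveDirectory

# Authoritative list of domain controllers from AD, normalized to upper-case short hostnames.
$dcNames = (Get-ADDomainController -Filter *).Name |
    ForEach-Object { $_.ToUpperInvariant() }

$findings = foreach ($id in $GroupId) {
    $group = Get-MgGroup -GroupId $id

    # Transitive membership expands nested groups; -All pages through large groups.
    $members = Get-MgGroupTransitiveMember -GroupId $id -All

    foreach ($m in $members) {
        # Members can be users, groups, service principals or devices; keep devices only.
        if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.device') { continue }

        $name = $m.AdditionalProperties.displayName -as [string]
        if (-not $name) { continue }

        # Compare on the short hostname so "DC01" and "dc01.contoso.com" both match.
        $shortName = $name.Split('.')[0].ToUpperInvariant()
        if ($dcNames -contains $shortName) {
            [pscustomobject]@{
                GroupDisplayName = $group.DisplayName
                GroupId          = $id
                DomainController = $name
                DeviceObjectId   = $m.Id
            }
        }
    }
}

if ($findings) {
    Write-Warning "Domain controllers are members of targeted groups; review these policies before enabling domain controller configuration."
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No domain controllers found in the specified groups."
}
```

Run it against every group referenced by a Windows policy (for example, `.\Find-DcInPolicyGroups.ps1 -GroupId '<group-object-id-1>','<group-object-id-2>'`, with the script name and IDs being your own). Any hit is a policy to re-scope before you turn on domain controller configuration; an empty result only covers the groups you passed in, so keep the list in sync with your policy assignments.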