We know by now that Endpoint Protection uses software updates to deliver definition updates to client computers that run the Configuration Manager client. With that in mind, make sure that you read Security and Privacy for Software Updates in Configuration Manager at the following link:
https://docs.microsoft.com/en-us/sccm/sum/plan-design/security-and-privacy-for-software-updates
Regarding security best practice, there are a few checkpoints you will want to think through and make sure you have covered.
We have been through most of these in various aspects, covering how to set up and configure the solution based on Microsoft best practice as well as my experience over the years of implementation and real-life customer practice.
I see it like this: you have Microsoft, the developer of the product, which publishes guidelines and best practice for how to set up and configure the solutions. This is based mostly on how the product works with...