Forum Discussion
Bryan Hall
Aug 11, 2020 Brass Contributor
Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion
I'm relatively new to endpoint management and AutoPilot is my second foray into it (after MAM/APP). I'm confused as to the difference between Compliance and Configuration Policies, and Endpoint Secu...
Moe_Kinani
Aug 11, 2020 Bronze Contributor
Hi Bryan,
I will try to answer all the questions, pretty sure that my colleagues will have more to add.
Compliance Policy: these are the policies that decide whether your devices are compliant with Endpoint or not. If the device is not compliant, config policies and others will not get applied.
Config Policies: policies that let you make changes to your devices, similar to any other vendor's MDM policies.
Security Baseline: I describe it to my customers as GPO or recommended settings; they get updated with each new release of the Windows version.
1. I would use Config Policy/ Administrative Templates.
2. You use Config Policy when devices are Compliant with your Compliance Policies.
3. Use it if you can find a setting not available in Config Policy.
4. I like to use Silent Encryption, Config Policy and specifically this url for setup:
https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/
5. You certainly can't silently encrypt devices without TPM 2.0 using Intune.
6. Config policy, same article shared above.
7. It will prompt them to encrypt their PCs; then they go there and see a red X. I would exclude PCs without TPMs.
Hope this answers the questions!
Moe
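Since points 5 and 7 above come down to knowing which PCs actually have a ready TPM 2.0 before you target a silent-encryption config profile at them, here is an added example (not from this thread or from Intune itself) of a local readiness check. It assumes an elevated PowerShell session on Windows 10/11 with the built-in TrustedPlatformModule, BitLocker and SecureBoot modules available; the function name Get-SilentEncryptionReadiness is my own.

```powershell
# Added example, not from the thread: summarise whether a device looks like a candidate
# for Intune silent BitLocker encryption. Run elevated on Windows 10/11.

function Get-SilentEncryptionReadiness {
    [CmdletBinding()]
    param(
        # Assumption: the OS volume is what Intune will encrypt first
        [string]$MountPoint = $env:SystemDrive
    )

    # TPM presence/readiness from the TPM module; spec family from the Win32_Tpm WMI class
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first token is the spec family we care about
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Secure Boot state is reported for information only; Confirm-SecureBootUEFI throws on
    # legacy BIOS machines, so an error is treated as "not enabled"
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    # Current BitLocker state of the OS volume (what the user would see as the red X or not)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue

    $result = [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady          = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion    = $specVersion
        SecureBootEnabled = [bool]$secureBoot
        VolumeStatus      = if ($vol) { $vol.VolumeStatus } else { 'Unknown' }
        ProtectionStatus  = if ($vol) { $vol.ProtectionStatus } else { 'Unknown' }
        KeyProtectors     = if ($vol) { ($vol.KeyProtector.KeyProtectorType -join ',') } else { '' }
    }

    # Verdict follows the thread's own rule: a present, ready TPM 2.0 is the gate for
    # silent encryption. Anything else goes in the list of blockers so you can see why.
    $blockers = @()
    if (-not $result.TpmPresent) {
        $blockers += 'no TPM'
    } elseif ($result.TpmSpecVersion -ne '2.0') {
        $blockers += "TPM spec $($result.TpmSpecVersion), need 2.0"
    } elseif (-not $result.TpmReady) {
        $blockers += 'TPM present but not ready'
    }

    $result | Add-Member -NotePropertyName Blockers -NotePropertyValue ($blockers -join '; ')
    $result | Add-Member -NotePropertyName SilentEncryptionCandidate -NotePropertyValue ($blockers.Count -eq 0)
    return $result
}

Get-SilentEncryptionReadiness | Format-List
```

The point of the Blockers column is the exclusion Moe describes in point 7: devices that come back with SilentEncryptionCandidate = False are the ones to keep out of the silent-encryption assignment group rather than letting users hit the red X. Secure Boot is reported but not used in the verdict, because the thread only states the TPM 2.0 requirement; add it to the blockers if your own policy requires it.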
Bryan Hall
Aug 12, 2020 Brass Contributor
Thanks Moe_Kinani for taking the time to reply.
- Do compliance policies actually make/enforce changes or do they only check if the configuration is set?
- If a device is receiving a config for the same device setting through both Compliance and Configuration policies, I understand that Compliance policies take precedence. If that's the case, what is the best method to ensure that a device is configured with the appropriate settings (via Intune) and ensure compliance? If the device fails the Compliance policy from the start, can the Configuration policy for that item still get applied?
Thanks again
Moe_Kinani
Aug 12, 2020 Bronze Contributor
Hi Bryan,
1. Compliance policies are just rules and settings that devices must meet to be compliant. They don't force config settings on devices.
2. Config and other policies get applied on compliant devices only, so you need to set up your Compliance Policy and have the devices marked as compliant, then start to apply your config policies.
Hope this helps!
Moe
Bryan Hall
Aug 13, 2020 Brass Contributor
Thanks, this definitely helps!
Re: #2, how would such timing be put into practice? Say, in an AutoPilot scenario, where we'd like to ultimately/eventually apply both configurations and require compliance, how could we configure the device before requiring compliance automatically?
The manual way would seem to be to add the computers to a group that the Compliance Policy is applied to only after the configurations have been applied.