Forum Discussion
Bryan Hall
Aug 11, 2020 (Brass Contributor)
Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion
I'm relatively new to endpoint management and AutoPilot is my second foray into it (after MAM/APP). I'm confused as to the difference between Compliance and Configuration Policies, and Endpoint Secu...
Bryan Hall
Brass Contributor
Thanks Moe_Kinani for taking the time to reply.
- Do compliance policies actually make/enforce changes or do they only check if the configuration is set?
- If a device is receiving a config for the same device setting through both Compliance and Configuration policies, I understand that Compliance policies take precedence. If that's the case, what is the best method to ensure that a device is configured with the appropriate settings (via Intune) and ensure compliance? If the device fails the Compliance policy from the start, can the Configuration policy for that item still get applied?
Thanks again
Moe_Kinani
Aug 12, 2020 (Bronze Contributor)
Hi Bryan,
1. Compliance policies are just rules and settings that devices must meet to be compliant. They don’t force config settings on devices.
2. Config and other policies get applied on Compliant devices only, so you need to set up your Compliance Policy and have the devices marked as compliant, then start to apply your config policies.
Hope this helps!
Moe
- Bryan Hall, Aug 13, 2020 (Brass Contributor)
Thanks, this definitely helps!
Re: #2, how would such timing be put into practice? Say, in an AutoPilot scenario, where we'd like to ultimately/eventually apply both configurations and require compliance, how could we configure the device before requiring compliance automatically?
The manual way would seem to be to add the computers to a group that the Compliance Policy is applied to only after the configurations have been applied.
- Moe_Kinani, Aug 13, 2020 (Bronze Contributor)
Hi Bryan,
I won’t worry about the timing piece. Create a Compliance policy that suits your environment so you know all your devices will be compliant after Enrollment. Intune will evaluate the device at the Enrollment stage and then start applying policies. It should be quick!
Thanks!
Moe
- Bryan Hall, Aug 17, 2020 (Brass Contributor)
Moe_Kinani thanks for your help!