Forum Discussion
StuartK73
Sep 20, 2018 - Iron Contributor
Device Config Policy vs Device Compliance Policy
Hi All, some clarification required on when to use a Config Policy vs a Compliance Policy, or both. Is there any point in creating a device config policy when a similar compliance policy is set to ...
- Sep 21, 2018
Hi Stuart,
Compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. They can also be used just for reporting whether certain settings, like BitLocker, are set. So it's a kind of simple check. Remember that if several compliance policies have the same setting, they are evaluated and the most restrictive value counts: PIN 4 and PIN 6 in two compliance policies, then PIN length 6 is enforced.
Configuration policies, instead, are the way to configure, not to check. E.g. set the creation of something like passwords to deny simple passwords. It's not a check; it will enforce the setting (in the password example, during creation of the password). If two configuration policies have the same setting, they are in conflict and the setting will not be applied.
Hope this helps in your decisions.
best,
Oliver
arnabmitra
Microsoft
Sep 21, 2018
Important note - During a policy conflict, if the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy. This happens even if the settings in the configuration policy are more secure.
Roy_Kang
Jan 16, 2020 - Copper Contributor
arnabmitra - In our Intune environment, we have the same password settings in compliance policies and in device configuration profiles. I made a change to the compliance policy and not to the device configuration profile, but the change did not hit my device until I made the change to the device configuration profiles. In my case, compliance policy settings did not take precedence, it was the other way around. Can you explain?
- eglockling, Jan 16, 2020 - Steel Contributor
Roy_Kang Compliance policies always take precedence over configuration profile settings. Changing the password requirements for the compliance policy only affects whether or not the device is marked as compliant, plus any additional actions you've defined in the policy.
Once the device is marked accordingly, refer to this link to see how it affects each platform:
If a device is marked as non-compliant...
For iOS/iPadOS it is remediated. The device operating system enforces compliance.
For Android it is quarantined. The device operating system doesn't enforce compliance.
Hope this helps.
- vegarjb, Aug 18, 2020 - Copper Contributor
I thought Compliance policies are used JUST to determine if any devices assigned to the Compliance policy were compliant. That compliance level could then be used in Conditional Access policies. Configuration policies are used to ensure that devices are configured in a way that is in line with Compliance policies, thus being compliant (clear, low, medium or high risk).
Is this not true?
For example, PW length in the Compliance Policy says a length of 12, when a user has a current PW of 6, could make the user a low risk.
Thanks,
Ray
- eglockling, Aug 24, 2020 - Steel Contributor
vegarjb The end-user device behaviour will be different, depending on the platform type. As mentioned above, on iOS/iPadOS the compliance settings for device password will also enforce a change (similar to config policy), unlike on Android that only marks the device as non-compliant.
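As an added illustration (not code from this thread, from Intune or from Microsoft Graph), here is a small Python model of the rules the replies above describe: compliance policies merge with the most restrictive value winning, configuration profiles that disagree leave the setting unapplied, and a compliance policy checks and flags the device rather than changing it, which is what Roy_Kang observed. The setting names are assumptions chosen to match the thread's examples.

```python
# Constructed illustration of the precedence rules the thread describes; this is
# not Intune or Microsoft Graph code. Setting names are chosen to match the
# thread's examples (PIN/password length, simple-password block, BitLocker).

# Settings where a larger value is stricter, and booleans where True is stricter.
STRICTER_HIGHER = {"passwordMinimumLength"}
STRICTER_TRUE = {"passwordRequired", "passwordBlockSimple", "bitLockerEnabled"}

def merge_compliance(policies):
    """Several compliance policies with the same setting: the most restrictive value counts."""
    effective = {}
    for policy in policies:
        for key, value in policy.items():
            if key not in effective:
                effective[key] = value
            elif key in STRICTER_HIGHER:
                effective[key] = max(effective[key], value)
            elif key in STRICTER_TRUE:
                effective[key] = effective[key] or value
            else:
                raise ValueError(f"no restrictiveness rule defined for {key}")
    return effective

def merge_configuration(profiles):
    """Configuration profiles that disagree on a setting conflict; that setting is not applied."""
    applied, conflicts = {}, set()
    for profile in profiles:
        for key, value in profile.items():
            if key in applied and applied[key] != value:
                conflicts.add(key)
            applied.setdefault(key, value)
    return {k: v for k, v in applied.items() if k not in conflicts}, conflicts

def apply_configuration(device_state, applied):
    """A configuration profile enforces: the device takes on the applied values."""
    return {**device_state, **applied}

def check_compliance(device_state, compliance):
    """A compliance policy only checks and flags; it never changes device_state."""
    failures = []
    for key, required in compliance.items():
        actual = device_state.get(key)
        if key in STRICTER_HIGHER and (actual is None or actual < required):
            failures.append(key)
        elif key in STRICTER_TRUE and required and not actual:
            failures.append(key)
    return not failures, sorted(failures)
```

Running Roy_Kang's scenario through it, a profile that applies length 6 together with a compliance policy raised to 8 leaves the device at 6 and flagged non-compliant until the profile itself is changed.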