Forum Discussion

StuartK73's avatar
StuartK73
Steel Contributor
Sep 20, 2018
Solved

Device Config Policy vs Device Compliance Policy

Hi All   Some clarification required on when to use Config Policy vs Compliance Policy or both.   Is there any point in creating a device config policy when a similar compliance policy is set to ...
Conditional Access
Intune
mobile device management (mdm)
  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    Sep 21, 2018

    Hi Stuart,

    compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. It can also be used just for reporting if certain settings are set like BitLocker. So it's a kind of simple check and remember if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. Pin 4 and Pin 6 in two compliance policies, then pin length 6 is enforced.

    Configuration policies instead are the way to configure and not to check. E.g. set creation of something like passwords to deny simple passwords. Its not a check, it will enforce the setting in the password example during creation of the password. If two configuration policies have same setting they are in conflict and the setting will not be applied.

     

    Hope this helps in you decisions.

    best,

    Oliver

arnabmitra's avatar
arnabmitra
Icon for Microsoft rankMicrosoft
Sep 21, 2018
Important note - During a policy conflict, If the conflicting settings are from an Intune configuration policy and a compliance policy, the settings in the compliance policy take precedence over the settings in the configuration policy. This happens even if the settings in the configuration policy are more secure.
reditguy's avatar
reditguy
Iron Contributor
Jan 15, 2019

Thanks, this was helpful.  I have a few more questions...

 

1)  How do I create a compliance policy that the device MUST be Azure or Intune joined to be able to used the Desktop Apps?

2) In general, I think Compliance Policies vs Configuration Policies are confusing....so I plan on just using Compliance Policies with Conditional Access....so how do I make it so that they cannot access resources unless they are compliant?