Kiril
Iron Contributor
Mar 18, 2022
Solved

Difference between "Devices > Configuration Profiles" and "Endpoint Security > Manage"

Our organization is digging deeper into Intune and one thing that confuses us are the multiple places where you can configure the same thing and how that leads to conflicts, e.g. Folder Protection.


Folder Protection can be enabled through a configuration profile under Devices > Configuration profiles > Create profile > Endpoint Protection:


The same thing can be accomplished by using "Endpoint Security> Attack Surface Reduction":


Which of the two approaches should be used? Why do conflicts appear when one option is set to Audit Only and the other option is set to Enable - should the more secure option be considered?

6 Replies

  • rahuljindal
    Bronze Contributor

    A conflict arises when more than one policy is available and applicable to the same setting. Intune is just a delivery service. It doesn't decide which setting is best and enforce it on its own. With that said, if your sole purpose is to target the security settings, then use endpoint security profiles, as they are tailored specifically with device security in mind. For everything else, you can use device configuration profiles.
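    Because Intune only delivers the setting and does not arbitrate between profiles, the useful check is what the endpoint actually enforces. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the effective Controlled Folder Access state from Defender (Get-MpPreference) and compares it with the values written by the two policy channels that can set it. The registry paths are assumptions to verify on your build (the MDM PolicyManager node for Intune-delivered CSP settings and the classic Group Policy location).

```powershell
# Added example (not from the thread): report the effective Controlled Folder Access
# (CFA) state on a managed Windows device and the value each policy source wrote,
# so an Intune "conflict" can be checked against what the endpoint really enforces.
# Assumes Windows 10/11 with Microsoft Defender and its PowerShell module.

function Get-CfaEffectiveState {
    # Value meanings follow the Set-MpPreference -EnableControlledFolderAccess enum.
    $map = @{
        0 = 'Disabled'
        1 = 'Enabled (block)'
        2 = 'Audit mode'
        3 = 'Block disk modification only'
        4 = 'Audit disk modification only'
    }
    $value = [int](Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{
        Source = 'Effective (Get-MpPreference)'
        Value  = $value
        State  = if ($map.ContainsKey($value)) { $map[$value] } else { "Unknown ($value)" }
    }
}

# Policy sources that can write the same setting. Paths are assumptions to verify:
# the MDM (Intune) PolicyManager node and the classic Group Policy location.
$policySources = @(
    @{ Source = 'MDM / Intune (PolicyManager)'
       Path   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
       Name   = 'EnableControlledFolderAccess' },
    @{ Source = 'Group Policy'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access'
       Name   = 'EnableControlledFolderAccess' }
)

function Get-CfaPolicyValues {
    foreach ($s in $policySources) {
        $v = $null
        if (Test-Path -Path $s.Path) {
            $v = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Source = $s.Source
            Value  = $v
            State  = if ($null -eq $v) { 'not set' } else { "$v" }
        }
    }
}

$rows = @(Get-CfaPolicyValues) + @(Get-CfaEffectiveState)
$rows | Format-Table -AutoSize

# Flag the situation from the thread: more than one policy source sets the same
# setting, and they disagree (for example Audit mode = 2 versus Enabled = 1).
$distinct = @($rows |
    Where-Object { $null -ne $_.Value -and $_.Source -notlike 'Effective*' } |
    Select-Object -ExpandProperty Value -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Controlled Folder Access is set by multiple policy sources with different values: $($distinct -join ', ')"
}
```

    Note that two Intune profiles in conflict both arrive through the same MDM channel, so the PolicyManager node only shows whichever value landed; the conflict itself is reported per device in the Intune admin center, and this script tells you which value the endpoint ended up with. Run it elevated, since the policy keys are under HKLM.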

    • Kiril
      Iron Contributor
      Thank you, understood. One follow-up question: the profiles in "Security Baseline" do not seem to follow the logic of the "Endpoint Security" configuration, but of the "Device Configuration". Isn't Microsoft indirectly telling you to use "Device Configuration" when they are distributing the Security Baselines in this manner?
      • rahuljindal
        Bronze Contributor
        Good point. Security baselines were added before Endpoint security profiles were really introduced. While security profiles are more direct, security baselines follow the same logic as the baseline templates that are available in GPO. It is meant to be a baseline of security policies which you can deploy and then build on. Device configuration, endpoint security profiles and security baselines have their own individual purposes, and at the end of the day it will come down to the organization's requirements.