Forum Discussion
Kiril
Mar 18, 2022, Iron Contributor
Difference between "Devices > Configuration Profiles" and "Endpoint Security > Manage"
Our organization is digging deeper into Intune and one thing that confuses us is the multiple places where you can configure the same thing and how that leads to conflicts, e.g. Folder Protection. ...
rahuljindal
Mar 18, 2022, Bronze Contributor
A conflict arises when more than 1 policy is available and applicable for the same setting. Intune is just a delivery service. It doesn't decide which setting is best and enforce it on its own. With that said, if your sole purpose is to target the security settings, then use endpoint security profiles, as they are tailored specifically with device security in mind. For everything else, you can use device configuration profiles.
- Kiril (Mar 21, 2022, Iron Contributor): Thank you, understood. One follow-up question: the profiles in "Security Baseline" do not seem to follow the logic of the "Endpoint Security" configuration, but of the "Device Configuration". Isn't Microsoft indirectly telling you to use "Device Configuration" when they are distributing the Security Baselines in this manner?
- rahuljindal (Mar 21, 2022, Bronze Contributor): Good point. Security baselines were added before Endpoint security profiles were really introduced. While security profiles are more direct, security baselines follow the same logic as that of the baseline templates that are available in GPO. It is meant to be a baseline of security policies which you can deploy and then build over it. Device configuration, endpoint security profiles, and security baselines have their own individual purposes, and at the end of the day it will come down to the organization's requirements.
- Kiril (Mar 24, 2022, Iron Contributor): So basically anything that can be configured in "Endpoint security" should be configured using "Endpoint security" policies, and policies which are only available in "Device configuration" should be configured in "Device configuration".