Forum Discussion
Difference between "Devices > Configuration Profiles" and "Endpoint Security > Manage"
- rahuljindal, Mar 21, 2022, Bronze Contributor
Good point. Security baselines were added before Endpoint security profiles were really introduced. While security profiles are more direct, security baselines follow the same logic as that of the baseline templates that are available in GPO. It is meant to be a baseline of security policies which you can deploy and then build over it. Device configuration, endpoint security profiles and security baselines have their own individual purposes, and at the end of the day it will come down to the organization's requirements.
A conflict arises when more than 1 policy is available and applicable for the same setting. Intune is just a delivery service. It doesn't decide which setting is best and enforce it on its own. With that said, if your sole purpose is to target the security settings, then use endpoint security profiles as they are tailored specifically keeping device security in mind. For everything else, you can use device configuration profiles.
- Kiril, Mar 24, 2022, Iron Contributor
So basically anything that can be configured in "Endpoint security" should be configured using "Endpoint security" policies, and policies which are only available in "Device configuration" should be configured in "Device configuration".
- NielsScheffers, Mar 25, 2022, Iron Contributor
Kiril, that's completely correct.
I'll make it even more precise for you... there's a specific order to this madness and it all comes down to Settings Catalogs. You see, almost everything under Endpoint Security (including baselines) boils down to a Settings Catalog template with a fancy GUI. It looks like this is where Intune is moving, as more and more stuff gets added in this form.
Microsoft actually has an order of preference for your configurations:
- Endpoint Security > Security baselines
- Endpoint Security > Other templates
- Devices > Configuration profiles > Settings Catalog
- Devices > Configuration profiles > Other templates
- Devices > Scripts
This opens up a whole new can of worms when it comes to conflict resolution. All these things can cause conflicts with each other and to make things worse Settings Catalogs (or derivatives) tend to use different names for settings than other configuration profiles.
Luckily though, MEM is getting better and better at telling you when and where a conflict arises.
For more information about Settings Catalogs and the options they give you:
https://docs.microsoft.com/en-us/mem/intune/configuration/settings-catalog
https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference
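
An added example, not part of the original posts: a conflict check over a profile inventory, keyed by CSP path because display names differ between Settings Catalog and other templates. The inventory, profile names and group names are constructed, and listing the conflicting profiles in the thread's order of preference is this example's assumption about where to consolidate.

```python
from collections import defaultdict

# Order of preference as listed in the thread (lower index = preferred).
PREFERENCE = [
    "Endpoint Security > Security baselines",
    "Endpoint Security > Other templates",
    "Devices > Configuration profiles > Settings Catalog",
    "Devices > Configuration profiles > Other templates",
    "Devices > Scripts",
]

# Constructed inventory: (profile name, profile type, target groups, {CSP path: value}).
# Profile and group names are made up for this example.
INVENTORY = [
    ("Baseline-Win11", PREFERENCE[0], {"All-Windows"},
     {"./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring": 1,
      "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength": 8}),
    ("AV-Exceptions", PREFERENCE[1], {"Dev-Workstations", "All-Windows"},
     {"./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring": 0}),
    ("Legacy-Restrictions", PREFERENCE[3], {"All-Windows"},
     {"./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength": 8}),
    ("Kiosk-Lock", PREFERENCE[2], {"Kiosks"},
     {"./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength": 4}),
]

def find_conflicts(inventory):
    """Return {csp_path: [(profile, type, value), ...]} for settings that two
    or more profiles sharing a target group set to different values."""
    by_setting = defaultdict(list)
    for name, ptype, groups, settings in inventory:
        for path, value in settings.items():
            by_setting[path].append((name, ptype, groups, value))
    conflicts = {}
    for path, entries in by_setting.items():
        clashing = set()
        for i, a in enumerate(entries):
            for b in entries[i + 1:]:
                if a[2] & b[2] and a[3] != b[3]:  # overlapping target, different value
                    clashing.update((a[0], b[0]))
        if clashing:
            rows = [(n, t, v) for n, t, _, v in entries if n in clashing]
            conflicts[path] = sorted(rows, key=lambda r: PREFERENCE.index(r[1]))
    return conflicts

if __name__ == "__main__":
    for path, rows in find_conflicts(INVENTORY).items():
        print(path)
        for name, ptype, value in rows:
            print(f"  {value!r:>3}  {name}  [{ptype}]")
```

Profiles that set the same value, or that never target the same group, are not reported; only overlapping assignments with different values are.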