Forum Discussion

SimonR's avatar
SimonR
Brass Contributor
Apr 14, 2020

When is a configuration profile not a configuration profile?!

Apologies if this has been asked here before, I'm starting to setup our endpoint security workloads as part of M365 and have found multiple points of crossover in the Intune console where precedence ...
endpoint security
Intune
neilcarden's avatar
neilcarden
Brass Contributor
Apr 14, 2020
Hi Simon, self taught here so just sharing my thoughts. I agree there seems to be some duplication of where things are set. So where you previously would create a Config Policy under Endpoint Protection for the encryption side of things, there is now a blade/option in Endpoint Management for the duplicate settings. Microsoft are pushing out lots of changes at the minute and i'm finding it difficult to keep up!!
Does one override the other? I do not know... Do we need to move to the 'new' options? I don't know that either.
You're right for the compliance side though, they only scan the device to see if what you have marked as compliant is applied by the config profiles.
Thanks
Neil
  • SimonR's avatar
    SimonR
    Brass Contributor
    Apr 17, 2020

    neilcarden Thanks for the reply, I think I'm going to stick with configuration profiles until the Endpoint Management options have been matured. For example, there's no option to set firewall rules in the current EP Firewall policy.

     

    It also looks like the Security baseline might be affecting some settings as I applied a whole bunch of stuff as part of a rebuild and somehow got stuck with installing store apps only!

     

    Back to applying policies one at a time until I can work out what I broke 😞

    • SimonR's avatar
      SimonR
      Brass Contributor
      Apr 20, 2020

      So I'm going to try and keep posting my progress with this. So far I've realised I'm better having multiple configuration profiles rather than one big baseline one.

       

      I'm creating one for each Win10 group of settings. For example I currently have one for Windows10-EndpointProtection-MicrosoftDefenderFirewall and a separate one for Windows10-EndpointProtection-MicrosoftDefenderSmartScreen. I might end up merging some of these in the end but right now I'm applying each of these to my pilot devices and confirming behaviour before moving on.

       

      I'm avoiding Security Baseline completely at the moment, although I'd really like to use them there are just too many settings in one place with no way to confirm what's going to change. I'd really like to see a monitor mode for security baseline so I can understand what is going to change if I apply it.

      • neilcarden's avatar
        neilcarden
        Brass Contributor
        Apr 20, 2020

        SimonR That's exactly how I have been doing it although I did make a few 'big' ones and wish I hadnt, as its so easy to forget what you have enabled or configured on some of them. There are some good scripts for exporting them as well - so you can then re-import or move to a dev environment.

    • Thijs Lecomte's avatar
      Thijs Lecomte
      Bronze Contributor
      Apr 17, 2020
      You are right, Security Baselines also change settings.

      Device Compliance is the only one that checks settings, but doesn't change it.

      I agree that it's really confusing to choose if you use configuration policies, disk encryption policy or security baselines.

      I only use configuration policies, to maintain an overview

Resources