Best Practice for Multiple Configuration Policies

Copper Contributor

I'm looking for some guidance on the best practice setup when dealing with multiple restriction policies for multiple user groups.  Should I be creating complete restriction policies for each department, or am I better off creating a single, overarching restriction policy for my organization and then creating more targeted restriction policies if I need to modify specific settings for specific departments?  How is it determined which restriction policy would take precedence if they contain conflicting settings?

1 Reply

Hi Jason,

 

In general there is no precedence for same device configuration settings, this will result in conflicting setting and the setting is dropped/not applied. So user groups or departments should be target of only one configuration policy which defines all needed settings. Global settings can be set by a global one but can't be overwritten so they must be really global.

 

See official documentation for this here:

 

If multiple policies are assigned to the same user or device, how do I know which settings gets applied?

https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot#if-multiple-policies-are-assigne...

 

[...] If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict displays in the Azure portal. In this scenario, manually resolve these conflicts.

<= that's the important sentence for configuration policies!

 

What happens when a profile is deleted or no longer applicable?

https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot#what-happens-when-a-profile-is-d...

 

best,

Oliver