Home

Best Practice for Multiple Configuration Policies

%3CLINGO-SUB%20id%3D%22lingo-sub-275893%22%20slang%3D%22en-US%22%3EBest%20Practice%20for%20Multiple%20Configuration%20Policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-275893%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20looking%20for%20some%20guidance%20on%20the%20best%20practice%20setup%20when%20dealing%20with%20multiple%26nbsp%3Brestriction%20policies%20for%20multiple%20user%20groups.%26nbsp%3B%20Should%20I%20be%20creating%20complete%20restriction%20policies%20for%20each%20department%2C%20or%20am%20I%20better%20off%20creating%20a%20single%2C%20overarching%20restriction%20policy%20for%20my%20organization%20and%20then%20creating%20more%20targeted%20restriction%20policies%20if%20I%20need%20to%26nbsp%3Bmodify%20specific%20settings%20for%20specific%20departments%3F%26nbsp%3B%20How%20is%20it%20determined%20which%20restriction%20policy%20would%20take%20precedence%20if%20they%20contain%20conflicting%20settings%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-275893%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276100%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20Practice%20for%20Multiple%20Configuration%20Policies%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276100%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Jason%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20general%20there%20is%20no%20precedence%20for%20same%20device%20configuration%20settings%2C%20this%20will%20result%20in%20conflicting%20setting%20and%20the%20setting%20is%20dropped%2Fnot%20applied.%20So%20user%20groups%20or%20departments%20should%20be%20target%20of%20only%20one%20configuration%20policy%20which%20defines%20all%20needed%20settings.%20Global%20settings%20can%20be%20set%20by%20a%20global%20one%20but%20can't%20be%20overwritten%20so%20they%20must%20be%20really%20global.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20official%20documentation%20for%20this%20here%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EIf%20multiple%20policies%20are%20assigned%20to%20the%20same%20user%20or%20device%2C%20how%20do%20I%20know%20which%20settings%20gets%20applied%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fdevice-profile-troubleshoot%23if-multiple-policies-are-assigned-to-the-same-user-or-device-how-do-i-know-which-settings-gets-applied%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fdevice-profile-troubleshoot%23if-multiple-policies-are-assigned-to-the-same-user-or-device-how-do-i-know-which-settings-gets-applied%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%5B...%5D%20If%20a%20configuration%20policy%20setting%20conflicts%20with%20a%20setting%20in%20a%20different%20configuration%20policy%2C%20this%20conflict%20displays%20in%20the%20Azure%20portal.%20In%20this%20scenario%2C%20manually%20resolve%20these%20conflicts.%3C%2FP%3E%0A%3CP%3E%26lt%3B%3D%20that's%20the%20important%20sentence%20for%20configuration%20policies!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20happens%20when%20a%20profile%20is%20deleted%20or%20no%20longer%20applicable%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fdevice-profile-troubleshoot%23what-happens-when-a-profile-is-deleted-or-no-longer-applicable%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fdevice-profile-troubleshoot%23what-happens-when-a-profile-is-deleted-or-no-longer-applicable%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E
Jason Mull
Occasional Visitor

I'm looking for some guidance on the best practice setup when dealing with multiple restriction policies for multiple user groups.  Should I be creating complete restriction policies for each department, or am I better off creating a single, overarching restriction policy for my organization and then creating more targeted restriction policies if I need to modify specific settings for specific departments?  How is it determined which restriction policy would take precedence if they contain conflicting settings?

1 Reply

Hi Jason,

 

In general there is no precedence for same device configuration settings, this will result in conflicting setting and the setting is dropped/not applied. So user groups or departments should be target of only one configuration policy which defines all needed settings. Global settings can be set by a global one but can't be overwritten so they must be really global.

 

See official documentation for this here:

 

If multiple policies are assigned to the same user or device, how do I know which settings gets applied?

https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot#if-multiple-policies-are-assigne...

 

[...] If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict displays in the Azure portal. In this scenario, manually resolve these conflicts.

<= that's the important sentence for configuration policies!

 

What happens when a profile is deleted or no longer applicable?

https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot#what-happens-when-a-profile-is-d...

 

best,

Oliver

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies