Intune Customer Success

Endpoint security policies migrating to the unified settings platform in Microsoft Intune

Aug 04, 2023

By: Mike Danoski – Senior Product Manager | Microsoft Intune


As we update and simplify creating and managing configuration settings in Microsoft Intune, we’re migrating policies and settings to the unified settings platform. This platform is the foundation of the settings catalog, which provides quick access to policy and settings. Additionally, it provides consistency across naming, tooltips, and available values, and standardizes the “not configured” value for policy settings regardless of where you interact with the policy.


We’ve already published new templates, which are curated collections of settings for specific scenarios, and baselines, which are broader templates that add recommended values for each setting. We’re migrating endpoint security policies created before April 2022, beginning with Microsoft Defender Antivirus policy. Policies created after April 2022 already use the unified settings platform. If you have Endpoint security policies configured from this time or before, you’ll be notified through the Message center. During the migration, you may see the message stating, "Endpoint security profiles are being migrated to the unified settings platform. Avoid editing policies as long as this message appears."


A screenshot of the message the admin will see in the Endpoint security, Antivirus pane during the migration.


This migration won’t impact your policies or the enforcement of the policies on your users' devices, as the configured settings and values will be moved over as they’re currently saved. You can still edit and interact with the policy even if you see the migration banner. If you do make a change, we’ll pause and restart the migration process for that policy.


After this migration, you’ll notice a new policy editing experience, improved reporting, and consistent handling of setting values of "not configured". You’ll also be able to use new settings that have been added to these templates, scope tags, and assignment filters.


If you’re interacting with Endpoint security policies via the deviceManagement/templates or deviceManagement/intents Microsoft Graph API, you’ll be able to continue creating new policies, but they will be migrated later. Once migrated, the new policies will have new PolicyIDs and will be created on the deviceManagement/configurationPolicies API. We recommend switching to the new Graph endpoints for policy creation as soon as possible.


Note that you may see a slight change in reporting numbers when these policies are migrated. For example, when a policy is edited, reporting records of devices that have previously applied and reported on policy results but are no longer managed or checking in, won’t appear in the new reports until they check in again.


Important: Endpoint security policy on the unified settings platform supports Microsoft Defender for Endpoint security settings management. If a policy type supports these devices, the policy will begin applying to them once it is migrated.


Optional policy migration

We’re automatically moving existing policies over to the new framework for you. However, you may choose to move your profiles over now. To move your policies, complete the following steps:

  1. Create a new policy from the new template, ensuring the values exactly match those in the original policy.
    • Review the settings and values carefully, as some of the names have been updated to match the exact Windows or Defender setting name.
  2. Assign the policy to the same groups as the existing policy. If all settings are configured to the same value as the original policy, there won’t be any conflicts. If you change the assignment to use filters or to start with a test group, make sure the policy will eventually be assigned to all desired devices.
  3. Once reporting indicates the policy is applied successfully, it’s safe to unassign the original policy.
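To track which Endpoint security policies still live on the legacy Graph endpoints mentioned above (deviceManagement/intents and deviceManagement/templates) versus the new deviceManagement/configurationPolicies API, and to confirm that a manually recreated policy is in place before you unassign the original, the following PowerShell inventories both sides of the migration. This is an added example, not code from the post or the Intune team; it assumes the Microsoft.Graph.Authentication module, a read-only DeviceManagementConfiguration.Read.All scope, and the beta Graph schema for property names not on the page (isAssigned, lastModifiedDateTime, templateReference).

```powershell
# Added example: inventory Endpoint security policies on the legacy
# deviceManagement/intents API versus the unified settings platform
# (deviceManagement/configurationPolicies). Assumes the Microsoft.Graph.Authentication
# module; both endpoints are in the beta Graph API.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are fully enumerated.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}
$base = "https://graph.microsoft.com/beta/deviceManagement"

# Resolve legacy template IDs to display names (e.g. the Antivirus template)
# so each legacy policy shows which Endpoint security template it was built from.
$templateNames = @{}
foreach ($t in Get-GraphCollection "$base/templates") {
    $templateNames[$t.id] = $t.displayName
}
# Legacy policies: still on the intents API; they receive new PolicyIDs when migrated.
$legacy = Get-GraphCollection "$base/intents" | ForEach-Object {
    [pscustomobject]@{
        Platform     = 'Legacy (intents)'
        PolicyId     = $_.id
        Name         = $_.displayName
        Template     = $templateNames[[string]$_.templateId]   # "" key if templateId is missing
        Assigned     = $_.isAssigned
        LastModified = $_.lastModifiedDateTime
    }
}
# Unified settings platform policies; templateFamily filters out plain settings catalog
# policies so only Endpoint security templates are listed (assumed beta enum naming).
$unified = Get-GraphCollection "$base/configurationPolicies" |
    Where-Object { $_.templateReference.templateFamily -like 'endpointSecurity*' } |
    ForEach-Object {
    [pscustomobject]@{
        Platform     = 'Unified (configurationPolicies)'
        PolicyId     = $_.id
        Name         = $_.name
        Template     = $_.templateReference.templateDisplayName
        Assigned     = $_.isAssigned
        LastModified = $_.lastModifiedDateTime
    }
}
@($legacy) + @($unified) | Sort-Object Platform, Name | Format-Table -AutoSize
```

A legacy row with Assigned = True whose name also appears as an assigned unified row is a candidate for step 3 once reporting confirms the new policy applied.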


Key takeaways

Keep the following in mind, as we migrate Endpoint security policies to the unified settings platform:

  • Use Security baselines to deploy the recommended settings and values for common scenarios. This is a great place to start, if you’re new to Intune.
  • If you’re coming from on-premises Active Directory, start with Group Policy analytics to analyze your on-premises Group Policy objects (GPOs) and determine how your existing policy translates to the cloud.
  • Use a template when configuring a collection of related settings that are focused on a specific feature or scenario. The Endpoint security templates are an example of this category and are the best way to configure policy for your security scenarios. Templates such as Device restrictions and general administrative templates will eventually be retired and functionally replaced by the settings catalog.


Use the settings catalog to create a policy by searching and adding only those settings that you specify. For a full list of available settings in the catalog, see https://aka.ms/catalogedsettings.


Once we finish migrating Endpoint security profiles, we’ll shift focus to device configuration profiles. We’ll replace existing templates with new versions and, where applicable, retire some templates. We’ll also migrate policies created from templates, like Device restrictions and administrative templates, to settings catalog policy and retire the corresponding templates.


Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.


Post updates:

08/08/2023: Updated post to clarify the policies and settings migrating to the unified settings platform.

Updated Aug 08, 2023
Version 3.0