Conflicting Policy


What will happen if you and your colleague created conflicting endpoint security policies? Who will take precedence? And how do you spot this right away?

Example 1: Your colleague created a compliance policy that users must set up alphanumeric passwords not less than 10 characters long. Then the policy you created in a device configuration profile is that the password must be numeric and not less than 8 characters.

Example 2: An admin created a conditional access policy that applies to all users (not excluding anyone) to not access the company network on unmanaged devices. Then you created another policy that will allow certain administrators to access company networks even on unmanaged devices.

5 Replies

Good question... the Microsoft docs for conflicting app protection policies are a lot better. But if a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.

So for example one... I guess the 10 characters will be used. Using 10 characters should be the most restrictive... but I am not 100% sure how Microsoft thinks about this one... my guess is both of the policies will give remediation errors... but I need to test it to be 100% sure. But beware, using a password compliance policy can give you some trouble :p

And for example 2, it's the same... the most restrictive would win, so all devices will be blocked... You will need to apply a filter or exclude on that one to rule some users out.

It would be nice if MS could show or warn admins of conflicts like this. There are so many areas to set the same policy that it becomes a nightmare to unravel at times. Something like GPResult would be good.

Hi @Lee_Barton, to add to @Rudy_Ooms_MVP's reply: Compliance policy settings always have precedence over configuration profile settings. Have a look at this doc. Some more info there. A couple of weeks ago I did a fun presentation on security baselines, and also talked about conflicting policies. Here's the link. Hope this helps.
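The two precedence rules stated in the replies above (compliance over configuration, and the most restrictive value among compliance policies) can be applied to a list of policies to spot overlaps, as an added example that is not part of the original thread or any Microsoft tooling. The setting names, the restrictiveness ranking and the sample policies are constructed assumptions, and every policy is assumed to target the same device.

```python
from collections import defaultdict

# Assumption: higher rank = more restrictive. Setting names are illustrative.
RANK = {
    "passwordMinimumLength": lambda v: v,
    "passwordType": lambda v: ("numeric", "alphanumeric").index(v),
}

# Constructed sample policies (not a real tenant export).
POLICIES = [
    {"name": "Colleague-Compliance", "kind": "compliance",
     "settings": {"passwordMinimumLength": 10, "passwordType": "alphanumeric"}},
    {"name": "HQ-Compliance", "kind": "compliance",
     "settings": {"passwordMinimumLength": 12}},
    {"name": "My-DeviceConfig", "kind": "configuration",
     "settings": {"passwordMinimumLength": 8, "passwordType": "numeric"}},
    {"name": "Kiosk-DeviceConfig", "kind": "configuration",
     "settings": {"inactivityLockMinutes": 5}},
    {"name": "Lab-DeviceConfig", "kind": "configuration",
     "settings": {"inactivityLockMinutes": 15}},
]


def find_conflicts(policies):
    """Return {setting: report} for every setting given differing values."""
    seen = defaultdict(list)
    for p in policies:
        for setting, value in p["settings"].items():
            seen[setting].append((p["name"], p["kind"], value))

    report = {}
    for setting, entries in seen.items():
        if len({value for _, _, value in entries}) < 2:
            continue  # defined once, or all policies agree
        compliance = [e for e in entries if e[1] == "compliance"]
        winner = None  # stays None when the thread states no rule
        if compliance and setting in RANK:
            # Compliance beats configuration; among compliance policies
            # the most restrictive value applies.
            winner = max(compliance, key=lambda e: RANK[setting](e[2]))
        report[setting] = {"defined_in": entries, "effective": winner}
    return report


if __name__ == "__main__":
    for setting, info in find_conflicts(POLICIES).items():
        print(setting, "->", info["effective"] or "no rule stated; review")
        for name, kind, value in info["defined_in"]:
            print(f"    {kind:13} {name}: {value}")
```

Conflicts between configuration profiles only are reported with no effective value, because the thread gives no rule for that case.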

@Oktay Sari - I read your blog post and found it very interesting and entertaining!

Thanks for taking the time to reach out, I now have a fresh insight into Endpoint Manager as a result and will be retracing my steps with regard to Configuration Policies et al.

Thanks!

Lee

Hi @Lee_Barton, Happy to hear that. Have a great weekend!