Aug 15 2021 04:41 AM
What will happen if you and your colleague create conflicting endpoint security policies? Who will take precedence? And how do you spot this right away?
Example 1: Your colleague created a compliance policy that users must set up alphanumeric passwords not less than 10 characters long. Then the policy you created in a device configuration profile is that the password must be numeric and not less than 8 characters.
Example 2: An admin created a conditional access policy that applies to all users (not excluding anyone) to not access the company network on unmanaged devices. Then you created another policy that will allow certain administrators to access company networks even on unmanaged devices.
Aug 15 2021 10:27 PM - edited Aug 16 2021 12:16 AM
Good question... the Microsoft docs for conflicting app protection policies are a lot better. But if a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.
So for example one... I guess the 10 characters will be used. Using 10 characters should be the most restrictive... but I am not 100% sure how Microsoft thinks about this one... my guess is both of the policies will give remediation errors... but I need to test it to be 100% sure. But beware, using a password compliance policy can give you some trouble :p
And for example 2, it's the same... the most restrictive would win, so all devices will be blocked... You will need to apply a filter or exclude on that one to rule some users out.
Jul 02 2022 06:41 AM
Jul 03 2022 08:51 AM
Hi @Lee_Barton, to add to @Rudy_Ooms_MVP's reply: Compliance policy settings always have precedence over configuration profile settings. Have a look at this doc. Some more info there. A couple of weeks ago I did a fun presentation on security baselines, and also talked about conflicting policies. Here's the link. Hope this helps.
Jul 06 2022 01:18 PM
@Oktay Sari - I read your Blog post and found it very interesting and entertaining!
Thanks for taking the time to reach out, I now have a fresh insight into Endpoint Manager as a result and will be retracing my steps with regard to Configuration Policies et al.
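Added example (not part of any reply in this thread, and not Microsoft code): an offline check for the "how to spot this right away" question. It flags settings that more than one policy defines with different values, then applies the two rules stated in the replies above (compliance settings take precedence over configuration profile settings; between compliance policies the most restrictive value applies). The policy data, setting names and strictness ranking are constructed assumptions, not Intune or Graph property names.

```python
from collections import defaultdict

# Constructed sample data modelled on Example 1 (hypothetical setting names).
POLICIES = [
    {"name": "Colleague-Compliance", "kind": "compliance",
     "settings": {"passwordMinLength": 10, "passwordType": "alphanumeric"}},
    {"name": "My-DeviceConfig", "kind": "configuration",
     "settings": {"passwordMinLength": 8, "passwordType": "numeric"}},
    {"name": "Legacy-Compliance", "kind": "compliance",
     "settings": {"passwordMinLength": 6}},
]

# Assumption: how "most restrictive" is ranked per setting (higher = stricter).
TYPE_RANK = {"numeric": 1, "alphanumeric": 2}
STRICTNESS = {
    "passwordMinLength": lambda v: v,
    "passwordType": lambda v: TYPE_RANK[v],
}

def find_conflicts(policies):
    """Return {setting: [(policy, kind, value), ...]} where values differ."""
    seen = defaultdict(list)
    for p in policies:
        for setting, value in p["settings"].items():
            seen[setting].append((p["name"], p["kind"], value))
    return {s: d for s, d in seen.items() if len({v for _, _, v in d}) > 1}

def predicted_winner(setting, defs):
    """Apply the thread's rules. Returns None when they do not decide the
    case: no compliance policy defines the setting, or it has no ranking."""
    compliance = [d for d in defs if d[1] == "compliance"]
    rank = STRICTNESS.get(setting)
    if not compliance or rank is None:
        return None
    return max(compliance, key=lambda d: rank(d[2]))

def report(policies):
    lines = []
    for setting, defs in sorted(find_conflicts(policies).items()):
        sources = ", ".join(f"{n}={v}" for n, _, v in defs)
        win = predicted_winner(setting, defs)
        verdict = f"predicted {win[2]} ({win[0]})" if win else "review manually"
        lines.append(f"CONFLICT {setting}: {sources} -> {verdict}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(POLICIES)))
```

The predicted value is only a reading of the rules quoted in this thread; the device's own per-setting status report remains the authority on what was actually applied.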