Forum Discussion
Device Config Policy vs Device Compliance Policy
- Sep 21, 2018
Hi Stuart,
Compliance settings are mostly used in combination with conditional access to check a device for certain settings and then set a compliant flag or not. It can also be used just for reporting if certain settings are set, like BitLocker. So it's a kind of simple check, and remember that if several compliance policies have the same setting, they are evaluated and the most restrictive value counts. PIN 4 and PIN 6 in two compliance policies, then PIN length 6 is enforced.
Configuration policies instead are the way to configure and not to check. E.g. set creation of something like passwords to deny simple passwords. It's not a check; it will enforce the setting in the password example during creation of the password. If two configuration policies have the same setting they are in conflict and the setting will not be applied.
Hope this helps in your decisions.
best,
Oliver
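The two evaluation rules Oliver describes (compliance policies merge to the most restrictive value; configuration policies with differing values conflict and are not applied) can be modelled in a few lines. This is an added illustration written for this thread, not Intune's own evaluation engine; the setting names, the "which direction is stricter" tables and the sample policies are all constructed for the example.

```python
"""Model of overlapping Intune compliance vs. configuration policies (added illustration)."""
from dataclasses import dataclass

# Constructed tables: which direction counts as "more restrictive" for a numeric setting.
HIGHER_IS_STRICTER = {"min_password_length", "min_os_version"}
LOWER_IS_STRICTER = {"max_inactivity_minutes"}


@dataclass
class Policy:
    name: str
    settings: dict


def effective_compliance(policies):
    """Merge several compliance policies: for each setting the most restrictive value wins."""
    merged = {}
    for policy in policies:
        for key, value in policy.settings.items():
            if key not in merged:
                merged[key] = value
            elif key in HIGHER_IS_STRICTER:
                merged[key] = max(merged[key], value)
            elif key in LOWER_IS_STRICTER:
                merged[key] = min(merged[key], value)
            elif isinstance(value, bool):
                # Requiring something (e.g. BitLocker) is stricter than not requiring it.
                merged[key] = merged[key] or value
            # Any other setting type keeps the first value seen (constructed simplification).
    return merged


def is_compliant(device_state, requirements):
    """Compliance is a check: compare the device's reported state to the merged requirement.

    Returns (compliant, list_of_failed_settings)."""
    failures = []
    for key, required in requirements.items():
        actual = device_state.get(key)
        if key in HIGHER_IS_STRICTER and (actual is None or actual < required):
            failures.append(key)
        elif key in LOWER_IS_STRICTER and (actual is None or actual > required):
            failures.append(key)
        elif isinstance(required, bool) and required and not actual:
            failures.append(key)
    return (len(failures) == 0, failures)


def apply_configuration(policies):
    """Configuration policies enforce settings. If two policies set the same key to
    different values the setting is in conflict and is dropped from the applied set.

    Returns (applied_settings, sorted_conflicting_keys)."""
    applied, conflicts = {}, set()
    for policy in policies:
        for key, value in policy.settings.items():
            if key in applied and applied[key] != value:
                conflicts.add(key)
            else:
                applied.setdefault(key, value)
    for key in conflicts:
        applied.pop(key, None)
    return applied, sorted(conflicts)


if __name__ == "__main__":
    # The PIN 4 / PIN 6 case from the reply: the merged requirement is 6.
    merged = effective_compliance([
        Policy("Pin4", {"min_password_length": 4}),
        Policy("Pin6", {"min_password_length": 6, "bitlocker_required": True}),
    ])
    print("merged compliance requirement:", merged)
    print("device with 5-char PIN:", is_compliant({"min_password_length": 5, "bitlocker_required": True}, merged))
    # Two configuration policies disagreeing on one setting: that setting is not applied.
    print("configuration result:", apply_configuration([
        Policy("Cfg-A", {"block_simple_passwords": True}),
        Policy("Cfg-B", {"block_simple_passwords": False, "min_password_length": 8}),
    ]))
```

Note the asymmetry the model makes explicit: a compliance conflict silently tightens the requirement, while a configuration conflict silently drops the setting, so a device can end up both flagged non-compliant and unconfigured. Checking the per-setting conflict state in the admin portal is the practical way to catch the second case.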
Thanks!
So if I have it set to "Not Compliant" in the section you sent me and have MDM user scope set to All per this link:
https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
Then users will NOT be able to use or setup outlook/onedrive/Office apps on their devices UNLESS it is marked compliant, correct? FYI, I also have MFA enabled to enroll in Intune/Azure for extra security.
Basically yes but you need to make sure the user is only using modern authentication and not legacy auth because legacy auth will not be handled by CA. So SPO must be configured to use modern auth and in addition you need a policy to control EAS which uses legacy auth as well, see here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditional-access-for-exo-and-spo
To block legacy authentication see here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication.
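The gap described in this reply is easy to reason about once written down: a Conditional Access policy that requires a compliant device (or MFA) is only evaluated on modern, token-based sign-ins, so a legacy protocol such as EAS presenting a plain password is never subjected to that control unless a separate policy blocks legacy authentication. The following is an added illustration for this thread, not Azure AD's policy engine; the set of legacy protocol names, the sign-in records and the policy fields are constructed for the example.

```python
"""Model of Conditional Access evaluation for modern vs. legacy auth (added illustration)."""
from dataclasses import dataclass

# Constructed set of client protocols that authenticate with a bare username/password.
LEGACY_PROTOCOLS = {"EAS", "IMAP", "POP", "SMTP_AUTH"}


@dataclass
class SignIn:
    user: str
    app: str
    client_protocol: str   # "MODERN" or one of LEGACY_PROTOCOLS
    device_compliant: bool
    mfa_done: bool


@dataclass
class CaConfig:
    """Constructed summary of two CA policies: a grant policy and a legacy-auth block."""
    require_compliant_device: bool = True
    require_mfa: bool = True
    block_legacy_auth: bool = False


def evaluate(sign_in, cfg):
    """Return (decision, reason) for one sign-in under the configured policies."""
    if sign_in.client_protocol in LEGACY_PROTOCOLS:
        # No interactive grant control (MFA prompt, device check) can be applied to a
        # legacy sign-in; the only effective action is to block the protocol outright.
        if cfg.block_legacy_auth:
            return ("block", "legacy authentication blocked")
        return ("allow", "legacy auth bypassed device/MFA controls")
    if cfg.require_mfa and not sign_in.mfa_done:
        return ("block", "MFA required")
    if cfg.require_compliant_device and not sign_in.device_compliant:
        return ("block", "device not compliant")
    return ("allow", "all grant controls satisfied")


def find_bypasses(sign_ins, cfg):
    """Audit helper: list sign-ins that were allowed only because they used legacy auth.

    Each returned tuple is (user, app, protocol)."""
    return [
        (s.user, s.app, s.client_protocol)
        for s in sign_ins
        if evaluate(s, cfg) == ("allow", "legacy auth bypassed device/MFA controls")
    ]


if __name__ == "__main__":
    # Constructed sample sign-ins: same user, non-compliant device, two client types.
    sample = [
        SignIn("alice", "Exchange Online", "MODERN", device_compliant=False, mfa_done=True),
        SignIn("alice", "Exchange Online", "EAS", device_compliant=False, mfa_done=False),
        SignIn("bob", "SharePoint Online", "MODERN", device_compliant=True, mfa_done=True),
    ]
    without_block = CaConfig()
    with_block = CaConfig(block_legacy_auth=True)
    for s in sample:
        print(s.user, s.client_protocol, "->", evaluate(s, without_block))
    print("bypasses before blocking legacy auth:", find_bypasses(sample, without_block))
    print("bypasses after blocking legacy auth:", find_bypasses(sample, with_block))
```

The `find_bypasses` pass is the check worth running against real sign-in logs before flipping the block policy on: it shows which users and apps are still arriving over legacy protocols and would be cut off, which is exactly the "Outlook profile / modern auth" concern raised later in this thread.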
- reditguy, Jan 17, 2019, Iron Contributor
Ugh, not liking Intune right now.....we have a password policy set up in Compliance policy (12 characters, 1 non-alphanumeric required, 15 minute timeout), applied to a user group....we do not have any password policy set in configuration policy.
For some reason, MANY devices are giving an error of password length not being long enough even though it is over 12 characters (again, happening to many users).
So I am a bit confused on password policies....does it apply to ALL user accounts on a PC? We have some users that are logging into their PCs using local AD or local PC accounts, but PCs are joined to Intune. For some users, their local AD accounts for example are less than 10 characters (but again, their O365/Azure accounts are over 12), and it shows Compliant! But for others...it shows password is too short.
UGH, and thanks in advance.
- Jan 15, 2019
If you are using Office 365 ProPlus (2016) and EXO and the default Office settings with Autodiscover etc., your clients should already use modern auth and you don't need to re-create anything.
- reditguy, Jan 15, 2019, Iron Contributor
Got it...last question (for now), so since I do have to enable Modern and disable Basic....is it true I will have to recreate Outlook profiles and/or reinstall Office?
- Jan 15, 2019
The default of the tenant depends on the time of creation. Newer tenants have it disabled by default, older tenants not.
- reditguy, Jan 15, 2019, Iron Contributor
Thanks! I was told by MS Support that Modern auth is not enabled on my tenant (but I thought it was enabled by default?), and if I enabled that and disable Basic Auth, I would have to recreate everyone's Outlook profile even though they are all on Outlook 2016+