Security baselines

I'm testing the security baseline profiles for deploying to our Windows 10 devices. I'm finding it quite tedious to try and consolidate settings between baseline policies and other configuration policies in Intune. There are duplicate settings between policies and also there are settings in config policies which are missing in baseline policies. Is there any guidance or tips how this can be done more efficiently? Also how do these get applied if there are duplicate policies, what is the logic?

1 Reply

Hey @PMLIO,

Good planning and creation of no duplicate settings, as these will result in conflicts. Configuration profile conflict settings are not applied at all; manually resolve them and make sure only one config profile configures your setting.

If multiple policies are assigned to the same user or device, how do I know which settings gets applied?

When two or more policies are assigned to the same user or device, then the setting that applies happens at the individual setting level:

  • Compliance policy settings always have precedence over configuration profile settings.

  • If a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.

  • If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is shown in Intune. Manually resolve these conflicts.

https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#what-actions-c...

best,

Oliver
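
The per-setting logic described in the reply above can be checked offline before assignment. The following is an added example, not part of the original thread and not Intune's own code: it finds settings configured in more than one profile and labels each with the outcome the reply describes. The profile names, setting names and values are constructed sample data, `Get-SettingOverlap` is a hypothetical helper, and treating a security baseline as a configuration profile for conflict purposes is an assumption.

```powershell
# Constructed sample data standing in for settings exported from Intune.
# Profile names, setting names and values are hypothetical.
$profiles = @(
    [pscustomobject]@{ Name = 'Win10 Security Baseline'; Kind = 'Configuration'
        Settings = @{ FirewallEnabled = 'True'; MinPasswordLength = '8'; ScreenLockMinutes = '15' } }
    [pscustomobject]@{ Name = 'Corp Device Restrictions'; Kind = 'Configuration'
        Settings = @{ FirewallEnabled = 'True'; ScreenLockMinutes = '5' } }
    [pscustomobject]@{ Name = 'Corp Compliance'; Kind = 'Compliance'
        Settings = @{ MinPasswordLength = '10' } }
)

function Get-SettingOverlap {
    param([Parameter(Mandatory)] [object[]] $Profiles)

    # Flatten to one row per (profile, setting): overlap is judged per setting,
    # not per profile.
    $rows = foreach ($p in $Profiles) {
        foreach ($key in $p.Settings.Keys) {
            [pscustomobject]@{ Setting = $key; Profile = $p.Name; Kind = $p.Kind; Value = $p.Settings[$key] }
        }
    }

    # Only settings that appear in two or more profiles are of interest.
    foreach ($g in ($rows | Group-Object Setting | Where-Object Count -gt 1)) {
        $config       = @($g.Group | Where-Object Kind -eq 'Configuration')
        $compliance   = @($g.Group | Where-Object Kind -eq 'Compliance')
        $configValues = @($config | ForEach-Object Value | Sort-Object -Unique)

        # Outcome labels follow the rules quoted in the reply.
        $outcome = if ($compliance.Count -gt 1) { 'Most restrictive compliance setting applies' }
        elseif ($compliance.Count -eq 1) { 'Compliance setting takes precedence over configuration profiles' }
        elseif ($configValues.Count -gt 1) { 'Conflict: setting is not applied, resolve manually' }
        else { 'Duplicate (same value): consolidate into one profile' }

        [pscustomobject]@{
            Setting  = $g.Name
            Profiles = ($g.Group.Profile -join ', ')
            Values   = ($g.Group.Value -join ', ')
            Outcome  = $outcome
        }
    }
}

Get-SettingOverlap -Profiles $profiles | Format-Table -AutoSize -Wrap
```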