When is a configuration profile not a configuration profile?!

%3CLINGO-SUB%20id%3D%22lingo-sub-1306402%22%20slang%3D%22en-US%22%3EWhen%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306402%22%20slang%3D%22en-US%22%3E%3CP%3EApologies%20if%20this%20has%20been%20asked%20here%20before%2C%20I'm%20starting%20to%20setup%20our%20endpoint%20security%20workloads%20as%20part%20of%20M365%20and%20have%20found%20multiple%20points%20of%20crossover%20in%20the%20Intune%20console%20where%20precedence%20or%20differentiation%20isn't%20clear.%20For%20example%2C%20You%20seem%20to%20be%20able%20to%20describe%20Bitlocker%20settings%20in%20multiple%20ways%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Create%20a%20standard%20Windows%20Encryption%20configuration%20profile%20under%20Devices%3C%2FP%3E%3CP%3E2)%20Create%20a%20Device%20Compliance%20policy%20under%20Devices%20%26gt%3B%20Compliance%20Policies%3C%2FP%3E%3CP%3E3)%20Create%20a%20Disk%20Encryption%20policy%20under%20Endpoint%20Security%26gt%3BManage%3C%2FP%3E%3CP%3E4)%20Create%20a%20Windows%2010%20Security%20Baseline%20under%20Endpoint%20Security%26gt%3BSecurity%20Baselines%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAm%20I%20right%20in%20thinking%20that%201)%20and%202)%20are%20the%20original%20workflows%20for%20doing%203)%20and%204)%3F%20So%20that%20any%20work%20I%20start%20doing%20now%20should%20be%20done%20in%20the%20Endpoint%20Security%20node%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20a%20compliance%20policy%20or%20security%20baseline%20actually%20affect%20the%20settings%20on%20a%20device%20or%20is%20it%20just%20giving%20you%20the%20non-compliant%2Fcompliant%20flag%20and%20it's%20the%20Disk%20Encryption%20and%20Configuration%20Profiles%20that%20actually%20change%20the%20settings%20on%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFinally%20has%20anyone%20else%20noticed%20that%20when%20you%20edit%20a%20Disk%20Encryption%20policy%20a%20bunch%20of%20the%20settings%20are%20missing%20and%20can't%20be%20seen%20or%20changed%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1306402%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eendpoint%20security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306951%22%20slang%3D%22en-US%22%3ERe%3A%20When%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306951%22%20slang%3D%22en-US%22%3EHi%20Simon%2C%20self%20taught%20here%20so%20just%20sharing%20my%20thoughts.%20I%20agree%20there%20seems%20to%20be%20some%20duplication%20of%20where%20things%20are%20set.%20So%20where%20you%20previously%20would%20create%20a%20Config%20Policy%20under%20Endpoint%20Protection%20for%20the%20encryption%20side%20of%20things%2C%20there%20is%20now%20a%20blade%2Foption%20in%20Endpoint%20Management%20for%20the%20duplicate%20settings.%20Microsoft%20are%20pushing%20out%20lots%20of%20changes%20at%20the%20minute%20and%20i'm%20finding%20it%20difficult%20to%20keep%20up!!%3CBR%20%2F%3EDoes%20one%20override%20the%20other%3F%20I%20do%20not%20know...%20Do%20we%20need%20to%20move%20to%20the%20'new'%20options%3F%20I%20don't%20know%20that%20either.%3CBR%20%2F%3EYou're%20right%20for%20the%20compliance%20side%20though%2C%20they%20only%20scan%20the%20device%20to%20see%20if%20what%20you%20have%20marked%20as%20compliant%20is%20applied%20by%20the%20config%20profiles.%3CBR%20%2F%3EThanks%3CBR%20%2F%3ENeil%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1315745%22%20slang%3D%22en-US%22%3ERe%3A%20When%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1315745%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346060%22%20target%3D%22_blank%22%3E%40neilcarden%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20reply%2C%20I%20think%20I'm%20going%20to%20stick%20with%20configuration%20profiles%20until%20the%20Endpoint%20Management%20options%20have%20been%20matured.%20For%20example%2C%20there's%20no%20option%20to%20set%20firewall%20rules%20in%20the%20current%20EP%20Firewall%20policy.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20also%20looks%20like%20the%20Security%20baseline%20might%20be%20affecting%20some%20settings%20as%20I%20applied%20a%20whole%20bunch%20of%20stuff%20as%20part%20of%20a%20rebuild%20and%20somehow%20got%20stuck%20with%20installing%20store%20apps%20only!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBack%20to%20applying%20policies%20one%20at%20a%20time%20until%20I%20can%20work%20out%20what%20I%20broke%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1316109%22%20slang%3D%22en-US%22%3ERe%3A%20When%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1316109%22%20slang%3D%22en-US%22%3EYou%20are%20right%2C%20Security%20Baselines%20also%20change%20settings.%3CBR%20%2F%3E%3CBR%20%2F%3EDevice%20Compliance%20is%20the%20only%20one%20that%20checks%20settings%2C%20but%20doesn't%20change%20it.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20agree%20that%20it's%20really%20confusing%20to%20choose%20if%20you%20use%20configuration%20policies%2C%20disk%20encryption%20policy%20or%20security%20baselines.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20only%20use%20configuration%20policies%2C%20to%20maintain%20an%20overview%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1320766%22%20slang%3D%22en-US%22%3ERe%3A%20When%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320766%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I'm%20going%20to%20try%20and%20keep%20posting%20my%20progress%20with%20this.%20So%20far%20I've%20realised%20I'm%20better%20having%20multiple%20configuration%20profiles%20rather%20than%20one%20big%20baseline%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20creating%20one%20for%20each%20Win10%20group%20of%20settings.%20For%20example%20I%20currently%20have%20one%20for%20Windows10-EndpointProtection-MicrosoftDefenderFirewall%20and%20a%20separate%20one%20for%26nbsp%3BWindows10-EndpointProtection-MicrosoftDefenderSmartScreen.%20I%20might%20end%20up%20merging%20some%20of%20these%20in%20the%20end%20but%20right%20now%20I'm%20applying%20each%20of%20these%20to%20my%20pilot%20devices%20and%20confirming%20behaviour%20before%20moving%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20avoiding%20Security%20Baseline%20completely%20at%20the%20moment%2C%20although%20I'd%20really%20like%20to%20use%20them%20there%20are%20just%20too%20many%20settings%20in%20one%20place%20with%20no%20way%20to%20confirm%20what's%20going%20to%20change.%20I'd%20really%20like%20to%20see%20a%20monitor%20mode%20for%20security%20baseline%20so%20I%20can%20understand%20what%20is%20going%20to%20change%20if%20I%20apply%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1320913%22%20slang%3D%22en-US%22%3ERe%3A%20When%20is%20a%20configuration%20profile%20not%20a%20configuration%20profile%3F!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1320913%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F255877%22%20target%3D%22_blank%22%3E%40SimonR%3C%2FA%3E%26nbsp%3BThat's%20exactly%20how%20I%20have%20been%20doing%20it%20although%20I%20did%20make%20a%20few%20'big'%20ones%20and%20wish%20I%20hadnt%2C%20as%20its%20so%20easy%20to%20forget%20what%20you%20have%20enabled%20or%20configured%20on%20some%20of%20them.%20There%20are%20some%20good%20scripts%20for%20exporting%20them%20as%20well%20-%20so%20you%20can%20then%20re-import%20or%20move%20to%20a%20dev%20environment.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Apologies if this has been asked here before, I'm starting to setup our endpoint security workloads as part of M365 and have found multiple points of crossover in the Intune console where precedence or differentiation isn't clear. For example, You seem to be able to describe Bitlocker settings in multiple ways:

 

1) Create a standard Windows Encryption configuration profile under Devices

2) Create a Device Compliance policy under Devices > Compliance Policies

3) Create a Disk Encryption policy under Endpoint Security>Manage

4) Create a Windows 10 Security Baseline under Endpoint Security>Security Baselines

 

Am I right in thinking that 1) and 2) are the original workflows for doing 3) and 4)? So that any work I start doing now should be done in the Endpoint Security node?

 

Does a compliance policy or security baseline actually affect the settings on a device or is it just giving you the non-compliant/compliant flag and it's the Disk Encryption and Configuration Profiles that actually change the settings on the device?

 

Finally has anyone else noticed that when you edit a Disk Encryption policy a bunch of the settings are missing and can't be seen or changed??

 

Thanks in advance 

5 Replies
Hi Simon, self taught here so just sharing my thoughts. I agree there seems to be some duplication of where things are set. So where you previously would create a Config Policy under Endpoint Protection for the encryption side of things, there is now a blade/option in Endpoint Management for the duplicate settings. Microsoft are pushing out lots of changes at the minute and i'm finding it difficult to keep up!!
Does one override the other? I do not know... Do we need to move to the 'new' options? I don't know that either.
You're right for the compliance side though, they only scan the device to see if what you have marked as compliant is applied by the config profiles.
Thanks
Neil

@neilcarden Thanks for the reply, I think I'm going to stick with configuration profiles until the Endpoint Management options have been matured. For example, there's no option to set firewall rules in the current EP Firewall policy.

 

It also looks like the Security baseline might be affecting some settings as I applied a whole bunch of stuff as part of a rebuild and somehow got stuck with installing store apps only!

 

Back to applying policies one at a time until I can work out what I broke :(

You are right, Security Baselines also change settings.

Device Compliance is the only one that checks settings, but doesn't change it.

I agree that it's really confusing to choose if you use configuration policies, disk encryption policy or security baselines.

I only use configuration policies, to maintain an overview

So I'm going to try and keep posting my progress with this. So far I've realised I'm better having multiple configuration profiles rather than one big baseline one.

 

I'm creating one for each Win10 group of settings. For example I currently have one for Windows10-EndpointProtection-MicrosoftDefenderFirewall and a separate one for Windows10-EndpointProtection-MicrosoftDefenderSmartScreen. I might end up merging some of these in the end but right now I'm applying each of these to my pilot devices and confirming behaviour before moving on.

 

I'm avoiding Security Baseline completely at the moment, although I'd really like to use them there are just too many settings in one place with no way to confirm what's going to change. I'd really like to see a monitor mode for security baseline so I can understand what is going to change if I apply it.

@SimonR That's exactly how I have been doing it although I did make a few 'big' ones and wish I hadnt, as its so easy to forget what you have enabled or configured on some of them. There are some good scripts for exporting them as well - so you can then re-import or move to a dev environment.