Policy precedence and recommended policy configuration order in Intune

Marco Janse 0 Reputation points
2023-03-30T10:01:11.7866667+00:00

I am looking for guidance for configuring policies and profiles for users and devices in the best order, as there are so many different locations now you can configure policies and a lot of settings can be configured at multiple locations, which can result in policy conflicts.

As far as I can find, the current Intune documentation on Microsoft Learn isn't completely clear on this. It would be great if there was a guideline document on Microsoft Learn which would also be referenced from the policy configuration panes in the Intune portal.

Like what should be the preferred locations to configure policies and profiles and in which order should you configure them and will they be applied?

At the moment, I'm using the following policies and profiles and configure them in this order:

  1. Compliance policies
  2. Endpoint Security
    1. Antivirus
    2. Disk Encryption
    3. Firewall
    4. Endpoint detection and response
    5. Attack Surface reduction
    6. Account protection
  3. Configuration Profiles

It's also not clear to me where security baselines should be positioned in this compared to Endpoint Security and Configuration profiles, and which locations will be actively developed by the Intune team in the future.

So if I started from scratch with Intune, what should be the order in which to configure these policies, and should I include as many settings as possible in one policy, or is it better to create more separate policies for specific components, assuming they can all be scoped to the same targets?

P.S. I have also submitted this as an issue for the Intune docs: Policy precedence and recommended policy configuration order in Intune #3726 | Microsoft Docs on GitHub.com and on the Feedback hub: Recommended policy configuration order in Intune - Microsoft Feedback Hub


1 answer

  1. Crystal-MSFT 48,746 Reputation points Microsoft Vendor
    2023-03-31T02:04:08.43+00:00

    @Marco Janse, Thanks for posting in Q&A.

    In general, Compliance policy settings always have precedence over configuration profile settings. If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is shown in Intune. Manually resolve these conflicts. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#compliance-and-device-configuration-policies-that-conflict

    For Security Baseline, it is a feature which Intune is developing to make it easy to deploy Windows security baselines to help you secure and protect your users and devices.

    For these policies, there's no recommended order. One way to avoid conflicts is to not use different baselines, instances of the same baseline, or different policy types and instances to manage the same settings on a device. You can configure all the settings in one type of policy.

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security#avoid-policy-conflicts

    For the settings in the policy, if all these settings target the same group, you can put them in one policy. If they are for different groups, we can create different policies for them.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
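The advice above boils down to one rule: do not let two policy types, two baselines, or two instances of the same policy manage one setting for the same target. The script below is an added example, not code from the thread or from Microsoft, that checks exported policy data for exactly that. The policy records, setting ids, values and group names are constructed for illustration; in a real tenant you would populate them from the policies and assignments returned by Microsoft Graph. It distinguishes a true conflict (same setting, same target, different values, which Intune will flag) from a redundant overlap (same value from two policies, which is still worth removing so later edits cannot silently diverge).

```python
"""Find Intune settings managed by more than one policy for the same target group.

All policy data below is constructed sample data, not an export from a real tenant.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# A value a baseline or profile reports when it does not manage the setting.
NOT_CONFIGURED = "notconfigured"


class Policy(NamedTuple):
    name: str
    policy_type: str                 # e.g. "endpointSecurity/antivirus", "securityBaseline"
    assigned_groups: FrozenSet[str]  # groups the policy is assigned to (constructed names)
    settings: Dict[str, str]         # setting id -> configured value (constructed ids)


class Overlap(NamedTuple):
    setting: str
    group: str
    sources: List[Tuple[str, str, str]]  # (policy name, policy type, value)
    kind: str                            # "conflict" or "redundant"


# Constructed sample policies: an Endpoint security AV policy and a security
# baseline both manage real-time protection for the same group, and a
# configuration profile and an Endpoint security firewall policy disagree on
# the domain firewall profile for the Finance devices.
SAMPLE_POLICIES: List[Policy] = [
    Policy("AV - Defender core", "endpointSecurity/antivirus",
           frozenset({"All-Windows-Devices"}),
           {"defender_realtimeprotection": "enabled",
            "defender_cloudblocklevel": "high"}),
    Policy("Baseline - MDM Security Baseline", "securityBaseline",
           frozenset({"All-Windows-Devices"}),
           {"defender_realtimeprotection": "enabled",
            "defender_cloudblocklevel": NOT_CONFIGURED,
            "firewall_domainprofile": "enabled"}),
    Policy("Config - Firewall domain", "configurationProfile",
           frozenset({"Finance-Devices"}),
           {"firewall_domainprofile": "enabled"}),
    Policy("Firewall - Finance", "endpointSecurity/firewall",
           frozenset({"Finance-Devices"}),
           {"firewall_domainprofile": "disabled"}),
]


def find_overlaps(policies: List[Policy]) -> List[Overlap]:
    """Return every (setting, group) pair that two or more policies manage."""
    index: Dict[Tuple[str, str], List[Tuple[str, str, str]]] = defaultdict(list)
    for policy in policies:
        for group in policy.assigned_groups:
            for setting, value in policy.settings.items():
                # "Not configured" means the policy leaves the setting alone,
                # so it cannot take part in an overlap.
                if value == NOT_CONFIGURED:
                    continue
                index[(setting, group)].append((policy.name, policy.policy_type, value))

    overlaps: List[Overlap] = []
    for (setting, group), sources in sorted(index.items()):
        if len(sources) < 2:
            continue
        distinct_values = {value for _, _, value in sources}
        kind = "conflict" if len(distinct_values) > 1 else "redundant"
        overlaps.append(Overlap(setting, group, sources, kind))
    return overlaps


def report(overlaps: List[Overlap]) -> List[str]:
    """Render overlaps as one line each, conflicts first."""
    lines = []
    for o in sorted(overlaps, key=lambda o: (o.kind != "conflict", o.setting)):
        who = "; ".join(f"{name} [{ptype}] = {value}" for name, ptype, value in o.sources)
        lines.append(f"{o.kind.upper():9} {o.setting} @ {o.group}: {who}")
    return lines


if __name__ == "__main__":
    for line in report(find_overlaps(SAMPLE_POLICIES)):
        print(line)
```

The check keys on assigned group names, which is enough to catch the duplication the answer warns about, but a device can be a member of several groups; a production version would resolve each device's effective set of policies (for example from Graph's per-device policy state) before comparing values. Treating "not configured" as unmanaged mirrors how baselines behave: only settings a policy actually sets can collide.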
