Compliance Policies, Configuration Profiles, Windows Hello and Security Baselines

When designing your Intune security solution, you need to ensure that the settings match in all four sections or there will be conflicts and devices will show as non-compliant.

The Security Baseline, Configuration Profile for Device Restriction, Compliance Policy and Windows Hello settings must match.

Personally, I no longer create a Configuration Profile for Device Restriction to set the password requirements as the Security Baseline is the preferred route now.

My personal recommendation is the following -
Security Baseline - configure as per business needs
Windows Hello for Business - match the Security Baseline configuration
Compliance Policy - update to match the Security Baseline configuration
Configuration Profile (Device Restriction) - Password settings not needed - do not create


Examples of the mismatch of default configurations -

Configuration Profile for Device Restriction - Default minimum password length - four

Compliance Policy - Default length for minimum password length is four

Windows Hello for Business default - six digit Minimum PIN length

Security Baseline default - 8 digit minimum password length


About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry on LinkedIn -


No comments:

Post a Comment