
How Windows Intune Policies are Applied

Updated: December 17, 2012

Applies To: Windows Intune

In the Windows Intune administrator console, you can deploy a policy to device groups or user groups that you select. If the policy was already deployed, you can remove the policy from the specific groups or deploy the policy to additional groups.

The following table describes which policies are deployed to device groups and which policies are deployed to user groups, and whether the policies apply to computers or mobile devices.

Windows Intune Policy             Deployed to      Policy applies to
Windows Firewall Policy           Device groups    Computers
Windows Intune Agent Settings     Device groups    Computers
Windows Intune Center Settings    Device groups    Computers
Mobile Device Security Policy     User groups      Mobile devices

Policy processing

This section describes how policies are applied and how conflicts are resolved in the following two scenarios:

  • Policies applied to computers

  • Policies applied to mobile devices

Policies applied to computers

This section applies to the following policies:

  • Windows Firewall Policy

  • Windows Intune Agent Settings

  • Windows Intune Center Settings

Changes to policy are available for download by Windows Intune managed computers within a few minutes of saving the policy. Windows Intune managed computers check for updates every 8 to 22 hours, depending on the configuration of the Windows Intune Agent policies, and download any new or updated policies that have been deployed to them. After the policies have been downloaded, they are enacted on the computers by the Microsoft Online Management Policy agent (Policy agent). Policy cannot be applied on demand. If two or more policies have been deployed to a computer, all of the settings configured in those policies are enacted on the computer.

You can force a refresh of policy on computers by using the Refresh Policies remote task. For more information, see Refreshing Windows Intune Policies.

Because the settings from all deployed policies are merged, you can create general policies that you apply to All Devices and more specific policies that are applied only to computers in specific groups.

When you delete a policy from the Windows Intune administrator console, you also remove that policy from all groups to which the policy was deployed. Unless another policy takes over the management of the settings previously managed by the deleted policy, those settings are reset on computers to which that policy is deployed.

  • Endpoint Protection settings: The values of configured Windows Intune Endpoint Protection settings on the computers are reset to the default state for Windows Intune. Except for the Join Microsoft Active Protection Service setting, the default values are the same as the recommended values for the policy settings. For Join Microsoft Active Protection Service, the default value is No.

  • Updates settings: The values of configured Updates settings on the computers are reset to the default state for the operating system.

  • Windows Intune Center settings: Any support contact information that was configured by the policy is deleted from the computers.

  • Windows Firewall settings: The values of the Windows Firewall settings configured by that policy on those computers are reset to the values that are in the default state of the operating system.

Conflict resolution

When a setting is configured in two policies that are both deployed to the same computer, only the value from the winning policy is applied. The winning policy setting is determined as follows:

  • If a computer is a member of two groups, and one policy is deployed to one group, while the other policy is deployed to another group, the policy associated with the deepest group in the group tree structure wins. You can view the computer group tree structure in the Groups workspace.

  • If both policies are deployed to the same group, or if both groups are at the same depth in the group tree structure, the setting from the policy with the most recent Last Modified Time wins.

Policy applied to users

This section applies to Mobile Device Security Policies.

Windows Intune Mobile Device Security policies are deployed to user groups.

If you are using Exchange ActiveSync to manage mobile devices, Windows Intune calculates the effective policy for a user, creates the required Exchange ActiveSync mailbox policy, saves the policy to Exchange, and applies the policy to the user’s mailbox. Exchange ActiveSync mailbox policies created by Windows Intune use the following naming convention: WindowsIntune_{PolicyGUID#}. The mailbox policy is applied to the mobile device the next time the device syncs with Exchange. When the effective policy is the same for multiple users, Windows Intune applies the same mailbox policy to all of those mailboxes.

Important
After the Exchange Connector is installed, the user’s mobile device policy settings should be managed only in the Windows Intune administrator console. Windows Intune saves the mobile device security policy to the Exchange server and applies it to the appropriate mailbox. If you change the user’s mailbox settings by using the Exchange management tools, unexpected results might occur.

When you delete a policy from the Windows Intune administrator console, you also remove that policy from all groups to which the policy was deployed. If no other policy is deployed to the user, Windows Intune will apply the Exchange ActiveSync mailbox policy that is marked as the default policy to the user’s mailbox.

Conflict resolution

The user’s effective policy is determined by merging all policies that have been deployed to the user. When a setting is configured in two policies that are both deployed to the same user, only the value from the winning policy is applied. The winning policy setting is determined as follows:

  • If a user is a member of two groups, and one policy is deployed to one group, while the other policy is deployed to another group, the policy associated with the deepest group in the group tree structure wins. You can view the user group tree structure in the Groups workspace.

  • If both policies are deployed to the same group, or if both groups are at the same depth in the group tree structure, the older policy setting wins and a Policy Conflict alert is raised. Mobile policy setting conflicts can be viewed in the Policy Conflicts page of the Policy workspace.

  • If a user’s device is managed by policy settings from both Windows Intune direct management and Exchange ActiveSync, the more secure policy settings are applied.
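The following model shows how the two conflict resolution procedures above (computers: deepest group wins, then the most recently modified policy; users: deepest group wins, then the older policy, with a Policy Conflict recorded) play out against a small group tree. It is an added illustration written for this page, not Windows Intune code. The group tree, policy names, setting names and Last Modified Times are constructed sample data, and "older" is taken to mean the earlier Last Modified Time, which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed group tree (child -> parent), standing in for the tree shown in
# the Groups workspace. A root such as All Devices or All Users has depth 0.
GROUP_PARENT = {
    "All Devices": None,
    "Finance": "All Devices",
    "Finance Laptops": "Finance",
    "All Users": None,
    "Sales": "All Users",
}


def group_depth(group: str) -> int:
    """Number of edges from the group up to its root in GROUP_PARENT."""
    depth = 0
    while GROUP_PARENT[group] is not None:
        group = GROUP_PARENT[group]
        depth += 1
    return depth


@dataclass
class Policy:
    name: str
    deployed_to: str          # group the policy is deployed to
    last_modified: datetime   # the Last Modified Time shown in the console
    settings: dict            # only the settings this policy configures


def resolve(policies, member_of, target):
    """Merge every policy deployed to a group the computer or user belongs to.

    target is "computer" (ties go to the most recently modified policy) or
    "user" (ties go to the older policy and a conflict is recorded, standing
    in for the Policy Conflict alert). Returns (effective_settings, conflicts).
    """
    applicable = [p for p in policies if p.deployed_to in member_of]

    # Every configured setting is enacted; collect the policies that set each one.
    candidates = {}
    for p in applicable:
        for setting in p.settings:
            candidates.setdefault(setting, []).append(p)

    effective, conflicts = {}, []
    for setting, pols in candidates.items():
        # Rule 1: the policy deployed to the deepest group wins.
        max_depth = max(group_depth(p.deployed_to) for p in pols)
        deepest = [p for p in pols if group_depth(p.deployed_to) == max_depth]
        if len(deepest) == 1:
            winner = deepest[0]
        elif target == "computer":
            # Rule 2 (computers): most recent Last Modified Time wins.
            winner = max(deepest, key=lambda p: p.last_modified)
        else:
            # Rule 2 (users): the older policy wins and a conflict is raised.
            winner = min(deepest, key=lambda p: p.last_modified)
            conflicts.append((setting, sorted(p.name for p in deepest)))
        effective[setting] = winner.settings[setting]
    return effective, conflicts


def computer_example():
    """A computer in All Devices > Finance > Finance Laptops (constructed data)."""
    policies = [
        Policy("Baseline firewall", "All Devices", datetime(2012, 12, 1),
               {"firewall_enabled": True, "remote_desktop_exception": False}),
        Policy("Finance RDP", "Finance", datetime(2012, 12, 10),
               {"remote_desktop_exception": True}),
        Policy("Laptop sharing A", "Finance Laptops", datetime(2012, 12, 5),
               {"file_sharing_exception": True}),
        Policy("Laptop sharing B", "Finance Laptops", datetime(2012, 12, 12),
               {"file_sharing_exception": False}),
    ]
    return resolve(policies, {"All Devices", "Finance", "Finance Laptops"}, "computer")


def user_example():
    """A user in All Users > Sales (constructed data)."""
    policies = [
        Policy("All users baseline", "All Users", datetime(2012, 12, 1),
               {"require_password": True, "min_password_length": 4}),
        Policy("Sales passwords", "Sales", datetime(2012, 12, 3),
               {"min_password_length": 6}),
        Policy("Sales passwords strict", "Sales", datetime(2012, 12, 9),
               {"min_password_length": 8}),
    ]
    return resolve(policies, {"All Users", "Sales"}, "user")


if __name__ == "__main__":
    print("computer:", computer_example())
    print("user:    ", user_example())
```

In the computer case the Finance policy overrides the All Devices value for the remote desktop exception because Finance is deeper, and of the two policies on Finance Laptops the one modified on 12 December wins. In the user case the two Sales policies tie on depth, so the older one (minimum length 6) wins and the setting is reported as a conflict, which is what the Policy Conflicts page would show.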

© 2014 Microsoft. All rights reserved.