Policy Conflict Resolution


Hello, are there any plans on improving tools for policy conflict resolution? With so many areas to configure duplicate policy settings it can be confusing to resolve these conflicts as they happen. I can't click into the policies that are shown in conflict, or the settings, without looking around for where those policies are. It would be helpful to click the policy and be taken directly to where it is configured so that we can more easily resolve it. 

 

For example, I have a policy in conflict currently, with a ticket open for the issue, which is EDR conflicting with the built-in onboarding policy for instance. I can't dig into the onboarding policy at all, and the only thing configured with EDR is to enable sample sharing for all files. That setting is set to not configured on the Defender ATP Sensor Configuration Policy (all that is configured there is Microsoft Defender for Endpoint client config package type being set to onboard) and that's about all the insight I have into the settings.

Additionally, are there plans to extend features available for Server 2016/2019 to Server 2012 R2 or are we expected to upgrade our environments if we want to be able to take actions against them in the ATP portal?

2 Replies

@BrandonD930 great questions. 

1. How did you set the policies? Through MEM? Right now, if two policies conflict, MEM will show an error. We have conflict resolution on the roadmap, but I don't have a specific timeline to share at this point. 

2. Yes for Server 2012 R2 - there is work in progress to get to feature parity with the capabilities that are available for Server 2019.  

@Maayan Bar-Niv Thank you for the response! :)

 

1) Yes, I had started with the Security Baselines inside MEM in the overview area, then quickly realized that setting further more narrowly scoped policies up inside Endpoint Security would cause massive conflicts as policies clashed. I removed all the baseline policies and have defaulted to configuring items individually to try and eliminate any conflicts. That was working well, as I had zero conflicts, until very recently when the issue I spoke of above came about. No changes were made to any policies; I've just been rolling more machines into my Test Pilot. I should also mention that we are co-managed between SCCM 2002 and Intune with a pilot group of around 270 machines currently. Better troubleshooting tools would be much appreciated :)

 

2) Good to know that features are coming to bring feature parity across all currently supported products :)
