In Windows Intune, you can author multiple policies and target them to different computer groups. Ever wondered what happens when conflicting policies are targeted at different computer groups, and which policy finally wins?

Let’s say you have the computer group ‘Seattle’ under the ‘All Computers’ computer group.

Let’s say you have the following Malware protection policies:

  • Policy 1: Quick scan is scheduled at 2:00AM
  • Policy 2: Quick scan is scheduled at 10:00AM

Policy 1 is deployed to the ‘All Computers’ group and Policy 2 is deployed to the ‘Seattle’ group.

For a computer belonging to the Seattle group, you would expect it to receive both policies. But which policy would win?

Rule 1: The policy targeted to the deepest computer group wins!

So, Policy 2, which is deployed to the deepest computer group (Seattle), wins. Computers belonging to the Seattle computer group would be configured to perform their quick scans at 10:00AM.

Now, let’s say that you author another policy, Policy 3, with the quick scan schedule set at 12:00PM. Policy 3 is deployed to the Seattle computer group.

Rule 2: When policies are in conflict, the newest policy wins!

So, Policy 3, which is the most recently edited policy, wins, and computers belonging to the Seattle computer group are configured to perform quick scans at 12:00PM.

In summary, the rules for resolving policy conflicts are:

  • Rule 1: The policy targeted to the deepest computer group wins.
  • Rule 2: If policies are still in conflict, the newest policy wins.
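
The two rules can be modeled in a few lines to check which setting a computer ends up with. This is an added example, not code from Windows Intune or from the original post; the data layout, function names and edit dates are assumptions constructed to mirror the scenario above, and each computer is assumed to sit in a single group.

```python
from datetime import datetime

# Constructed model of the article's scenario. Group names and scan times come
# from the post; the dict layout and edit dates are assumptions.
GROUP_PARENT = {"All Computers": None, "Seattle": "All Computers"}

POLICIES = [
    {"name": "Policy 1", "group": "All Computers", "quick_scan": "2:00AM",
     "edited": datetime(2011, 3, 1)},
    {"name": "Policy 2", "group": "Seattle", "quick_scan": "10:00AM",
     "edited": datetime(2011, 3, 2)},
    {"name": "Policy 3", "group": "Seattle", "quick_scan": "12:00PM",
     "edited": datetime(2011, 3, 3)},
]


def group_chain(group, parents):
    """Return the group and all its ancestors, deepest first."""
    chain = []
    while group is not None:
        chain.append(group)
        group = parents[group]
    return chain


def effective_policy(computer_group, policies, parents):
    """Pick the winning policy for a computer in computer_group.

    Rule 1: the policy on the deepest group wins.
    Rule 2: among policies at that depth, the most recently edited wins.
    """
    chain = group_chain(computer_group, parents)
    # Depth counted from the root: the last element of the chain has depth 0.
    depth = {g: len(chain) - 1 - i for i, g in enumerate(chain)}
    applicable = [p for p in policies if p["group"] in depth]
    if not applicable:
        return None  # no policy targets this computer
    # Tuple ordering applies Rule 1 first, then Rule 2 as the tie-breaker.
    return max(applicable, key=lambda p: (depth[p["group"]], p["edited"]))


if __name__ == "__main__":
    for label, subset in (("Policies 1-2", POLICIES[:2]), ("Policies 1-3", POLICIES)):
        winner = effective_policy("Seattle", subset, GROUP_PARENT)
        print(f"{label}: {winner['name']} wins, quick scan at {winner['quick_scan']}")
```

Because depth is compared before edit time, a later edit to Policy 1 on ‘All Computers’ does not change the outcome for Seattle computers in this model.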

As always, we welcome your comments and feedback on Windows Intune!