Intune and multiple security baselines

You want to test some new Security Baselines in Intune, but you find that they are not working or that settings keep turning on.
Sadly, Intune does not warn you about a conflict when two baselines configure the same setting with different values.

You can tell whether a device has multiple baselines applied to it by logging in to Intune and doing the following:

  1. Go to Endpoint Security > Security Baselines.
  2. Open the baseline in question, then open the profile.
  3. Select Device assignment status > Generate Again.
  4. Find and click on the device that needs the policy applied.
  5. Click on one of the settings.

On the right-hand side, a fold-out should appear with Source Profiles. If it lists more than one profile, the device is applying all of them.

Sadly, Intune does not have a button to remove baseline profiles. To remove the baseline profile from the device, you will need to do the following:

  1. Make sure the device is in a group that is excluded from the baseline configuration you don't want applied to it.
    1. When you exclude a device using a separate group, make sure the device is not in the Included group as well. Include will win.
  2. Make a change in the baseline configuration that doesn't need to be applied to the device and save it. Then either remove the change or change it back to its original value. It's important that a change has been made that needs to be processed!
    This causes Intune to re-evaluate the policy against the included/excluded list and automatically remove it from the device you don't want it applied to.

Check back in a few minutes and you can run the report again to check if the device still has the policy applied.
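
The conflict check that Intune does not do for you, as an added example (not code from this post or from Microsoft): it models two baseline profiles with their include/exclude groups and reports, per device, which settings get different values from more than one applied profile and which profiles list the device as both included and excluded. All profile, group, device and setting names are constructed, and counting a device that is in both lists as still targeted follows the post's "Include will win" statement.

```python
from collections import defaultdict

# Constructed sample data, not exported from a real tenant.
# Profile, group, device and setting names are all hypothetical.
PROFILES = {
    "Baseline-Prod": {
        "include": {"grp-all-windows"},
        "exclude": {"grp-pilot-exclude"},
        "settings": {"firewall_domain_profile": "Enabled", "require_encryption": "Yes"},
    },
    "Baseline-Test": {
        "include": {"grp-pilot"},
        "exclude": set(),
        "settings": {"firewall_domain_profile": "Disabled", "cloud_block_level": "High"},
    },
}
DEVICES = {
    "PC-001": {"grp-all-windows", "grp-pilot"},                       # targeted by both
    "PC-002": {"grp-all-windows", "grp-pilot", "grp-pilot-exclude"},  # excluded AND included
    "PC-003": {"grp-pilot", "grp-pilot-exclude"},                     # cleanly excluded from Prod
}

def targeting(profile, groups):
    """Classify how a device's group memberships hit a profile's assignment."""
    inc = bool(profile["include"] & groups)
    exc = bool(profile["exclude"] & groups)
    if inc and exc:
        return "both"
    return "included" if inc else "excluded" if exc else "none"

def audit(profiles, devices):
    """Per device: applied profiles, conflicting settings, include/exclude overlaps."""
    report = {}
    for dev, groups in devices.items():
        state = {name: targeting(p, groups) for name, p in profiles.items()}
        # Following the post's rule, a device in both lists still gets the profile.
        applied = sorted(n for n, s in state.items() if s in ("included", "both"))
        values = defaultdict(dict)
        for name in applied:
            for setting, value in profiles[name]["settings"].items():
                values[setting][name] = value
        report[dev] = {
            "applied": applied,
            "conflicts": {s: v for s, v in values.items() if len(set(v.values())) > 1},
            "include_and_exclude": sorted(n for n, s in state.items() if s == "both"),
        }
    return report

if __name__ == "__main__":
    for dev, result in audit(PROFILES, DEVICES).items():
        print(dev, result)
```

A non-empty `include_and_exclude` list is the case from step 1.1: the device has to leave the included group before the exclusion takes effect.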