
Bulk Policy Deploy

Maintain a library of standardized policy templates for rapid deployment across tenants. Policy templates capture best practices for security, compliance, and device management configurations that can be deployed consistently.

Note: Templates are stored centrally and can be deployed to any managed tenant. Customize parameters during deployment while maintaining core configuration standards.

Template Categories

Device Compliance

Compliance policies that define device health requirements. Enforce encryption, OS versions, and security settings.

  • Windows compliance baseline
  • macOS compliance baseline
  • iOS/iPadOS requirements
  • Android Enterprise rules

Device Configuration

Configuration profiles for device settings, features, and restrictions across platforms.

  • Windows device restrictions
  • Wi-Fi and VPN profiles
  • Email configuration
  • Certificate deployment

Conditional Access

Conditional Access policy templates for identity protection and access control.

  • Require MFA for all users
  • Block legacy authentication
  • Require compliant devices
  • Location-based access

App Protection

MAM policies protecting corporate data in mobile apps on managed and unmanaged devices.

  • iOS app protection
  • Android app protection
  • Data transfer restrictions
  • PIN and encryption

Security Baselines

Microsoft security baseline configurations for Windows, Edge, and Microsoft 365 Apps.

  • Windows security baseline
  • Microsoft Edge baseline
  • Defender for Endpoint
  • Office security settings

Update Policies

Windows Update for Business configurations for quality and feature update management.

  • Quality update rings
  • Feature update policies
  • Driver update profiles
  • Expedited updates

Built-in Templates

| Template | Description | Tag |
|---|---|---|
| Zero Trust Starter Kit | Foundation CA policies: require MFA, block legacy auth, enforce device compliance, require app protection | Recommended |
| Windows Endpoint Security | BitLocker encryption, Windows Defender AV, firewall rules, attack surface reduction | Popular |
| Mobile Device Management | iOS/Android compliance policies and app protection policies | |
| Windows Update Management | Tiered update rings: Pilot (0 day), Standard (7 day), Broad (14 day deferral), plus feature update policy | |

Template Parameters

Templates support parameterization for deployment-time customization:

| Parameter | Type | Description | Default |
|---|---|---|---|
| minOsVersion | string | Minimum required OS version | 10.0.19045 |
| requireEncryption | boolean | Require device encryption | true |
| gracePeriodDays | number | Non-compliance grace period | 3 |
| targetGroups | array | Groups to assign policy | All Users |

Template Deployment Process

  1. Select Template — Choose template from library. View settings preview and version information.
  2. Configure Parameters — Set values for template parameters. Use defaults or customize for target tenant.
  3. Select Target Tenants — Choose one or more tenants for deployment. Parameter values can vary per tenant.
  4. Configure Assignments — Map to groups in target tenants. Select include and exclude groups.
  5. Deploy — Execute deployment. Policies are created in target tenants with tracking for rollback.

Template Versioning

Templates are versioned to track changes and ensure consistency:

| Version | Changes | Author | Date |
|---|---|---|---|
| v2.1 (current) | Added TPM requirement | admin@msp.com | Jan 15, 2026 |
| v2.0 | Updated minimum OS version | admin@msp.com | Dec 1, 2025 |
| v1.0 | Initial release | admin@msp.com | Sep 15, 2025 |

Creating Custom Templates

Export from Existing Policy

Export a working policy from a reference tenant as a template. The export process captures all settings and creates parameterized versions of tenant-specific values.

  1. Navigate to the source policy in a tenant
  2. Click Export as Template
  3. Configure parameter mappings
  4. Save to template library

Create from Scratch

Build templates manually using the JSON configuration editor. Define all settings and parameters directly.

    {
      "name": "Windows Compliance - Standard",
      "type": "deviceCompliancePolicy",
      "platform": "windows10",
      "settings": {
        "osMinimumVersion": "{{minOsVersion}}",
        "bitLockerEnabled": "{{requireEncryption}}",
        "secureBootEnabled": true,
        "codeIntegrityEnabled": true
      },
      "parameters": {
        "minOsVersion": { "type": "string", "default": "10.0.19045" },
        "requireEncryption": { "type": "boolean", "default": true }
      }
    }

Drift Detection

Monitor deployed policies for configuration drift from templates:

| Tenant | Status |
|---|---|
| Contoso Corp | In sync |
| Fabrikam Inc | 2 drifted settings |
| Northwind LLC | In sync |
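How the parameterized template from the JSON editor is resolved at deployment time, and how a tenant's deployed settings are compared against it for drift, as an added example that is not part of this page or the product's own code: a small Python renderer that substitutes {{name}} placeholders from typed parameter values (rejecting unknown parameters and wrong types) and a drift check that reports each differing setting. The template copy and the deployed tenant settings are constructed for the example.

```python
import re

# Constructed copy of the template on this page; types follow the parameter table.
TEMPLATE = {
    "name": "Windows Compliance - Standard",
    "type": "deviceCompliancePolicy",
    "platform": "windows10",
    "settings": {
        "osMinimumVersion": "{{minOsVersion}}",
        "bitLockerEnabled": "{{requireEncryption}}",
        "secureBootEnabled": True,
        "codeIntegrityEnabled": True,
    },
    "parameters": {
        "minOsVersion": {"type": "string", "default": "10.0.19045"},
        "requireEncryption": {"type": "boolean", "default": True},
    },
}

TYPES = {"string": str, "boolean": bool, "number": (int, float), "array": list}
PLACEHOLDER = re.compile(r"^\{\{(\w+)\}\}$")  # a setting value that is exactly {{name}}


def render(template, overrides=None):
    """Resolve {{name}} placeholders from typed parameters; reject bad overrides."""
    params = template["parameters"]
    values = {name: spec["default"] for name, spec in params.items()}
    for name, value in (overrides or {}).items():
        if name not in params:
            raise KeyError(f"unknown parameter: {name}")
        kind = params[name]["type"]
        # bool is a subclass of int, so keep True/False out of "number"
        if not isinstance(value, TYPES[kind]) or (kind == "number" and isinstance(value, bool)):
            raise TypeError(f"parameter {name!r} must be of type {kind}")
        values[name] = value

    def resolve(node):  # walk nested settings and swap placeholders for typed values
        if isinstance(node, dict):
            return {k: resolve(v) for k, v in node.items()}
        match = PLACEHOLDER.match(node) if isinstance(node, str) else None
        return values[match.group(1)] if match else node

    return resolve(template["settings"])


def drift(expected, deployed):
    """Map each drifted setting to (template value, tenant value)."""
    return {k: (v, deployed.get(k)) for k, v in expected.items() if deployed.get(k) != v}
```

Note that the boolean placeholder is written as the string "{{requireEncryption}}" in the template but deploys as a real boolean, which is why the type check matters: a tenant override of "yes" would otherwise ship as a string the compliance engine does not evaluate as true.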

Drift Resolution

  • Sync to template — Override tenant changes with template values
  • Update template — Incorporate tenant changes into template
  • Ignore drift — Mark as intentional deviation

Best Practices

  • Start with built-in templates — Built-in templates follow Microsoft best practices and are regularly updated
  • Use parameters for tenant-specific values — Avoid hardcoding values that differ between tenants (group IDs, domain names)
  • Version templates with meaningful notes — Document what changed in each version for audit and troubleshooting

Warning: Enable drift detection for critical policies so that unauthorized changes to security-critical settings in a tenant are detected rather than silently persisting.

API Reference

  • GET /api/automation/policy-templates — List all policy templates
  • POST /api/automation/policy-templates — Create new policy template
  • GET /api/automation/policy-templates/:id/versions — Get template version history
  • POST /api/automation/policy-templates/:id/deploy — Deploy template to tenants
  • GET /api/automation/policy-templates/:id/drift — Check for configuration drift