Let’s check MDM wins over GPO options available as Intune policy. The Group Policy Vs. Intune Policy Who wins? Windows modern device management relies on CSP for security & other configurations.
Many discussions about whether CSP can replace Group Policy (GPO). By default, GPO has higher precedence over CSP when there is a setting conflict.
But, starting with Windows 10 1803, this behavior is controllable with CSP “MDMWinsOverGP.” With this new Windows MDM CSP setting, we are clear about Microsoft’s long-term road map for modern device management. Group Policy Vs. Intune Policy, who wins?
Let’s also find more details of Migrating Group Policies GPOs to Intune Settings Catalog policy. You don’t have to migrate every GPO to MDM. If needed, you have to review each GPO and then migrate it to MDM.
Prerequisite MDM wins over GPO
Let’s check what the prerequisites are for MDM wins over GPO settings. This setting doesn’t work for any custom GPO out of ADMX like Edge etc.
NOTE! – This MDM wins over Group Policy CSP doesn’t work for Windows Update for Business policies as well. Hence when you use WUfB, ensure all the group policies are removed related to Windows Update.
- Windows 10 1803 version
- Microsoft Intune
- Active Directory Group Policy
MDM wins over GPO – MDM CSP Details
In this post, we will go through the “MDMWinsOverGP” setting and the conflicting settings. I deployed different Home page URLs for the demo using Intune CSP and GPO. Finally, we will see who wins.
- OMA-URI: ./Vendor/MSFT/Policy/Config/Browser/Homepages
- Value (home page example): CSP.com
For MDM CSP to override GP, we need to enable the ” MDMWinsOverGP ” setting. The following are the values for this MDM Wins Over GPO policy.
- 0 – (default) – GPO Wins over MDM?
- 1 – The MDM policy is used, and the GP policy is blocked.
Option #1 (New Method) – Intune Settings Catalog | Create MDM Wins Over GPO Policy
As explained in the following blog post, you can now create Intune Settings Catalog policy to deploy MDM wins over GPO policy. More details -> Create Intune Settings Catalog Policy.
- Sign in to theMicrosoft Endpoint Manager admin center (Endpoint.Microsoft.coom)
- SelectDevices->Windows -> Configuration profiles>Create profile.
- In Create Profile, You can selectPlatform:Windows 10 and laterandProfile:SelectSettings catalog (preview).
- Click onCreatebutton.
InConfiguration Settings, selectAdd settings and use the following search keyword “MDM Wins Over GP.” You need to choose the MDM Wins Over GP policy from the list.
Browse by category – “Control Policy Conflict.”
Category and Setting name = MDM Wins Over GP
Select the following option from the drop-down menu ->The MDM policy is used, and the GP policy is blocked.
Option #2 (Old) – Intune Configuration of “MDMWinsOverGP” – MDM Wins Over GP
Let’s follow the steps below to MDM Wins Over GPO.
- Login toMEM Admin Center Portal.
- Navigate Devices – Create a profile – Settings – Configure.
- Custom OMA-URI Settings – Windows 10 and later –Add OMA-URI settings (as shown below)
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Validation ofMDMWinsOverGP (CSP Policies Override Group Policy Settings)
Now we will observe the client-side events usingthe Event Viewer in the following location:
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
- The value for “MdmWinsOverGp” is 0 before applying the CSP.
MdmWinsOverGp Policy value is (0x0)
“MdmWinsOverGp” value changes from 0 to 1 after applying the CSP
MdmWinsOverGp Policy value is (0x1)
The policy is set forMdmWinsOverGp
MdmWinsOverGp Policy is being set.
Group Policy Vs. Intune Policy who will win, and Microsoft gives us an option to select who will win.
Registry Analysis ofCSP Policies Override Group Policy Settings
The registry was created to set MDM as higher precedence than GP.
Computer\HKEY_LOCAL_MACHINE_Microsoft\PolicyManager\current\device\ControlPolicyConflict
- Default – Value Not Set
- MDMWinsOverGP – 0x000000001 (1)
- MDMWinsOverGP_ProviderSet – 0x000000001 (1)
If there is a GPO and MDM CSP conflict for a setting. Then, the current GP value saved before CSP takes precedence.
Attempted to save existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn’t set.
GP value gets deleted. Example: GP value “ProvisionedHomePages” deleted
Attempted to delete existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn’t set.
- Block record created to ensure MDM Wins over GP.
- GP enforcement for the home page value is blocked.
Created a blocking record. Record: (Software\Microsoft\MDMWins\device\Software/Policies/Microsoft/MicrosoftEdge/Internet Settings\ProvisionedHomePages).
Uri: (./Device/Vendor/MSFT/Policy/Config/Browser/Homepages
Result –Intune Policies Override Group Policy Settings – The winner is hereGroup Policy Vs. Intune Policy
- Finally, MDM CSP wins over GP.
- As shown below, MDM CSP configures the “Home Page” value.
HomePages – CSP.com
Verify the MDM Diagnostics report ( Section “Blocked Group Policies” ). This report gives detailed information on the list of GP values blocked by MDM CSP.
Blocked GP Entity – device\software/Policies/Microsoft/MicrosoftEdge/Internet Settings
Blocked GP value Name – ProvisionedHomePages
Blocked Value – http://GPO.com
MDM Uris Blocking GP – ./Device/Vendor/MSFT/Policy/Config/Browser/Homepages
Author
Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.
