Microsoft Intune – Control Policy Conflicts within a Hybrid environment. MDM Wins Over Group Policies.

Starting with Windows 10 1803 the Policy configuration service provider (CSP) includes a setting called ControlPolicyConflict/MDMWinsOverGP that decides what happens when a hybrid Azure AD joined device receives the same setting from both on-premises Group Policy and MDM. By default the Group Policy value takes precedence and the MDM value is ignored. With a custom device configuration profile that sets this OMA-URI to 1, the MDM policy is used instead and the conflicting Group Policy setting is blocked. Note that this only covers settings in the Policy CSP that have a Group Policy equivalent; Group Policy settings with no MDM counterpart still apply, so it does not switch your domain GPOs off.

Microsoft Intune has no GUI setting for this, so we create a custom profile with the OMA-URI (Open Mobile Alliance Uniform Resource Identifier) of the setting and deploy it to the Windows 10 devices from Intune.

The OMA-URI, data type and values for this setting are:

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Data type: Integer

  • 0 (default) – the Group Policy setting takes precedence over the MDM policy
  • 1 – the MDM policy is used and the conflicting Group Policy setting is blocked

The setting is device scope only, so the OMA-URI must start with ./Device, not ./User.

Read more about the policy here -> https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

To learn more about user and device scopes please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope

My Environment:

  • Windows 10 device, 1909 (20H1) Insider.
  • Oracle VirtualBox.
  • Microsoft Intune.

Prerequisites:

  • A Windows 10 device, 1803 or later, hybrid Azure AD joined and enrolled in Intune.
  • Microsoft Intune and a license (I use Microsoft 365 E5).
  • A user with access to the Intune portal, e.g. an Intune Service Administrator or Global Administrator.

This video shows how to create a custom profile with the OMA-URI setting that makes MDM win over Group Policy.

Or skip the video and follow the text-and-picture guide below.

Let's create the configuration profile and add the OMA-URI setting.

  • Create a profile: provide a Name, a Description (optional), Platform (Windows 10 and later) and Profile type (Custom), then click Add:
  • Add the setting: provide a Name, a Description (optional), the OMA-URI ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP, Data type Integer and Value 1, then click OK:
  • Now click Create:
  • Finally assign the profile to a group of devices or to All devices (I use All devices in this scenario), then click Save:
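The same profile can be created and assigned without the portal. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest) against the v1.0 deviceConfigurations endpoint, and the profile name and description are assumptions.

```powershell
# Added example (not part of the original post): create the custom OMA-URI profile
# for MDMWinsOverGP and assign it to All devices via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account
# has Intune configuration rights (e.g. Intune Service Administrator).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$omaUri = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'

# Custom Windows 10 profile with one integer OMA-URI setting (name/description assumed).
$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'MDM wins over GP'
    description   = 'Policy CSP: MDM policy takes precedence over conflicting Group Policy'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'MDMWinsOverGP'
            description   = '0 = GP wins (default), 1 = MDM wins'
            omaUri        = $omaUri
            value         = 1   # Integer 1: MDM policy wins, conflicting GP setting is blocked
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($customProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to All devices, as the post does. Target a device group instead by using
# '#microsoft.graph.groupAssignmentTarget' with a groupId for a staged rollout.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile $($created.id) and assigned it to All devices."
```

Assigning to All devices flips precedence for every enrolled hybrid device at once; in a production tenant, assign to a pilot device group first and widen the assignment after you have confirmed the effect on the settings that your GPOs and Intune both configure.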

Let's see the result on the device.
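Besides the screenshot, you can check on the device itself whether the value arrived through the MDM channel. The script below is an added example, not from the original post; it reads the PolicyManager registry keys where Windows mirrors Policy CSP values and the MDM diagnostics event log, and assumes it is run in an elevated PowerShell on the enrolled device.

```powershell
# Added example (not part of the original post): verify MDMWinsOverGP on the device.
# Run in an elevated PowerShell on the hybrid Azure AD joined, Intune-enrolled client.
$area   = 'ControlPolicyConflict'
$policy = 'MDMWinsOverGP'

# 1. Effective device-scope Policy CSP values are mirrored under PolicyManager\current\device\<Area>.
$currentKey = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
$value = (Get-ItemProperty -Path $currentKey -Name $policy -ErrorAction SilentlyContinue).$policy
switch ($value) {
    1       { "$policy = 1: MDM policy wins over conflicting Group Policy settings." }
    0       { "$policy = 0: Group Policy still wins (profile applied with the default value?)." }
    $null   { "$policy not present: the device has not synced the profile yet." }
    default { "$policy has unexpected value $value." }
}

# 2. Which enrollment delivered it: PolicyManager\providers\<EnrollmentId>\default\Device\<Area>.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $providerKey = Join-Path $_.PSPath "default\Device\$area"
        if (Test-Path $providerKey) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                Value        = (Get-ItemProperty -Path $providerKey -Name $policy -ErrorAction SilentlyContinue).$policy
            }
        }
    }

# 3. Recent MDM policy events that mention the setting (errors here usually mean a wrong
#    OMA-URI, e.g. ./User instead of ./Device, or a non-integer data type).
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $policy } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 4. If nothing is there yet, trigger the MDM sync (same as Settings > Accounts >
#    Access work or school > Info > Sync) and re-run this script afterwards.
Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
    Start-ScheduledTask
```

Seeing MDMWinsOverGP = 1 in step 1 only tells you that the precedence switch is on; to confirm it works for a specific setting, pick one that both a GPO and an Intune profile configure with different values and compare the key under PolicyManager\current\device for that policy area with what gpresult /h reports.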

Happy deployment.
