Starting with Windows 10 1803, a policy configuration service provider (CSP) called “ControlPolicyConflict/MDMWinsOverGP” was introduced to handle policy conflicts when a Windows 10 device is hybrid Azure AD joined. By default, starting from Windows 10 1803, local group policies would be applied to a device. So now we are able to create a custom device configuration profile and add a Uniform Resource Identifier (OMA-URI) that blocks local on-prem domain policies and lets the MDM policies flow.
So what if Microsoft Intune doesn't have a GUI button for the setting? Make a custom Uniform Resource Identifier (OMA-URI) profile and deploy it to the Windows 10 device from Microsoft Intune.
The OMA-URI string and values for this CSP are:
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
- 0 (default)
- 1 – The MDM policy is used and the GP policy is blocked
Read more about the policy here -> https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp
To learn more about user and device scopes please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope
My Environment:
- Windows 10 Device 1909 (20H1) Insider.
- Oracle VirtualBox.
- Microsoft Intune.
Prerequisites:
- A Windows 10 Device 1803 or later
- Microsoft Intune and license (I use a Microsoft 365 E5).
- A user with access to the Intune portal, such as an Intune service administrator or Global admin.
This video shows how to create a custom profile with the specific OMA-URI setting that blocks GPs.
Or skip the video and follow the blog post below for a traditional text-and-picture guide.
Let's create the configuration profile and add the OMA-URI settings.
- Log in to the Intune portal -> https://devicemanagement.microsoft.com
- Browse to Device Configuration – Profiles and click Create profile:

- Provide Name, Description (optional), Platform and Profile type and then click Add:

- Provide a Name, Description (optional), OMA-URI, Data type, Value and click OK:

- Now click Create:

- The last thing we need to do is assign the profile to a group of devices or to All devices (I use All devices in this scenario), then click Save:

Let's see the result on the device.
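One way to confirm the result from an elevated PowerShell prompt on the device, as an added example that is not part of the original post. It assumes device-scope Policy CSP values are cached under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>`; the function name `Get-MdmWinsOverGpState` is hypothetical.

```powershell
# Added example (not from the original post): check whether the
# ControlPolicyConflict/MDMWinsOverGP policy has reached this device.
# Assumption: the Policy CSP caches device-scope values under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.

function Get-MdmWinsOverGpState {
    [CmdletBinding()]
    param(
        # Overridable so the function can be pointed at a test hive.
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    )

    # Windows 10 1803 is build 17134; earlier builds do not know this policy.
    $minBuild = 17134
    $osKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int](Get-ItemProperty -Path $osKey).CurrentBuildNumber

    # Read the cached value; a missing key or value means nothing was delivered.
    $key   = Join-Path $PolicyRoot 'ControlPolicyConflict'
    $value = $null
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $value = $prop.MDMWinsOverGP }
    }

    # Map the raw value to the meanings listed for this CSP above.
    if ($build -lt $minBuild) {
        $state = 'Build older than 1803: policy not supported'
    } elseif ($null -eq $value) {
        $state = 'Policy not delivered to this device'
    } elseif ($value -eq 1) {
        $state = 'MDM policy is used and the GP policy is blocked'
    } elseif ($value -eq 0) {
        $state = 'Default (0)'
    } else {
        $state = "Unexpected value: $value"
    }

    [pscustomobject]@{
        Build         = $build
        MDMWinsOverGP = $value
        State         = $state
    }
}

Get-MdmWinsOverGpState
```

If the state still shows the policy as not delivered, trigger a sync from Settings > Accounts > Access work or school and run the check again.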
Happy deployment.