Microsoft Intune – Control Policy Conflicts within a Hybrid environment. MDM Wins Over Group Policys.

Starting with Windows 10 1803 a policy configuration service provider (CSP) called “ControlPolicyConflict/MDMWinsOverGP” was born by to handle policy conflicts when a Windows 10 device was hybrid Azure AD Joined. As default starting from Windows 10 1803 local group policies would be applied to a device. So now we are able to create a custom device configuration profile and add a Uniform Resource Identifier (OMA-URI) that blocks local om-prem domain polices and lets the MDM policies flow.

So if Microsoft Intune don´t have a GUI bottom for the setting? Make a custom Uniform Resource Identifier (OMA-URI) custom profile and deploy it to the Windows 10 device from Microsoft Intune.

The string and value setting for this CSP, are:

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

• 0 (default)
• 1 – The MDM policy is used and the GP policy is blocked

Read more about the policy here -> https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

To learn more about user and device scopes please visit: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policy-scope

My Environment:

• Windows 10 Device 1909 (20H1) Insider.
• Oracle Virtual box.
• Microsoft Intune.

Prerequisites:

• A Windows 10 Device 1803 or later
• Microsoft Intune and license (I use a Microsoft 365 E5).
• A user with access to Intune portal like Intune service administrator or Global admin.

This video shows how to create a custom profile with the specific OMA-URI setting that blocks GPs.

Or skip this video and follow the blog post down below for a traditional text and picture guideline.

Lets create the configuration profile and Add OMA-URI settings.

• Login to Intune portal -> https://devicemanagement.microsoft.com
• Browse to Device Configuration – Profiles and click Create profile:

• Provide Name, Description (optional), Platform and Profile type and then click Add:

• Provide a Name, Description (optional), OMA-URI, Data type, Value and click OK:

• Now click Create:

• The last thing we need to do is assign the profile to a group of devices or All devices (I use all devices in this scenario) click then Save:

Lets see the result on the device.

Happy deployment.