In this post I will be discussing on the topic on how to resolve Intune and group policy conflict. If you have an on-premises infrastructure with Active Directory, then definitely there will be group policies assigned to devices and users. Once you are moving towards Intune in hybrid model, there are highly chance that you will be creating policies on Intune in form of Configuration profile. MDMWinsOverGP is the setting which can be used to control the behaviour and to override Group policy settings.

Which policy will win? Group Policy or Intune policy?

What will happen when there is same setting which is applied through Intune and Group Policy?

Default scenario would Group Policy taking precedence over Intune policies. But as part of modern management, you might want to apply Intune policies to be applied in case of any conflict occurring. Microsoft is having a solution for that by introducing MDMWinsOverGP setting which is a Policy CSP and can be implemented using OMA-URI setting.

MDMWinsOverGP setting is the name of ControlPolicyConflict policy. If MDMWinsOverGP is not set / not configured, the value will be treated as 0 and Group policy will always win. This setting can be verified through Event Viewer but is hidden, by default you won’t be able to see this value.

Event Viewer MDMWinsOverGP
ResolveIntuneGroupPolicyConflict 03

How to see MDMWinsOverGP setting in Event Viewer

Open Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs \ Microsoft \Windows \DeviceManagement-Enterprise-Diagnostics-Provider. You can only see “Admin” and “Operational” view, there is nothing else visible.

How to check MDMWinsOverGP value in Event viewer

To see MDMWinsOverGP configuration, you have to enable verbose logging for event viewer.

How to enable analytics and Debug logs

ResolveIntuneGroupPolicyConflict 02

Under Event Viewer, click on View and select Show Analytics and Debug Logs. The moment you select the option, 3rd setting option will be visible under DeviceManagement-Enterprise-Diagnostics-Provider with the name Debug.

Right click Debug and select Enable Log.

From this time onwards, Verbose and Debug logging is enabled. Once next Sync happens you will start getting all info.

Click on Right pane, and click on Find (or Ctrl + F), search for MDMWinsOverGP.

ResolveIntuneGroupPolicyConflict 04

Here we see the entry showing:

MdmWinsOverGp Policy value is (0x0).
ResolveIntuneGroupPolicyConflict 05

This gives us the confirmation of MdmWinsOverGp policy set to 0. Hence, Group Policy will take the precedence in this scenario (which is the default scenario).

Understanding Policy CSP for MDMWinsOverGP

To specify the OMA-URI Settings, we need to understand Policy CSP, as per ControlPolicyConflict settings defined by Microsoft.

ControlPolicyConflict/MDMWinsOverGP is the policy name which can only be applied to “Device” (as a scope). It is not meant for user profile.

For Device Scope, we have to use the following standards as per Policy CSP to configure the policy:


If it is device wide configuration only, we can get rid of “Device/” and may use:



AreaName is ControlPolicyConflict
is MDMWinsOverGP

Hence, the output for OMA-URI setting could be:

  1. ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  2. ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Again, as it is device wide configuration, both settings are ok. I will go with second option by omitting “./Device

Create MDMWinsOverGP Configuration Profile

MDMWinsOverGP setting can be implemented in 2 ways, either using

  • Settings Catalog or
  • Custom OMA-URI Settings.

Option 1 : Create MDMWinsOverGP using Settings Catalog

Under MEM Admin Center, navigate to Devices > Windows > Configuration profiles, click on Create profile.

ResolveIntuneGroupPolicyConflict 06
Under Create a profile, select Platform “Windows 10 and later” and profile type as “Settings Catalog (preview)
ResolveIntuneGroupPolicyConflict 19

Under Basics page, provide name “ControlPolicyConflict” and click Next.

ResolveIntuneGroupPolicyConflict 20

Under Configuration Settings page, click on Add settings to open Settings picker. Search for Control policy conflict, you will be able to see it under category. Select it which will eventually highlight Settings name as MDM Wins Over GP setting, select the checkbox.

ResolveIntuneGroupPolicyConflict 21

This will return back to Configuration settings page, Under Control Policy Conflict setting, under MDM Wins Over GP select The MDM policy is used and the GP policy is blocked from drop down menu (there is only one option to select) and click Next.

ResolveIntuneGroupPolicyConflict 22

Deploy the configuration profile to a group.

Option 2 : Create MDMWinsOverGP using Custom OMA-URI Settings

Login to MEM Admin Center and navigate to Devices > Windows > Configuration profiles, click on Create profile.

ResolveIntuneGroupPolicyConflict 06

Under Create a profile, select Platform as “Windows 10 and later”, select Profile type as Templates and Template name as Custom, click on Create.

ResolveIntuneGroupPolicyConflict 07


ResolveIntuneGroupPolicyConflict 08

Name: ControlPolicyConflict
Description: Resolve conflict by making MDM policy to take precedence over Group Policy

Under Configuration settings \ OMA-URI Settings, click on Add and provide values:

Name: Resolve Conflict

Description: Make MDM policy wins over Group Policy

OMA-URI:  ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Data type: Integar

Value: 1

Click on Save.

ResolveIntuneGroupPolicyConflict 09

Our OMA-URI Settings is created, that’s it. This is all we want, click on Next.

ResolveIntuneGroupPolicyConflict 10

Click on several clicks and deploy it on devices under Assignments.

Verify all settings under Review + create and click on Create to deploy configuration profile.

ResolveIntuneGroupPolicyConflict 11

How to confirm if Intune policy is winning over Group Policy

Let’s verify if MDM policy has taken precedence of Group Policy. We can check this through multiple ways:

  1. Through Event Viewer
  2. Through Advanced Diagnostic Report
  3. Through Registry

Verify MDMWinsOverGP setting through Event Viewer

Navigate to Applications and Services Logs \ Microsoft \Windows \DeviceManagement-Enterprise-Diagnostics-Provider\Admin.

ResolveIntuneGroupPolicyConflict 12

Search for MDMWinsOverGP, we can see the configuration profile arrived and applied successfully:

MDM PolicyManager: Set policy int, Policy: (MDMWinsOverGP), Area: (ControlPolicyConflict), EnrollmentID requesting merge: (5131251F-4468-4AE4-BD58-496B92F20322), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).

Verify MDMWinsOverGP setting through Registry

All policies applied via Intune are stored under:


We can see ControlPolicyConflict, the policy which we created is displayed and having MDMWinsOverGP and MDMWinsOverGP_ProviderSet to 1

ResolveIntuneGroupPolicyConflict 13

Verify through Advanced Diagnostic Report

There are multiple entries over here to verify the option.

Navigate to Settings > Accounts > Access work or school and click on connected account’s Info button.

ResolveIntuneGroupPolicyConflict 14

We can see Areas managed by section, ControlPolicyConflict policy is applied.

Scroll down until you see Advanced Diagnostic Report, click on Create Report and select Export. This will save MDMDiagReport.html file under c:\Users\Public\Documents\MDMDiagnostics.

Advanced Diagnostic Report

This is a very good file to verify list of all policies applied via Intune (MDM authority) and will show all the settings applied. You can also see Group policies blocked as well.

Scroll down, under Managed Policies, you can see ControlPolicyConflict with MDMWinsOverGP setting showing default value as 0 and Current value as 1. A big indication of exact setting applied.

MDMWinsOverGP Current Value

Scroll down further until you see Blocked Group Policies, list of all Group policy settings will be visible here which are getting blocked. It will also show Policy CSP setting in form of MDM Uris Blocking GP which shows which Intune Policy CSP is blocking the Group Policy.

Blocked Group Policies Diagnostic Report

Final Verification

Finally, verify the setting manually, for example Google Chrome setting or Delivery Optimization setting which I have applied. I can see and confirm that Intune policy is correctly getting deployed and no longer Group policies are taking precedence.

Important Links

Policy CSP – ControlPolicyConflict – Windows Client Management | Microsoft Docs

Policy CSP – Windows Client Management | Microsoft Docs