In this post I will discuss how to resolve conflicts between Intune and Group Policy. If you have an on-premises infrastructure with Active Directory, there will certainly be Group Policies assigned to devices and users. Once you move towards Intune in a hybrid model, there is a high chance that you will also create policies in Intune in the form of Configuration profiles. MDMWinsOverGP is the setting that controls which side wins and lets MDM policy override Group Policy settings.

Which policy will win? Group Policy or Intune policy?

What will happen when there is same setting which is applied through Intune and Group Policy?

By default, Group Policy takes precedence over Intune policies. As part of modern management, however, you might want Intune policies to be applied whenever a conflict occurs. Microsoft has a solution for that: the MDMWinsOverGP setting, which is a Policy CSP setting and can be implemented using an OMA-URI.

MDMWinsOverGP is the policy name under the ControlPolicyConflict area. If MDMWinsOverGP is not set or not configured, the value is treated as 0 and Group Policy will always win. The current value can be verified through Event Viewer, but the log that records it is hidden, so by default you won’t be able to see it.


How to see MDMWinsOverGP setting in Event Viewer

Open Event Viewer (eventvwr.msc) and navigate to Applications and Services Logs \ Microsoft \ Windows \ DeviceManagement-Enterprise-Diagnostics-Provider. You can only see the “Admin” and “Operational” logs; nothing else is visible.

How to check MDMWinsOverGP value in Event viewer

To see the MDMWinsOverGP configuration, you have to enable the analytic and debug logs in Event Viewer.

How to enable Analytic and Debug logs


In Event Viewer, click on View and select Show Analytics and Debug Logs. As soon as you select the option, a third log named Debug becomes visible under DeviceManagement-Enterprise-Diagnostics-Provider.

Right click Debug and select Enable Log.

From this point onwards, verbose and debug logging is enabled. After the next MDM sync you will start getting the detailed entries.

Click in the right pane, click on Find (or press Ctrl + F), and search for MDMWinsOverGP.


Here we see the entry showing:

MdmWinsOverGp Policy value is (0x0).

This confirms that the MdmWinsOverGp policy is set to 0. Hence, Group Policy takes precedence in this scenario (the default).
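The same check can be scripted. The following is an added example (not from the original post) that enables the Debug channel of the DeviceManagement-Enterprise-Diagnostics-Provider log, triggers an MDM sync, and reads the last logged MdmWinsOverGp value. It assumes an elevated PowerShell session on an enrolled device; the scheduled task name used to trigger the sync is the usual Intune enrollment-client task, and the sleep interval is an assumption.

```powershell
# Added example, not part of the original post. Run elevated on an Intune-enrolled device.
$debugLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug'

# Same effect as View > Show Analytics and Debug Logs, then right-click Debug > Enable Log.
wevtutil sl $debugLog /e:true

# Trigger an MDM sync so the policy engine logs its current settings.
# Assumption: the enrollment client's sync task lives under \Microsoft\Windows\EnterpriseMgmt\<GUID>\
# and is named "Schedule #3 created by enrollment client" (the GUID differs per device).
Get-ScheduledTask |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and $_.TaskName -like 'Schedule #3*' } |
    Start-ScheduledTask
Start-Sleep -Seconds 60   # assumption: give the sync a minute to run and write the log

# Analytic and Debug logs can only be read in forward (oldest-first) order, hence -Oldest.
$events = @(Get-WinEvent -LogName $debugLog -Oldest -ErrorAction Stop |
    Where-Object { $_.Message -match 'MdmWinsOverGp' })

if ($events.Count -eq 0) {
    'No MdmWinsOverGp entries yet; wait for the next sync and run again.'
    return
}

$events | Select-Object -Last 5 -Property TimeCreated, Message | Format-List

# "(0x0)" means not configured, so Group Policy wins; "(0x1)" means MDM wins.
if ($events[-1].Message -match 'MdmWinsOverGp Policy value is \(0x([0-9A-Fa-f]+)\)') {
    "Current MdmWinsOverGp value: $($Matches[1])"
}
```

Disable the Debug log again (wevtutil sl $debugLog /e:false) once you have what you need; debug channels grow quickly and are not meant to stay on.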

Understanding Policy CSP for MDMWinsOverGP

To specify the OMA-URI setting, we need to understand the Policy CSP, specifically the ControlPolicyConflict settings defined by Microsoft.

ControlPolicyConflict/MDMWinsOverGP is the policy name, and it can only be applied with “Device” scope. It is not meant for user scope.

For Device Scope, we have to use the following standards as per Policy CSP to configure the policy:

./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName

Since it is a device-wide configuration only, we can drop the “Device/” segment and use:

./Vendor/MSFT/Policy/Config/AreaName/PolicyName

Here:

AreaName is ControlPolicyConflict
PolicyName is MDMWinsOverGP

Hence, the output for OMA-URI setting could be:

  1. ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
  2. ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Again, as this is a device-wide configuration, both settings are fine. I will go with the second option, omitting “Device/”.

Create MDMWinsOverGP Configuration Profile

The MDMWinsOverGP setting can be implemented in two ways, either using

  • Settings Catalog or
  • Custom OMA-URI Settings.

Option 1 : Create MDMWinsOverGP using Settings Catalog

Under MEM Admin Center, navigate to Devices > Windows > Configuration profiles, click on Create profile.

Under Create a profile, select Platform “Windows 10 and later” and Profile type “Settings Catalog (preview)”.

Under Basics page, provide name “ControlPolicyConflict” and click Next.


On the Configuration settings page, click on Add settings to open the Settings picker. Search for Control policy conflict; it appears under the category list. Selecting it highlights the setting named MDM Wins Over GP; select its checkbox.


This returns you to the Configuration settings page. Under Control Policy Conflict, for MDM Wins Over GP select “The MDM policy is used and the GP policy is blocked” from the drop-down menu (it is the only option) and click Next.


Deploy the configuration profile to a group.

Option 2 : Create MDMWinsOverGP using Custom OMA-URI Settings

Log in to the MEM Admin Center, navigate to Devices > Windows > Configuration profiles, and click on Create profile.


Under Create a profile, select Platform as “Windows 10 and later”, select Profile type as Templates and Template name as Custom, click on Create.

Specify:

Name: ControlPolicyConflict
Description: Resolve conflict by making MDM policy take precedence over Group Policy

Under Configuration settings \ OMA-URI Settings, click on Add and provide values:

Name: Resolve Conflict

Description: Make MDM policy win over Group Policy

OMA-URI: ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Data type: Integer

Value: 1

Click on Save.


Our OMA-URI setting is created; that’s all we need. Click on Next.

Click Next through the remaining pages and assign the profile to your devices under Assignments.

Verify all settings under Review + create and click on Create to deploy configuration profile.
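For environments where profiles are created from code rather than the portal, the same custom OMA-URI profile can be created and assigned through Microsoft Graph. The block below is an added example (not from the original post) using the Microsoft.Graph PowerShell SDK; the profile name, description and OMA-URI values are the ones used in Option 2 above, while the group ID is a placeholder you must replace with your own.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph.Authentication module
# and an account with permission to manage device configurations.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Custom (OMA-URI) Windows configuration profile carrying a single integer setting.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'ControlPolicyConflict'
    description   = 'Resolve conflict by making MDM policy take precedence over Group Policy'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Resolve Conflict'
            description   = 'Make MDM policy win over Group Policy'
            omaUri        = './Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'
            value         = 1
        }
    )
}

$profile = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $profileBody

"Created profile $($profile.displayName) with id $($profile.id)"

# Assign it to a device group. PLACEHOLDER: replace with the object ID of your target Azure AD group.
$targetGroupId = '00000000-0000-0000-0000-000000000000'

$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($profile.id)/assign" `
    -Body $assignBody

'Assignment submitted; devices will pick it up on their next sync.'
```

Scoping the assignment to a pilot group first is worth the extra step: once MDMWinsOverGP is 1, every Group Policy setting that has an MDM equivalent on those devices is blocked, not only the ones you have consciously recreated in Intune.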


How to confirm if Intune policy is winning over Group Policy

Let’s verify that MDM policy has taken precedence over Group Policy. We can check this in several ways:

  1. Through Event Viewer
  2. Through Advanced Diagnostic Report
  3. Through Registry

Verify MDMWinsOverGP setting through Event Viewer

Navigate to Applications and Services Logs \ Microsoft \ Windows \ DeviceManagement-Enterprise-Diagnostics-Provider \ Admin.

Search for MDMWinsOverGP; the entry below shows that the configuration profile arrived and was applied successfully:

MDM PolicyManager: Set policy int, Policy: (MDMWinsOverGP), Area: (ControlPolicyConflict), EnrollmentID requesting merge: (5131251F-4468-4AE4-BD58-496B92F20322), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).

Verify MDMWinsOverGP setting through Registry

All policies applied via Intune are stored under:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device

We can see ControlPolicyConflict, the policy area we created, listed there, with both MDMWinsOverGP and MDMWinsOverGP_ProviderSet set to 1.

Verify through Advanced Diagnostic Report

There are several places in this report where the setting can be verified.

Navigate to Settings > Accounts > Access work or school and click on connected account’s Info button.

Under the Areas managed by section, we can see that the ControlPolicyConflict policy is applied.

Scroll down until you see Advanced Diagnostic Report, click on Create Report and select Export. This saves the MDMDiagReport.html file under C:\Users\Public\Documents\MDMDiagnostics.

Advanced Diagnostic Report

This file is very useful for reviewing the list of all policies applied via Intune (the MDM authority); it shows every applied setting, and it also lists the Group Policies that are blocked.

Scroll down to Managed Policies, where ControlPolicyConflict appears with the MDMWinsOverGP setting showing a Default value of 0 and a Current value of 1. This is a clear indication that the setting has been applied.

MDMWinsOverGP Current Value

Scroll down further until you see Blocked Group Policies. All Group Policy settings that are being blocked are listed here. The report also shows the Policy CSP setting in the form of an MDM URIs Blocking GP column, which tells you which Intune Policy CSP setting is blocking each Group Policy.

Blocked Group Policies Diagnostic Report
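All three verification paths above (registry, Admin event log and the diagnostic report) can be checked from one script, which is handy when rolling the setting out to many devices. This is an added example, not from the original post; it assumes an elevated PowerShell session on an enrolled device and uses MdmDiagnosticsTool.exe, the command-line counterpart of the Settings app export, to generate the same MDMDiagReport.html.

```powershell
# Added example, not part of the original post. Run elevated on an Intune-enrolled device.

# 1. Registry: Policy CSP writes applied device-scope policies under PolicyManager\current\device.
$regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
[pscustomobject]@{
    MDMWinsOverGP             = $reg.MDMWinsOverGP
    MDMWinsOverGP_ProviderSet = $reg.MDMWinsOverGP_ProviderSet
} | Format-List

# 2. Admin event log: the "Set policy int" entry shows Int: (0x1) once the profile has applied.
$adminLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $adminLog -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MDMWinsOverGP' } |
    Select-Object -First 3 -Property TimeCreated, Id, Message |
    Format-List

# 3. Advanced Diagnostic Report, written to the same folder the Settings app uses.
$outDir = 'C:\Users\Public\Documents\MDMDiagnostics'
& "$env:windir\System32\MdmDiagnosticsTool.exe" -out $outDir | Out-Null
$report = Join-Path $outDir 'MDMDiagReport.html'

if (Test-Path $report) {
    # The report is HTML; strip the tags and look for the sections described in the post.
    $text = (Get-Content -Path $report -Raw) -replace '<[^>]+>', ' '
    foreach ($section in 'Managed Policies', 'Blocked Group Policies', 'MDMWinsOverGP') {
        "{0,-25} present in report: {1}" -f $section, ($text -match [regex]::Escape($section))
    }
}

# Overall verdict: both registry values must be 1 for MDM to win over Group Policy.
$applied = ($reg.MDMWinsOverGP -eq 1) -and ($reg.MDMWinsOverGP_ProviderSet -eq 1)
"MDM wins over GP applied: $applied"
```

The registry check is the cheapest signal to collect at scale (for example through a Proactive Remediation or an inventory script); the event log and the HTML report are what you reach for when a particular device still shows Group Policy winning and you need to see why.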

Final Verification

Finally, verify the effect manually on a setting that exists in both places, for example the Google Chrome or Delivery Optimization settings I have applied. I can see and confirm that the Intune policy is being deployed correctly and that Group Policy no longer takes precedence.

Important Links

Policy CSP – ControlPolicyConflict – Windows Client Management | Microsoft Docs

Policy CSP – Windows Client Management | Microsoft Docs