In my previous post (Group Policy Vs. Intune Policy), we discussed how Intune policy wins over GP when there is a policy conflict. We covered the workflow with an example setting (IE Home Page).
This post will show how Windows 10 handles conflicting GP settings if Intune is unenrolled from the Windows 10 computer.
I try to explain the policy workflow after removing Intune management from a Windows 10 machine via Registry and Event Logs. Review the post for more details about workflow, testing, and research.
This post walks through what happens to Group Policy (GP) and Intune policy after Intune unenrollment. When a device is unenrolled from Microsoft Intune, the effect on a given setting depends on whether it was deployed through Intune or through Active Directory Group Policy.
Intune policies, which are applied through mobile device management (MDM), are typically removed from the device upon unenrollment.
Workflow – Group Policy Vs. Intune Policy – Intune Unenrollment
I turned off the “MDMWinsOverGP” registry value. The machine now understands that Intune MDM policy will no longer win over GP when the two conflict.
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict
Next, the client evaluates whether any GP blocking records have been created.
- Found existing blocking records. Re-evaluating
I identified a block record for the IE Home Page setting. In the previous post, we discussed how GP block records are created when there is a policy conflict.
- I found a blocking record reg key that needs to be deleted. The Parent Key is (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), and the Child key is (ProvisionedHomePages).
GP value restored from Registry backup. In the previous post, we saw how Intune backs up GP settings during policy conflicts.
- Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).
The child blocking record (ProvisionedHomePages) was deleted.
- I am trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
The parent blocking record key (Internet Settings) was deleted.
- I am trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
After the key deletion, there are no block records left under the “MDMWins” registry key.
- Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\MDMWins
Finally, the client verifies that all conflicting GP settings have been unblocked. At this point the Intune policy has been removed and all the GP settings are applied back.
- All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
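The following PowerShell script is an added example and is not part of the original post. It audits the same three places the post walks through after unenrollment: the MDMWinsOverGP switch under ControlPolicyConflict, any leftover blocking records under the MDMWins key, and the restored GP value for ProvisionedHomePages. It also pulls the matching unblock/restore events; the assumption (not stated in the post) is that the quoted event text comes from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log. The script is read-only and should be run from an elevated prompt.

```powershell
# Added example (not from the original post): read-only audit of the
# MDM-vs-GP conflict state on a Windows 10 device after Intune unenrollment.
# Run from an elevated PowerShell prompt.

$conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmWinsKey  = 'HKLM:\SOFTWARE\Microsoft\MDMWins'
$gpPath      = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings'
# Assumption: the events quoted in the post are written to this Admin log.
$mdmLog      = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 1. Is the "MDM wins over GP" switch still set? 1 = MDM wins; 0 or absent = GP wins.
$mdmWins = (Get-ItemProperty -Path $conflictKey -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
if ($null -eq $mdmWins) { 'MDMWinsOverGP: not present (GP wins)' } else { "MDMWinsOverGP: $mdmWins" }

# 2. List any blocking records that survived unenrollment. Expected: none.
if (Test-Path $mdmWinsKey) {
    $records = @(Get-ChildItem -Path $mdmWinsKey -Recurse)
    "Blocking records under MDMWins: $($records.Count)"
    foreach ($r in $records) { '  ' + ($r.PSPath -replace '^.*?::', '') }
} else {
    'MDMWins key not present: no blocking records'
}

# 3. Confirm the GP home page value was restored from the registry backup.
$gpValue = (Get-ItemProperty -Path $gpPath -Name ProvisionedHomePages -ErrorAction SilentlyContinue).ProvisionedHomePages
if ($null -eq $gpValue) { 'ProvisionedHomePages (GP): <not set>' } else { "ProvisionedHomePages (GP): $gpValue" }

# 4. Show the most recent unblock / restore events so the sequence can be verified.
Get-WinEvent -LogName $mdmLog -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'blocking record|restore GP Value|unblocked' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 2 still lists records after unenrollment, the "Failures are expected if this key has child nodes" note in the events above is the first thing to check: a parent key with leftover children will not be deleted, and the corresponding GP setting stays blocked until it is cleaned up.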
Additional Tips
MDM CSP (Configuration Service Provider) is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. It is the primary management channel for AAD Joined Devices.
Microsoft also lets you reach Windows 10 MDM settings from traditional management tools through the MDM WMI bridge provider.
The policy conflict handling described above lets a device resolve conflicts automatically and keep the more secure setting. How you separate Intune policies from GP depends on the complexity of the implementation.
Options for delivering a setting through Intune, from easiest to most complex:
- Out-of-box Intune console (easy)
- Custom CSP > OMA-URI (medium)
- ADMX files (complex)
Vimal has more than 10 years of experience in SCCM device management solutions. His primary focus is Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about technologies like SCCM, Windows 10, Microsoft Intune and MDT.