In my previous post (Group policy Vs. Intune Policy), we discussed how Intune policy wins over GP when there is a policy conflict. We covered the workflow with an example setting (IE Home Page).
This post looks at how Windows 10 handles the conflicting GP settings when the Windows 10 computer is unenrolled from Intune.
Workflow – Group Policy Vs. Intune Policy – Intune Unenrollment
I explain the policy workflow after Intune management is removed from a Windows 10 machine, using the Registry and Event Logs. Go through the post for more details about the workflow, testing, and research.
- I turned off the “MDMWinsOverGP” registry value. Now the machine understands that Intune MDM policy will not win over GP.
• Evaluates whether any GP blocking records were created.
- Found existing blocking records. Re-evaluating
• Identifies that there is a block record for the IE Home Page setting. In the previous post, we discussed how GP block records get created when there is a policy conflict.
- Found a blocking record reg key that needs to be deleted. Parent Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Child key: (ProvisionedHomePages).
• GP value is restored from the Registry backup. In the previous post, we saw how Intune backs up GP settings during a policy conflict.
- Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).
• Blocking record deleted.
- Trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
• Block record registry key deleted.
- Trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
• After the registry key deletion, there are no block records inside the registry hive “MDMWins.”
• Verifies whether all conflicting GP settings are unblocked. Finally, the Intune policy was removed, and all the GP settings were applied back… 😉
- All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
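The event sequence above can be checked mechanically. The following Python script is an added example, not part of the original post or of any Microsoft tooling: it assumes the event messages have been exported to text with one message per line, and the function name `audit_unblock` and the sample data are constructed for illustration. It confirms that every blocking record found was restored and deleted, and that the final "unblocked successfully" event is present.

```python
import re

# Constructed sample: event messages in the format quoted in this post,
# assumed to be exported to text with one message per line.
SAMPLE_EVENTS = """\
Found existing blocking records. Re-evaluating
Found a blocking record reg key that needs to be deleted. Parent Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Child key: (ProvisionedHomePages).
Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).
Trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
Trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
"""

OK = "The operation completed successfully."
FOUND = re.compile(r"Found a blocking record reg key.*Parent Key: \((.*?)\), Child key: \((.*?)\)")
RESTORE = re.compile(r"Attempted to restore GP Value\. GP Location: \((.*?)\), GP ValueName: \((.*?)\), Result: ?\((.*?)\)\.")
DELETE = re.compile(r"delete the blocking record reg key\. Key: \((.*?)\), Level: \((.*?)\), Result: ?\((.*?)\)\.")
DONE = "have been unblocked successfully"

def audit_unblock(log_text):
    """Return a list of problems; an empty list means every blocked GP value was restored and unblocked."""
    found, restored, deleted, done = set(), set(), set(), False
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            found.add((m[1], m[2]))
        elif m := RESTORE.search(line):
            if m[3] == OK:
                restored.add((m[1], m[2]))
        elif m := DELETE.search(line):
            if m[3] == OK:
                deleted.add(m[1])
        elif DONE in line:
            done = True
    problems = []
    for parent, child in sorted(found):
        if (parent, child) not in restored:
            problems.append(f"GP value not restored: {parent} / {child}")
        # Assumption: only the child (value-name) record must be deleted; the event text
        # itself says parent-key deletes may fail while other child nodes remain.
        if child not in deleted:
            problems.append(f"blocking record not deleted: {parent} / {child}")
    if not done:
        problems.append("no final 'unblocked successfully' event")
    return problems

if __name__ == "__main__":
    print(audit_unblock(SAMPLE_EVENTS) or "all blocking records restored and removed")
```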
MDM CSP (Configuration Service Provider) is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. MDM is the primary channel of management for AAD Joined Devices.
Microsoft also provides options to configure Windows 10 settings from traditional management through the WMI bridge and WMI provider.
The Common Device Configurator helps devices automatically resolve the conflicts and select the best-secured policy. Intune policies can be segregated by the complexity of implementation:
- Out of box Intune console (easy)
- Custom CSP > OMA-URI (medium)
- ADMX files (complex)
- Microsoft. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp