Group Policy Vs Intune Policy after Intune Unenrollment

In my previous post (Group Policy Vs Intune Policy), we discussed that Intune policy wins over GP when there is a policy conflict. We covered the workflow with an example setting (the IE Home Page). In this post, we will see how Windows 10 handles the conflicting GP settings once Intune is unenrolled from the Windows 10 computer.

Workflow – Group Policy Vs Intune Policy – Intune Unenrollment

I will try to explain the policy workflow after the removal of Intune management from a Windows 10 machine, using the registry and the event logs. Go through the post to get more details about the workflow, testing, and research.

• Turned off the “MDMWinsOverGP” registry value. Now the machine understands that Intune MDM policy will no longer win over GP.

• Evaluates whether any GP blocking record has been created.

Found existing blocking records. Re-evaluating

• Identified that there is a block record for the IE Home Page setting. In the previous post, we discussed how GP block records get created when there is a policy conflict.

Found a blocking record reg key that needs to be deleted. Parent Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Child key: (ProvisionedHomePages).

• GP value restored from the registry backup. In the previous post, we saw how Intune backs up GP settings during a policy conflict.

Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).

• Blocking record deleted.

Trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.

• Block record registry key deleted.

Trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.

• After the registry key deletion, you can see there are no block records left inside the “MDMWins” registry hive.


• Verifies whether all conflicting GP settings have been unblocked. At last the Intune policy is removed and all the GP settings are applied back… 😉

All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
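To verify the rollback from the event text rather than from screenshots, here is an added Python example (not from the original post) that reconciles the “blocking record” events against the “Attempted to restore GP Value” results and lists any GP value that was blocked but not restored successfully. The sample events are constructed from the messages quoted above plus one made-up failure whose registry path and value name are placeholders.

```python
import re

# Constructed sample: the first three and the last entry are the messages shown
# in the post; the two "Example" entries are a made-up failure case (placeholder
# key and value name) to show what an incomplete rollback looks like.
SAMPLE_EVENTS = [
    "Found existing blocking records. Re-evaluating",
    "Found a blocking record reg key that needs to be deleted. Parent Key: "
    "(Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), "
    "Child key: (ProvisionedHomePages).",
    "Attempted to restore GP Value. GP Location: "
    "(Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), "
    "GP ValueName: (ProvisionedHomePages), "
    "Result: (The operation completed successfully.).",
    "Found a blocking record reg key that needs to be deleted. Parent Key: "
    "(Software/Policies/Example/Placeholder), Child key: (ExampleValue).",
    "Attempted to restore GP Value. GP Location: "
    "(Software/Policies/Example/Placeholder), GP ValueName: (ExampleValue), "
    "Result: (Access is denied.).",
    "All GP locations that were to be unblocked have been unblocked "
    "successfully. Forced? : (0x1)",
]

# Patterns built from the two message formats quoted in the post.
BLOCK_RE = re.compile(
    r"Parent Key: \((?P<key>[^)]*)\), Child key: \((?P<value>[^)]*)\)")
RESTORE_RE = re.compile(
    r"GP Location: \((?P<key>[^)]*)\), GP ValueName: \((?P<value>[^)]*)\), "
    r"Result: \((?P<result>.*)\)\.$")
SUCCESS = "The operation completed successfully"


def reconcile(events):
    """Return (blocked, restored, not_restored) as sets of (key, value).

    The check is done per GP value rather than trusting the final summary
    event alone, so a single failed restore still surfaces."""
    blocked, restored = set(), set()
    for line in events:
        m = BLOCK_RE.search(line)
        if m:
            blocked.add((m["key"], m["value"]))
            continue
        m = RESTORE_RE.search(line)
        if m and m["result"].startswith(SUCCESS):
            restored.add((m["key"], m["value"]))
    return blocked, restored, blocked - restored


if __name__ == "__main__":
    for key, value in sorted(reconcile(SAMPLE_EVENTS)[2]):
        print(f"NOT RESTORED: {key}\\{value}")
```

On a real device the same message strings can be collected with Get-WinEvent from the Device Management Enterprise Diagnostics Provider log (assumed log name) and passed to reconcile().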

Additional Tips

An MDM CSP (Configuration Service Provider) is an interface in the client operating system between the configuration settings specified in a provisioning document and the configuration settings on the device. MDM is the primary management channel for AAD-joined devices.

Microsoft also provides options to configure Windows 10 CSP settings through traditional management tooling via the WMI bridge and WMI provider. The Common Device Configurator helps devices resolve conflicts automatically and select the most secure policy. Intune policies can be grouped by the complexity of their implementation:

  • Out of box Intune console (easy)
  • Custom CSP > OMA – URI (medium)
  • ADMX files (complex)

