In my previous post (Group Policy vs Intune Policy), we discussed how Intune policy wins over GP when there is a policy conflict, and walked through the workflow with an example setting (the IE home page). In this post, we will see how Windows 10 handles the conflicting GP settings when the Windows 10 computer is unenrolled from Intune.
Workflow – Group Policy Vs Intune Policy – Intune Unenrollment
I will explain the policy workflow after Intune management is removed from a Windows 10 machine, using the registry and the event logs. Go through the post for more details about the workflow, testing, and research.
- MDMWinsOverGP is turned off. The machine now understands that Intune MDM policy will no longer win over GP.
- The MDM client evaluates whether any GP blocking records were created.
  Event log: Found existing blocking records. Re-evaluating
- It identifies a block record for the IE home page setting. In the previous post, we discussed how GP block records get created when there is a policy conflict.
  Event log: Found a blocking record reg key that needs to be deleted. Parent Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Child key: (ProvisionedHomePages).
- The GP value is restored from the registry backup. In the previous post, we saw how Intune backs up GP settings during a policy conflict.
  Event log: Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).
- The blocking record for the value is deleted.
  Event log: Trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
- The parent block record registry key is deleted.
  Event log: Trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
- After the registry key deletion, you can see there are no block records left inside the registry key "MDMWins".
- Finally, the client verifies that all conflicting GP settings have been unblocked. At this point the Intune policy is removed and all the GP settings are applied back. 😉
  Event log: All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
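To verify the state described above on a test device, here is an added PowerShell check; it is not part of the original post. It assumes the Policy CSP mirror path under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, locates the "MDMWins" key by name because the post does not give its full parent path, and reads the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log where the quoted messages originate; the registry paths and the log name are assumptions to confirm against your own build. Run it elevated.

```powershell
# Added example (not from the original post): inspect MDMWinsOverGP, blocking
# records and the GP value after Intune unenrollment. Run from an elevated shell.

# Policy CSP settings are mirrored in the registry under
# PolicyManager\current\device\<Area>\<Setting> (assumed path). The same setting
# is delivered by the OMA-URI
# ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP (int, 1 = on).
$cspKey  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmWins = (Get-ItemProperty -Path $cspKey -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
if ($null -eq $mdmWins) {
    Write-Host 'MDMWinsOverGP is not set (no MDM authority, or the policy has been removed)'
} else {
    Write-Host "MDMWinsOverGP = $mdmWins (1 = MDM policy wins over GP)"
}

# Blocking records: the post shows them under a key named "MDMWins" but does not
# give its parent, so search the likely roots by name instead of hard-coding (assumption).
$searchRoots = 'HKLM:\SOFTWARE\Microsoft\PolicyManager', 'HKLM:\SOFTWARE\Microsoft\Provisioning'
$mdmWinsKey  = $searchRoots |
    ForEach-Object { Get-ChildItem -Path $_ -Recurse -ErrorAction SilentlyContinue } |
    Where-Object { $_.PSChildName -eq 'MDMWins' } |
    Select-Object -First 1
if ($mdmWinsKey) {
    $records = @(Get-ChildItem -Path $mdmWinsKey.PSPath -Recurse -ErrorAction SilentlyContinue)
    Write-Host ("Blocking records under {0}: {1}" -f $mdmWinsKey.Name, $records.Count)
    $records | ForEach-Object { Write-Host ('  ' + $_.Name) }
} else {
    Write-Host 'No MDMWins key found: no GP settings are currently blocked'
}

# The setting used in the post: the GP-provisioned home page. If GP still applies
# to the device, this value should be back after the restore step.
$gpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings'
$gpName  = 'ProvisionedHomePages'
$gpValue = (Get-ItemProperty -Path $gpKey -Name $gpName -ErrorAction SilentlyContinue).$gpName
if ($null -ne $gpValue) {
    Write-Host "GP value present: $gpName = $gpValue"
} else {
    Write-Host "GP value $gpName not present (GP may not target this device, or gpupdate has not run)"
}

# Event trail written by the MDM client while it restores and unblocks GP locations.
# Log name is assumed; only the first line of each message is shown.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $logName -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'blocking record|restore GP Value|unblocked' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it once before unenrollment and once after: the first run should show MDMWinsOverGP = 1 and at least one record under MDMWins, the second should show the key gone, the GP value present, and the "unblocked successfully" event at the end of the trail. If the GP value is still missing after the key disappears, run gpupdate /force and check again before concluding the restore failed.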
A CSP (Configuration Service Provider) is an interface in the client operating system between the configuration settings specified in a provisioning document and the configuration settings on the device. MDM is the primary management channel for Azure AD joined devices.
Microsoft also provides options to configure Windows 10 settings through traditional management tooling via the MDM Bridge WMI provider. The Common Device Configurator helps the device resolve conflicts automatically and select the most secure policy. Intune policies can be segregated by implementation complexity:
- Out-of-box Intune console settings (easy)
- Custom CSP via OMA-URI (medium)
- ADMX-backed policies (complex)
Reference: Microsoft, Policy CSP – ControlPolicyConflict/MDMWinsOverGP. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp