Group Policy Vs Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy

In my previous post (Group policy Vs. Intune Policy), we discussed Intune policy wins over GP when there is a policy conflict. We covered the workflow with an example setting (IE Home Page).

This post will see how Windows 10 handles conflicting GP settings if Intune is un-enrollment from the Windows 10 computer.

Workflow – Group Policy Vs. Intune Policy – Intune Unenrollment

I try to explain the workflow of the policy after the removal of Intune management from a Windows 10 machine via Registry and Event Logs. Go through the post to get more details about workflow, testing, and research.

Patch My PC
  • I turned off the “Mdmwinovergp” registry. Now machine understands Intune MDM policy will not win over GP.
  • Computer\HKEY_LOCAL_MACHINE_Microsoft\PolicyManager\current\device\ControlPolicyConflict
Group Policy Vs Intune Policy
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 1

• Evaluates if there is any GP blocking record created.

  • Found existing blocking records. Re-evaluating
GP Block record Group Policy Vs Intune Policy
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 2

• Identified there is a block record for IE Home Page setting. In the previous post, we discussed how GP block records get created when there is policy conflict.

  • Found a blocking record reg key that needs to be deleted. Parent Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Child key: (ProvisionedHomePages).
GP Block record identifiedIntune policy conflict Group Policy Vs Intune Policy
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 3

• GP value restored from Registry backup. In the previous post, we have seen how Intune back up GP settings during policy conflict.

  • Attempted to restore GP Value. GP Location: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.).
Intune backup GP setting
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 4

• Blocking record deleted.

  • I am trying to delete the blocking record reg key. Key: (ProvisionedHomePages), Level: (0x3), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
Delete MDMWinGP Block records
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 5

• Block record registry key deleted.

  • Trying to delete the blocking record reg key. Key: (Software/Policies/Microsoft/MicrosoftEdge/Internet Settings), Level: (0x2), Result:(The operation completed successfully.). Failures are expected if this key has child nodes.
MDMWinGP delete registry
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 6

• After registry key deletion. There are no block records inside the registry hive “MDMWins.”

  • Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\MDMWins
no block record inside MDMWins
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 7

• Verifies whether all conflicting GP settings are unblocked. At last, Intune, the policy was removed, and all the GP settings were applied back… 😉

  • All GP locations that were to be unblocked have been unblocked successfully. Forced? : (0x1)
UnBlocked GP locations
Group Policy Vs. Intune Policy after Intune Unenrollment Microsoft Intune Policies AD Group Policy 8

Additional Tips

MDM CSP (Configuration Service Provider) is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. MDM is the primary channel of Management for AAD Joined Devices.

Microsoft provides options to configure Windows 10 settings via traditional management via WMI bridge and WMI provider.

Common Device Configurator – helps devices automatically resolve the conflicts and select the best-secured policy. Segregation of Intune policies depends on the complexity of implementation.

  • Out of box Intune console (easy)
  • Custom CSP > OMA – URI (medium)
  • ADMX files (complex)

References

  1. Microsoft. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.