Windows 10 MDM CSP Policies Override Group Policy Settings

Windows 10 modern device management relies on CSPs for security and other configuration. There are many discussions about whether CSPs can replace Group Policy (GP). By default, GP has higher precedence than CSP when a setting conflicts. But, starting with Windows 10 1803, this behaviour is controllable with the CSP setting “MDMWinsOverGP”. This new setting makes Microsoft's long-term road map for modern device management clear.

Prerequisite

Windows 10 1803 version 
Microsoft Intune
Active Directory Group Policy

Scenario – CSP Policies Override Group Policy Settings

In this post, we will go through the “MDMWinsOverGP” setting along with a conflicting setting. For the demo, I deployed different home page URLs using an Intune CSP and GP. Finally, we will see who wins.

OMA-URI: ./Vendor/MSFT/Policy/Config/Browser/Homepages
Value (home page example): CSP.com

For MDM CSP to override GP we need to enable the setting “MDMWinsOverGP”. For more details refer to the MS documentation.

Intune Configuration of “MDMWinsOverGP”

Login to Azure portal – Navigate via Intune blade – Create profile – Settings – Configure – Custom OMA-URI Settings – Windows 10 and later – Add OMA-URI settings (as shown below)

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

Validation of MDMWinsOverGP (CSP Policies Override Group Policy Settings)

Now we will observe the client side events using the Event Viewer in the following location:

  • Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
  • Value for “MdmWinsOverGp” is 0 before applying the CSP
MdmWinsOverGp Policy value is (0x0)

  • “MdmWinsOverGp” value changes from 0 to 1 after applying the CSP
MdmWinsOverGp Policy value is (0x1)

  • Policy is set for MdmWinsOverGp
MdmWinsOverGp Policy is being set.

Registry Analysis of CSP Policies Override Group Policy Settings

Registry key created to give MDM higher precedence than GP:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict
Default - Value Not Set
MDMWinsOverGP - 0x00000001 (1)
MDMWinsOverGP_ProviderSet - 0x00000001 (1)

  • If there is a GPO and MDM CSP conflict for a setting, the existing GP value is saved before the CSP takes precedence.
Attempted to save existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings),
 GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn't set.

  • The GP value is then deleted. Example: GP value “ProvisionedHomePages” deleted
Attempted to delete existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings),
 GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn't set.

  • A blocking record is created to ensure MDM wins over GP.
  • GP enforcement for the home page value is blocked.
Created a blocking record. Record: (Software\Microsoft\MDMWins\device\Software/Policies/Microsoft/MicrosoftEdge/Internet Settings\ProvisionedHomePages).
Uri: (./Device/Vendor/MSFT/Policy/Config/Browser/Homepages)

End result – CSP Policies Override Group Policy Settings

  • Finally, MDM CSP wins over GP.
  • As shown below, MDM CSP configures the “Home Page” value.
HomePages - CSP.com

  • Verify the MDM Diagnostics report (section “Blocked Group Policies”). This report gives detailed information on the list of GP values blocked by MDM CSP.
Blocked GP Entity - device\software/Policies/Microsoft/MicrosoftEdge/Internet Settings
Blocked GP value Name - ProvisionedHomePages
Blocked Value - http://GPO.com
MDM Uris Blocking GP - ./Device/Vendor/MSFT/Policy/Config/Browser/Homepages
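
The validation steps above (registry value, blocking records, diagnostic events) can be collected from a client in one go. The script below is an added example, not code from the original post; it assumes the PolicyManager and MDMWins keys live under HKLM:\SOFTWARE\Microsoft (the post shows the relative Software\Microsoft\MDMWins\... path) and that the Event Viewer folder corresponds to the provider's Admin channel.

```powershell
# Added example (not part of the original post): collect the client-side evidence described above.
# Assumptions: PolicyManager and MDMWins keys live under HKLM:\SOFTWARE\Microsoft, and the
# "DeviceManagement-Enterprise-Diagnostic-Provider" Event Viewer folder is the provider's Admin channel.
function Test-MdmWinsOverGp {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict',
        [string]$BlockRoot = 'HKLM:\SOFTWARE\Microsoft\MDMWins\device',
        [string]$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin',
        [int]$LookbackHours = 24
    )

    # 1. Registry: after the CSP applies, MDMWinsOverGP and MDMWinsOverGP_ProviderSet are both DWORD 1.
    $policy      = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $value       = $null
    $providerSet = $null
    if ($policy) {
        $value       = $policy.MDMWinsOverGP
        $providerSet = $policy.MDMWinsOverGP_ProviderSet
    }
    $enabled = ($value -eq 1)
    if (-not $enabled) { Write-Warning "MDMWinsOverGP is not 1 under $PolicyKey; GP still wins on conflict." }

    # 2. Blocking records: each record names the GP location and value that MDM is now blocking.
    $blocked = @()
    if (Test-Path -Path $BlockRoot) {
        $blocked = Get-ChildItem -Path $BlockRoot -Recurse | ForEach-Object {
            [pscustomobject]@{
                Record     = $_.Name -replace '^HKEY_LOCAL_MACHINE\\', ''
                ValueNames = ($_.GetValueNames() -join ', ')
            }
        }
    }

    # 3. Events: the "saved/deleted existing GP Value" and "Created a blocking record" messages.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'MdmWinsOverGp|existing GP Value|blocking record' } |
              Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        MdmWinsOverGp    = $value
        ProviderSet      = $providerSet
        Enabled          = $enabled
        BlockedGpRecords = $blocked
        RecentEvents     = $events
    }
}

# Run from an elevated session on the enrolled device; records and events stay empty until the CSP has applied.
Test-MdmWinsOverGp | Format-List
```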

References:

  1. Microsoft. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp
