Windows 10 modern device management relies on CSPs (configuration service providers) for security and other configuration settings. There is a lot of discussion about whether CSPs can replace Group Policy (GP). By default, GP has higher precedence than a CSP when a setting conflicts. But, starting with Windows 10 1803, this behavior is controllable with the CSP policy "MDMWinsOverGP" (ControlPolicyConflict/MDMWinsOverGP in the Policy CSP). This new setting makes Microsoft's long-term road map for modern device management clear. Group Policy vs Intune policy: who wins?
Scenario – Group Policy Vs Intune Policy Conflicts
In this post, we will go through the "MDMWinsOverGP" setting along with a conflicting setting. For the demo, I deployed different home page URLs using an Intune CSP and GP. Finally, we will see who wins.
OMA-URI: ./Vendor/MSFT/Policy/Config/Browser/Homepages
Value (home page example): CSP.com
For the MDM CSP to override GP we need to enable the setting "MDMWinsOverGP" (value 1; the default value 0 keeps GP as the winner). Note that, per the Microsoft documentation linked at the end of this post, the policy is a device-scope setting (./Device/...) and it only applies to settings in the Policy CSP that have a Group Policy equivalent; settings delivered through other CSPs are not affected. For more details refer to the MS documentation.
Intune Configuration of “MDMWinsOverGP” – Decides the Winner Group Policy Vs Intune Policy
Sign in to the Azure portal – navigate to the Intune blade – Create profile – Platform: Windows 10 and later – Profile type: Custom – Settings – Configure – Custom OMA-URI Settings – Add the following OMA-URI setting (the values come from the Microsoft documentation linked at the end):
Name: MDMWinsOverGP
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1
Validation of MDMWinsOverGP (CSP Policies Override Group Policy Settings)
Now we will observe the client-side events using Event Viewer in the following location (the "Admin" channel of the DeviceManagement provider):
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
- The value of "MdmWinsOverGp" is 0 (GP wins) before the CSP is applied:
MdmWinsOverGp Policy value is (0x0)
- The "MdmWinsOverGp" value changes from 0 to 1 (MDM wins) after the CSP is applied:
MdmWinsOverGp Policy value is (0x1)
- The policy is then set for MdmWinsOverGp:
MdmWinsOverGp Policy is being set.
Group Policy vs Intune policy: who will win? Microsoft now gives us the option to select the winner.
Registry Analysis of CSP Policies Override Group Policy Settings
Registry values created (under the Policy CSP's PolicyManager key, HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict) when MDM is given higher precedence than GP:
(Default) - (value not set)
MDMWinsOverGP - 0x00000001 (1)
MDMWinsOverGP_ProviderSet - 0x00000001 (1)
- If there is a conflict between a GPO and an MDM CSP for a setting, the existing GP value is saved before the CSP takes precedence:
Attempted to save existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn't set.
- The GP value is then deleted. Example: the GP value "ProvisionedHomePages" is deleted:
Attempted to delete existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn't set.
- A blocking record is created (under HKLM\Software\Microsoft\MDMWins) to ensure MDM wins over GP, so GP enforcement of the home page value is blocked even after the next Group Policy refresh:
Created a blocking record. Record: (Software\Microsoft\MDMWins\device\Software/Policies/Microsoft/MicrosoftEdge/Internet Settings\ProvisionedHomePages). Uri: (./Device/Vendor/MSFT/Policy/Config/Browser/Homepages)
End result – Intune Policies Override Group Policy Settings – Group Policy Vs Intune Policy, the Winner
- Finally, the MDM CSP wins over GP.
- As shown below, the MDM CSP configures the "Home Page" value:
HomePages - CSP.com
- Verify the MDM diagnostics report (section "Blocked Group Policies"). This report gives detailed information on the list of GP values blocked by the MDM CSP:
Blocked GP Entity - device\software/Policies/Microsoft/MicrosoftEdge/Internet Settings
Blocked GP value Name - ProvisionedHomePages
Blocked Value - http://GPO.com
MDM Uris Blocking GP - ./Device/Vendor/MSFT/Policy/Config/Browser/Homepages
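The three validation steps above (event log, registry, diagnostics report) can be checked from an elevated PowerShell session. The script below is an added example written for this post, not code from the original author or from Microsoft. It assumes the PolicyManager key path for ControlPolicyConflict follows the usual Policy CSP layout (HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>), enumerates whatever sits under HKLM\SOFTWARE\Microsoft\MDMWins\device rather than assuming its subkey layout, and uses the built-in MdmDiagnosticsTool.exe to produce the HTML report. The sample event messages are constructed from the event text quoted in this post so the parser can be exercised offline.

```powershell
# Added example (not from the original post): read-only validation of
# MDMWinsOverGP on a Windows 10 1803+ client. Run from an elevated session.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'  # assumed Policy CSP layout
$BlockKey  = 'HKLM:\SOFTWARE\Microsoft\MDMWins\device'
$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Constructed sample messages, copied from the events quoted in the post,
# for running the parser on a machine that has no MDM conflict events.
$SampleEvents = @(
    'MdmWinsOverGp Policy value is (0x0)',
    'MdmWinsOverGp Policy value is (0x1)',
    'Attempted to save existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn''t set.',
    'Attempted to delete existing GP Value. GP Location: (Software\Policies\Microsoft\MicrosoftEdge\Internet Settings), GP ValueName: (ProvisionedHomePages), Result: (The operation completed successfully.). Failures are expected if this location isn''t set.',
    'Created a blocking record. Record: (Software\Microsoft\MDMWins\device\Software/Policies/Microsoft/MicrosoftEdge/Internet Settings\ProvisionedHomePages). Uri: (./Device/Vendor/MSFT/Policy/Config/Browser/Homepages)'
)

function Get-MdmWinsOverGpState {
    # 1 = MDM wins; 0 or absent = Group Policy wins (the default).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MDMWinsOverGP             = [int]$p.MDMWinsOverGP
        MDMWinsOverGP_ProviderSet = [int]$p.MDMWinsOverGP_ProviderSet
        MdmWins                   = ([int]$p.MDMWinsOverGP -eq 1)
    }
}

function ConvertFrom-MdmConflictEvent {
    # Turns the provider's free-text messages into objects.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        switch -Regex ($Message) {
            '^MdmWinsOverGp Policy value is \((0x[0-9A-Fa-f]+)\)' {
                [pscustomobject]@{ Action = 'PolicyValue'; Value = [int]$Matches[1]
                                   GpLocation = $null; GpValueName = $null; Uri = $null }
            }
            '^Attempted to (save|delete) existing GP Value\. GP Location: \((.+?)\), GP ValueName: \((.+?)\), Result: \((.+?)\)\.' {
                [pscustomobject]@{ Action = "$($Matches[1])GpValue"; Value = $Matches[4]
                                   GpLocation = $Matches[2]; GpValueName = $Matches[3]; Uri = $null }
            }
            '^Created a blocking record\. Record: \((.+?)\)\. Uri: \((.+?)\)' {
                [pscustomobject]@{ Action = 'BlockGp'; Value = $Matches[1]
                                   GpLocation = $null; GpValueName = $null; Uri = $Matches[2] }
            }
        }
    }
}

function Get-MdmConflictEvents {
    # Reads the Admin channel shown in the post; -Sample replays the constructed messages.
    param([switch]$Sample, [int]$MaxEvents = 500)
    $messages = if ($Sample) { $SampleEvents } else {
        Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object { ($_.Message -split "`r?`n")[0] }
    }
    $messages | ConvertFrom-MdmConflictEvent
}

function Get-MdmBlockingRecords {
    # Every key under MDMWins\device is a GP value the client blocks in favour of an MDM URI.
    if (-not (Test-Path $BlockKey)) { return }
    Get-ChildItem -Path $BlockKey -Recurse | ForEach-Object {
        $key = $_
        [pscustomobject]@{
            Record = $key.Name -replace '^HKEY_LOCAL_MACHINE\\', ''
            Values = ($key.GetValueNames() | ForEach-Object { '{0}={1}' -f $_, $key.GetValue($_) }) -join '; '
        }
    }
}

function New-MdmDiagReport {
    # MdmDiagnosticsTool.exe writes MDMDiagReport.html into -out; check its
    # "Blocked Group Policies" section for the blocked GP entries.
    param([string]$OutDir = (Join-Path $env:TEMP 'MDMDiag'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $OutDir
    Join-Path $OutDir 'MDMDiagReport.html'
}

# Usage
Get-MdmWinsOverGpState
Get-MdmConflictEvents -Sample | Format-Table Action, GpValueName, Uri, Value -AutoSize
Get-MdmBlockingRecords | Format-Table -AutoSize
# New-MdmDiagReport   # generates the HTML report on a real client
```

Drop the -Sample switch to parse the live event log; on a client where MDMWinsOverGP has taken effect, Get-MdmWinsOverGpState should report MdmWins = True and Get-MdmBlockingRecords should list one record per GP value displaced by a CSP setting.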
- Microsoft, "Policy CSP - ControlPolicyConflict (MDMWinsOverGP)": https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp