Microsoft Intune

How To Make Intune MDM Policy Win over GPO

How to make Intune MDM policy win over GPO. MDM policy is preferred over GPO’s for the simple reason that GPO require line of sight to a domain controller to apply, while MDM only requires an Internet connection. MDM policy with Intune is also much more reliable, and provides significantly better reporting over GPO.

The big downside used to be that GPO would always win if there was a conflict between a policy from any other source. That is no longer the case, in Windows 10 1803 (and newer builds), Microsoft implemented a custom policy in Intune that we can define to ensure that MDM policy win over GPO whenever there are conflicts. This makes the goal of moving away from GPO to MDM much easier as we no longer have to worry about any potential conflicts from some undocumented and long ago forgotten group policy.

OMA-URI: ControlPolicyConflict MDM Wins Over GPO

We need to define the following custom policy to make Intune policy win over group policy.

OMA-URI/Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data typeInteger
Value1

Supported systems

This CSP is supported on the following editions of Windows 10, starting from Windows 10 1803 and newer.

Windows EditionSupported
Windows 10 HomeNo
Windows 10 ProfessionalYes
Windows 10 BusinessYes
Windows 10 EnterpriseYes
Windows 10 EducationYes

How To Make Intune MDM Policy Win over GPO

Go to Devices -> Configuration Profile. Click Create profile. Select Windows 10 and later as platform, and Custom as profile.

Make Intune MDM Policy Win over GPO

Type the name of your policy. I went with Windows 10 – MDM Policy Wins over GPO.

Make Intune MDM Policy Win over GPO

Type a suitable name for the OMA-URI setting and the OMA-URI, Data type and value shown in the image below (and specified earlier in this post).

Make Intune MDM Policy Win over GPO

That is all there is to it. Assign the policy to a group containing your users or devices where you want Intune MDM policy to win over GPO.

Note: If a device with this policy unenrolls from Intune, this policy is no longer in effect. If the device is still part of a domain, any group policy where Intune previously won will once again apply. Also note that only Windows 10 1909 and newer builds supports switching back from this policy.

Reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

I hope you found my guide on “how to make Intune MDM policy win over GPO” useful. Let me know in the comments if you have any questions, thoughts or gotchas.

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certification, I also have an ITIL v3 Foundation certification.This is my private blog and do not represent my employer. I use this to share information that I find useful. Sharing is caring.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.