How to make Intune MDM policy win over GPO.
MDM policy is preferred over GPO for the simple reason that GPOs require line of sight to a domain controller to apply, while MDM only requires an Internet connection. MDM policy with Intune is also much more reliable, and provides significantly better reporting than GPO.
The big downside used to be that GPO would always win if there was a conflict with a policy from any other source. That is no longer the case. In Windows 10 1803 (and newer builds), Microsoft implemented a custom policy in Intune that we can define to ensure that MDM policy wins over GPO whenever there are conflicts. This makes the goal of moving away from GPO to MDM much easier, as we no longer have to worry about potential conflicts from some undocumented and long-forgotten group policy.
OMA-URI: ControlPolicyConflict MDM Wins Over GPO
We need to define the following custom policy to make Intune policy win over group policy.
This CSP is supported on the following editions of Windows 10, starting with Windows 10 1803.
|Edition|Supported|
|---|---|
|Windows 10 Home|No|
|Windows 10 Professional|Yes|
|Windows 10 Business|Yes|
|Windows 10 Enterprise|Yes|
|Windows 10 Education|Yes|
How To Make Intune MDM Policy Win over GPO
Go to Devices -> Configuration Profile. Click Create profile. Select Windows 10 and later as platform, and Custom as profile.
Type the name of your policy. I went with Windows 10 – MDM Policy Wins over GPO.
Type a suitable name for the OMA-URI setting and the OMA-URI, Data type and value shown in the image below (and specified earlier in this post).
That is all there is to it. Assign the policy to a group containing your users or devices where you want Intune MDM policy to win over GPO.
Note: If a device with this policy unenrolls from Intune, this policy is no longer in effect. If the device is still part of a domain, any group policy where Intune previously won will once again apply. Also note that only Windows 10 1909 and newer builds support switching back from this policy.
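To confirm on a device that the policy actually landed and that the build and edition requirements above are met, a local check like the following can be run after the next sync. It is an added example, not part of the original post. The `Test-MdmWinsOverGp` function name is hypothetical, and the PolicyManager registry location, the `Core*` edition match for Home, and the OMA-URI in the comment are assumptions taken from how Windows exposes the Policy CSP, not from this page.

```powershell
# Added example: verify the MDMWinsOverGP policy state on the local device.
# Setting being verified (Policy CSP, assumed, not restated on this page):
#   ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP  (Integer, 1)
# Assumption: applied MDM policy values are stored under PolicyManager\current\device.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$OsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Test-MdmWinsOverGp {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][string]$EditionId,
        [Nullable[int]]$PolicyValue      # $null when the registry value is absent
    )
    $issues = [System.Collections.Generic.List[string]]::new()
    if ($Build -lt 17134) {              # 17134 = Windows 10 1803
        $issues.Add("Build $Build is older than 1803 (17134); the CSP is not supported.")
    }
    if ($EditionId -like 'Core*') {      # assumption: Home editions report Core, CoreN, ...
        $issues.Add("Edition '$EditionId' is Windows 10 Home; the CSP is not supported.")
    }
    if ($null -eq $PolicyValue) {
        $issues.Add('MDMWinsOverGP is not set; GPO still wins on conflict.')
    } elseif ($PolicyValue -ne 1) {
        $issues.Add("MDMWinsOverGP is $PolicyValue, expected 1.")
    }
    [pscustomobject]@{
        Build         = $Build
        EditionId     = $EditionId
        MdmWinsOverGp = ($issues.Count -eq 0)
        CanSwitchBack = ($Build -ge 18363)   # 18363 = Windows 10 1909, per the note above
        Issues        = $issues -join ' '
    }
}

# Gather the local values and evaluate them (reads HKLM only, no changes made).
$os     = Get-ItemProperty -Path $OsKey
$policy = Get-ItemProperty -Path $PolicyKey -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
Test-MdmWinsOverGp -Build ([int]$os.CurrentBuildNumber) -EditionId $os.EditionID `
                   -PolicyValue $policy.MDMWinsOverGP
```

A device that reports `MdmWinsOverGp = False` with an empty build or edition issue has most likely not synced the profile yet, or is not in the assigned group.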
I hope you found my guide on “how to make Intune MDM policy win over GPO” useful. Let me know in the comments if you have any questions, thoughts or gotchas.