Intune Group Policy Conflict Resolution


This is a short blog post to tell you how to handle a conflict between Intune and Group Policy.

Occasionally, when switching from Group Policy to Intune, you will experience issues where the policy settings in Intune are different from the policy settings in Group Policy. This can happen for a number of reasons. Usually it's because the group policies reflect your old design and, when creating Intune policies, you refresh your device behaviour.

The Problem

When the device is presented with two sets of policy data that differ, one from Intune and one from Group Policy, Group Policy usually wins.

This is fine if the policy settings are the same, but not if you are using Intune to change your device behaviour.

You can easily find yourself waiting for policy settings to apply from Intune that are never going to apply because they are blocked by an Intune and Group Policy conflict.

The Fix

It's a simple fix that we need to apply from the Intune side. Personally, I like to set this as its own Configuration Profile so it's clear when looking through settings.

Log in to Intune

Go to Devices | Configuration Profiles

Create a new profile

Choose the platform as Windows 10 or later

Select the profile type as Settings Catalog

Click Create

Give the profile a name such as “MDM wins over GPO” and include a suitable description

Click Next

Click Add settings

Search for “MDM wins”

Tick the box next to MDM Wins Over GP (as shown below)

Intune Configuration Profile MDM Wins over GP

Change the policy setting for MDM Wins Over GP to “The MDM policy is used and the GP policy is blocked.”

Intune MDM Wins over GP policy setting

Click Next and choose the assignment. Personally, I select Add All Users and Add All Devices. This ensures that the policy will get applied.

If you are introducing pilots or ring deployments, feel free to add groups of users or devices here by clicking the Add Groups option instead.

Set any scope tags you have defined

Finally click Create.

Remember

One thing you need to remember: once you have made a change in Intune, you need to sync your device settings.

You can hurry the process up by going to Settings | Accounts | Access Work or School | Click the connected Domain | Info | Sync

You may experience a delay for your settings to sync; I have seen this take 30 minutes plus, even with hitting the sync button.
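
To confirm on a device that the setting has actually arrived after a sync, a check like the one below can be run in PowerShell on the client. This is an added example, not part of the original post or of Microsoft's tooling; the function name Get-MdmWinsOverGpState is hypothetical, and the registry path is an assumption about where the device caches MDM policy for the ControlPolicyConflict area.

```powershell
# Added example: report whether the MDMWinsOverGP policy has reached this device.
function Get-MdmWinsOverGpState {
    [CmdletBinding()]
    param(
        # Assumption: MDM policy for the ControlPolicyConflict area is cached under this key.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        KeyPresent   = Test-Path -LiteralPath $PolicyKey
        RawValue     = $null
        State        = 'NotDelivered'   # nothing received from MDM yet
    }

    if ($result.KeyPresent) {
        # A missing value returns $null instead of throwing.
        $item = Get-ItemProperty -LiteralPath $PolicyKey -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $result.RawValue = $item.MDMWinsOverGP
            $result.State = switch ($item.MDMWinsOverGP) {
                1       { 'MdmWins' }   # "The MDM policy is used and the GP policy is blocked."
                0       { 'Default' }   # setting delivered but left at its default
                default { 'Unknown' }
            }
        }
    }

    [pscustomobject]$result
}

$state = Get-MdmWinsOverGpState
$state | Format-List

if ($state.State -ne 'MdmWins') {
    Write-Warning 'MDMWinsOverGP is not set to 1 on this device; sync again and re-check.'
}
```

A State of NotDelivered after a sync usually means the profile is not assigned to this user or device, so check the assignment in Intune before waiting any longer.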

Further Reading

If you want to find out more about policy conflicts, you can read this Microsoft documentation: Policy CSP – ControlPolicyConflict – Windows Client Management | Microsoft Docs