Solving the Mystery of MDMWinsOverGP Basics with Intune
Surprises are great when you are engrossed in a captivating movie. A good novel always has multiple twists that you don’t see coming. For the most part though, the world prefers predictability, especially when it comes to managing corporate enterprises. The whole purpose of deploying settings is to ensure conformity to your enterprise client devices. Group Policy and MDM were made to deliver a level of certainty to the enterprise.
So what happens when Group Policy settings and MDM settings collide with one another? Because a Windows 10 device can be a member of an on-prem Active Directory domain and be MDM enrolled at the same time, that is a distinct possibility. Starting with the 1709 release, Microsoft unveiled a GPO setting that allows hybrid-joined devices to be automatically MDM enrolled. So let’s say we have a hybrid environment of Windows 10 laptops and, just for grins, we disabled Cortana using an MDM policy setting and enabled it using a Group Policy setting. Which policy do you think would win out?
If you had to guess, you would probably say Group Policy since it is the elder of the two. If you did, you would be sort of wrong. You would also be sort of wrong if you said MDM.
How can you be sort of wrong you ask?
Because when MDM and GP settings conflict, we honestly have no idea which one is going to win out.
In fact, that is the default, expected behavior. Yes, the default behavior is uncertainty. Just like the stock market doesn’t like uncertainty, neither do network admins.
So in order to add some stability to these conflicting scenarios, Microsoft introduced a Policy CSP called ControlPolicyConflict/MDMWinsOverGP. It uses an integer-based data type for which there are two supported values:
- 0 - Default; the outcome of a conflict remains undetermined.
- 1 - The MDM policy is used and the GP policy is blocked.
To enable this policy, we have to create a custom OMA-URI setting as shown in the screenshot below.
So if MDM and the same Group Policy setting are contending to assign the SAME value to the SAME setting, then you can use MDMWinsOverGP to force the MDM policy to always win, regardless of what GP is trying to do.
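As an added example (not from the original post), here is a PowerShell check an admin can run on a hybrid-joined device to confirm that MDMWinsOverGP has actually arrived and to see what it means for the Cortana setting used above. The registry locations assumed for the Policy CSP values and for the Cortana Group Policy are assumptions, not taken from the page.

```powershell
# Added example, not part of the original post.
# Assumption: MDM Policy CSP values land under
#   HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>
# and the Cortana GPO writes
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowCortana.
# The custom OMA-URI the post refers to follows the usual Policy CSP form:
#   ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP

$PolicyManagerRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return the DWORD value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Resolve-PolicyConflict {
    param([string]$SettingName, $GpValue, $MdmValue, $MdmWinsOverGp)
    # Decide what the device should end up with, following the post's rules:
    # only one source set -> that source; both agree -> no conflict;
    # both differ -> MDM only if MDMWinsOverGP is 1, otherwise undetermined.
    $verdict =
        if ($null -eq $GpValue -and $null -eq $MdmValue) { 'Not configured by GP or MDM' }
        elseif ($null -eq $MdmValue) { "GP applies: $GpValue" }
        elseif ($null -eq $GpValue)  { "MDM applies: $MdmValue" }
        elseif ($GpValue -eq $MdmValue) { "No conflict, both assign $GpValue" }
        elseif ($MdmWinsOverGp -eq 1) { "Conflict resolved, MDM wins: $MdmValue" }
        else { 'CONFLICT: outcome undetermined (MDMWinsOverGP is not 1)' }

    [pscustomobject]@{
        Setting       = $SettingName
        GPValue       = $GpValue
        MDMValue      = $MdmValue
        MDMWinsOverGP = $MdmWinsOverGp
        Verdict       = $verdict
    }
}

$mdmWins    = Get-RegDword -Path "$PolicyManagerRoot\ControlPolicyConflict" -Name 'MDMWinsOverGP'
$gpCortana  = Get-RegDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' -Name 'AllowCortana'
$mdmCortana = Get-RegDword -Path "$PolicyManagerRoot\Experience" -Name 'AllowCortana'

Resolve-PolicyConflict -SettingName 'AllowCortana' -GpValue $gpCortana `
    -MdmValue $mdmCortana -MdmWinsOverGp $mdmWins | Format-List
```

Run it in an elevated session after a policy sync; a `Verdict` of "CONFLICT" on a device you believe has the CSP assigned is a sign the custom OMA-URI profile has not been delivered yet.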
If you are managing a hybrid environment with MDM and GPO, it may in fact be good practice to enable this CSP for good measure just to ensure that certainty will always prevail. In the IT world, certainty is a good thing.