Forum Discussion

AlexR91
Brass Contributor
Jul 25, 2024

After Removing GPO, Intune Policies Not Applying

Part of our fleet remains Entra Hybrid Join (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO based security baselines for Entra Hybrid Joined devices and let Intune push security settings for the baseline instead.


Here's the expected behavior:

  1. Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied.
  2. When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by group policy are applied.
  3. The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.

However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.


Here's what I've done to try to fix this:

  1. Make a copy of the existing baseline with a new name, assign it to the computers, and unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.
  2. Change a single setting in the baseline hoping the change triggers the whole configuration reapplying. The endpoint only applies the changed setting, other settings in the baseline do not get applied.
  3. Unassign the baseline entirely, wait for the computer to sync and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they're not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can't negotiate the timing on this for our whole fleet of computers.
  4. Apply the policy that makes MDM policies take precedence over GPOs. This did not work.

Here's what we're not willing to try (I'm preempting some of Microsoft's usual boilerplate responses):

  1. We will not reset the computers - there are too many for this to be a scalable solution.
  2. We will not unjoin and rejoin the computers from MDM - there are too many for this to be a scalable solution.

While I'm tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.


Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don't think this is something that will be resolved with time.


Any advice would be greatly appreciated!
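One way to verify the state the post describes (GPO values gone, MDM values not written) directly on an endpoint is to compare the Policy CSP registry hive with the classic Group Policy registry locations. This is an added example, not code from the original post: the PolicyManager root and the ControlPolicyConflict/MDMWinsOverGP value are the standard Windows MDM locations, while the two Area/Setting and GPO value names in `$checks` are illustrative assumptions and should be replaced with the settings from your own baseline.

```powershell
# Added example: report, per setting, whether Group Policy and/or MDM (Intune)
# has written a value, to spot baseline settings that neither source covers.
# Note: PolicyManager\current\device reflects what the MDM client received;
# a missing value there is the symptom described above (MDM never applied).
$mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Illustrative settings (assumed names; adjust to your baseline).
$checks = @(
    [pscustomobject]@{
        Name     = 'Unsolicited Remote Assistance'
        MdmPath  = "$mdmRoot\RemoteAssistance"; MdmValue = 'UnsolicitedRemoteAssistance'
        GpoPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        GpoValue = 'fAllowUnsolicited'
    },
    [pscustomobject]@{
        Name     = 'UAC: run all administrators in Admin Approval Mode'
        MdmPath  = "$mdmRoot\LocalPoliciesSecurityOptions"
        MdmValue = 'UserAccountControl_RunAllAdministratorsInAdminApprovalMode'
        GpoPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        GpoValue = 'EnableLUA'
    }
)

function Get-RegValue {
    # Returns the value or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name } else { return $null }
}

function Get-PolicySourceReport {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $mdm = Get-RegValue -Path $c.MdmPath -Name $c.MdmValue
        $gpo = Get-RegValue -Path $c.GpoPath -Name $c.GpoValue
        $state = switch ($true) {
            ($null -ne $mdm -and $null -ne $gpo) { 'Both present (conflict; GPO wins unless MDMWinsOverGP is set)' }
            ($null -ne $mdm)                    { 'MDM applied' }
            ($null -ne $gpo)                    { 'GPO still present' }
            default                             { 'Neither present (coverage gap)' }
        }
        [pscustomobject]@{ Setting = $c.Name; MdmValue = $mdm; GpoValue = $gpo; State = $state }
    }
}

# Precedence switch: when unset, Group Policy wins on conflicting settings.
$mdmWins = Get-RegValue -Path "$mdmRoot\ControlPolicyConflict" -Name 'MDMWinsOverGP'
"MDMWinsOverGP: $(if ($null -eq $mdmWins) { 'not set (GPO wins on conflict)' } else { $mdmWins })"
Get-PolicySourceReport -Checks $checks | Format-Table -AutoSize
```

A row reporting "Neither present" for a setting the Intune baseline is supposed to enforce is the condition to escalate on, since the device has no source for that control; run it again after a policy sync or a Config Refresh to confirm remediation.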

  • AlexR91 This issue has, inexplicably, resolved itself. Thanks to those of you who provided input.

  • 
    rahuljindal-MVP
    Bronze Contributor
    How are you validating that the settings from Intune security baseline are not applying on the endpoints?
    • 
      AlexR91
      Brass Contributor
      I first noticed when our device secure score within the Microsoft Defender portal dropped dramatically. When I went and looked why, it showed policies that were once applied by the baseline were no longer applied. I was able to verify this by looking at some of these settings on the impacted endpoints. For example, I can see if the policy to disable unsolicited remote assistance is working because the setting is visible to the end user within Windows. There are several other settings I was able to verify like this on the endpoint.
    • It doesn't work with all policies though... only for the ones in the PolicyManager... but it could work indeed... depending on whether the Intune policy is in the cache...
    • 
      AlexR91
      Brass Contributor
      I believe policies should have been refreshing every 8 hours by default and these endpoints were allowed to be in this state for 48+ hours without this issue resolving itself. That said, this may be a useful tool in troubleshooting this further. Thanks for sharing!
    • 
      AlexR91
      Brass Contributor

      Interestingly, config refresh did resolve this issue - once I ran the config refresh scheduled task, all the policies applied like they are supposed to. The problem here is that config refresh requires Windows 11. It should come as no surprise that most of the Hybrid joined computers this impacts run Windows 10 (if we upgrade to Windows 11, we reset and Entra join).

  • Hi

    1. To be honest... targeting the device with Intune policies and GPO is bad... there are different solutions to make sure the device wasn't targeted in the first place with the Intune policies, or making sure the GPO wasn't targeting those devices.
    2. Are you 100% sure the GPO isn't any longer on those devices? What happens with a gpresult on those devices, what does it mention?
    3. Did you manually check a device to find out if the policies are still there in the registry?

    Could you tell us a bit more what you checked?
    • 
      AlexR91
      Brass Contributor
      I agree that targeting the devices with both Intune and GPO enforcing the same policy is a bad idea. The purpose of removing the GPO baselines was to make it so we're no longer doing this.

      I am 100% sure the policies are not applying. They do not appear in the registry and do not show up in gpresult. Most importantly, when using the device, I can tell the settings are not applying based on the behavior of the computer (no UAC prompts when there should be, settings enabled and working that should not be, etc...).
