drivesafely
Brass Contributor
Oct 20, 2024

Intune policy conflict

Hello All,

We currently manage settings locally on our workgroup devices via gpedit. We are now planning to enroll these devices in Intune and configure the same settings using device configuration policies.

How will conflicts between local and Intune policies be handled? Is it possible to enforce Intune policies across all devices in this scenario?

Your guidance would be appreciated. Thanks!

  • micheleariis
    Steel Contributor

    drivesafely Hello, when a device is enrolled in Intune, conflicts can occur between local policies managed by Group Policy (GPO) and those enforced by Intune. In general, if there is a direct conflict between a policy defined by Intune (MDM) and a locally managed policy by Group Policy, Intune (MDM) will take precedence, overriding the local settings. However, this behavior is not true for all types of settings, and some local configurations may continue to be applied if they are not directly overridden by Intune. It is important to keep in mind that Intune cannot automatically remove all configurations previously defined by local GPO.

    To help you manage these conflicts, Microsoft provides a tool called Group Policy Conflicts in the Endpoint Manager portal. This report helps you identify conflicts between local and Intune policies, helping you adjust your configurations accordingly. If you want to ensure that Intune policies are applied correctly on all devices, it is recommended that you disable local Group Policy configurations before enrolling devices in Intune, thus avoiding possible overlaps or conflicts.

    For domain-joined devices, you can configure Intune auto-enrollment via Group Policy, ensuring that they consistently follow MDM policies. For workgroup devices, you may want to reset or remove old Group Policy configurations before enrolling in Intune, using tools like PowerShell or a full reset process, to avoid conflicts with new policies.

    Before proceeding with a large-scale deployment, it is recommended that you conduct a pilot test on a small group of devices. This will allow you to observe how Intune policies behave in the presence of local policies that are still active, identify any specific conflicts, and fine-tune your configurations based on the results. In conclusion, it is possible to override Intune policies on all devices, but it is critical to manage or disable existing local policies to avoid conflicts. While Intune (MDM) often overrides local Group Policy, it is always prudent to test and monitor carefully to ensure that all settings are applied correctly.
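
The reset step suggested above for workgroup devices, sketched as an added PowerShell example (not code from the thread or from Microsoft): it inventories what the local GPO sets, backs it up, and removes it only when `-Reset` is passed. The backup location, file names and the `Get-RegistryPolEntry` helper are assumptions made for this example; run it on a pilot device first.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = "$env:SystemDrive\LocalGpoBackup",  # assumed backup location
    [switch]$Reset                                             # without it, nothing is removed
)

function Get-RegistryPolEntry {
    # Hypothetical helper: reads the PReg format of Registry.pol, [key;value;type;size;data] in UTF-16LE.
    param([Parameter(Mandatory)][string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "$Path is not a Registry.pol file"
    }
    $i = 8                                                # skip signature and version
    while ($i -lt $b.Length) {
        $i += 2                                           # '['
        $names = foreach ($n in 1..2) {                   # key path, then value name
            $start = $i
            while ([BitConverter]::ToUInt16($b, $i) -ne 0) { $i += 2 }
            [Text.Encoding]::Unicode.GetString($b, $start, $i - $start)
            $i += 4                                       # NUL terminator and ';'
        }
        $type = [BitConverter]::ToInt32($b, $i); $i += 6  # DWORD and ';'
        $size = [BitConverter]::ToInt32($b, $i); $i += 6  # DWORD and ';'
        # Decode REG_DWORD (4) and REG_SZ / REG_EXPAND_SZ (1, 2); other types are left empty.
        $data = if ($type -eq 4 -and $size -eq 4) { [BitConverter]::ToInt32($b, $i) } elseif ($type -in 1, 2) { [Text.Encoding]::Unicode.GetString($b, $i, $size).TrimEnd([char]0) }
        $i += $size + 2                                   # data and ']'
        [pscustomobject]@{ Key = $names[0]; ValueName = $names[1]; Type = $type; Data = $data }
    }
}

$gpDirs = 'GroupPolicy', 'GroupPolicyUsers' | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" } |
    Where-Object { Test-Path $_ }
if (-not $gpDirs) { Write-Output 'No local GPO folders found.'; return }

$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Inventory: the settings to re-create as Intune device configuration policies.
Get-ChildItem -Path $gpDirs -Filter Registry.pol -Recurse -Force | ForEach-Object {
    $pol = $_.FullName
    Get-RegistryPolEntry -Path $pol | Select-Object @{ n = 'Source'; e = { $pol } }, *
} | Export-Csv -Path (Join-Path $dest 'local-gpo-inventory.csv') -NoTypeInformation

# 2. Backup: policy folders plus an export of local security settings, which are
#    not stored in Registry.pol and are not reverted by step 3.
secedit /export /cfg (Join-Path $dest 'local-security-policy.inf') | Out-Null
Copy-Item -Path $gpDirs -Destination $dest -Recurse -Force

# 3. Reset: remove the local GPO files and refresh policy.
if ($Reset) { Remove-Item -Path $gpDirs -Recurse -Force; gpupdate /force | Out-Null }
Write-Output "Inventory and backup written to $dest"
```

Registry values that the old policies already wrote can remain after the reset, so compare the inventory CSV against the pilot device once Intune policies have applied.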
