Modern management or Windows 11? It’s more about "and" than "or"
Event Ended
Monday, Nov 27, 2023, 07:00 AM PST
Windows 11 and Intune are two powerful solutions that can help you transform your organization through modern management and cloud capabilities. But how can you leverage them effectively without disr...
Heather_Poulsen
Updated Dec 27, 2024
Nathan_Lockwood
Nov 27, 2023 Brass Contributor
When enabling co-management, and especially moving over the device configuration to Intune, how should we approach group policy migration? Device management is pretty straightforward, but how about user group policy? How do you recommend balancing users that may need to access devices that are co-managed vs. not?
- Jason_Sandys Nov 27, 2023
Microsoft
Whatever works for you really. Using GP Analytics (which is built into Intune) is a good choice for initial analysis and possible migration; however, in general, we recommend that you take a step back and define your actual policy requirements, as what you have captured in your current set of group policies is not necessarily a reflection of your requirements but is instead the culmination of a bunch of different opinions on configuration that have piled up over the last 10-20 years. Stepping back to your requirements and rationalizing your current policies so that you can implement only what you truly need is what we recommend orgs do, as this embraces the entire point of moving to cloud-native, which is simplification of management. Cloud-native management should be approached with the mindset of what you should do and manage and not what you can do or manage. This will lead to the best path for success in both the short term as well as the long term.
- Anthonymelwhrhs Nov 27, 2023 Iron Contributor
To add to this question, if I enable the Intune policy management slider via co-management in Configuration Manager, is on-prem group policy still honored in a hybrid scenario while we start migrating policies? How does it handle conflicts between on-prem and Intune?
- Jason_Sandys Nov 27, 2023
Microsoft
Yes and no. Conflicts are possible and likely. Co-management is not about arbitrating between group policy and Intune. The best way to avoid these conflicts is to not attempt to apply the same policy or settings from two different authorities, as this will lead to hardship and confusion. Using selective targeting in either group policy (using WMI filters, OUs, groups, etc.) or in Intune (using Entra ID groups or filters) if and as needed to avoid conflicts is the path of least resistance here.
- Nathan_Lockwood Nov 27, 2023 Brass Contributor
I've seen it apply some items and not apply others. I know stuff around security like firewalls just resets to the Windows default config and blows out all group policy firewall rules, but others seem to apply without issue. Would be nice to see a reference list to see how all this stuff gets handled.
- Joe_Lurie Nov 27, 2023
Microsoft
Nathan_Lockwood and Anthonymelwhrhs, GPO and Configuration Manager policies are unrelated. If you move a slider in the co-management console, it should not affect the GPOs applying, except maybe WSUS/WUfB policies. But other group policies should not be impacted by the co-management configuration.