Windows 10 can be a member of an on-prem Active Directory domain and be MDM managed with Intune. Before Windows 10 1709 it was a manual process to get Windows 10 domain joined devices under MDM management; with the 1709 release Microsoft created a GPO setting that allows hybrid joined devices to be automatically MDM enrolled. This is pretty cool and is useful in many scenarios, like co-management or lightweight management of Windows 10 for companies that are on the cloud journey. MDM auto enrollment has been available for AzureAD joined devices since the first release of Windows 10.

With the next major Windows 10 update there will be a new setting. I have tested this with Windows 10 Insider build 17093, and in this blog post I will walk through the new feature. With this new MDM policy we can control that the MDM setting always wins over the same setting coming from a GPO.

Before you begin you need this setup:

  • Windows 10 hybrid AzureAD joined devices
  • Windows insider build 17093 or later
  • Automatic MDM enrollment GPO deployed
  • Intune and AzureAD license for the user

How to set up Control Policy Conflict:

First you need to create a Windows 10 custom Device configuration profile in Intune.

[Image: ControlPolicy-ConflictMDMWinsOverGP - 02]

1 – The MDM policy is used and the GP policy is blocked.
Data Type:

The supported values are:
0 (default)
1 – The MDM policy is used and the GP policy is blocked.

The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:

  • GP settings that correspond to MDM applied settings are not conflicting
  • The current Policy Manager policies are refreshed from what MDM has set
  • Any values set by scripts/user outside of GP that conflict with MDM are removed

Where can we deploy this new policy:

[Image: ControlPolicy-ConflictMDMWinsOverGP - 01]


How does it look from the client-side:

In the Settings app, under Managed by, we can see the new ControlPolicyConflict area.

[Image: ControlPolicy-ConflictMDMWinsOverGP - 03]

When we create an advanced diagnostic report, we can see in more detail which Group Policy settings have been blocked.

[Image: MDM Enroll Domain Joined - 06]

From Windows 10 Insider build 17115 this shows up in the MDMDiagReport, so now we can see which MDM settings and which GPO settings get applied on the device.
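A client-side check for the steps above, as an added example that is not from the original post. It assumes that policy values delivered by MDM are stored under the PolicyManager registry key shown and that MdmDiagnosticsTool.exe is present to write MDMDiagReport.html; the output folder is a placeholder.

```powershell
# Added example, not from the original post. Run on the hybrid joined, MDM enrolled client.
# Assumption: MDM-delivered Policy CSP values are stored under this PolicyManager key.
$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$ValueName    = 'MDMWinsOverGP'
$ReportDir    = Join-Path $env:TEMP 'MdmDiag'   # placeholder output folder

function Get-MdmWinsOverGpState {
    param([string]$Path, [string]$Name)

    # Key or value missing: the policy has not reached this device.
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Delivered = $false; Value = $null; State = 'Not set by MDM' }
    }

    # Map the stored value to the two supported values listed in the post.
    $value = [int]$prop.$Name
    $state = switch ($value) {
        0       { '0 (default)' }
        1       { 'The MDM policy is used and the GP policy is blocked' }
        default { "Unsupported value $value" }
    }
    [pscustomobject]@{ Delivered = $true; Value = $value; State = $state }
}

Get-MdmWinsOverGpState -Path $RegistryPath -Name $ValueName | Format-List

# Write the MDM diagnostic report and show the lines that mention the policy area.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
& MdmDiagnosticsTool.exe -out $ReportDir | Out-Null

$report = Join-Path $ReportDir 'MDMDiagReport.html'
if (Test-Path -Path $report) {
    Select-String -Path $report -Pattern 'ControlPolicyConflict|MDMWinsOverGP' |
        Select-Object -First 10 LineNumber, Line
} else {
    Write-Warning "MDMDiagReport.html was not written to $ReportDir"
}
```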

More information:

How to configure hybrid Azure Active Directory joined devices

Policy CSP – ControlPolicyConflict