If a device is joined to a local Active Directory and is also managed by Intune, the local GPO will win over Intune when both configure the same setting with different values. When you move to a cloud-first strategy, it can be a good idea to make Intune win when settings are in conflict.

The first step is to see what your primary source is today. Follow these steps:

  1. Log in to a computer affected by the policy
  2. Go to Settings > Access work or school account > Managed by Company
  3. Under Advanced Diagnostic Report, click Create Report
  4. Export the report and open the file that you can find in this folder: C:\Users\Public\Documents\MDMDiagnostics
  5. In this file, look for ControlPolicyConflict. It is set to 0 by default, which means that GPO will win over Intune policies

With this information, go to endpoint.microsoft.com and create a configuration profile that changes this setting so that Intune wins over GPO. If you want to test and pilot this, you can create an Azure AD group before you proceed with the steps below.

  1. Go to endpoint.microsoft.com and click Devices > Configuration profiles > Create profile
  2. Select
    • Windows 10 and later
    • Templates
    • Custom
  3. Select an appropriate name and description according to your naming convention
  4. Under Configuration Settings click Add OMA-URI Settings
    • Name: MDM wins over GP
    • Description:
    • OMA-URI: ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
    • Datatype: Integer
    • Value: 1
  5. Under Assignments, you can assign it to All Users and Devices or, if you would like to test first, scope it to a test group that you created before this step.
  6. Skip application rules if you do not want to create any and hit Create

Now you can force a sync from the Endpoint portal or from within the device. After the sync, you need to wait a little while. Then you can go back to the steps where you create the diagnostic report. The setting should now be updated from 0 to 1. If you would like to test afterwards, you can create one GPO and one Intune policy that are in conflict to confirm that the Intune policy wins.
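
The verification step above can also be scripted and run on the device after the sync. This is an added example, not part of the original post. It assumes the exported report is saved as `.html` or `.xml` in the folder named above and that the applied value is also readable under the `PolicyManager` registry key shown in the code (that key path does not come from this article).

```powershell
# Added example: check which side wins a GPO/Intune conflict on this device.
# $ReportDir is the folder named in the steps above.
# $PolicyKey is an assumption that does not come from the article.
$ReportDir = 'C:\Users\Public\Documents\MDMDiagnostics'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

function Get-MdmWinsOverGpValue {
    param([string]$Key = $PolicyKey)
    # A missing key or value means the profile has not been applied: default 0.
    $item = Get-ItemProperty -Path $Key -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.MDMWinsOverGP
}

function Find-MdmWinsOverGpInReport {
    param([string]$Dir = $ReportDir)
    # Return the report lines that mention the setting, so they can be read
    # without opening the report by hand.
    if (-not (Test-Path -Path $Dir)) { return @() }
    Get-ChildItem -Path $Dir -File -Recurse -Include *.html, *.xml |
        Select-String -Pattern 'MDMWinsOverGP'
}

$value  = Get-MdmWinsOverGpValue
$winner = if ($value -eq 1) { 'Intune (MDM)' } else { 'Group Policy' }
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    MDMWinsOverGP  = $value
    ConflictWinner = $winner
}

$hits = Find-MdmWinsOverGpInReport
if (-not $hits) {
    Write-Warning "No MDMWinsOverGP entry found in $ReportDir. Create the Advanced Diagnostic Report first."
} else {
    foreach ($hit in $hits) {
        # Report lines can be very long, so show only the start of each match.
        $text = $hit.Line.Trim()
        if ($text.Length -gt 160) { $text = $text.Substring(0, 160) + '...' }
        '{0}:{1}: {2}' -f $hit.Filename, $hit.LineNumber, $text
    }
}
```

A device that still reports 0 after the sync has not received the profile yet, so check the assignment scope and sync again before testing with conflicting policies.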

Hope this can be helpful. I mostly wrote this as a reminder for myself of how to make this update.