How could we best eradicate the GPOs still applying to recent Co-managed devices as they will conflict with the MDM Policies being applied by Intune?

Spencer Ian 20 Reputation points
2024-03-14T11:37:42.75+00:00

We have moved several devices to Co-Management and they have appeared in Intune. MECM is configured in Pilot Intune mode. These test devices are configured in Intune in groups which have Update and Feature update ring policies configured. However, looking at devices in Windows Update Settings, there are still some non-MDM GPO policies applied, like "Disable all online services for Windows Updates except managed services" and "Do not connect to any Windows Update Internet locations". There are a number of configured GPO policies that seem to prevent access to WUFB, which is what Intune needs. We want to keep most of our organisation's Windows Group Policy GPOs but ditch the items pushing only these test devices to not talk to WUFB. How can we look to achieve this cleanly?

Tags: Windows 10, Microsoft Intune

2 answers

Sort by: Most helpful
  1. glebgreenspan 1,835 Reputation points
    2024-03-14T12:15:10.2333333+00:00

    Hello Spencer

    To achieve this, you can create a Group Policy Object (GPO) specifically for the test devices that have been moved to Co-Management. This GPO can be configured to disable the specific settings that are preventing access to Windows Update for Business (WUFB).

    Here are the steps you can take:

    Create a new Organizational Unit (OU) in Active Directory for the test devices that have been moved to Co-Management. Move the test devices to this new OU.

    Create a new GPO in Group Policy Management Console (GPMC) specifically for the test devices. You can configure this GPO to disable the specific settings that are preventing access to WUFB.

    Apply the new GPO to the OU where the test devices are located. This will ensure that only the test devices have these specific settings applied, while the rest of the organization's devices will continue to be managed by the existing GPOs.

    Once the new GPO is applied to the test devices, monitor their behavior to ensure that they are now able to access WUFB and receive the necessary updates from Intune.

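The OU-and-override-GPO procedure in the answer above, written out as a PowerShell script. This is an added example, not code from the thread: the OU, GPO and computer names are hypothetical, and the Disabled-state registry values (0) are assumed from WindowsUpdate.admx, so confirm them on a test GPO before relying on them. It needs the RSAT ActiveDirectory and GroupPolicy modules and rights to edit GPOs.

```powershell
# Added example for the OU + override-GPO procedure in the answer above; it is not code from the
# thread. Assumptions: the OU, GPO and host names are hypothetical; the Disabled-state registry
# values (0) are assumed from WindowsUpdate.admx, so confirm them on a test GPO before relying on
# them. Requires RSAT (ActiveDirectory and GroupPolicy modules) and rights to edit GPOs.
Import-Module ActiveDirectory, GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName
$parentOuDN = "OU=Workstations,$domainDN"               # hypothetical existing OU
$pilotOuDN  = "OU=CoMgmt-Pilot,$parentOuDN"             # hypothetical pilot OU
$gpoName    = 'WUfB-Pilot-Override'                     # hypothetical GPO name
$wuKey      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pilotHosts = @('PILOT-PC01', 'PILOT-PC02')             # constructed sample computer names

# 1. Inventory: which existing GPOs deliver Windows Update settings at all? These are the
#    candidates whose values reach the pilot OU by inheritance.
$wuGpos = foreach ($gpo in Get-GPO -All) {
    $vals = try { Get-GPRegistryValue -Guid $gpo.Id -Key $wuKey } catch { $null }
    $vals = @($vals | Where-Object ValueName)
    if ($vals.Count -gt 0) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Values = ($vals.ValueName -join ', ') }
    }
}
'== GPOs carrying Windows Update policy values =='
$wuGpos | Format-Table -AutoSize

# 2. Pilot OU and computer objects.
$ou = try { Get-ADOrganizationalUnit -Identity $pilotOuDN } catch { $null }
if (-not $ou) { New-ADOrganizationalUnit -Name 'CoMgmt-Pilot' -Path $parentOuDN | Out-Null }
foreach ($h in $pilotHosts) {
    $c = Get-ADComputer -Identity $h
    if ($c.DistinguishedName -notlike "*,$pilotOuDN") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $pilotOuDN
    }
}

# 3. Override GPO linked to the pilot OU. A link on the child OU is processed after the parent
#    links, so its values replace the inherited ones for the same registry value names.
$gpo = try { Get-GPO -Name $gpoName } catch { $null }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Pilot: hand Windows Update source control to Intune/WUfB'
}
# Disabled-state values (assumed 0; verify against your ADMX).
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'DoNotConnectToWindowsUpdateInternetLocations' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 0 | Out-Null
if (-not ((Get-GPInheritance -Target $pilotOuDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $pilotOuDN -LinkEnabled Yes | Out-Null
}

# 4. The one thing that defeats step 3: an Enforced link higher up still wins over the child OU.
'== Enforced inherited links on the pilot OU (these override the pilot GPO) =='
(Get-GPInheritance -Target $pilotOuDN).InheritedGpoLinks |
    Where-Object Enforced | Format-Table DisplayName, Target -AutoSize
```

Two checks before trusting the result: if step 4 lists anything, the enforced parent link still wins and the setting has to be removed or scoped there instead; and the answer does not say whether a GP setting in its Disabled state still counts as a Group Policy conflict for the matching Intune setting, so run `gpresult /scope computer /r` on a pilot device after a `gpupdate /force` and confirm in Windows Update Settings that the blocking entries are gone.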

  2. Crystal-MSFT 46,271 Reputation points Microsoft Vendor
    2024-03-15T01:27:45.09+00:00

@Spencer Ian, GPOs always win over Intune policy. So if there's the same setting in GPO, it will apply the setting in GPO.

For the pilot devices, we can configure MDMWinsOverGP on them. But it only applies to policies in the Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp

    If the policy is not included in this scope, you need to remove the GPOs from these pilot devices.

    Hope the above information can help.


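A way to see the conflict the answer above describes on an actual pilot device: an added PowerShell audit, not code from the thread. It assumes that GP-delivered Windows Update settings are written under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (and `\AU`), that Intune's Policy CSP settings are mirrored under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>` (the `Update` area for update rings, `ControlPolicyConflict` for MDMWinsOverGP), and that the "blocker" mapping of value names to effects is this script's own.

```powershell
# Added on-device audit for the GP-vs-MDM conflict described above; not code from the thread.
# Assumptions: GP-delivered Windows Update settings sit under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and \AU); Policy CSP settings delivered by
# Intune are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>, including
# ControlPolicyConflict\MDMWinsOverGP. Run in an elevated session on the pilot device.
$gpPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)
$mdmUpdate   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$mdmConflict = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

# GP values that, when set to 1, stop the client from using the WUfB service. The effects are the
# documented semantics of each value; choosing these three as "blockers" is this script's assumption.
$blockers = @{
    'DoNotConnectToWindowsUpdateInternetLocations' = 'blocks every Windows Update internet endpoint, WUfB included'
    'UseWUServer'                                  = 'directs scans at the WSUS server named in WUServer'
    'DisableDualScan'                              = 'turns off Dual Scan, so WUfB deferral policy is ignored while WSUS is configured'
}

function Get-PolicyValues([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        # skip the per-policy bookkeeping values PolicyManager keeps beside each setting (assumed names)
        Where-Object { $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$' } |
        ForEach-Object { [pscustomobject]@{ Source = $Path; Name = $_.Name; Value = $_.Value } }
}

$gp      = @($gpPaths | ForEach-Object { Get-PolicyValues $_ })
$mdm     = @(Get-PolicyValues $mdmUpdate)
$mdmWins = (Get-PolicyValues $mdmConflict | Where-Object Name -eq 'MDMWinsOverGP').Value

'== Group Policy Windows Update values =='
$gp  | Format-Table Name, Value -AutoSize
'== Intune (Policy CSP) Update values =='
$mdm | Format-Table Name, Value -AutoSize
"== MDMWinsOverGP: $(if ($null -eq $mdmWins) { 'not set (default 0: GP wins)' } else { $mdmWins })"

'== GP values that keep this device off WUfB =='
$gp | Where-Object { $blockers.ContainsKey($_.Name) -and $_.Value -eq 1 } |
    ForEach-Object { '{0} = {1}  ({2})' -f $_.Name, $_.Value, $blockers[$_.Name] }

# Settings present on both sides are where the GP copy overrides the Intune copy unless
# MDMWinsOverGP covers that policy. Matching by name is a heuristic: the names coincide for the
# deferral policies (e.g. DeferQualityUpdatesPeriodInDays) but not for every setting.
'== Settings delivered by both Group Policy and Intune =='
$gp | Where-Object { $_.Name -in $mdm.Name } | ForEach-Object {
    $n = $_.Name
    '{0}: GP={1} MDM={2}' -f $n, $_.Value, ($mdm | Where-Object Name -eq $n).Value
}
```

Anything listed under "keep this device off WUfB" is a setting Intune cannot override from its side, regardless of MDMWinsOverGP, since those values are not in the Policy CSP scope the answer refers to; `gpresult /scope computer /h report.html` on the same device shows which GPO delivers each one so it can be scoped away from the pilot OU.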