Intune & MECM Co-management

Bojan Zivkovic 21

Hi, I am in testing phase of Intune & MECM Co-management (worked a lot with MECM but new in Intune territory). There are 2 test Windows 10 1809 machines (VM & Physical). Device Configuration (Endpoint Protection/Resource access policies) and Windows Update policies workloads are set to Pilot Intune and staged to collection containing those 2 test machines. For testing purposes, I assigned AV (Defender) policy/Windows 10 Update ring profile to group containing those 2 test machines.

What if I set only some settings in Intune AV policy and not all defined in MECM antimalware policy deployed before to these machines (leaving as not configured)? I assume that settings defined in Intune AV policy will take precedence over same settings defined in MECM antimalware policy in case of the conflict? How to check if test machine got Defender definition updates from "Intune"?

Regarding Windows 10 Update Rings, physical test machine got quality/feature updates and now is running Windows 10 2004 while on virtual test machine nothing happened - it is still at 1809 and quality updates for 1809 were not automatically installed. My idea is to achieve automatic installation of quality updates after some deadline with version staying at 1809.

Any help would be appreciated.

7 answers

Bojan Zivkovic 461 Reputation points

2020-12-20T16:21:21.68+00:00

I checked on both machines and NoAutoUpdate is set as 1. These 2 machines are in same OU so same GPOs are being applied to them - simply on VM update to 2004 is not happening. As I said before, my idea is to achieve automatic installation of quality updates after some deadline with version staying at 1809. Here obviously I did not "prevent" feature update happening on physical system.

We want to use Intune to manage/deploy windows 10 quality updates/windows defender definition updates/bitlocker on laptops only.
Please sign in to rate this answer.
Crystal-MSFT 49,436 Reputation points Microsoft Vendor

2020-12-21T06:07:25.12+00:00

@Bojan Zivkovic , When both Windows 10 Group policy and Intune MDM policy are applied to the same device, Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM. Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.
https://uem4all.com/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
Note: Non-Microsoft link, just for the reference.

For our issue, we can choose one of the following suggestions:

Remove the GPO and let the the Intune MDM policy to take effect.

Add Policy CSP setting called ControlPolicyConflict and set Microosft Intune MDM policy with high preference.

Hope it can help.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Bojan Zivkovic 461 Reputation points

2020-12-21T10:07:47.117+00:00

Still do not get why one machine was upgraded to 2004 and one not - same OU, same GPOs, same MECM collection, both being co-managed as pilot devices ... Only difference one being physical and other virtual which should be irrelevant of course.

Yes, I know about that setting needed if you want to be sure MDM policy will take precedence over GPO policy in case of the conflict.
Please sign in to rate this answer.
Crystal-MSFT 49,436 Reputation points Microsoft Vendor

2020-12-22T02:32:18.797+00:00

@Bojan Zivkovic , Thanks for the reply. To know the reason, this detailed log analysis is needed. As Q&A is not the best channel to do this, we suggest to open case via the steps in the following link:
https://learn.microsoft.com/en-us/mem/get-support

Thanks for the understanding.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Intune & MECM Co-management

7 answers

Your answer