finding the source of GPO application

Steven Stanley 1 Reputation point
2021-11-08T00:49:31.98+00:00

We have a Hybrid setup with Azure AD and local AD synchronized. I'm relatively new to Azure domain management, but reasonably experienced with local Domains.

I have the situation where a policy is being applied which is blocking Windows Update on more than one client, however I cannot find the source of the policy - it is not in local as far as I can tell by checking the (few) policies there - and Group Policies seem remarkably hard to find anywhere in the Azure tenancy online.

I've poked about at length and cannot find anywhere that looks like group policy management in Azure.

Groups don't show policies applied, devices don't show policies applied, Endpoint Management appears to be first run "Welcome to Azure!".

Checking the documentation seems to suggest that I'm supposed to create a whole new Azure Windows Server VM and join it to the domain, then load RSAT to get gpedit just to do policy management which doesn't sound right to me, especially if I have to pay for the VM.

I know the local policies don't sync with AD Sync. This is a long existing tenancy, which had a lack of endpoint management which I'm trying to rectify.

I've configured local policies to activate Windows update, however the other setting appears to be blocking them. NB the existing setup is not at all a complicated GPO setup, basic drive mounting, some password policies and Windows update policies.

I need two things:

  1. Where can I see the current policies being applied by Azure to my devices/users?
  2. How can I interrogate the local client computer and get information about the source of the policies applied - i.e. which ones are from the local domain, and which ones are from the Azure AD policy (and ideally which aspect of Azure I might find these in, seeing as Endpoint Manager appears to have never been used)?

Obviously having a policy you cannot find blocking Windows updates on your clients is unacceptable. I can't continue to bring devices under management until I sort this issue.

Thanks in advance


1 answer

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-11-09T11:55:18.793+00:00

    @Steven Stanley It looks like your devices got auto-enrolled to Microsoft Endpoint Manager (formerly Microsoft Intune) and some policies are being applied from there when you did a hybrid Azure AD join.

    The auto-enrollment into Intune setting can be found at: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#set-up-windows-automatic-enrollment

    Coming to your questions:

    1) On a Windows 10 machine, go to Settings - Accounts - Access work or school account. Click on the registered account that you see and then click on Info. That will show all the policies and applications coming from Microsoft Intune.

    2) Create the Advanced Diagnostic Report from the same page after clicking Info; it will show you the authority of the policy coming down.
    Use this link to find the place where you need to export it from.


    Do let me know if this helps, we can discuss further if you need something else.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

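For the second question (telling on-premises GPO settings apart from Intune/MDM settings on the client itself), the following PowerShell script is an added example, not part of the original answer or any Microsoft tool. It assumes Group Policy writes Windows Update settings under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, that the MDM client writes Policy CSP values under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update`, and that `dsregcmd /status` prints `AzureAdJoined`, `DomainJoined` and `MdmUrl` as `Key : Value` lines.

```powershell
# Added example: attribute each Windows Update policy value on a hybrid-joined
# Windows 10 client to the channel that wrote it (Group Policy vs. MDM/Intune).
# Run from an elevated PowerShell session on the affected client.

function Get-WindowsUpdatePolicySource {
    # Group Policy (ADMX-backed) settings land under HKLM\SOFTWARE\Policies (assumed paths).
    $gpoPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    )
    # The MDM client stores Policy CSP "Update" area values here (assumed path).
    $mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

    $rows = @()
    foreach ($path in ($gpoPaths + $mdmPath)) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            # PolicyManager keeps a "<name>_ProviderSet" companion flag; it is not a policy.
            if ($name -like '*_ProviderSet') { continue }
            $rows += [pscustomobject]@{
                Source = $(if ($path -eq $mdmPath) { 'MDM (Intune)' } else { 'GroupPolicy' })
                Name   = $name
                Value  = $key.GetValue($name)
                Path   = $path
            }
        }
    }
    return $rows
}

function Get-DeviceJoinState {
    # Parse the join/enrollment facts out of dsregcmd /status (assumed "Key : Value" layout).
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$join = Get-DeviceJoinState
'AzureAdJoined={0} DomainJoined={1} MdmUrl={2}' -f $join['AzureAdJoined'], $join['DomainJoined'], $join['MdmUrl']
# A non-empty MdmUrl with AzureAdJoined=YES is the sign of the auto-enrollment described above.
Get-WindowsUpdatePolicySource | Sort-Object Source, Name | Format-Table -AutoSize
```

Any Update value listed under `MDM (Intune)` is being delivered by the enrollment the answer describes, so that is where to look for the setting that blocks updates; values under `GroupPolicy` match what `gpresult /r` attributes to on-premises GPOs.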
