Koolitus
Moodul
Implement device compliance policies - Training
This module describes how to use compliance and conditional access policies to help protect access to organizational resources.
Policy CSP - ControlPolicyConflict
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
Device
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
If set to 1 then any MDM policy that's set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies.
Märkus
MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the Defender CSP. As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
Märkus
In Windows 10 version 1803, this policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1.
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
- GP settings that correspond to MDM applied settings aren't conflicting
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
The Policy DDF contains the following tags to identify the policies with equivalent GP:
- <MSFT:ADMXBacked>
- <MSFT:ADMXMapped>
- <MSFT:GPRegistryMappedName>
- <MSFT:GPDBMappedName>
For the list MDM-GP mapping list, see Policies in Policy CSP supported by Group Policy.
The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to Settings > Accounts > Access work or school > and then click the desired work or school account. Scroll to the bottom of the page to Advanced Diagnostic Report and then click Create Report.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | . |
| 1 | The MDM policy is used and the GP policy is blocked. |
Lisaressursid
Dokumentatsioon
-
Deploy OMA-URIs to target a CSP through Intune, and a comparison to on-premises - Intune
This article describes the significance of CSPs, Open Mobile Alliance – Uniform Resources (OMA-URIs), and how custom mobile device management (MDM) policies are delivered to a Windows 10-based device with Microsoft Intune.
-
Learn more about the System Area in Policy CSP.
-
Learn more about the DeviceLock Area in Policy CSP.