When some computers are managed by both Windows Intune and Group Policy, policy conflicts can occur. Group Policy is given precedence and policy defined in Group Policy is the policy that is effective on the managed computer.
In the current beta of Windows Intune conflict with Group Policy can occur for the settings in the following templates:
- Windows Firewall
- Windows Update Agent
Planning for deployment of Windows Intune Policy in enterprises that are managed by Group Policy
To eliminate overlapping or conflicting policies, the administrator has the following options:
Option 1: Isolate service-enrolled computers from Group Policy by moving them to a new organizational unit (OU): Restructure the organizational unit (OU) hierarchy to isolate Windows Intune-enrolled computers into one or more separate OUs that are not modifiable by conflicting Group Policy settings. Organizing the OU hierarchy in this manner simplifies policy management to allow the Windows Intune OUs to be targeted only by specific policy settings.
Option 2: Filter existing Group Policy objects to avoid conflicts with service-enrolled computers: Identify Group Policy objects (GPOs) with settings that can conflict with Windows Intune, and then for those GPOs, use WMI or security group filtering methods to restrict those GPOs only to computers that are not managed by using Windows Intune.
Option 3: Change existing Group Policy objects to remove conflicting settings: Instead of isolating Windows Intune-enrolled computers, creating new Group Policy objects (GPOs), or filtering GPOs, you can manually disable specific GPOs—or settings within GPOs—that conflict with Windows Intune policy settings. Set GPOs that will conflict with settings that are applied to Windows Intune-managed computers to Not configured. Then define and deploy Windows Intune policy for those GPOs that are set to Not configured. Periodic review and analysis of GPOs must be done to ensure there are no avoid policy conflicts.
More information about these configuration options are detailed in the Online help documentation.
Careful consideration must be given to managing computers using both Windows Intune and Group Policy. If both Windows Intune and Group Policy must be used to manage the same set of computers, then the administrator must take precautions to eliminate the confusion of overlapping or conflicting intent.
Written by Sumanta Nandy, Program Manager on the Windows Intune team