
Planning Around Group Policy When Using Windows Intune

Updated: December 17, 2012

Applies To: Windows Intune

Because some configurations that are managed by Windows Intune are also managed by Group Policy, policy application conflicts can occur on computers that are targeted by both systems. This topic describes recommended methods to avoid policy conflicts.

Planning for Deployment in Enterprises that Are Managed by Using Group Policy

Windows Intune offers policy management functionality in the Policy workspace. Policy management, as implemented in this release of Windows Intune, is not connected to Group Policy. Although the two policy management systems serve the same purpose, their scopes of management vary, and they operate independently in this release of Windows Intune.

Domain-level Group Policy typically takes precedence over Windows Intune policy, unless a domain-joined client computer cannot connect to the domain controller. If connectivity to the domain controller is unavailable, Windows Intune policy is applied to the client computer.

Important
To ensure that computers enrolled in Windows Intune receive the updates that an administrator has approved in the Windows Intune administrator console, the Windows Server Update Services (WSUS) Group Policy setting Specify intranet Microsoft update service location is not applied to computers that are registered with Windows Intune.

To avoid policy conflicts that can occur from having competing policy management systems, we recommend that administrators who deploy the Windows Intune client software make sure that client computers that are managed by Windows Intune policy are not also receiving direction from Group Policy for the same configuration settings.

The following three deployment options can help you prevent policy management problems on client computers that you want to manage by using Windows Intune.

Option 1: Isolate service-enrolled computers from Group Policy by moving them to a new organizational unit

If it is possible, restructure the organizational unit (OU) hierarchy to isolate Windows Intune-enrolled computers into one or more separate OUs that are not modifiable by conflicting Group Policy settings. Organizing the OU hierarchy in this manner simplifies policy management to allow the Windows Intune OUs to be targeted only by specific policy settings.

Before you install the Windows Intune client software in your enterprise, create or move client computers that you want to manage by using Windows Intune into an OU that satisfies conditions described in this section.

For more information about how to create an OU on domain controllers that are running Windows Server 2003, see Create a New Organizational Unit on the Microsoft website. For more information about how to create an OU on domain controllers that are running Windows Server 2008, see Create a New Organizational Unit on the Microsoft website.

Block Group Policy inheritance on OUs that contain computers enrolled in Windows Intune to which you do not want to apply Group Policy settings. Then make sure that the Enforce setting is disabled for the Group Policy Objects (GPOs) of the parent OU or domain.

To block Group Policy inheritance on an OU

  1. Open the Group Policy Management console.

  2. In the console tree, expand the forest that contains the OU of client computers that you want to manage by using Windows Intune.

  3. Expand the domain, and any additional subordinate nodes, to locate the OU.

  4. Right-click the OU, and then click Block Inheritance.
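The same result from PowerShell, as an added example that is not part of the original topic: it blocks inheritance on the OU with the GroupPolicy module and then checks for the second half of the recommendation above, that no parent GPO link is still marked Enforce (an enforced link is applied even when inheritance is blocked). The OU distinguished name is a placeholder; the module ships with the Group Policy Management RSAT feature.

```powershell
# Added example, not from the original topic. Requires the GroupPolicy module
# (Group Policy Management feature) and rights to edit the OU's GPO links.
Import-Module GroupPolicy

$intuneOu = "OU=Windows Intune Computers,DC=contoso,DC=com"   # placeholder DN

# Equivalent of "Right-click the OU, and then click Block Inheritance".
Set-GPInheritance -Target $intuneOu -IsBlocked Yes | Out-Null

# Block Inheritance does not stop GPOs whose link is set to Enforce, so list
# every link that still reaches the OU and flag the enforced ones.
$inheritance = Get-GPInheritance -Target $intuneOu
"Inheritance blocked on {0}: {1}" -f $intuneOu, $inheritance.GpoInheritanceBlocked

$enforced = $inheritance.InheritedGpoLinks | Where-Object { $_.Enforced }
if ($enforced) {
    "Enforced GPO links that still apply despite the block (review these):"
    foreach ($link in $enforced) {
        "  {0}  (linked at {1})" -f $link.DisplayName, $link.Target
        # To honour the topic's guidance, clear Enforce on the parent link:
        # Set-GPLink -Name $link.DisplayName -Target $link.Target -Enforced No
    }
} else {
    "No enforced GPO links reach this OU."
}
```

Run it as a user who can modify the OU; the Set-GPLink line is left commented out because clearing Enforce on a domain-level link changes policy for every other OU under that link and should be a deliberate decision.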

Option 2: Filter existing Group Policy Objects to avoid conflicts with service-enrolled computers

Identify Group Policy Objects (GPOs) with settings that can conflict with Windows Intune, and then for those GPOs, use either of the following filtering methods to restrict those GPOs only to computers that are not managed by using Windows Intune.

  • Use WMI filters. WMI filters selectively apply GPOs to computers that satisfy the conditions of a query. To apply a WMI filter, deploy a WMI class instance to all computers in the enterprise before you enroll any computers in the Windows Intune service.

    To apply WMI filters to a GPO

    1. Create a management object file by copying and pasting the following into a text file, and then saving it to a convenient location as WIT.mof. The file contains the WMI class instance that you deploy to computers that you want to enroll in the Windows Intune service.

      //Beginning of MOF file.
      #pragma classflags("forceupdate")
      // Create the root\WindowsIntune namespace that the WMI filters query.
      #pragma namespace ("\\\\.\\Root")
      instance of __Namespace
      {
         Name = "WindowsIntune";
      };
      
      // Define the marker class inside the new namespace.
      #pragma namespace ("\\\\.\\Root\\WindowsIntune")
      [ 
         Description("This class defines Windows Intune common properties")
      ]
      class WindowsIntune_ManagedNode
      {
         [ read, Description("This defines whether Windows Intune Policy is enabled"): DisableOverride ToSubClass ]
         boolean WindowsIntunePolicyEnabled;
         [ read, key, Description("This property defines the version." "Example: 1.0"): ToSubClass ]
         string Version;
      };
      
      // The single instance that the WMI filter queries match against.
      instance of WindowsIntune_ManagedNode
      {
         Version = "1.0";
         WindowsIntunePolicyEnabled = 1;
      };
      
    2. Use either a startup script or Group Policy to deploy the file. The following is the deployment command for the startup script. The MOFCOMP command is typically located in C:\Windows\System32\Wbem. The WMI class instance must be deployed before you enroll client computers in the Windows Intune service.

      MOFCOMP <path to MOF file>\wit.mof

    3. Create either of the following WMI filters, depending on whether the GPO you want to filter applies to computers that are managed by using Windows Intune or to computers that are not managed by using Windows Intune.

      • For GPOs that apply to computers that are not managed by using Windows Intune, use the following:

        Namespace:root\WindowsIntune
        Query:  SELECT WindowsIntunePolicyEnabled FROM WindowsIntune_ManagedNode WHERE WindowsIntunePolicyEnabled=0
        
      • For GPOs that apply to computers that are managed by Windows Intune, use the following:

        Namespace:root\WindowsIntune
        Query:  SELECT WindowsIntunePolicyEnabled FROM WindowsIntune_ManagedNode WHERE WindowsIntunePolicyEnabled=1
        
    4. Edit the GPO in the Group Policy Management console to apply the WMI filter that you created in the previous step.

      • For GPOs that should apply only to computers that you want to manage by using Windows Intune, apply the filter WindowsIntunePolicyEnabled=1.

      • For GPOs that should apply only to computers that you do not want to manage by using Windows Intune, apply the filter WindowsIntunePolicyEnabled=0.

    For more information about how to apply WMI filters in Group Policy, see Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences.
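A client-side script for steps 2 and 3 of the procedure above, added here as an example that is not part of the original topic: it compiles WIT.mof with MOFCOMP only when the class instance is not already present (so it is safe as a repeating startup script), then evaluates both WQL queries from step 3 locally so you can confirm which filter a given computer would match before you link the filter to a GPO. The MOF share path is a placeholder; Get-WmiObject is used rather than Get-CimInstance so the script also runs on PowerShell 2.0.

```powershell
# Added example, not from the original topic. Run elevated on the client
# (for example as a computer startup script). $mofPath is a placeholder.
$mofPath = "\\fileserver\deploy\WIT.mof"
$mofcomp = Join-Path $env:SystemRoot "System32\Wbem\mofcomp.exe"
$ns      = "root\WindowsIntune"

# Compile the MOF only if the marker instance does not exist yet.
$existing = Get-WmiObject -Namespace $ns -Class "WindowsIntune_ManagedNode" -ErrorAction SilentlyContinue
if (-not $existing) {
    & $mofcomp $mofPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE" }
    "Deployed WindowsIntune_ManagedNode from $mofPath"
} else {
    "WindowsIntune_ManagedNode already present (Version {0}, PolicyEnabled {1})" -f `
        $existing.Version, $existing.WindowsIntunePolicyEnabled
}

# Evaluate the same queries the two WMI filters use. A GPO filtered with a
# query that returns no rows is not applied to this computer.
$queries = @(
    @{ Filter = "Managed by Windows Intune (=1)"
       Query  = "SELECT WindowsIntunePolicyEnabled FROM WindowsIntune_ManagedNode WHERE WindowsIntunePolicyEnabled=1" },
    @{ Filter = "Not managed by Windows Intune (=0)"
       Query  = "SELECT WindowsIntunePolicyEnabled FROM WindowsIntune_ManagedNode WHERE WindowsIntunePolicyEnabled=0" }
)
foreach ($q in $queries) {
    $rows = @(Get-WmiObject -Namespace $ns -Query $q.Query -ErrorAction SilentlyContinue)
    "{0,-40} {1}" -f $q.Filter, $(if ($rows.Count -gt 0) { "MATCH" } else { "no match" })
}
```

One caveat worth checking with this script: a computer on which the root\WindowsIntune namespace was never created matches neither query, so a GPO filtered with the WindowsIntunePolicyEnabled=0 filter is not applied to it either. If you rely on the =0 filter, those computers also need a copy of the MOF whose instance sets WindowsIntunePolicyEnabled to 0.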

  • Use security group filters. Group Policy lets you apply GPOs to only those security groups specified in the Security Filtering area of the Group Policy Management console for a selected GPO. By default, GPOs apply to Authenticated Users. In the Active Directory Users and Computers snap-in, create a new security group that contains the computer and user accounts that you do not want to manage by using Windows Intune. For example, the group can be named Not In Windows Intune. In the Group Policy Management console, on the Delegation tab for the selected GPO, right-click the new security group to delegate the appropriate Read and Apply Group Policy permissions to both users and computers in the security group. (Apply Group Policy permissions are available in the Advanced dialog box.) Then apply the new security group filter to the selected GPO, and remove the Authenticated Users default filter. The new security group must be maintained as enrollment in the Windows Intune service changes.
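The security-group filtering described above scripted with the ActiveDirectory and GroupPolicy modules, as an added example that is not part of the original topic. The GPO name, the group's OU and the source OU of non-enrolled computers are placeholders; the group name Not In Windows Intune is the one the topic uses. GpoApply includes Read, which is what the Delegation tab grants by hand.

```powershell
# Added example, not from the original topic. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT) and rights to edit the GPO's permissions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName    = "Workstation Baseline"                 # placeholder: a GPO that conflicts with Windows Intune policy
$groupName  = "Not In Windows Intune"                # group name from the topic
$groupPath  = "OU=Groups,DC=contoso,DC=com"          # placeholder OU that holds the group
$notEnrolled = "OU=Not Enrolled,DC=contoso,DC=com"   # placeholder OU of computers that stay on Group Policy

# 1. Create the group once and fill it with everything that must keep receiving
#    the GPO, that is, accounts that are NOT enrolled in Windows Intune.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
}
Get-ADComputer -Filter * -SearchBase $notEnrolled |
    ForEach-Object { Add-ADGroupMember -Identity $groupName -Members $_ }

# 2. Grant Read + Apply Group Policy to the group (GpoApply implies Read) ...
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. ... and remove the default Authenticated Users filter so the GPO no longer
#    reaches Windows Intune-managed computers.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None | Out-Null

# 4. Verify: show every trustee that can still apply the GPO.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    ForEach-Object { "{0}\{1}  {2}" -f $_.Trustee.Domain, $_.Trustee.Name, $_.Permission }
```

Two operational points follow from the last sentence of the bullet above. Steps 1 and 2 must be re-run (or the group membership otherwise kept current) every time a computer is enrolled in or removed from Windows Intune, otherwise enrolled computers keep receiving the GPO. And if your domain controllers have the June 2016 Group Policy security update (MS16-072, a later change not described in this topic), user settings are read under the computer account, so a GPO from which Authenticated Users has been removed also needs Domain Computers granted GpoRead (Set-GPPermission ... -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead) or its user settings stop applying.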

Option 3: Change existing Group Policy Objects to remove conflicting settings

Instead of isolating Windows Intune-enrolled computers, creating new Group Policy Objects (GPOs), or filtering GPOs, you can manually disable specific GPOs—or settings within GPOs—that conflict with Windows Intune policy settings. Set GPOs that will conflict with settings that are applied to Windows Intune-managed computers to Not configured. Then define and deploy Windows Intune policy for those GPOs that are set to Not configured.

Note
If you manage policy conflicts by using this option, GPOs must be analyzed and frequently changed to avoid policy conflicts.
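Because this option depends on repeatedly analysing GPOs, the following added example (not part of the original topic) automates the analysis step: it pulls the XML report of every GPO in the domain and reports which GPOs define a setting that Windows Intune also manages. The list of setting names is a placeholder seeded with the WSUS setting the Important note above refers to; extend it with the display names (as shown in the GPO report) of every setting you deliver through Windows Intune policy.

```powershell
# Added example, not from the original topic. Requires the GroupPolicy module
# and read access to every GPO in the domain.
Import-Module GroupPolicy

# Setting names exactly as they appear in Get-GPOReport XML output.
# Placeholder list: add the settings you manage through Windows Intune policy.
$conflictingSettings = @(
    "Specify intranet Microsoft update service location"
)

$findings = foreach ($gpo in Get-GPO -All) {
    # The XML report contains the display name of every configured setting.
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($setting in $conflictingSettings) {
        # Escape the name so characters such as parentheses match literally.
        if ($report -match [regex]::Escape($setting)) {
            New-Object PSObject -Property @{
                GPO     = $gpo.DisplayName
                Id      = $gpo.Id
                Setting = $setting
            }
        }
    }
}

if ($findings) {
    "GPOs that define a setting also managed by Windows Intune (set these to Not configured):"
    $findings | Sort-Object GPO, Setting | Format-Table GPO, Setting, Id -AutoSize
} else {
    "No GPO defines any of the listed settings."
}
```

Schedule this (for example, weekly) and diff its output against the previous run; a new row means someone has reintroduced a conflicting setting and the GPO needs to be returned to Not configured before the next Windows Intune policy deployment.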
