Policy CSP - ControlPolicyConflict
MDMWinsOverGP
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
If set to 1 then any MDM policy that's set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies.
Note
MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the Defender CSP. As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
Note
In Windows 10 version 1803, this policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1.
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
- GP settings that correspond to MDM applied settings aren't conflicting
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
The Policy DDF contains the following tags to identify the policies with equivalent GP:
- <MSFT:ADMXBacked>
- <MSFT:ADMXMapped>
- <MSFT:GPRegistryMappedName>
- <MSFT:GPDBMappedName>
For the list MDM-GP mapping list, see Policies in Policy CSP supported by Group Policy.
The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to Settings > Accounts > Access work or school > and then click the desired work or school account. Scroll to the bottom of the page to Advanced Diagnostic Report and then click Create Report.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 0 |
Allowed values:
Value | Description |
---|---|
0 (Default) | . |
1 | The MDM policy is used and the GP policy is blocked. |