Windows Intune and Group Policy

Windows Intune and Group Policy

  • Comments 2
  • Likes

Windows Intune provides the ability for IT administrators to configure specialized set of settings through the Policy workspace. These settings support configuring the Windows Intune agents and some Windows components, specifically the:

 

·         Windows Update agent

·         Windows Intune Malware Protection agent

·         Windows Intune Tools launcher application

·         Windows Firewall

 

Policy management is a complex area. In this first release of Windows Intune our goal is to use it only to:

1.      Simplify the process of creating standard settings for Windows Intune managed computers.

2.      Maintain our own 'backyard', by focusing on configuring the agents that the Windows Intune deploys

3.      Enable you to centrally configure the Windows firewall settings

4.      And finally, to get feedback from users like you that will allow us to add the features you want to see!

 

 

Some of these settings, such as Windows firewall and update settings, can conflict with the policy settings in the Group Policy Objects (GPO’s) you create with Group Policy. Windows Intune is designed to let Group Policy 'win' when such conflicts occur. Why? Because Group Policy is the industry standard policy management system for Windows, and it allows you to do more by way of policy management than Windows Intune currently does. If you are using Group Policy in your environment currently the chances are you are using it for more than the settings that Windows Intune can control. Therefore, we have ensured that your Group Policy settings are preserved even if a Windows Intune administrator sets conflicting settings in the Windows Intune service.

 

So what can you do if you want to make sure your Windows Intune policies take effect on your computers, even if you are also using Group Policy? Well you can do one of several things:

1.      Review your GPOs for settings that can conflict with those in Windows Intune policies, such as Automatic Update options and Windows Firewall settings, and set them to 'Not configured'. By doing this you are essentially instructing Group Policy to leave these settings alone so that another 'policy authority', such as Windows Intune, can configure them. If you have a small number of GPOs in your environment, this might be the easiest option.

2.      Create a separate Organization Unit (OU) for all the computers you wish to manage through Windows Intune and block this OU from inheriting the GPOs from its parent OUs. And then you can specifically link those GPOs that you know will not conflict with Windows Intune policies with the OU you just created.

3.      Create a security group containing all computers that you do not want to manage through Windows Intune, and apply a security filter to those GPOs that you know will conflict with Windows Intune settings. For more information review the following TechNet page: Security filtering using GPMC

4.      Leverage WMI filters to selectively apply GPOs to computers that are either managed only by Windows Intune or managed only by Group Policy. The Windows Intune online help illustrates one way to create this WMI filter. Note that you may use other filters that suit your need - for example, if you had Windows Intune deployed only to machines running Windows 7, you can use the query "select * from Win32_OperatingSystem where Caption like '%Windows 7%'" in the WMI filter. For more information review the following TechNet page: WMI filtering using GPMC

 

Written by TVG Prabhu, Test Lead with the Windows Intune Team

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • hi,

    there are not all tha tmany policy settings in InTune.  Would it be possible for you to identify specifically which GPOs are likley to conflict with the InTune policies?

    thx

  • I have conflicts with the default GPO's created by the Small Business Server 2011 installation.  I understood that Windows InTune management was the "desired evolution" from SBS management, especially for hybrid sites.  I expected that the Windows InTune Team could delineate the specific steps for configuring the GPO's to resolve the conflict on a default installation of SBS on a much more granular level.