Planning for Deployment of Windows Intune in Enterprises That Are Managed by Using Group Policy

Because some configurations that are managed by Windows Intune are also managed by Group Policy, policy application conflicts can occur on computers that are targeted by both systems. This topic describes recommended methods to avoid policy conflicts.

Windows Intune offers policy management functionality in the Policy workspace. Policy management, as implemented in this release of Windows Intune, is not connected to Group Policy. Although the two policy management systems serve the same purpose, their scopes of management vary, and they operate independently in this release of Windows Intune.

Domain-level Group Policy typically takes precedence over Windows Intune policy, unless a domain-joined client computer cannot connect to the domain controller. If connectivity to the domain controller is unavailable, Windows Intune policy is applied to the client computer.

Important

To ensure that Windows Intune computers receive the updates that have been approved by the administrator in the Windows Intune administrator console, the following Windows Server Update Services (WSUS) Group Policy setting must not be applied to computers that have been registered with Windows Intune: Specify intranet Microsoft update service location.

To avoid policy conflicts that can occur from having competing policy management systems, we recommend that administrators who deploy the Windows Intune client software make sure that client computers that are managed by Windows Intune policy are not also receiving direction from Group Policy for the same configuration settings.
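One way to check a client for the WSUS setting named in the Important note above, shown as an added example rather than part of the Windows Intune documentation. The function name Get-WsusPolicyState is hypothetical; the registry values are the ones the Specify intranet Microsoft update service location policy writes.

```powershell
# Added example: report whether the Group Policy setting
# "Specify intranet Microsoft update service location" is applied on this computer.
# The setting writes WUServer and WUStatusServer under the WindowsUpdate policy
# key, and UseWUServer under its AU subkey.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Hypothetical helper name, chosen for this example.
function Get-WsusPolicyState {
    [CmdletBinding()]
    param()

    # A missing key means the policy is not configured, so it is not an error.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $server    = if ($wu) { $wu.WUServer } else { $null }
    $status    = if ($wu) { $wu.WUStatusServer } else { $null }
    $useServer = if ($au) { $au.UseWUServer } else { $null }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $server
        WUStatusServer = $status
        UseWUServer    = $useServer
        # The client is redirected to an intranet update server only when a
        # server is named and UseWUServer is 1.
        PolicyApplied  = [bool]($server -and $useServer -eq 1)
    }
}

$state = Get-WsusPolicyState
$state | Format-List

if ($state.PolicyApplied) {
    Write-Warning "WSUS intranet update location is applied: $($state.WUServer)"
}
```

Run it on a computer that is registered with Windows Intune; a PolicyApplied value of True means Group Policy is still directing that computer to a WSUS server.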

The following three deployment options can help you prevent policy management problems on client computers that you want to manage by using Windows Intune.

Option 1: Isolate service-enrolled computers from Group Policy by moving them to a new organizational unit

Option 2: Filter existing Group Policy Objects to avoid conflicts with service-enrolled computers

Option 3: Change existing Group Policy Objects to remove conflicting settings