{"id":12420,"date":"2019-09-12T09:48:46","date_gmt":"2019-09-12T16:48:46","guid":{"rendered":"https:\/\/moderneuc.com\/?p=12420"},"modified":"2026-02-18T13:02:25","modified_gmt":"2026-02-18T20:02:25","slug":"transitioning-gpo-to-mdm-policies","status":"publish","type":"post","link":"https:\/\/jorgep.com\/blog\/transitioning-gpo-to-mdm-policies\/","title":{"rendered":"Transitioning GPO to MDM Policies"},"content":{"rendered":"\n<p>Transitioning from traditional Group Policy Objects (GPO) to Modern Device Management (MDM) Policies can be challenging.&nbsp; Some organizations have Group Policies that have been in place for over a decade and which may not be fully inventoried, or often understood.&nbsp; <\/p>\n\n\n\n<p>MDM do not have a 1-1 mapping for all legacy Group Policies.&nbsp; <\/p>\n\n\n\n<p>Microsoft created the MDM Migration Analysis Tool \u2013 aka MMAT &#8211; to help.<br>MMAT will determine which Group Policies have been set for a target user\/computer and cross-reference against its built-in list of supported MDM policies.  MMAT will then generate both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents. <\/p>\n\n\n\n<p>You can find the  <a rel=\"noreferrer noopener\" aria-label=\"MDM Migration Analysis Tool here (opens in a new tab)\" href=\"https:\/\/github.com\/WindowsDeviceManagement\/MMAT\" target=\"_blank\">MDM Migration Analysis Tool here<\/a><\/p>\n\n\n\n<p>According <a rel=\"noreferrer noopener\" aria-label=\"to Microsoft (opens in a new tab)\" href=\"https:\/\/blogs.technet.microsoft.com\/cbernier\/2018\/04\/02\/windows-10-group-policy-vs-intune-mdm-policy-who-wins\/\" target=\"_blank\">to a very good and detailed 2018 Microsoft blog post<\/a>, the following describes which policy wins according to Windows 10 version.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM.<\/li><li>Windows 10 version 1803 and beyond there is a new Policy CSP setting called&nbsp;<strong>ControlPolicyConflict<\/strong>&nbsp;that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.<\/li><li> What happens to the policy if the device is unenrolled from Intune?&nbsp;&nbsp;If applicable, Group Policy will re-apply the policies in this scenario. <\/li><\/ul>\n\n\n\n<p>For more details about the <a rel=\"noreferrer noopener\" aria-label=\"new ControlPolicyConfict settings found here (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/client-management\/mdm\/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp\" target=\"_blank\">new ControlPolicyConfict settings found here<\/a> <\/p>\n\n\n\n<p>Other sources: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Video: <a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/watch?v=oF2ffxWkEwY\" target=\"_blank\">GPOs &amp; Custom Settings Profiles using MMAT and Workspace ONE<\/a>, <\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Transitioning from traditional Group Policy Objects (GPO) to Modern Device Management (MDM) Policies can be challenging.&nbsp; Some organizations have Group Policies that have been in place for over a decade and which may not be fully inventoried, or often understood.&nbsp; MDM do not have a 1-1 mapping for all legacy Group Policies.&nbsp; Microsoft created the&#8230;<\/p>\n","protected":false},"author":2,"featured_media":368520,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","ngg_post_thumbnail":0,"episode_type":"","audio_file":"","podmotor_file_id":"","podmotor_episode_id":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[681,441],"tags":[711,712,726,742,769],"class_list":["post-12420","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-moderneuc2","category-tech-talk","tag-gpo","tag-group-policies","tag-mdm","tag-moderneuc1","tag-uem"],"taxonomy_info":{"category":[{"value":681,"label":"ModernEUC"},{"value":441,"label":"Tech Talk"}],"post_tag":[{"value":711,"label":"GPO"},{"value":712,"label":"Group Policies"},{"value":726,"label":"MDM"},{"value":742,"label":"ModernEUC"},{"value":769,"label":"UEM"}]},"featured_image_src_large":["https:\/\/jorgep.com\/blog\/wp-content\/uploads\/GPOvsMDM-FeaturedImage-730x430-updraft-pre-smush-original.jpg",730,430,false],"author_info":{"display_name":"Jorge Pereira","author_link":"https:\/\/jorgep.com\/blog\/author\/jorge\/"},"comment_info":0,"category_info":[{"term_id":681,"name":"ModernEUC","slug":"moderneuc2","term_group":0,"term_taxonomy_id":691,"taxonomy":"category","description":"","parent":0,"count":261,"filter":"raw","cat_ID":681,"category_count":261,"category_description":"","cat_name":"ModernEUC","category_nicename":"moderneuc2","category_parent":0},{"term_id":441,"name":"Tech Talk","slug":"tech-talk","term_group":0,"term_taxonomy_id":451,"taxonomy":"category","description":"","parent":0,"count":671,"filter":"raw","cat_ID":441,"category_count":671,"category_description":"","cat_name":"Tech Talk","category_nicename":"tech-talk","category_parent":0}],"tag_info":[{"term_id":711,"name":"GPO","slug":"gpo","term_group":0,"term_taxonomy_id":721,"taxonomy":"post_tag","description":"","parent":0,"count":2,"filter":"raw"},{"term_id":712,"name":"Group Policies","slug":"group-policies","term_group":0,"term_taxonomy_id":722,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":726,"name":"MDM","slug":"mdm","term_group":0,"term_taxonomy_id":736,"taxonomy":"post_tag","description":"","parent":0,"count":29,"filter":"raw"},{"term_id":742,"name":"ModernEUC","slug":"moderneuc1","term_group":0,"term_taxonomy_id":752,"taxonomy":"post_tag","description":"","parent":0,"count":284,"filter":"raw"},{"term_id":769,"name":"UEM","slug":"uem","term_group":0,"term_taxonomy_id":779,"taxonomy":"post_tag","description":"","parent":0,"count":47,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/12420","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/comments?post=12420"}],"version-history":[{"count":1,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/12420\/revisions"}],"predecessor-version":[{"id":518879,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/12420\/revisions\/518879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media\/368520"}],"wp:attachment":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media?parent=12420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/categories?post=12420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/tags?post=12420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}