This document mentions that MDMWinsOverGP is applicable only to settings in the Policy CSP. So I tried Firewall CSP settings as follows:
GPO -> Firewall = Disabled
Intune -> Firewall = Enabled
MDMWinsOverGP = 1
Result: Firewall gets enabled, which is the Intune value.
But as per the documentation, MDMWinsOverGP should not work for non-Policy CSP settings; in my analysis, it is working.
Any updates on this?
This is an interesting one. If you go to the Firewall CSP docs.microsoft.com page and look at '/EnableFirewall', it reads:
"The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. Default value is true."
As you have a GPO to disable it and the policy looks at the resultant GPO policy and respects that, you'd expect it to stay disabled. Unless this is out of date and non-Policy CSPs can have tags linked to a GPO such as GP path and GP name?
I used this GPO path in the above example: Computer config -> Windows setting -> Security setting -> Windows Defender Firewall with Advanced Security.
And a conflict might not have happened, so the system took the Intune value.
Can anybody clarify this?
Hello @yogeshasalkar,
Yes, the note could be outdated (it was added by this PR two years ago), and it looks like MDMWinsOverGP works not only for the Policy CSP.
According to MMAT Policy Mapping documentation, three CSPs contain MDM equivalents of GP: Policy, Firewall and Bitlocker.
Dear @ManikaDhiman, could you please confirm that MDMWinsOverGP would affect all three CSPs above?
Thank you
Hi @mypil, the product team is currently reviewing this issue. I will update the doc as soon as I get any update. Thanks!
@yogeshasalkar, can you provide a dump of hklm\software\microsoft\MDMWinsOverGP?
You gave us the high-level steps that set the GPO value, but could you be more specific with the details?
Could you supply the Firewall CSP syncml you used?
@yogeshasalkar, do you see the following behavior even if you don't set MDMWinsOverGP to 1?
GPO -> Firewall = Disabled
Intune -> Firewall = Enabled
MDMWinsOverGP = 1
Result: Firewall gets enabled, which is the Intune value.
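The thread asks for a dump of the MDMWinsOverGP registry key and for details of which store actually holds the firewall setting. The script below is an added example (not from the thread, Microsoft or Intune) that collects that evidence on one device: the HKLM\SOFTWARE\Microsoft\MDMWinsOverGP key named above, the firewall profile state as seen in the GPO RSoP store, the local persistent store and the effective active store, and the GPO-backed and Policy-CSP-backed registry locations. The PolicyManager and Policies\Microsoft\WindowsFirewall paths are assumptions about where those values normally land, not values from the thread; run it elevated on a Windows 10/11 device with the NetSecurity module.

```powershell
# Added diagnostic example for the MDMWinsOverGP / Firewall CSP question in this thread.
# Assumptions (not from the thread): the registry paths marked "assumed" below are the
# usual locations for Policy CSP and GPO firewall values; the machine has the
# NetSecurity module (Get-NetFirewallProfile) and the script runs as administrator.

function Get-RegistryDump {
    param([string]$Path)
    # Returns the value names/data under $Path, or $null when the key does not exist.
    if (-not (Test-Path $Path)) { return $null }
    Get-ItemProperty -Path $Path | Select-Object * -ExcludeProperty PS*
}

function Get-FirewallStoreState {
    param([string]$Store)
    # Reads the per-profile Enabled flag from one policy store. RSOP is only
    # populated when Group Policy has applied firewall settings, so failures are
    # reported rather than thrown.
    try {
        Get-NetFirewallProfile -PolicyStore $Store -ErrorAction Stop |
            Select-Object Name, Enabled
    } catch {
        "error: $($_.Exception.Message)"
    }
}

$report = [ordered]@{}

# 1. The key the thread asks for a dump of (exists only if the conflict logic has run).
$report.MDMWinsOverGP_Key = Get-RegistryDump 'HKLM:\SOFTWARE\Microsoft\MDMWinsOverGP'

# 2. Whether the Policy CSP setting itself is present (assumed PolicyManager layout).
$report.ControlPolicyConflict = Get-RegistryDump `
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

# 3. GPO-backed firewall value for the domain profile (assumed Policies path).
$report.GPO_DomainProfile = Get-RegistryDump `
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# 4. Firewall state per store: RSOP = what GPO says, PersistentStore = local config,
#    ActiveStore = what is actually enforced right now.
foreach ($store in 'RSOP', 'PersistentStore', 'ActiveStore') {
    $report["Firewall_$store"] = Get-FirewallStoreState -Store $store
}

# 5. Quick verdict for the domain profile: does the enforced value match the RSoP store?
$rsop   = $report.Firewall_RSOP
$active = $report.Firewall_ActiveStore
if ($rsop -is [array] -and $active -is [array]) {
    $rsopDomain   = ($rsop   | Where-Object Name -eq 'Domain').Enabled
    $activeDomain = ($active | Where-Object Name -eq 'Domain').Enabled
    $report.DomainProfileVerdict = if ($rsopDomain -eq $activeDomain) {
        "GPO (RSoP) value won: Enabled=$activeDomain"
    } else {
        "Effective value ($activeDomain) differs from RSoP ($rsopDomain): another source won"
    }
}

$report | ConvertTo-Json -Depth 4
```

Attach the JSON output to a report like the one above together with the Intune profile you used; the Firewall_RSOP versus Firewall_ActiveStore comparison is what shows whether the documented "GroupPolicyRSoPStore wins if configured" merge law held on that device, and an empty MDMWinsOverGP key on a device where Intune's value won is itself a useful data point.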
Contrary to @yogeshasalkar, we find that when the firewall is disabled through GPO and Intune is set to enable the firewall (domain profile), even with MDMWinsOverGP=1 the firewall remains disabled, therefore reinforcing the documentation...
So, what's the verdict on this one? Should it work, or is what I describe expected behavior?
I wish @tc-mivh's question had been answered. I also wish this docs page was physical paper so I could tear it up. It is hard not to get frustrated when you see the documentation left unclarified and uncertain even within Microsoft. Might as well not even have this Policy CSP setting, since nobody knows for certain how it's supposed to work, or how it actually does work.