After Removing GPO, Intune Policies Not Applying
Part of our fleet remains Entra Hybrid Join (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO based security baselines for Entra Hybrid Joined devices and let Intune push security settings for the baseline instead.
Here’s the expected behavior:
Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied.
When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by group policy are applied.
The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.
However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.
Here’s what I’ve done to try to fix this:
Make a copy of the existing baseline with a new name and assign it to the computers, unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.
Change a single setting in the baseline hoping the change triggers the whole configuration reapplying. The endpoint only applies the changed setting; other settings in the baseline do not get applied.
Unassign the baseline entirely, wait for the computer to sync and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they’re not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can’t negotiate the timing on this for our whole fleet of computers.
Apply the policy that makes MDM policies take precedence over GPOs. This did not work.
Here’s what we’re not willing to try (I’m preempting some of Microsoft’s usual boilerplate responses):
We will not reset the computers – there are too many for this to be a scalable solution.
We will not unjoin and rejoin the computers from MDM – there are too many for this to be a scalable solution.
While I’m tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.
Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don’t think this is something that will be resolved with time.
Any advice would be greatly appreciated!
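A per-endpoint diagnostic for the symptom described above (the MDM client reports a setting as applied while the effective policy value on the device is missing), as an added example that is not part of the original post and not Microsoft tooling. It reads the MDM client's own policy store under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, reports whether MDMWinsOverGP is present there, and compares what the MDM store holds for a few baseline settings against the registry location where the effective policy value lives. The $Checks table is an assumption for illustration; the area, setting and registry mappings in it should be replaced with the ones from the baseline actually deployed, taken from the Policy CSP reference for each setting.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# PowerShell session on one affected Entra Hybrid Joined device.
# Assumption: the MDM client's "current" policy store lives under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.

$MdmPolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

function Get-MdmCurrentValue {
    # Value the MDM client believes it has applied for Area/Setting, or $null.
    param([string]$Area, [string]$Setting)
    $key = Join-Path $MdmPolicyRoot $Area
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    if (-not ($item.PSObject.Properties.Name -contains $Setting)) { return $null }
    return $item.$Setting
}

function Get-EffectiveValue {
    # Value at the registry location the setting is enforced from, or $null.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Is the "MDM wins over GP" policy present in the MDM store at all?
$mdmWins = Get-MdmCurrentValue -Area 'ControlPolicyConflict' -Setting 'MDMWinsOverGP'
if ($null -eq $mdmWins) { $mdmWinsText = '<not set>' } else { $mdmWinsText = $mdmWins }
Write-Output ("MDMWinsOverGP in MDM current store: {0}" -f $mdmWinsText)

# 2. Sample settings to compare. ASSUMED mappings for illustration only;
#    replace with the areas/settings from your own baseline and confirm the
#    effective registry location of each one in the Policy CSP documentation.
$Checks = @(
    @{ Area = 'DeviceGuard'
       Setting = 'EnableVirtualizationBasedSecurity'
       EffectivePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
       EffectiveName = 'EnableVirtualizationBasedSecurity' }
    @{ Area = 'LocalPoliciesSecurityOptions'
       Setting = 'UserAccountControl_RunAllAdministratorsInAdminApprovalMode'
       EffectivePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       EffectiveName = 'EnableLUA' }
)

$results = foreach ($c in $Checks) {
    $mdm = Get-MdmCurrentValue -Area $c.Area -Setting $c.Setting
    $eff = Get-EffectiveValue -Path $c.EffectivePath -Name $c.EffectiveName

    # Classify the state so the symptom from the post stands out:
    # "MdmClaimsApplied_NoEffectiveValue" is the case where Intune reports
    # success but nothing is actually enforced on the endpoint.
    if ($null -eq $mdm -and $null -eq $eff) { $state = 'NeitherSet' }
    elseif ($null -ne $mdm -and $null -eq $eff) { $state = 'MdmClaimsApplied_NoEffectiveValue' }
    elseif ($null -eq $mdm -and $null -ne $eff) { $state = 'EffectiveValueOnly_ProbablyGpoResidue' }
    elseif ("$mdm" -eq "$eff") { $state = 'Consistent' }
    else { $state = 'Mismatch' }

    [pscustomobject]@{
        Area           = $c.Area
        Setting        = $c.Setting
        MdmStoreValue  = $mdm
        EffectiveValue = $eff
        State          = $state
    }
}

$results | Format-Table -AutoSize

# 3. If any row shows MdmClaimsApplied_NoEffectiveValue, capture the MDM client
#    logs from the same device for comparison with the Intune portal's report.
#    (mdmdiagnosticstool.exe ships with Windows; the output path is a placeholder.)
# mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning" -cab "C:\Temp\mdm-diag.cab"
```

The interesting rows are those where the MDM store holds a value but the effective location is empty: that is the exact gap between "Intune says applied" and "nothing enforced" that the post describes, and a row-by-row table from a handful of devices gives a support engineer something concrete to compare against the Intune per-setting report. Rows tagged as probable GPO residue point the other way, at a Group Policy value that was tattooed and not cleaned up when the GPO was unlinked.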