This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 7.000000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
Hey everybody, I have got a question from my customer which I didn't find answer in Microsoft documents, so I hope I find it here from more experienced guys. If there is a computer enrolled with Intune and he is domain joined as well (I know its kinda contradict itself), and both of the them have password complexity policy (not windows hello from intune), Which one is overtaking over the other?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Porat Arzouan , Based as I know, windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM. On Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy. We can see more details in the following link:
https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp
Meanwhile, share a link I find with a detailed description of this:
https://www.anoopcnair.com/windows-10-mdm-csp-policies-override-group-policy-settings/
Note: Non-Microsoft link, just for the reference.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This is not completely correct. The settings noted, MDMWinsOverGP, only applies to settings configured within the PolicyCSP -- this is clearly called out in the link posted. In this case, assuming that the customer is using the DeviceLock settings, then these are part of the PolicyCSP. However, the MDMWinsOverGP isn't always universally applied to all settings so counting on this behavior is setting yourself up for failure. Additionally, as noted, the DeviceLock settings apply to local accounts only and not domain accounts which is probably not what the customer is concerned about.
I know its kinda contradict itself
Not at all. This is perfectly valid.
Which one is overtaking over the other?
This is undefined and non-deterministic to my knowledge. The best path is to choose one or the other although keep in mind that the policy in Intune is for local device accounts only and does not impact domain accounts so they may not actually have a conflict here.