Resolving the 'Enable Network Protection' Policy Conflict
Ensuring Compliance with Intune Policies by Overcoming GPO Conflicts
Introduction
In the ongoing effort to improve our organization's cybersecurity posture, I recently set up an Antivirus policy baseline in Intune to address 17 Microsoft Defender recommendations. One of the policies included in this baseline was enabling 'Network Protection' in block mode. This policy is designed to prevent employees from accessing dangerous domains that could host phishing scams, exploit-hosting sites, and other malicious content.
However, after deploying the baseline, I discovered that many client devices were still flagged in Microsoft Defender as exposed for that recommendation, even though Intune reported the policy as successfully applied. This article outlines the steps I took to diagnose and resolve this issue, ensuring that our devices adhered to the intended security configurations.
Identifying the Issue
After deploying the Intune baseline, I performed compliance checks using the following PowerShell command on affected devices:
Get-MpPreference | Select-Object -Property EnableNetworkProtection
The output showed that the EnableNetworkProtection setting was still in Audit mode, contrary to the policy configuration in Intune, which was set to Block mode.
Understanding the Conflict
During my research, I came across information indicating that Group Policy Objects (GPOs) could override Intune policies. This led me to suspect that a GPO might be conflicting with the Intune policy. To confirm this, I examined the GPO settings on an affected device.
Using the Group Policy Management Console (GPMC), I checked the relevant policy paths and discovered that a local GPO was indeed setting the Network Protection policy to Audit mode. This was causing the conflict with the Intune policy.
Implementing the Solution
To resolve this conflict and ensure the Intune policy takes precedence, I utilized the 'MDM Wins Over GP' setting on Intune. This setting allows Mobile Device Management (MDM) policies, such as those configured in Intune, to override conflicting Group Policy settings. Here’s how I implemented the solution:
Navigate to Microsoft Intune admin center.
Go to Devices > Configuration.
Click Create > New Policy.
Select Windows 10 and later as the platform.
Choose Settings catalog for the profile type.
Give the policy a name and click Next.
Click on Add settings and on the Settings picker screen search for ‘control policy conflict’.
Select the Control Policy Conflict category.
Select the MDM Wins Over GP setting and close the Settings picker screen.
On the MDM Wins Over GP drop-down menu select The MDM policy is used and the GP policy is blocked and click Next.
Define the Scope tags.
Define the Assignments.
Click on Create.
Verifying the Solution
After deploying the new configuration policy, I monitored the affected devices to ensure the changes took effect. I reran the Get-MpPreference command and confirmed that the EnableNetworkProtection setting was now correctly configured to Block mode.
Furthermore, Microsoft Defender no longer flagged these devices as exposed on the 'Enable Network Protection' recommendation. This indicated that the conflict had been resolved and the Intune policy was being correctly enforced.
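The diagnosis and verification steps above can be combined into one check. The script below is an added example, not from the original article: it reads the effective Defender value, the value written by the 'Prevent users and apps from accessing dangerous websites' Group Policy, and whether MDMWinsOverGP has been applied, then reports a conflict. The PolicyManager registry path for MDMWinsOverGP is an assumption; run in an elevated session.

```powershell
# Added example (not from the article): diagnose an Intune/GPO conflict for
# Defender Network Protection on one Windows device. Run elevated.
$labels = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'AuditMode' }

# 1. Effective setting as the Defender engine sees it
$effective = [int](Get-MpPreference).EnableNetworkProtection
"Effective EnableNetworkProtection : $effective ($($labels[$effective]))"

# 2. Value written by Group Policy (local or domain). The GPO
#    'Prevent users and apps from accessing dangerous websites' lands here.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
$gpoValue = (Get-ItemProperty -Path $gpoKey -Name EnableNetworkProtection -ErrorAction SilentlyContinue).EnableNetworkProtection
if ($null -ne $gpoValue) {
    "GPO EnableNetworkProtection       : $gpoValue ($($labels[[int]$gpoValue]))"
} else {
    "GPO EnableNetworkProtection       : not set"
}

# 3. Has ControlPolicyConflict/MDMWinsOverGP been applied by MDM?
#    Assumed PolicyManager mirror of the CSP; 1 = MDM policy wins.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$mdmWins = (Get-ItemProperty -Path $mdmKey -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
"MDMWinsOverGP                     : $(if ($null -eq $mdmWins) { 'not set' } else { $mdmWins })"

# 4. Verdict. The article's symptom: Intune says Block (1), device sits in Audit (2).
$desired = 1
if ($effective -eq $desired) {
    "OK: Network Protection is in Block mode."
} elseif ($null -ne $gpoValue -and [int]$gpoValue -ne $desired) {
    Write-Warning "GPO value $gpoValue overrides the Intune value $desired. Set MDMWinsOverGP = 1 and re-sync the device."
} else {
    Write-Warning "Effective value $effective differs from desired $desired but no GPO value was found; review gpresult /h output for other sources."
}
```

After the MDM Wins Over GP policy has synced, rerunning the script should show MDMWinsOverGP = 1 and the effective value at 1, even if the GPO value is still present on the device.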