Microsoft Intune is a cloud-based endpoint management solution that manages mobile devices and applications.
Once you enroll the device with Intune and the remote device is connected to the Qualys platform, the Qualys Scanner/Agent reads the enrollment status and type from the registry keys to verify whether the device is enrolled with MS Intune. Refer to the Enrollment guide to enroll Windows devices in Microsoft Intune.
In Microsoft Intune, settings are applied to devices via device profiles, which are then added to configuration profiles.
Note: We provide a single complex control that accounts for the different methods of configuration used in remediation and includes the registry key detection logic for each of them.
Example: We check the MDMWinsOverGP value, and based on that, the decision is made on precedence between the Group Policy Objects (GPO) and Intune settings. For policy CSPs, MDMWinsOverGP is checked for precedence, and for other CSPs, GPO takes precedence by default if the setting is set via GPO, Intune, or both. For more information, refer to Microsoft Docs.
Group Policy Objects (GPO) have the highest priority in conflicts over policies from other sources. However, starting with Windows 10 and subsequent builds, Microsoft has introduced a custom policy in Intune. This policy lets you designate that Mobile Device Management (MDM) policies take precedence over GPO in conflict scenarios. The impact of MDMWinsOverGP is specific to policies within the Policy CSP, ensuring that MDM policies are prioritized over Group Policies where relevant.
As we provide Intune's functionality within the current Windows controls, we assess the priority by examining MDMWinsOverGP. Subsequently, we report the configured setting (whether Intune or GPO) as the actual value and provide comprehensive details of both Intune and GPO settings in the Extended evidence.
The Control Evidence in the PC report displays the Source, which indicates whether the current setting is from Intune or GPO. If you have configured the setting via Intune, it is labelled as "MDM - Policy CSP" or "MDM - Policy CSP (As ProviderSet is found)". For settings configured through GPO, it is shown as "Group Policy".
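
The precedence decision described above can be modelled as follows. This is an added example, not Qualys code: the `SettingSnapshot` structure, the `resolve` function, the sample setting name and the handling of a setting configured by only one source are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Source labels as they appear in the Control Evidence.
MDM_SOURCE = "MDM - Policy CSP"
GPO_SOURCE = "Group Policy"


@dataclass
class SettingSnapshot:
    """Constructed snapshot of one setting as collected from a device (hypothetical)."""
    name: str
    is_policy_csp: bool        # True if the setting belongs to the Policy CSP
    gpo_value: Optional[str]   # None means not configured via GPO
    mdm_value: Optional[str]   # None means not configured via Intune


def resolve(snapshot: SettingSnapshot, mdm_wins_over_gp: int) -> dict:
    """Return the reported source, the actual value and the extended evidence."""
    has_gpo = snapshot.gpo_value is not None
    has_mdm = snapshot.mdm_value is not None
    if has_gpo and has_mdm:
        # Conflict: MDMWinsOverGP (1 = MDM wins, per Microsoft's documentation of
        # the policy) only affects Policy CSP settings; otherwise GPO wins.
        mdm_wins = snapshot.is_policy_csp and mdm_wins_over_gp == 1
        source = MDM_SOURCE if mdm_wins else GPO_SOURCE
    elif has_mdm:
        source = MDM_SOURCE    # assumption: a lone source is reported as-is
    elif has_gpo:
        source = GPO_SOURCE
    else:
        source = None          # not configured by either source
    values = {MDM_SOURCE: snapshot.mdm_value, GPO_SOURCE: snapshot.gpo_value}
    return {
        "setting": snapshot.name,
        "source": source,
        "actual_value": values.get(source),
        # Both sides are always kept so a reviewer can see the losing value too.
        "extended_evidence": {"Intune": snapshot.mdm_value,
                              "GPO": snapshot.gpo_value,
                              "MDMWinsOverGP": mdm_wins_over_gp},
    }


if __name__ == "__main__":
    # Constructed sample: the same setting configured differently by both sources.
    conflict = SettingSnapshot("ExampleSetting", True, gpo_value="0", mdm_value="1")
    for flag in (0, 1):
        print(flag, resolve(conflict, flag))
```

With the flag unset, a conflicting setting reports the GPO value even though Intune also delivered one, which is the case to look for in the Extended evidence when a hardening baseline pushed through Intune does not appear to take effect.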