New GPO, not linked yet
New-GPO -Name "WKS - Baseline - Security" -Comment "Corporate workstation security baseline v3"
Create unlinked first, configure and test, then link; never author directly against a live production link.
Windows Server & Azure: Create, Maintain, Deploy, Verify
An operational handbook for managing global policy across a hybrid estate; on-premises Active Directory Group Policy Objects (GPOs) and cloud-native Azure/Entra ID + Intune configuration and compliance policies. Covers the full lifecycle: architecture and precedence, authoring, workstation rollout rings, verification and auditing, change management, and a PowerShell/CMD quick-fix reference for when policy doesn't apply as expected.
Before touching a single setting, know which engine is authoritative for a given device. Most enterprise estates today run hybrid: on-prem AD-joined or hybrid Azure AD-joined workstations pull Group Policy from Active Directory and configuration profiles from Intune. When both apply to the same setting, Windows has explicit tie-break rules; get this wrong and you'll spend hours debugging a "policy that won't apply."
Processed in this order; each later scope overwrites conflicting settings from the previous one. Two exceptions break the "last wins" rule: Block Inheritance on an OU (ignored if a parent GPO is Enforced), and Enforced on a GPO link (always applies, cannot be blocked downstream).
| Mechanism | Set where | Effect | Common use |
|---|---|---|---|
| Block Inheritance | On the OU | Ignores GPOs linked at parent scopes (site/domain/parent OU) | Isolate a lab or DMZ OU from corporate baseline |
| Enforced | On the GPO link | Cannot be blocked by child OUs, even with Block Inheritance | Security baselines that must never be overridden |
| Link order | On the OU (multiple links) | Lowest link order number processed last = highest precedence | Layering department policy over baseline policy on the same OU |
| Security filtering | On the GPO | Restricts who the GPO applies to within the linked scope (by security group) | Apply a GPO only to a pilot group inside a production OU |
| WMI filtering | On the GPO | Restricts application based on a WQL query against the target machine | Apply only to Windows 11, only to laptops, only to a specific OS build |
On a hybrid Azure AD-joined device receiving both GPO and Intune CSP policy for the same
setting, the outcome depends on the MDM Policy Processing setting
(Computer Configuration > Administrative Templates > System > Group Policy > Configure
Group Policy caching & MDM Policy processing / the PolicyConflictWinner CSP node).
By default, GPO wins unless you explicitly configure MDM to win.
| Dimension | Windows Server GPO | Azure / Intune |
|---|---|---|
| Management plane | Active Directory Domain Services + GPMC | Microsoft Entra ID + Intune (Microsoft Endpoint Manager) |
| Target requires | Domain join, line of sight to a domain controller (or cached policy) | Entra ID join, hybrid join, or Entra registration; internet reachable |
| Applies to unmanaged / remote devices | Poor; needs VPN/DirectAccess or infrequent sync | Native; works over the internet, ideal for remote/BYOD |
| Refresh interval | ~90 min + 0โ30 min random offset (background); 5 min for DCs | ~8 hours default sync; can force manual sync |
| Granularity | Very deep; thousands of ADMX-backed settings, full registry access | Growing; Settings Catalog covers most CSPs; some legacy settings ADMX-only |
| Best fit | Domain-bound infrastructure: servers, kiosks, on-prem-only endpoints | Modern/remote workforce, mobile, BYOD, cloud-first tenants |
Day-to-day authoring and structural management of Group Policy Objects via GPMC and PowerShell's
GroupPolicy module. Assumes GPMC is installed (Install-WindowsFeature GPMC
on a management server, or the RSAT feature on a workstation).
New-GPO -Name "WKS - Baseline - Security" -Comment "Corporate workstation security baseline v3"
Create unlinked first, configure and test, then link; never author directly against a live production link.
New-GPLink -Name "WKS - Baseline - Security" ` -Target "OU=Pilot,OU=Workstations,DC=corp,DC=local" ` -LinkEnabled Yes -Order 1
-Order 1 gives it top precedence on that OU (processed last = wins).
Set-GPRegistryValue -Name "WKS - Baseline - Security" ` -Key "HKLM\Software\Policies\Microsoft\Windows Defender" ` -ValueName "DisableAntiSpyware" -Type DWord -Value 0
For anything not covered by a cmdlet, this is the general-purpose escape hatch into any ADMX-backed key.
Set-GPInheritance -Target "OU=Lab,DC=corp,DC=local" -IsBlocked Yes
Set-GPLink -Name "WKS - Baseline - Security" ` -Target "DC=corp,DC=local" -Enforced Yes
Use sparingly; enforced baseline GPOs at the domain root are appropriate; enforcing dozens of GPOs makes troubleshooting precedence painful.
Set-GPPermission -Name "WKS - Baseline - Security" ` -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None Set-GPPermission -Name "WKS - Baseline - Security" ` -TargetName "GPO-Pilot-Workstations" -TargetType Group ` -PermissionLevel GpoApply
Remove Authenticated Users' Apply right, then grant Apply only to your pilot security group. This is how you pilot a GPO inside a production OU without moving computer objects.
| Goal | WQL query |
|---|---|
| Windows 11 only | SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%" |
| Laptops only (battery present) | SELECT * FROM Win32_Battery WHERE BatteryStatus > 0 |
| 64-bit only | SELECT * FROM Win32_Processor WHERE AddressWidth = "64" |
| Specific model | SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Latitude 5440%" |
WMI filters have no native PowerShell cmdlet for creation; create via GPMC (Right-click "WMI Filters" > New), then attach with Set-GPWmiFilter -Name "GPO Name" -WmiFilterName "Filter Name" from the GPWmiFilter module, or set the gPCWQLFilter attribute directly via ADSI for scripted deployment.
| Category | Key settings | Typical scope |
|---|---|---|
| Password & Lockout Policy | Min length, complexity, history, lockout threshold/duration | Domain root (must be domain-linked to affect domain accounts) |
| Windows Update (WUfB/WSUS) | Deferral days, deadlines, active hours, target ring/group | Per rollout ring OU (see Workstation Deployment tab) |
| BitLocker | Encryption method, recovery key AD/Entra escrow, startup auth | Workstations OU, enforced |
| Microsoft Defender | Real-time protection, cloud-delivered protection, ASR rules, exclusions | Workstations OU + servers (separate GPO; server exclusions differ) |
| Firewall Profiles | Domain/Private/Public profile rules, logging | Domain root, enforced |
| Screen Lock / Session Timeout | Inactivity timeout, screensaver lock, interactive logon message | Workstations OU |
| Software Restriction / AppLocker | Allowed publishers, path rules, script execution policy | Per department OU as needed |
Cloud-native policy has three moving parts that are easy to conflate: Conditional Access (identity/sign-in gating in Entra ID), Configuration Profiles (device settings, the closest analog to GPO), and Compliance Policies (pass/fail device health checks that feed Conditional Access). Author and test in that order; compliance policies are meaningless until Conditional Access actually requires them.
| Profile type | Backing | When to use |
|---|---|---|
| Settings Catalog | Direct CSP mapping, searchable single UI | Default choice for anything new; most complete, best supported going forward |
| Administrative Templates | ADMX-backed, mirrors classic GPO ADMX settings | Migrating a specific GPO setting 1:1, or a setting still missing from Settings Catalog |
| Templates (legacy) | Curated wizards (Endpoint Protection, Device Restrictions, etc.) | Legacy tenants; being phased out in favor of Settings Catalog |
| Custom (OMA-URI) | Raw CSP path + value | Bleeding-edge CSP not yet exposed anywhere in the UI |
| Endpoint security baselines | Microsoft-curated security defaults (Attack Surface Reduction, Account Protection, Firewall) | Fast-start hardening baseline before custom-tuning |
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", ` "DeviceManagementManagedDevices.ReadWrite.All", ` "Group.Read.All"
Get-MgDeviceManagementConfigurationPolicy | Select-Object Name, Id, CreatedDateTime
New-MgDeviceManagementConfigurationPolicyAssignment `
-DeviceManagementConfigurationPolicyId $policyId `
-Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId }
(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.22") and (device.deviceModel -contains "Latitude")
Set in Entra ID > Groups > New Group > Membership type: Dynamic Device.
(device.manufacturer -eq "Dell") and (device.enrollmentProfileName -eq "Corp-Autopilot")
Filters apply on top of group assignment without needing a new group per hardware combination; the Intune equivalent of a WMI filter.
A compliance policy alone does nothing to sign-in behavior. It must be referenced by a Conditional
Access policy (Grant control > Require device to be marked as compliant) for non-compliance
to actually block access. Always deploy new CA policies in Report-only mode first and
review the sign-in logs impact for 3โ7 days before switching to On.
Never ship a new policy to 100% of the fleet on day one. Both GPO and Intune support staged rollout; the mechanism differs (OU + security filtering vs. dynamic/static groups) but the ring discipline is identical.
Hold each ring for a minimum soak period (48โ72h for low-risk settings, 1โ2 weeks for security baselines or anything touching authentication/network) before promoting.
Corp (domain root)
โโ Workstations
โโ Pilot (Ring 0 / Ring 1 test machines)
โโ Production
โ โโ Sales
โ โโ Engineering
โ โโ Finance
โโ Kiosks / Shared Devices
โโ Servers
โโ Domain Controllers (never mix with member server policy)
โโ Member Servers
โโ Application Tier
Keep security-filtered pilot groups inside the Production OUs for settings that must match the target department's other GPOs; don't rely solely on a separate Pilot OU, since real-world data (printers, mapped drives, department-specific policy) lives at the department level.
gpupdate /force gpupdate /target:computer /force gpupdate /target:user /force
Invoke-GPUpdate -Computer "PC-0231" -Force -RandomDelayInMinutes 0
Get-ADComputer -Filter * -SearchBase "OU=Pilot,OU=Workstations,DC=corp,DC=local" |
ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 10 }
Add a random delay across a large batch to avoid hammering domain controllers simultaneously.
Settings app > Accounts > Access work or school > Connected to [tenant] > Info > Sync
Or via Graph for a device you manage centrally:
Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $deviceId
Restart-Service -Name IntuneManagementExtension -Force
Use when Win32 app or script deployments are stuck "Pending"; this restarts the local sync agent without a full reboot.
dsregcmd /status
Look at AzureAdJoined, DomainJoined, and AzureAdPrt; a device that shows AzureAdJoined: NO will never receive Intune policy no matter how correctly the profile is assigned.
"I linked the GPO" is not verification. Confirm the setting actually landed on the target machine, confirm which policy source won if there was a conflict, and keep evidence for change records.
gpresult /r
Fast pass/fail view: which GPOs applied, which were filtered out, and why.
gpresult /h C:\Temp\gpresult.html /f
Attach this to change tickets; shows every setting, its winning GPO, and precedence order.
rsop.msc
Interactive tree view of every applied setting; best for spot-checking a single machine during a live troubleshooting session.
In GPMC: right-click Group Policy Results > run wizard > target remote computer/user. Requires WMI + RPC reachability to the target; same requirement as Invoke-GPUpdate.
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Temp\rsop.html Get-GPOReport -All -ReportType Html -Path C:\Temp\all-gpos.html
dcdiag /test:sysvolcheck /test:advertising repadmin /replsummary
A GPO that "isn't applying anywhere" is sometimes a SYSVOL replication failure, not a policy authoring problem; check this before re-editing settings.
Intune admin center > Devices > Configuration > select profile > Device status tab. Shows Succeeded / Error / Conflict / Not applicable per device with error codes.
Devices > Configuration > select profile > Per-setting status; surfaces exactly which other profile is fighting for the same CSP path.
Get-MgDeviceManagementDeviceConfigurationDeviceStatus ` -DeviceConfigurationId $configId | ` Select-Object DeviceDisplayName, Status, LastReportedDateTime
Settings > Accounts > Access work or school > Connected to [tenant] > Info > Create report
Generates a local HTML/XML report of every applied CSP and its value; the Intune equivalent of gpresult /h.
Policy that no one versions or backs up becomes policy no one trusts. Treat GPOs and Intune profiles as code: back them up on a schedule, gate changes through a pilot, and keep a change log.
Backup-GPO -All -Path "\\fileserver\GPO-Backups\$(Get-Date -Format yyyy-MM-dd)"
Run as a daily scheduled task on a management server; cheap insurance, keep 30โ90 days of history.
Restore-GPO -Name "WKS - Baseline - Security" ` -Path "\\fileserver\GPO-Backups\2026-07-01"
Copy-GPO -SourceName "WKS - Baseline - Security" ` -SourceDomain "corp.local" -TargetDomain "contoso.local" ` -MigrationTable "C:\GPO\domain-migration.migtable"
Migration tables remap domain-specific SIDs/UNC paths so security filtering and drive maps translate correctly to the target domain.
Import-GPO -BackupId $backupGuid -TargetName "WKS - Baseline - Security" ` -Path "\\fileserver\GPO-Backups\2026-07-01"
[Scope] - [Category] - [Purpose] - [vN] Example: WKS - Security - BitLocker Baseline - v3 Example: SRV - Network - Firewall Rules - v1
Consistent prefixes make Get-GPOReport -All output sortable and searchable at a glance.
Get-GPO -All | Where-Object { ($_ | Get-GPOReport -ReportType Xml) -notmatch "<LinksTo>" }
Unlinked GPOs accumulate silently; audit quarterly and remove or archive anything with no active link and no owner.
| Frequency | Task |
|---|---|
| Daily | Automated Backup-GPO -All; monitor SYSVOL replication health |
| Weekly | Review Intune per-profile deployment status for new errors/conflicts |
| Monthly | Audit unlinked/orphaned GPOs; review Conditional Access sign-in impact reports |
| Quarterly | Full Get-GPOReport -All export reviewed against documented baseline; re-validate WMI filters and dynamic group rules still match hardware in the field |
| Annually | Full OU structure and rollout-ring review; retire deprecated GPOs/profiles |
Fast, copy-pasteable commands for the moment policy isn't behaving as expected.
gpupdate /force /boot
Forces both computer and user policy and schedules a reboot if a policy requires it (e.g. some security settings).
Stop-Service gpsvc -Force Remove-Item "C:\Windows\System32\GroupPolicy" -Recurse -Force Remove-Item "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force Start-Service gpsvc gpupdate /forceDestructive; only use when local policy cache is confirmed corrupted (e.g. Event ID 1096/1030).
winmgmt /verifyrepository winmgmt /salvagerepository
w32tm /query /status w32tm /resync /force
nltest /dsgetdc:corp.local Test-NetConnection -ComputerName dc01.corp.local -Port 389
Get-ScheduledTask | Where-Object {$_.TaskName -like "*EnterpriseMgmt*Schedule*"} | Start-ScheduledTask
Triggers the same sync scheduled task the Settings app "Sync" button calls; useful for scripting bulk syncs via RMM/SCCM.
dsregcmd /leave Restart-Computer # Then sign back in to trigger auto-enrollment, or: deviceenroller.exe /c /AutoEnrollMDMRemoves the device's current MDM/hybrid-join state; schedule a maintenance window.
dfsrdiag replicationstate Get-DfsrBacklog -GroupName "Domain System Volume" -FolderName "SYSVOL Share" -SourceComputerName DC01 -DestinationComputerName DC02
The event IDs and symptoms you'll actually see in the field, mapped to root cause and the fastest verified fix.
| Symptom / Event ID | Likely cause | Fix |
|---|---|---|
| GPO shows "Denied (Empty)" in gpresult | No settings configured under that GPO node, or a WMI filter excluded the machine | Confirm the GPO actually has settings under that CSE; check WMI filter with Get-GPWmiFilter |
| Event ID 1085; Group Policy processing error | Corrupted GPT.ini, SYSVOL access issue, or a client-side extension failure | Check SYSVOL reachability (\\domain\SYSVOL); re-run gpupdate /force; check the specific CSE's own event log |
| Event ID 1125; Slow link detected | Client measured network as "slow" (below the slow-link threshold) and skipped some policy categories | Check Configure Group Policy Slow Link Detection; on VPN clients this often needs a higher threshold or disabling detection |
| Event ID 1030 / 1096; Failed to read GPO / userenv error | Corrupted local GP cache or DNS resolution failure to the DC | Clear the local GP cache (Quick Fixes tab); verify DNS with nslookup corp.local |
| Setting applies to some machines in an OU but not others | Security filtering group membership is stale (token not refreshed since last group change) | Have the user/computer log off-on or reboot to refresh their Kerberos token; or force with klist purge + reboot |
| Intune profile shows "Conflict" | Two profiles (or a profile + Endpoint security baseline) target the same CSP with different values | Use the per-setting status view (Verification tab) to find the other profile; consolidate or exclude one from the group assignment |
| Device never receives Intune policy at all | Device isn't actually enrolled/joined, or MDM auto-enrollment scope isn't configured for the user | dsregcmd /status to confirm join state; check Entra ID > Mobility (MDM/MAM) > scope set to "Some"/"All" correctly |
| GPO changes take effect on some machines instantly, others take hours | Background refresh interval + random offset (up to 30 min) is normal; hours usually means SYSVOL replication lag between sites | repadmin /replsummary to check replication latency between the site's DC and the DC that holds the edit |
| "Access is denied" editing a GPO | Your account lacks Edit Settings rights on that specific GPO (delegation), not just generic Domain Admin | Check GPMC > GPO > Delegation tab; grant via Set-GPPermission -PermissionLevel GpoEdit |