๐Ÿ“‹

Group Policy Management Handbook

Windows Server & Azure: Create, Maintain, Deploy, Verify

By Richard Gamarra

An operational handbook for managing global policy across a hybrid estate; on-premises Active Directory Group Policy Objects (GPOs) and cloud-native Azure/Entra ID + Intune configuration and compliance policies. Covers the full lifecycle: architecture and precedence, authoring, workstation rollout rings, verification and auditing, change management, and a PowerShell/CMD quick-fix reference for when policy doesn't apply as expected.

54
Visible reference cards
๐Ÿ—‚๏ธ Active Directory GPO โ˜๏ธ Azure / Entra ID ๐Ÿ“ฑ Intune / MDM ๐Ÿ–ฅ๏ธ Workstations โœ… Verification ๐Ÿ” Change Management โšก PowerShell ๐Ÿงญ IT Operations

๐Ÿงญ Architecture & Policy Precedence

Before touching a single setting, know which engine is authoritative for a given device. Most enterprise estates today run hybrid: on-prem AD-joined or hybrid Azure AD-joined workstations pull Group Policy from Active Directory and configuration profiles from Intune. When both apply to the same setting, Windows has explicit tie-break rules; get this wrong and you'll spend hours debugging a "policy that won't apply."

LSDOU: how a single GPO wins on-premises

Group Policy processing order (last writer wins, unless Enforced)
LocalLocal Security Policy
โ†’
SiteAD Site GPOs
โ†’
DomainDomain-linked GPOs
โ†’
OUNested OU, closest wins

Processed in this order; each later scope overwrites conflicting settings from the previous one. Two exceptions break the "last wins" rule: Block Inheritance on an OU (ignored if a parent GPO is Enforced), and Enforced on a GPO link (always applies, cannot be blocked downstream).

MechanismSet whereEffectCommon use
Block InheritanceOn the OUIgnores GPOs linked at parent scopes (site/domain/parent OU)Isolate a lab or DMZ OU from corporate baseline
EnforcedOn the GPO linkCannot be blocked by child OUs, even with Block InheritanceSecurity baselines that must never be overridden
Link orderOn the OU (multiple links)Lowest link order number processed last = highest precedenceLayering department policy over baseline policy on the same OU
Security filteringOn the GPORestricts who the GPO applies to within the linked scope (by security group)Apply a GPO only to a pilot group inside a production OU
WMI filteringOn the GPORestricts application based on a WQL query against the target machineApply only to Windows 11, only to laptops, only to a specific OS build

Hybrid conflict resolution: GPO vs Intune (MDM)

On a hybrid Azure AD-joined device receiving both GPO and Intune CSP policy for the same setting, the outcome depends on the MDM Policy Processing setting (Computer Configuration > Administrative Templates > System > Group Policy > Configure Group Policy caching & MDM Policy processing / the PolicyConflictWinner CSP node). By default, GPO wins unless you explicitly configure MDM to win.

Conflict resolution decision path
Same setting configured in both GPO and Intune?
โ†“ yes
Is "MDM wins over GPO" enabled? (CSP: ./Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP)
โ†“
No (default) โ†’ GPO value applies. Yes โ†’ MDM/Intune value applies.
DimensionWindows Server GPOAzure / Intune
Management planeActive Directory Domain Services + GPMCMicrosoft Entra ID + Intune (Microsoft Endpoint Manager)
Target requiresDomain join, line of sight to a domain controller (or cached policy)Entra ID join, hybrid join, or Entra registration; internet reachable
Applies to unmanaged / remote devicesPoor; needs VPN/DirectAccess or infrequent syncNative; works over the internet, ideal for remote/BYOD
Refresh interval~90 min + 0โ€“30 min random offset (background); 5 min for DCs~8 hours default sync; can force manual sync
GranularityVery deep; thousands of ADMX-backed settings, full registry accessGrowing; Settings Catalog covers most CSPs; some legacy settings ADMX-only
Best fitDomain-bound infrastructure: servers, kiosks, on-prem-only endpointsModern/remote workforce, mobile, BYOD, cloud-first tenants

๐Ÿ—‚๏ธ Windows Server GPO Management

Day-to-day authoring and structural management of Group Policy Objects via GPMC and PowerShell's GroupPolicy module. Assumes GPMC is installed (Install-WindowsFeature GPMC on a management server, or the RSAT feature on a workstation).

Creating and linking a GPO

โž•
Create

New GPO, not linked yet

New-GPO -Name "WKS - Baseline - Security" -Comment "Corporate workstation security baseline v3"

Create unlinked first, configure and test, then link; never author directly against a live production link.

๐Ÿ”—
Link

Link a GPO to an OU

New-GPLink -Name "WKS - Baseline - Security" `
  -Target "OU=Pilot,OU=Workstations,DC=corp,DC=local" `
  -LinkEnabled Yes -Order 1

-Order 1 gives it top precedence on that OU (processed last = wins).

โœ๏ธ
Set values

Set a registry-backed policy value

Set-GPRegistryValue -Name "WKS - Baseline - Security" `
  -Key "HKLM\Software\Policies\Microsoft\Windows Defender" `
  -ValueName "DisableAntiSpyware" -Type DWord -Value 0

For anything not covered by a cmdlet, this is the general-purpose escape hatch into any ADMX-backed key.

๐Ÿšซ
Block Inheritance

Block inheritance on an OU

Set-GPInheritance -Target "OU=Lab,DC=corp,DC=local" -IsBlocked Yes
๐Ÿ”’
Enforce

Enforce a GPO link

Set-GPLink -Name "WKS - Baseline - Security" `
  -Target "DC=corp,DC=local" -Enforced Yes

Use sparingly; enforced baseline GPOs at the domain root are appropriate; enforcing dozens of GPOs makes troubleshooting precedence painful.

๐ŸŽฏ
Security Filtering

Restrict a GPO to a pilot group

Set-GPPermission -Name "WKS - Baseline - Security" `
  -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None

Set-GPPermission -Name "WKS - Baseline - Security" `
  -TargetName "GPO-Pilot-Workstations" -TargetType Group `
  -PermissionLevel GpoApply

Remove Authenticated Users' Apply right, then grant Apply only to your pilot security group. This is how you pilot a GPO inside a production OU without moving computer objects.

WMI filters (scope by hardware/OS, not just AD structure)

GoalWQL query
Windows 11 onlySELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.22%"
Laptops only (battery present)SELECT * FROM Win32_Battery WHERE BatteryStatus > 0
64-bit onlySELECT * FROM Win32_Processor WHERE AddressWidth = "64"
Specific modelSELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Latitude 5440%"

WMI filters have no native PowerShell cmdlet for creation; create via GPMC (Right-click "WMI Filters" > New), then attach with Set-GPWmiFilter -Name "GPO Name" -WmiFilterName "Filter Name" from the GPWmiFilter module, or set the gPCWQLFilter attribute directly via ADSI for scripted deployment.

Baseline GPO categories worth standardizing

CategoryKey settingsTypical scope
Password & Lockout PolicyMin length, complexity, history, lockout threshold/durationDomain root (must be domain-linked to affect domain accounts)
Windows Update (WUfB/WSUS)Deferral days, deadlines, active hours, target ring/groupPer rollout ring OU (see Workstation Deployment tab)
BitLockerEncryption method, recovery key AD/Entra escrow, startup authWorkstations OU, enforced
Microsoft DefenderReal-time protection, cloud-delivered protection, ASR rules, exclusionsWorkstations OU + servers (separate GPO; server exclusions differ)
Firewall ProfilesDomain/Private/Public profile rules, loggingDomain root, enforced
Screen Lock / Session TimeoutInactivity timeout, screensaver lock, interactive logon messageWorkstations OU
Software Restriction / AppLockerAllowed publishers, path rules, script execution policyPer department OU as needed

โ˜๏ธ Azure / Entra ID & Intune Policies

Cloud-native policy has three moving parts that are easy to conflate: Conditional Access (identity/sign-in gating in Entra ID), Configuration Profiles (device settings, the closest analog to GPO), and Compliance Policies (pass/fail device health checks that feed Conditional Access). Author and test in that order; compliance policies are meaningless until Conditional Access actually requires them.

Intune configuration profile types

Profile typeBackingWhen to use
Settings CatalogDirect CSP mapping, searchable single UIDefault choice for anything new; most complete, best supported going forward
Administrative TemplatesADMX-backed, mirrors classic GPO ADMX settingsMigrating a specific GPO setting 1:1, or a setting still missing from Settings Catalog
Templates (legacy)Curated wizards (Endpoint Protection, Device Restrictions, etc.)Legacy tenants; being phased out in favor of Settings Catalog
Custom (OMA-URI)Raw CSP path + valueBleeding-edge CSP not yet exposed anywhere in the UI
Endpoint security baselinesMicrosoft-curated security defaults (Attack Surface Reduction, Account Protection, Firewall)Fast-start hardening baseline before custom-tuning

Authoring via Microsoft Graph PowerShell

๐Ÿ”Œ
Connect

Connect to Graph with Intune scopes

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", `
  "DeviceManagementManagedDevices.ReadWrite.All", `
  "Group.Read.All"
๐Ÿ“„
List

List existing configuration profiles

Get-MgDeviceManagementConfigurationPolicy | Select-Object Name, Id, CreatedDateTime
๐ŸŽฏ
Assign

Assign a profile to a dynamic group

New-MgDeviceManagementConfigurationPolicyAssignment `
  -DeviceManagementConfigurationPolicyId $policyId `
  -Target @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId }
๐Ÿงฌ
Dynamic Groups

Dynamic device group rule example: Windows 11 laptops

(device.deviceOSType -eq "Windows") and
(device.deviceOSVersion -startsWith "10.0.22") and
(device.deviceModel -contains "Latitude")

Set in Entra ID > Groups > New Group > Membership type: Dynamic Device.

๐Ÿงท
Filters

Assignment filters (narrow an assignment further)

(device.manufacturer -eq "Dell") and (device.enrollmentProfileName -eq "Corp-Autopilot")

Filters apply on top of group assignment without needing a new group per hardware combination; the Intune equivalent of a WMI filter.

โœ…
Compliance

Minimal compliance policy checklist

  • Require BitLocker / device encryption
  • Require a minimum OS version
  • Require Defender / Endpoint Protection to be active
  • Mark non-compliant after grace period (typically 0โ€“3 days)

Conditional Access: the enforcement layer

A compliance policy alone does nothing to sign-in behavior. It must be referenced by a Conditional Access policy (Grant control > Require device to be marked as compliant) for non-compliance to actually block access. Always deploy new CA policies in Report-only mode first and review the sign-in logs impact for 3โ€“7 days before switching to On.

๐Ÿ–ฅ๏ธ Workstation Deployment & Rollout Rings

Never ship a new policy to 100% of the fleet on day one. Both GPO and Intune support staged rollout; the mechanism differs (OU + security filtering vs. dynamic/static groups) but the ring discipline is identical.

Standard rollout ring model
Ring 0IT pilot, ~5 devices
โ†’
Ring 1Volunteers, ~5โ€“10%
โ†’
Ring 2Broad pilot, ~25โ€“50%
โ†’
Ring 3Production, 100%

Hold each ring for a minimum soak period (48โ€“72h for low-risk settings, 1โ€“2 weeks for security baselines or anything touching authentication/network) before promoting.

On-premises OU structure that supports rollout rings

Recommended OU layout
Corp (domain root)
 โ””โ”€ Workstations
     โ”œโ”€ Pilot          (Ring 0 / Ring 1 test machines)
     โ”œโ”€ Production
     โ”‚   โ”œโ”€ Sales
     โ”‚   โ”œโ”€ Engineering
     โ”‚   โ””โ”€ Finance
     โ””โ”€ Kiosks / Shared Devices
 โ””โ”€ Servers
     โ”œโ”€ Domain Controllers  (never mix with member server policy)
     โ”œโ”€ Member Servers
     โ””โ”€ Application Tier

Keep security-filtered pilot groups inside the Production OUs for settings that must match the target department's other GPOs; don't rely solely on a separate Pilot OU, since real-world data (printers, mapped drives, department-specific policy) lives at the department level.

Pushing policy out to workstations

๐Ÿ”„
GPO: local

Force a GPO refresh on the local machine

gpupdate /force
gpupdate /target:computer /force
gpupdate /target:user /force
๐Ÿ“ก
GPO: remote fleet

Force refresh across many machines remotely

Invoke-GPUpdate -Computer "PC-0231" -Force -RandomDelayInMinutes 0

Get-ADComputer -Filter * -SearchBase "OU=Pilot,OU=Workstations,DC=corp,DC=local" |
  ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 10 }

Add a random delay across a large batch to avoid hammering domain controllers simultaneously.

๐Ÿ“ฒ
Intune: device

Force an Intune device sync

Settings app > Accounts > Access work or school >
  Connected to [tenant] > Info > Sync

Or via Graph for a device you manage centrally:

Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $deviceId
๐Ÿงฐ
Intune Management Extension

Restart the Intune Management Extension service

Restart-Service -Name IntuneManagementExtension -Force

Use when Win32 app or script deployments are stuck "Pending"; this restarts the local sync agent without a full reboot.

๐Ÿ†”
Enrollment State

Check hybrid join / Entra registration state

dsregcmd /status

Look at AzureAdJoined, DomainJoined, and AzureAdPrt; a device that shows AzureAdJoined: NO will never receive Intune policy no matter how correctly the profile is assigned.

๐Ÿš€
Autopilot

New-device provisioning checklist

  • Hardware hash registered in Autopilot before first boot
  • Deployment profile assigned to the Autopilot device group
  • ESP (Enrollment Status Page) blocking on required apps/policies configured deliberately, not left default
  • Ring assignment confirmed before shipping to end user

โœ… Verification & Auditing

"I linked the GPO" is not verification. Confirm the setting actually landed on the target machine, confirm which policy source won if there was a conflict, and keep evidence for change records.

On-premises verification

๐Ÿ“‹
Quick check

Summary of applied GPOs

gpresult /r

Fast pass/fail view: which GPOs applied, which were filtered out, and why.

๐ŸŒ
Full report

Full HTML resultant set of policy report

gpresult /h C:\Temp\gpresult.html /f

Attach this to change tickets; shows every setting, its winning GPO, and precedence order.

๐Ÿ–ฅ๏ธ
GUI

Resultant Set of Policy console

rsop.msc

Interactive tree view of every applied setting; best for spot-checking a single machine during a live troubleshooting session.

๐Ÿง™
Remote

Group Policy Results Wizard (remote, no agent needed)

In GPMC: right-click Group Policy Results > run wizard > target remote computer/user. Requires WMI + RPC reachability to the target; same requirement as Invoke-GPUpdate.

๐Ÿ“œ
PowerShell object

Get RSoP as a queryable object

Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Temp\rsop.html
Get-GPOReport -All -ReportType Html -Path C:\Temp\all-gpos.html
๐Ÿฉบ
Health

SYSVOL / replication health check

dcdiag /test:sysvolcheck /test:advertising
repadmin /replsummary

A GPO that "isn't applying anywhere" is sometimes a SYSVOL replication failure, not a policy authoring problem; check this before re-editing settings.

Cloud verification (Intune)

๐Ÿ“Š
Per-profile status

Deployment status by device

Intune admin center > Devices > Configuration > select profile > Device status tab. Shows Succeeded / Error / Conflict / Not applicable per device with error codes.

โš ๏ธ
Conflict detection

Find setting conflicts across profiles

Devices > Configuration > select profile > Per-setting status; surfaces exactly which other profile is fighting for the same CSP path.

๐Ÿงพ
Graph query

Pull device configuration status via Graph

Get-MgDeviceManagementDeviceConfigurationDeviceStatus `
  -DeviceConfigurationId $configId | `
  Select-Object DeviceDisplayName, Status, LastReportedDateTime
๐Ÿ”
Local diagnostic

MDM Diagnostic Report on the endpoint

Settings > Accounts > Access work or school >
  Connected to [tenant] > Info >
  Create report

Generates a local HTML/XML report of every applied CSP and its value; the Intune equivalent of gpresult /h.

๐Ÿ” Maintenance & Change Management

Policy that no one versions or backs up becomes policy no one trusts. Treat GPOs and Intune profiles as code: back them up on a schedule, gate changes through a pilot, and keep a change log.

Change management flow
DraftUnlinked GPO / disabled profile
โ†’
Test OU / GroupLab devices only
โ†’
Ring 0โ€“1 PilotSee rollout rings
โ†’
ProductionSigned off, documented

Backup, version, and restore

๐Ÿ’พ
Backup: all

Scheduled full backup of every GPO

Backup-GPO -All -Path "\\fileserver\GPO-Backups\$(Get-Date -Format yyyy-MM-dd)"

Run as a daily scheduled task on a management server; cheap insurance, keep 30โ€“90 days of history.

โช
Restore

Restore a GPO from backup

Restore-GPO -Name "WKS - Baseline - Security" `
  -Path "\\fileserver\GPO-Backups\2026-07-01"
๐Ÿ“‹
Copy / Migrate

Copy a GPO between domains (with migration table)

Copy-GPO -SourceName "WKS - Baseline - Security" `
  -SourceDomain "corp.local" -TargetDomain "contoso.local" `
  -MigrationTable "C:\GPO\domain-migration.migtable"

Migration tables remap domain-specific SIDs/UNC paths so security filtering and drive maps translate correctly to the target domain.

๐Ÿ“ฅ
Import

Import settings into an existing (unlinked) GPO

Import-GPO -BackupId $backupGuid -TargetName "WKS - Baseline - Security" `
  -Path "\\fileserver\GPO-Backups\2026-07-01"
๐Ÿท๏ธ
Naming convention

Recommended GPO naming pattern

[Scope] - [Category] - [Purpose] - [vN]
Example: WKS - Security - BitLocker Baseline - v3
Example: SRV - Network - Firewall Rules - v1

Consistent prefixes make Get-GPOReport -All output sortable and searchable at a glance.

๐Ÿงน
Cleanup

Find unlinked, orphaned GPOs

Get-GPO -All | Where-Object { ($_ | Get-GPOReport -ReportType Xml) -notmatch "<LinksTo>" }

Unlinked GPOs accumulate silently; audit quarterly and remove or archive anything with no active link and no owner.

Health-check cadence

FrequencyTask
DailyAutomated Backup-GPO -All; monitor SYSVOL replication health
WeeklyReview Intune per-profile deployment status for new errors/conflicts
MonthlyAudit unlinked/orphaned GPOs; review Conditional Access sign-in impact reports
QuarterlyFull Get-GPOReport -All export reviewed against documented baseline; re-validate WMI filters and dynamic group rules still match hardware in the field
AnnuallyFull OU structure and rollout-ring review; retire deprecated GPOs/profiles

โšก PowerShell / CMD Quick Fixes

Fast, copy-pasteable commands for the moment policy isn't behaving as expected.

๐Ÿ”„
Force reapply

Full clean re-apply of Group Policy

gpupdate /force /boot

Forces both computer and user policy and schedules a reboot if a policy requires it (e.g. some security settings).

๐Ÿ—‘๏ธ
Reset cache

Clear the local Group Policy cache (last resort)

Stop-Service gpsvc -Force
Remove-Item "C:\Windows\System32\GroupPolicy" -Recurse -Force
Remove-Item "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force
Start-Service gpsvc
gpupdate /force
Destructive; only use when local policy cache is confirmed corrupted (e.g. Event ID 1096/1030).
๐Ÿงฌ
WMI repository

Repair a corrupted WMI repository (blocks WMI-filtered GPOs)

winmgmt /verifyrepository
winmgmt /salvagerepository
๐Ÿ•ฐ๏ธ
Time skew

Check time sync (Kerberos fails >5 min skew, silently breaks GPO pull)

w32tm /query /status
w32tm /resync /force
๐Ÿ”Œ
Connectivity

Confirm domain controller reachability

nltest /dsgetdc:corp.local
Test-NetConnection -ComputerName dc01.corp.local -Port 389
๐Ÿ“ฒ
Intune sync

Force MDM enrollment re-sync from PowerShell

Get-ScheduledTask | Where-Object {$_.TaskName -like "*EnterpriseMgmt*Schedule*"} | Start-ScheduledTask

Triggers the same sync scheduled task the Settings app "Sync" button calls; useful for scripting bulk syncs via RMM/SCCM.

๐Ÿฉน
Re-enroll

Full MDM re-enrollment (device stuck / policy frozen)

dsregcmd /leave
Restart-Computer
# Then sign back in to trigger auto-enrollment, or:
deviceenroller.exe /c /AutoEnrollMDM
Removes the device's current MDM/hybrid-join state; schedule a maintenance window.
๐Ÿ“
SYSVOL

Check SYSVOL replication (DFSR) health across DCs

dfsrdiag replicationstate
Get-DfsrBacklog -GroupName "Domain System Volume" -FolderName "SYSVOL Share" -SourceComputerName DC01 -DestinationComputerName DC02

๐Ÿงฏ Troubleshooting: Symptom, Cause, Fix

The event IDs and symptoms you'll actually see in the field, mapped to root cause and the fastest verified fix.

Symptom / Event IDLikely causeFix
GPO shows "Denied (Empty)" in gpresultNo settings configured under that GPO node, or a WMI filter excluded the machineConfirm the GPO actually has settings under that CSE; check WMI filter with Get-GPWmiFilter
Event ID 1085; Group Policy processing errorCorrupted GPT.ini, SYSVOL access issue, or a client-side extension failureCheck SYSVOL reachability (\\domain\SYSVOL); re-run gpupdate /force; check the specific CSE's own event log
Event ID 1125; Slow link detectedClient measured network as "slow" (below the slow-link threshold) and skipped some policy categoriesCheck Configure Group Policy Slow Link Detection; on VPN clients this often needs a higher threshold or disabling detection
Event ID 1030 / 1096; Failed to read GPO / userenv errorCorrupted local GP cache or DNS resolution failure to the DCClear the local GP cache (Quick Fixes tab); verify DNS with nslookup corp.local
Setting applies to some machines in an OU but not othersSecurity filtering group membership is stale (token not refreshed since last group change)Have the user/computer log off-on or reboot to refresh their Kerberos token; or force with klist purge + reboot
Intune profile shows "Conflict"Two profiles (or a profile + Endpoint security baseline) target the same CSP with different valuesUse the per-setting status view (Verification tab) to find the other profile; consolidate or exclude one from the group assignment
Device never receives Intune policy at allDevice isn't actually enrolled/joined, or MDM auto-enrollment scope isn't configured for the userdsregcmd /status to confirm join state; check Entra ID > Mobility (MDM/MAM) > scope set to "Some"/"All" correctly
GPO changes take effect on some machines instantly, others take hoursBackground refresh interval + random offset (up to 30 min) is normal; hours usually means SYSVOL replication lag between sitesrepadmin /replsummary to check replication latency between the site's DC and the DC that holds the edit
"Access is denied" editing a GPOYour account lacks Edit Settings rights on that specific GPO (delegation), not just generic Domain AdminCheck GPMC > GPO > Delegation tab; grant via Set-GPPermission -PermissionLevel GpoEdit