Windows 10 enrollment in Intune

SM 21 Reputation points
2021-10-28T06:18:19.11+00:00

Hi,

The question is not about the steps but conceptual. When someone has on-prem AD, is doing Hybrid Azure AD Join, and wants to enroll in Intune (no SCCM), what kind of policies need to be used? We know group policies are already coming from AD, so what would be the best practice we can use from Intune enrollment for Windows 10, apart from Autopilot?

thanks

SM


3 answers

  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-10-28T14:37:10.357+00:00

  2. SM 21 Reputation points
    2021-10-28T22:10:37.933+00:00

    Thanks Jason, maybe my question wasn't clear. I know how to do Hybrid Azure AD join and the steps involved in it.
    The question is:
    1- When a device is enrolled in Intune and Hybrid Azure AD joined, is the best practice still to use GPO for normal computer policies?
    2- If yes, then in this situation, what kind of policies/configuration profiles are recommended from Intune itself?

    Thanks

    SM


  3. Crystal-MSFT 42,956 Reputation points Microsoft Vendor
    2021-10-29T01:35:39.797+00:00

    @syedfasial-7607, for your questions, here are my answers for reference:
    Q1- When a device is enrolled in Intune and Hybrid Azure AD joined, is the best practice still to use GPO for normal computer policies?
    A1: Autopilot Hybrid Azure AD join is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. This is done during the OOBE (out-of-box experience) in Windows 10. That means it's meant for new devices or existing devices that you either re-image, re-install or reset. For Autopilot, we can also configure whether users are administrators or standard users on the device. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot

    GPO enrollment is usually for existing devices. When the GPO is applied, a Task Scheduler task will be created to do the enrollment for the currently logged-on user. There's no need to reset.

    If we don't want to reset the device, we can choose GPO enrollment. For new devices, we can choose Autopilot to set and pre-configure the new devices.

    Q2- If yes, then in this situation, what kind of policies/configuration profiles are recommended from Intune itself?
    A2: For configuration policy, we can configure it according to our requirements. There are some settings we can enable or configure on devices in a batch via Intune. We can see the different types of profiles we can create in the following link:
    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profiles

    Meanwhile, in Intune, we can also manage apps, set app protection policies, and configure compliance policies, which help protect organizational data by requiring users and devices to meet some requirements. Here are the docs about Intune we can read for reference:
    https://learn.microsoft.com/en-us/mem/intune/

    Hope it can help.


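Added example, not part of any answer in this thread: a read-only PowerShell check for the GPO enrollment path described in the last answer, reporting whether the device is hybrid joined, whether the auto-enrollment policy has landed, whether the enrollment scheduled task exists and what it last returned, and whether an Intune enrollment is recorded. The registry paths, value names, `dsregcmd` field names and task name prefix are assumptions based on how Windows 10 commonly exposes this state; none of them appear on this page.

```powershell
# Added example: read-only checks, run in an elevated PowerShell session on the device.
function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

$dsreg = Get-DsregState

# Assumed location of the values written by the MDM auto-enrollment GPO.
$gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue

# Assumed folder and name prefix of the scheduled task the GPO creates.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'Schedule created by enrollment client for automatically enrolling in MDM*' } |
    Select-Object -First 1
$taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

# Assumption: an Intune enrollment records ProviderID 'MS DM Server' under the Enrollments key.
$enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    Select-Object -First 1

# One summary object; nothing on the device is modified.
[pscustomobject]@{
    HybridJoined      = ($dsreg['AzureAdJoined'] -eq 'YES') -and ($dsreg['DomainJoined'] -eq 'YES')
    MdmUrlFromTenant  = $dsreg['MdmUrl']
    GpoAutoEnroll     = ($null -ne $gpo) -and ($gpo.AutoEnrollMDM -eq 1)
    EnrollTaskPresent = [bool]$task
    EnrollTaskLastRun = if ($taskInfo) { $taskInfo.LastRunTime } else { $null }
    EnrollTaskResult  = if ($taskInfo) { '0x{0:X8}' -f $taskInfo.LastTaskResult } else { $null }
    IntuneEnrolled    = [bool]$enrollment
    EnrolledUpn       = if ($enrollment) { $enrollment.UPN } else { $null }
}
```

A device that reports `HybridJoined` and `GpoAutoEnroll` as true but `IntuneEnrolled` as false has received the policy without completing enrollment, so the task result and the tenant's MDM user scope are the next things to review.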