Can Intune MDM-only enrolled workgroup clients receive Windows updates and applications?

Steve 406 Reputation points
2023-01-26T22:15:04.3366667+00:00

What are the infrastructure and client requirements (e.g. Intune connector for AD) to allow Intune MDM-only enrolled workgroup clients to receive quality/feature updates and application deployments?

What about clients that were previously joined to an AD domain and rarely connect to the Internet and have lost their domain trust?

Can these clients still be supported with quality/feature updates and application deployments via Intune the same way workgroup clients could?

The Microsoft online documentation mentions that MDM-only enrollment isn't recommended and can affect email and some Azure AD features, but it doesn't go into detail about what can still be done (e.g. quality/feature updates, software deployments, Intune configuration profiles).

What are all the limitations of MDM-only enrollment?

The other concern with MDM-only enrolled workgroup clients and clients that have lost domain trust is that end-user profiles should ideally remain the same once enrolled into Intune, to prevent profile support issues.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

Accepted answer
  Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2023-01-27T02:23:58.2466667+00:00

    @Steve, thanks for posting in Q&A. For an MDM-only enrolled device, this enrollment method isn't recommended because it doesn't register the device in Azure Active Directory (Azure AD). Users might not get access to organization resources, and Azure AD features can't be used.

    As far as I know, expedited Windows quality updates, feature update policies and some newer Windows Update policies need Azure AD join or hybrid Azure AD join, and they aren't supported on devices with MDM-only enrollment.

    https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates

    https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates

    For applications, Win32 apps need the device to be in Azure AD as well, so they aren't supported with this enrollment method either.

    https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management

    I also find that some other features, like PowerShell scripts, are also not supported.

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    For configuration policies, most can apply, and we assign them to the device group.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create

    Compliance policies can be used.

    https://learn.microsoft.com/en-us/mem/intune/protect/create-compliance-policy

    When the AD connection is lost but the Internet connection is OK, the device can still contact Intune and will still check in to receive policy, I think. This is not related to the AD user profile on the device.

    Hope it can help.


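The answer above ties each limitation to the device's join state (MDM-only versus Azure AD joined or hybrid joined) and to the Intune Management Extension. The following PowerShell is an added example, not code from the thread or from Microsoft, that reports that state on a client so you can tell which limitations apply before troubleshooting a missing app or update. It assumes the `dsregcmd /status` labels, the `HKLM:\SOFTWARE\Microsoft\Enrollments` layout (Intune enrollments carrying `ProviderID = "MS DM Server"`) and the `IntuneManagementExtension` service name as commonly observed on Windows 10/11; treat those as assumptions, not documented contracts. Run it in an elevated session.

```powershell
# Added example (not from the original thread): report join state, Intune enrollment,
# domain trust and Intune Management Extension presence on the local Windows client.
# Assumptions: dsregcmd label names, Enrollments registry layout, IME service name.

function Get-JoinState {
    # dsregcmd /status prints "Label : Value" lines; keep only the join flags.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $state[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-IntuneEnrollment {
    # Each MDM enrollment is a GUID subkey under Enrollments; Intune ones use
    # ProviderID "MS DM Server" (assumption based on common observation).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { Split-Path $_.PSPath -Leaf } },
                      UPN, EnrollmentType, EnrollmentState
}

$join       = Get-JoinState
$enrollment = Get-IntuneEnrollment
$ime        = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue

# Domain trust only means something on a domain-joined device. Test-ComputerSecureChannel
# needs a reachable domain controller; a device that rarely connects will report $false
# (or error) whether the trust is broken or simply unreachable, so read it together
# with the connectivity situation.
$trust = $null
if ($join['DomainJoined']) {
    $trust = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
}

[pscustomobject]@{
    AzureAdJoined     = [bool]$join['AzureAdJoined']
    DomainJoined      = [bool]$join['DomainJoined']
    HybridAzureAdJoin = ([bool]$join['DomainJoined'] -and [bool]$join['AzureAdJoined'])
    DomainTrustIntact = $trust
    IntuneEnrolled    = [bool]$enrollment
    EnrolledUPN       = ($enrollment | Select-Object -First 1 -ExpandProperty UPN)
    MdmOnlyEnrollment = ([bool]$enrollment -and -not [bool]$join['AzureAdJoined'])
    IMEInstalled      = [bool]$ime
} | Format-List
```

Reading the output against the answer: `MdmOnlyEnrollment = True` is the case where Win32 app deployments, PowerShell scripts, expedited quality updates and feature update policies are not expected to work, and `IMEInstalled = False` is consistent with that, since the Intune Management Extension is what delivers Win32 apps and scripts. A device that was hybrid joined and has since lost its domain trust will still show `DomainJoined = True` and `AzureAdJoined = True` with `DomainTrustIntact = False`; the enrollment and check-in to Intune do not depend on the domain secure channel, which matches the answer's point that Intune check-in is independent of the AD connection.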


0 additional answers
