This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello Expertise,
Please advise if the path we're proceeding is correct or any changes required?
Current Infrastructure:
Laptops and AVD Devices (Hybrid Joined)
All workloads are with SCCM.
Endpoints are already enrolled in Intune/AD.
Future Infrastructure:
Devices provisioned through Intune/Autopilot (AAD Joined)
Windows Hello for Business for password less authentication using Cloud Trust
Windows Update for Business to manage MSFT & Driver updates.
Sorry, is there a question here?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Ranjithkumar Duraisamy, Thanks for posting in Q&A.
From your description, I know we are using co-management. And now the workloads are with SCCM. If you want to migrate to cloud in the future days, you can switch the workloads from SCCM to Intune.
Meanwhile, for any new devices that only need to join into Azure AD, Autopilot is a good option to pre-configure new devices:
https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot
For windows Hello for business and windows update, here are links list what we can manage in Intune:
https://learn.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you. That helps.
@Ranjithkumar Duraisamy. Thanks for the reply. I am glad the information can help. Meanwhile, for your questions, here are my thoughts from Intune side for your sharing:
For windows update ring policy, it only define an update strategy (e.g. allow driver installation, set deferral period, set maintenance time, etc.), they don’t actually provide the update infrastructure itself. This means that you still need to use your existing update solution such as Windows Update or WSUS to obtain the actual updates. Here is a link with more details:
For feature update policies, you can select the Windows feature update version that you want devices to remain at, like Windows 10 version 1909 or a version of Windows 11. This policy has some prerequisites like Intune license, windows update for business license and be enrolled in Intune MDM and be Hybrid AD joined or Azure AD joined and etc. And managed devices that receive feature update policy are automatically enrolled with the Windows Update for Business deployment service. The deployment service manages the updates a device receives. The service is utilized by Microsoft Endpoint Manager and works with your Intune policies for Windows updates to deploy feature updates to devices.
Hope it can help.
@Ranjithkumar Duraisamy, Hope things are going well. I am writing to see if any other thing we can help. If yes, feel free to let us know.
@Rahul Jindal [MVP] @Crystal-MSFT
It's more of a strategy/path check to ensure we're approaching on right path but here's the actual question.
If my understanding is correct, all the cloud joined devices are applied with #WHFB policy by default i.e., during enrollment/tenant wide.
Do we still need to apply dedicated policy for #WFHB?
do we have any recommendations from MSFT to follow?
If yes, which one is the appropriate one? I.e., Configuration policy or Baseline etc.
Any idea how #WFHB enrollment policy and #WHFB configuration policy would work together?
sorry about more questions but hope this should help lot of people in #WHFB.
@Ranjithkumar Duraisamy, Thanks for the reply.
When we configure the Windows Hello for Business under "Enroll devices > Windows enrollment > Windows Hello for Business", devices will apply Windows Hello For Business at the time those devices enroll with Intune. If you not to configure a tenant-wide policy for Windows Hello for Business, you can use a device configuration Identity protection profile to configure groups of devices for Windows Hello. Here is a link iwth more details for your reference:
There are different methods to configure WHfB and each serve a different purpose. I personally like to have control over the configuration and do so by leveraging device identity protection profile. I disable everywhere else.
Thanks for your response @Rahul Jindal [MVP] . Btw, do you think the same would be an right option in my scenarios too?. I.e., Use configuration profile/identity protection for 1. Hybrid Joined pcs and 2. Cloud Native Pcs. thinking of adopting to cloud Kerberos trust deployment model. Thank you for your appropriate guidance in advance.