This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 88%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Do you need GPO for hybrid deployment of current on prem devices or will the user scope for mdm suffice? Seeing conflicting articles. Whats the point of user scope for the mdm vs the GPO?
@Justin Lee Thanks for posting in our Q&A.
For this issue, to avoid any misunderstanding, could you please clarify what the conflicts did you mean?
If there is anything update, feel free to let us know. And we will continue to discuss this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 69%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
If you are referring to MDM enrollment GPO policy then you need both. If the enrollment in Intune is through Co-management using ConfigMgr then the GPO is not needed.
You can use GPO, MDM user or MDM device. By default, in conflict, MDM wins over GPO. Best way is to minimize GPO and maximize MDM ( Intune's Settings Catalog by default)
And if you mean the GPO setting for MDM enrollment, use always User sub-selection there. Device selection is for co-mgnt or AVD multisession.