![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 17%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Community Center | Not monitored
Tag not monitored by Microsoft.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 6%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
Hello,
Yes your understanding is absolutely correct the machine either needs to be hybrid azure ad join or azure ad join in order to push updates from Intune console. The reason why you need this is that Intune is a SAAS service and in order to connect with Intune it needs a dependent for authentication that is azure AD.
If you don't have azure ad you can not enroll your machines into Intune. If you don't have azure ad and you can use any on prem solution for deploying the updates like system center config manager and through that channel the Feature updates will be deployed.