SMF9211 asked Crystal-MSFT edited

Windows 10 enrollment in Intune

Hi,

The question is not about the steps but conceptual. When someone has on-prem AD, is doing Hybrid Azure AD Join and wants to enroll in Intune (no SCCM), what kind of policies need to be used? We know group policies are already coming from AD, so what would be the best practice to use from Intune enrollment for Windows 10, apart from Autopilot?

Thanks

SM


@syedfasial-7607, I hope things are going well. I am writing to see if the information provided is helpful. If it is, would you mind clicking "Accept Answer" so that others can find the helpful information quickly?

Thanks and have a nice day!

Jason-MSFT answered
SMF9211 answered Jason-MSFT commented

Thanks Jason, maybe my question wasn't clear. I know how to do Hybrid Azure AD Join and the steps involved in it.
My questions are:
1. When a device is enrolled in Intune and Hybrid Azure AD joined, is the best practice still to use GPO for normal computer policies?
2. If yes, then in this situation, what kind of policies/configuration profiles are recommended from Intune itself?

Thanks

SM


  1. You shouldn't ever ask for "best practices", as what's best for someone else has little to no relation to what's best for you. You can use any policy engine you want to deliver policies; just make sure they don't conflict with each other. Our "happy" place is for orgs to move their policies to Intune, though, as that's how you manage cloud-native devices. The sooner you can move your policies, the sooner you can start embracing cloud native.

  2. There are no generic, one-size-fits-all recommendations necessarily; however, you can certainly start with the baselines built into Intune (https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-intune-introduces-mdm-security-baselines-to-secure-the/ba-p/313442) and our cloud configuration (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-in-cloud-configuration/ba-p/2111313).

Crystal-MSFT answered

@syedfasial-7607, for your questions, here are my answers for reference:
Q1: When a device is enrolled in Intune and Hybrid Azure AD joined, is the best practice still to use GPO for normal computer policies?
A1: Autopilot Hybrid Azure AD Join is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. This is done during the OOBE (out-of-box experience) in Windows 10, meaning it's meant for new devices or existing devices that you either re-image, re-install or reset. For Autopilot, we can also configure whether users are administrators or standard users on the device. We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot

For GPO enrollment, this is usually for existing devices. When the GPO is applied, a scheduled task will be created to do the enrollment for the currently logged-on user. There's no need to reset.

If we don't want to reset the device, we can choose GPO enrollment. For new devices, we can choose Autopilot to set and pre-configure the new devices.

Q2: If yes, then in this situation, what kind of policies/configuration profiles are recommended from Intune itself?
A2: For configuration policy, we can configure it according to our requirements. These are settings we can enable or configure on devices in a batch via Intune. We can see the different types of profiles we can create in the following link:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profiles

Meanwhile, in Intune, we can also manage apps, set app protection policies and configure compliance policies, which help protect organizational data by requiring users and devices to meet certain requirements. Here are the Intune docs we can read for reference:
https://docs.microsoft.com/en-us/mem/intune/

Hope it can help.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
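The answer above describes two enrollment paths (Autopilot during OOBE, or a GPO that creates a scheduled task to enroll the logged-on user). Before relying on Intune profiles on a hybrid-joined device, an admin typically wants to confirm that the device is actually hybrid joined and that the Intune enrollment completed. The following PowerShell script is an added example written for this thread, not code from the thread or from Microsoft; it assumes `dsregcmd.exe` is available (Windows 10 1803 or later), that the auto-enrollment GPO writes `AutoEnrollMDM` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`, that Intune enrollments appear under `HKLM\SOFTWARE\Microsoft\Enrollments` with `ProviderID` of `MS DM Server`, and that the GPO-created enrollment tasks live under the `\Microsoft\Windows\EnterpriseMgmt\` task folder. Run it from an elevated PowerShell prompt on the device.

```powershell
# Added example (not from the Q&A thread): report join state and Intune MDM
# enrollment state on a Windows 10 device that is expected to be
# Hybrid Azure AD joined and enrolled via the auto-enrollment GPO.
# Assumptions (mine): dsregcmd.exe exists; registry paths and the
# EnterpriseMgmt task folder are as documented for Windows 10 MDM enrollment.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones we need.
    $lines = dsregcmd /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $domain = ($state['DomainJoined']  -eq 'YES')
    $aad    = ($state['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $aad
        HybridJoined  = ($domain -and $aad)   # hybrid = both joins present
        HasAzureAdPrt = ($state['AzureAdPrt'] -eq 'YES')  # PRT needed for user-based auto-enrollment
    }
}

function Get-MdmEnrollmentState {
    # Value written by the GPO "Enable automatic MDM enrollment using default Azure AD credentials".
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $autoEnroll = (Get-ItemProperty -Path $policyKey -Name AutoEnrollMDM -ErrorAction SilentlyContinue).AutoEnrollMDM

    # Each enrollment is a GUID subkey; Intune enrollments carry ProviderID "MS DM Server".
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    # The GPO enrollment path creates scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }

    [pscustomobject]@{
        AutoEnrollPolicySet = ($autoEnroll -eq 1)
        IntuneEnrolled      = (($enrollments | Measure-Object).Count -gt 0)
        EnrollmentTaskCount = ($tasks | Measure-Object).Count
    }
}

$join = Get-DeviceJoinState
$mdm  = Get-MdmEnrollmentState

Write-Host '== Join state ==';       $join | Format-List | Out-String | Write-Host
Write-Host '== MDM enrollment ==';   $mdm  | Format-List | Out-String | Write-Host

if (-not $join.HybridJoined) {
    Write-Warning 'Device is not Hybrid Azure AD joined; GPO-based Intune auto-enrollment will not complete.'
} elseif ($mdm.AutoEnrollPolicySet -and -not $mdm.IntuneEnrolled) {
    # Policy is present but no enrollment yet: inspect the scheduled tasks and the
    # Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log.
    Write-Warning 'Auto-enrollment policy is set but no Intune enrollment was found yet.'
}
```

The script only reads state and prints it; it does not change enrollment. A `HybridJoined` of `True` with `IntuneEnrolled` of `False` and a non-zero `EnrollmentTaskCount` is the normal in-between state shortly after the GPO applies, since the scheduled task runs on a delay for the logged-on user.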