Intune policies on Hybrid Azure AD joined device

32122405 asked:

Can Intune manage (or, more specifically, apply Intune policies to) Hybrid Azure AD joined devices? I have not enabled co-management.

Tags: mem-intune-general, mem-intune-device-configurations, mem-intune-enrollment

Crystal-MSFT answered:

@32122405, as far as I know, most policies can apply to a Hybrid Azure AD joined device which is enrolled into Intune. Which policy do you want to configure? We can check the details of the specific setting's article to see if there is any limitation with the join type.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

Hope it can help.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


@Crystal-MSFT thanks for your response. So by "enrolled in Intune" you mean that the MDM authority for those devices should be Intune. Am I correct?


@32122405, thanks for the reply. Yes, for enrollment methods like GPO and Autopilot Hybrid Azure AD join, these devices will also be Hybrid Azure AD joined in AAD, and the MDM will show as "Microsoft Intune".


@Crystal-MSFT I wanted to test AppLocker.
For example, I want to disable/block Notepad on an Azure AD joined device.
Article : https://docs.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp

RahulJindal-2267 answered:

If you are using ConfigMgr, then you will need to enable co-management to allow management of end-user devices using Intune without any limitations.


Crystal-MSFT answered:

@32122405, for Windows 11 the steps are the same as for Windows 10. You can choose one Windows 11 device and open the Local Group Policy Editor via gpedit.msc.
1. Create the default rules.
2. Create an Executable Rule to disable Notepad via Publisher.

For the detailed steps, you can refer to the steps under "Creating the Applocker Policy", which is an example of blocking Notepad.
https://docs.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp#creating-the-applocker-policy



I am getting this error:
[screenshot]

And

[screenshot]
32122405 answered:

Hello, I tried to create the policy for Windows 11.

The difference in Windows 11 is that the default Windows apps like Paint and Notepad are present in the WindowsApps folder, unlike Windows 10 where they were in System32. Hence, while importing the application as publisher, we get an error. Hence I used path as an alternative option.

Getting this on Intune:

[screenshot]

Also the policy is not working for me on the device.

How do I verify whether the policy has reached the device?


@32122405, based on my check, it seems the policy I configured in the local GPO didn't block Notepad. Could you confirm whether the AppLocker policy set in the local GPO on your device blocks Notepad? If it is also not working, we first need to find the right XML which can block Notepad on Windows 11. Then we can consider deploying it via Intune.


@32122405, after doing more research, I found that the Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. Here is a link for reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service

For the device which is not working, please check if the service is running. Hope it can help.


Service is running.

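The difference described in the answer above is that on Windows 11 Notepad is a packaged (Store) app living under C:\Program Files\WindowsApps, so the publisher identity AppLocker needs comes from the package manifest, not from an EXE under System32; that is why importing notepad.exe as a publisher reference fails and why an Exe-collection rule does not catch it. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the installed package's publisher, product name and version with Get-AppxPackage, builds the StoreApps (Appx) rule collection for the Intune custom OMA-URI, and dry-runs it locally with Test-AppLockerPolicy -Packages before anything is deployed. It assumes an elevated session on the Windows 11 device, the package name Microsoft.WindowsNotepad, and output paths under $env:TEMP (chosen for illustration).

```powershell
# Added example (not from the thread): build the AppLocker StoreApps (Appx) rule collection
# that blocks Windows 11 Notepad, taking publisher/product/version from the installed
# package rather than from an EXE path.
# Assumptions: elevated PowerShell on the Windows 11 device; package name
# Microsoft.WindowsNotepad; output files under $env:TEMP.

$pkg = Get-AppxPackage -Name 'Microsoft.WindowsNotepad' | Select-Object -First 1
if (-not $pkg) { throw 'Microsoft.WindowsNotepad is not installed for this user.' }

Write-Host "Package : $($pkg.PackageFullName)"
Write-Host "Location: $($pkg.InstallLocation)"   # under ...\WindowsApps, not System32

# Identity fields the Appx publisher condition is compared against at launch time.
$publisher = $pkg.Publisher   # e.g. CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$product   = $pkg.Name        # Microsoft.WindowsNotepad
$minVer    = '0.0.0.0'        # deny every version; use $pkg.Version to deny only from the installed one upward

$denyId  = [guid]::NewGuid().ToString()
$allowId = [guid]::NewGuid().ToString()

# Once a collection contains any rule, AppLocker blocks everything in that collection that
# is not explicitly allowed, so the deny rule must ship together with an allow-all rule or
# every other packaged app (Settings, Store, Calculator...) stops launching.
$xml = @"
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="$denyId" Name="Deny $product" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="*">
        <BinaryVersionRange LowSection="$minVer" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="$allowId" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
"@

# Make sure the text is well-formed XML of the right collection type before it goes into
# the custom profile; a typo here surfaces in Intune only as a generic error.
[xml]$parsed = $xml
if ($parsed.RuleCollection.Type -ne 'Appx') { throw 'Expected an Appx rule collection.' }

$outFile = Join-Path $env:TEMP 'Notepad-StoreApps-Deny.xml'
$xml | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Wrote $outFile"
Write-Host 'Paste its contents as the String value of OMA-URI ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy'

# Local dry run without deploying: Test-AppLockerPolicy needs an <AppLockerPolicy> root
# around the collection. PolicyDecision should be "Denied" for the Notepad package.
$policyFile = Join-Path $env:TEMP 'Notepad-StoreApps-Test.xml'
"<AppLockerPolicy Version=`"1`">$xml</AppLockerPolicy>" | Set-Content -Path $policyFile -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $policyFile -Packages $pkg | Format-List FilePath, PolicyDecision, MatchingRule
```

The grouping segment of the OMA-URI ("Native" in the thread) is an arbitrary name chosen in the profile; the collection segment, StoreApps, is what matters, because a rule placed under EXE is evaluated against Win32 binaries only and never sees the packaged Notepad.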
Crystal-MSFT answered:

@32122405, I have done more tests and found that on a Windows 11 device I can block Notepad successfully with the following steps:
1. Create a custom profile in Intune and configure the settings as below:
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy
Data Type: String
Value:
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="4c7be880-5791-4e1a-9012-ecdf24b96a82" Name="Microsoft.WindowsNotepad, version 10.2103.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsNotepad" BinaryName="*">
        <BinaryVersionRange LowSection="10.2103.0.0" HighSection="*"/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

2. After the policy is deployed to Windows 11, I find the policy has been deployed to the device under C:\Windows\System32\AppLocker\MDM.
3. Also, when I check the Advanced Diagnostic Report, I find the setting is applied.
4. And Notepad is also blocked when I open it.
We can see more details in the following link:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981

Hope it can help.


@32122405, Hope things are going well. If there's any update, feel free to let us know.
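The answer above verifies the deployment in three places: the MDM folder under System32\AppLocker, the Advanced Diagnostic Report, and the block itself. The earlier comment adds a fourth precondition, the Application Identity service. The following PowerShell is an added example, not code from the thread or from Microsoft, that checks all of these from the device in one pass and answers the "how do I verify whether the policy has reached the device" question without having to launch Notepad by hand. It assumes an elevated session on the enrolled Windows 11 device, the package name Microsoft.WindowsNotepad, and that the MDM client writes its AppLocker policies under %SystemRoot%\System32\AppLocker\MDM as reported above.

```powershell
# Added example (not from the thread): verify on the enrolled Windows 11 device that the
# Intune-delivered AppLocker StoreApps policy arrived and is enforced against Notepad.
# Assumptions: elevated PowerShell on the device; package name Microsoft.WindowsNotepad;
# MDM-delivered policies live under %SystemRoot%\System32\AppLocker\MDM (folder reported
# in the answer above).

# 1. AppLocker rules are enforced by the Application Identity service (AppIDSvc).
#    If it is stopped, every rule is ignored and nothing is logged.
$svc = Get-Service -Name AppIDSvc
Write-Host ("AppIDSvc status: {0}, start type: {1}" -f $svc.Status, $svc.StartType)

# 2. Policy files written by the MDM client. Their presence proves the custom profile
#    reached the device; LastWriteTime shows which sync delivered it.
$mdmRoot = Join-Path $env:SystemRoot 'System32\AppLocker\MDM'
if (Test-Path $mdmRoot) {
    Get-ChildItem -Path $mdmRoot -Recurse -Filter '*.xml' |
        Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Warning "$mdmRoot does not exist: the custom profile has not been applied yet (check the assignment and run a sync)."
}

# 3. The effective policy as AppLocker merged it (local GPO + MDM). A Windows 11 Notepad
#    block must appear as a Deny rule inside an Appx collection; an Exe rule for
#    notepad.exe does not cover the packaged app.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$appx = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if (-not $appx) {
    Write-Warning 'No Appx (StoreApps) collection in the effective policy.'
} else {
    Write-Host "Appx collection enforcement mode: $($appx.EnforcementMode)"
    $appx.FilePublisherRule |
        Select-Object Action, Name,
            @{ n = 'Product'; e = { $_.Conditions.FilePublisherCondition.ProductName } } |
        Format-Table -AutoSize
}

# 4. Dry-run the effective policy against the installed package instead of launching it.
#    PolicyDecision should be "Denied" with the Notepad rule as MatchingRule.
$pkg = Get-AppxPackage -Name 'Microsoft.WindowsNotepad' | Select-Object -First 1
if ($pkg) {
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Packages $pkg |
        Format-List FilePath, PolicyDecision, MatchingRule
}

# 5. Enforcement evidence: event 8022 in the Packaged app-Execution log is written each time
#    a packaged app is blocked (8021 = audit-only "would have been blocked", 8020 = allowed).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    Id      = 8020, 8021, 8022
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 6. The same report the Settings app calls "Advanced Diagnostic Report", from the command
#    line: MDMDiagReport.html in the output folder lists the applied AppLocker CSP nodes.
$diagDir = Join-Path $env:TEMP 'MDMDiag'
MdmDiagnosticsTool.exe -out $diagDir
Write-Host "Diagnostic report: $(Join-Path $diagDir 'MDMDiagReport.html')"
```

If step 2 shows the file but step 3 shows no Appx collection, the profile landed but under the wrong collection node (EXE instead of StoreApps); if step 3 shows the Deny rule but step 5 never logs 8022, check step 1 first, since a stopped AppIDSvc produces exactly that silent non-enforcement.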