This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 50%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Can Intune manage(or specifically saying, apply Intune policies) on Hybrid Azure AD Joined devices. I have not enabled Co-management.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Ask Intune Question , Based as I know, most policies can apply to Hybrid Azure AD join device which is enrolled into Intune. Which policy you want to configure? We can check the detail of the specific setting article to see if there's any limitation with the join type.
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Crystal-MSFT thanks for your response. So by enrolled in Intune you meant to say that the MDM Authority for those devices should be Intune. Am I correct ?
@Ask Intune Question , Thanks for the reply. Yes, for the enrollment method like GPO and Autopilot Hybrid Azure AD, these devices will also be Hybrid Azure AD join in AAD. And the MDM will show as "Microsoft Intune"
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
@Crystal-MSFT I wanted to test App Blocker.
For example, I want to disable/block Notepad for Azure AD Join device.
Article : https://learn.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp
@Ask Intune Question , To test Applocker, just as the article mentioned, we can create the Applocker policy on a test device. After it is working, we can export the xml and deploy it via Intune custom profile. For this CSP, I didn't find it has Hybrid Azure AD type limitation. So it's OK to deploy.
To block Notepad, based as my understanding, we can create policy to allow all apps and only block Notepad. If you have more questions about creating with the Applocker policy setting, you can contact our windows support to get more information.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Also, I am testing this on Windows 11 device.
Please let me know how can it be done for Windows 11 device.
@Crystal-MSFT any update on this ?
If you are using ConfigMgr then you will need to enable co-management to allow management of end user devices using Intune without any limitations.
@Ask Intune Question , For windows 11, the steps is the same as windows 10. you can choose one windows 11 device and open local group policy editor via gpedit.msc.
For the detailed steps, you can refer to the steps under "Creating the Applocker Policy" which is an example to block notepad.
https://learn.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp#creating-the-applocker-policy
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I am getting this error:
And
Hello I tried to create the policy for Windows 11.
The difference in Windows 11 is, the default windows apps like paint, notepad are present in Windows Apps folder unlike in Windows 10 where it was in system32. Hence while importing application as publisher we are getting a error. Hence I used path as an alternative option.
Getting this on Intune:
Also the policy is not working for me on the device.
How to verify whether the policy has reached to the device ?
@Ask Intune Question , Based on my check, it seems the policy I configure on the local GPO didn't block the notepad. Could you confirm if the applocker policy set in Local GPO on your device side break the notepad? If it is also not working, we need to firstly find the right xml which can break notepad on windows 11. Then we can consider to deploy it via Intune.
@Ask Intune Question , After doing more research, I find The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced.Here is a lonk for the reference:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service
For the device which is not working, please check if the service is running. Hope it can help.
Service is running.
@Ask Intune Question , Thanks for the response. From your description, I know the service is running. But it seems still not working. Here, I would like to confirm if the setting can work when we configure it via local Group policy. if there's any update, feel free to let us know.
@Ask Intune Question , I have done more test and find on windows 11 device, I can block Notepad successfully with the following steps:
2. After the policy is deployed to windows 11, I find the policy has been deployed to the device under C:\Windows\Systematic2\AppLocker\MDM.
3. Also when I check the Advanced Diagnostic Report, I find the setting is applied:
4. And the notepad is also block when I open it.
We can see more details in the following link:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Ask Intune Question , Hope things are going well. If there's any update, feel free to let us know.