Hey Scott Duffey, great article! It's a great addition to your book!
I'm trying to spin up Intune. Going forward, the new devices will be AAD joined and have stricter policies, but I also have existing devices that I don't want to wipe but still want in Intune. So I'm rolling out Intune enrollment via Group Policy. It's working well for most things. Up until now I've had a dynamic group that targets any Autopilot-enrolled device and a static group to which I've added the list of existing hybrid-joined devices.
I'm running into problems with corporate devices that were not on the on-prem domain before, which I don't want to wipe to enroll in Autopilot. So I had them use the "Join to Azure AD" option in Settings, where I have automatic enrollment set up, but that does not add them to the dynamic group of Autopilot devices, and this article says the virtual groups are best. So I went to switch from using that dynamic group to All Devices with the hybrid group excluded, but it seems some things can't be assigned to All Devices, like compliance policies. I thought about assigning to All Users, but then I can't exclude just the hybrid devices from the new rules. I'm probably just thinking about this wrong, but this is all new to me, as we are coming from manually setting up each new machine.
Thanks in advance!