Forum Discussion

drivesafely
Brass Contributor
Sep 18, 2024

Applying Policies in a Workgroup Environment with Intune

Hello Everyone,

I have a question regarding policy enforcement in a workgroup environment where devices are enrolled into Intune (e.g., via package provisioning). In this scenario, users continue to log in with their local accounts/profiles on Windows rather than using Azure AD accounts.
Do we need to configure all policies to target devices only, given that the users aren't logging in with Azure AD accounts?

If policies are assigned to AAD users, will they be applied, or will they be ignored because users are logging in with their local accounts?
Your guidance and insights on the best approach for managing policies in this setup would be greatly appreciated.

Thank you

  • chrisslroth
    Brass Contributor
    I think only MAM policies are applied, because your devices are not company-owned without hybrid- or Entra-join. The policies are applied device- and user-based, because your devices are Entra-registered with the M365 user.
  • LukeSkypewalker
    Copper Contributor
    You need to assign policies to Entra-joined devices.
    If you don't use the Entra users to log in, then the Entra user policies won't be applied.
    Using local admins to log in is far from best practice and dangerous.
    • drivesafely
      Brass Contributor
      LukeSkypewalker
      Thank you for your response.
      As we move forward with assigning all policies to devices, I’d appreciate it if you could highlight any potential challenges we might face. Specifically, are there certain policies or settings that may only be applicable when assigned to users rather than devices? Understanding these nuances would help ensure a smoother implementation.
      Thanks again for your support.
  • ishift_chuck
    Copper Contributor
    drivesafely If your AD is syncing to Entra ID (Azure AD) through AAD sync and the workstation is managed in Intune, then policies will be pushed to the system when a user logs into it. I've been deploying policies this way in conjunction with GSA and the GSA client successfully.
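The replies above turn on one question: what join state the workstation is actually in (workgroup only, Entra registered, Entra joined, or hybrid joined), since that decides whether device-targeted and user-targeted Intune policies can apply. The following is an added example, not code from anyone in this thread or from Microsoft; it parses the output of the built-in `dsregcmd /status` tool and summarises the state. The field names `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined` and `MdmUrl` are real `dsregcmd` output fields; the classification labels and the helper function name are this example's own.

```powershell
# Added example (not from the thread): summarise a Windows device's
# Entra ID / AD join state and MDM enrollment from `dsregcmd /status`.
# Run in an elevated PowerShell session on the workstation in question.
# The "User State" section reflects the account running the command, so
# run it as the user who normally signs in to see the user-side picture.
function Get-IntuneJoinState {
    $raw = dsregcmd /status

    # dsregcmd prints "Key : Value" lines grouped under "+---" section
    # headers. Collect every key/value pair into a hashtable; header and
    # blank lines do not match the pattern and are skipped.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'
    $mdmEnrolled     = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])

    # Classification labels are this example's own wording. The policy
    # column states what the thread's replies describe: device-targeted
    # policies need a device identity in Entra (joined or hybrid joined);
    # user-targeted policies need the signed-in user to be the Entra user.
    $state = if ($azureAdJoined -and $domainJoined) { 'Hybrid Entra joined' }
             elseif ($azureAdJoined)                { 'Entra joined' }
             elseif ($workplaceJoined)              { 'Entra registered (workplace joined)' }
             elseif ($domainJoined)                 { 'On-premises domain joined only' }
             else                                   { 'Workgroup, not registered' }

    $deviceTargeting = if ($azureAdJoined) { 'Device-targeted policies can apply' }
                       else                { 'No Entra device identity for device targeting' }

    [pscustomobject]@{
        JoinState       = $state
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        MdmEnrolled     = $mdmEnrolled
        MdmUrl          = $fields['MdmUrl']
        DeviceTargeting = $deviceTargeting
        UserTargeting   = 'User-targeted policies apply only when the Entra user signs in'
    }
}

# Usage: print the summary for the current device.
Get-IntuneJoinState | Format-List
```

A device provisioned by package into Intune without being Entra joined will typically show `MdmEnrolled` true with `AzureAdJoined` false, which is the situation the original question describes. If `DomainJoined` and `AzureAdJoined` are both true, the device is hybrid joined as in the last reply, and both device- and user-targeted assignments have an identity to resolve against when the synced user signs in.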
