Applying Policies in a Workgroup Environment with Intune


Hello Everyone,

I have a question regarding policy enforcement in a workgroup environment where devices are enrolled into Intune (e.g., via package provisioning). In this scenario, users continue to log in with their local accounts/profiles on Windows rather than using Azure AD accounts.


Do we need to configure all policies to target devices only, given that the users aren't logging in with Azure AD accounts?

If policies are assigned to AAD users, will they be applied, or will they be ignored because users are logging in with their local accounts?


Your guidance and insights on the best approach for managing policies in this setup would be greatly appreciated.

Thank you

5 Replies
I think only MAM policies are applied, because your devices are not company-owned without hybrid or Entra join. The policies are applied device- and user-based, because your devices are Entra-registered with the M365 user.
@chrisslroth
The devices will be enrolled as Entra-joined (via package provisioning).
You need to assign policies to Entra-joined devices.
If you don't use the Entra users to log in, then the Entra user policies won't be applied.
Using local admins to log in is far from best practice and dangerous.
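The reply above comes down to two checks on each workgroup PC: is the device actually Entra-joined and MDM-enrolled, and are people signing in with local accounts (which receive no user-targeted policy) rather than Entra accounts. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it parses the built-in `dsregcmd /status` output, lists local principals in the Administrators group, and reports whether the current session is an Entra sign-in. It assumes a Windows 10/11 device and an elevated prompt for `Get-LocalGroupMember`.

```powershell
# Added example (not part of the thread): audit an Entra-joined workgroup PC to explain
# why user-targeted Intune policies are not arriving for local-account sign-ins.

function Get-DeviceJoinState {
    # dsregcmd /status is built into Windows; keep only the "Key : Value" lines we care about.
    $raw = dsregcmd /status
    $state = [ordered]@{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt|MdmUrl)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-LocalAdminSignIns {
    # Members of Administrators whose source is the local SAM (not Entra ID / AD / MSA).
    # Sessions for these accounts are outside Entra, so user-assigned Intune policy never targets them.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-CurrentSessionIsEntra {
    # Entra ID sign-ins are presented by Windows as "AzureAD\<user>"; local accounts as "<hostname>\<user>".
    (whoami) -like 'AzureAD\*'
}

$join = Get-DeviceJoinState
Write-Host "Device join state:"; $join | Format-List

if ($join.AzureAdJoined -ne 'YES') {
    Write-Warning "Device is not Entra-joined: neither device- nor user-targeted Intune policy will apply."
}
if (-not $join.MdmUrl) {
    Write-Warning "No MDM URL: device is not enrolled in Intune."
}

if (Test-CurrentSessionIsEntra) {
    Write-Host "Current session is an Entra sign-in; user-assigned policies can apply."
} else {
    Write-Warning "Current session is a local account; only device-assigned policies apply here."
}

Write-Host "`nLocal accounts in Administrators (each is an unmanaged sign-in path):"
Get-LocalAdminSignIns | Format-Table -AutoSize
```

Run this on a sample device before deciding how to scope assignments: if `AzureAdJoined` is `YES` and `MdmUrl` is populated but every interactive account is local, device-scoped assignments are the only ones that will ever land, which matches the advice in the reply. The local-admin list also gives you the accounts to phase out in favour of Entra sign-ins.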
@LukeSkypewalker
Thank you for your response.
As we move forward with assigning all policies to devices, I’d appreciate it if you could highlight any potential challenges we might face. Specifically, are there certain policies or settings that may only be applicable when assigned to users rather than devices? Understanding these nuances would help ensure a smoother implementation.
Thanks again for your support.

@drivesafely  If your AD is syncing to Entra ID (Azure AD) through AAD sync and the workstation is managed in Intune then policies will be pushed to the system when a user logs into it. I've been deploying policies this way in conjunction with GSA and GSA client successfully.