Azure Hybrid AD Join


Hello all,
My organization uses EMS for MDM with our mobile devices (iPhone, Android, etc.). In addition, we have a small subset of users who have Windows 10 devices that are Azure AD joined so we can manage them through Intune. This is for our mobile workforce.

I've now been tasked with rotating our corporate wireless network keys, and I know Intune can push these out to my 150+ laptops. Most, if not all, of my laptop users have a company-issued phone and are therefore licensed for EMS.

My question is: for the subset of users who have both a mobile (Azure AD joined) Surface and an AD-joined laptop, how can I differentiate between the two in Intune?

For example, I've got a laptop that is AD joined and a Surface that is Azure AD joined. My Surface gets certain apps and settings pushed to it, e.g. Chrome, Office 365, Wi-Fi profiles, browser home page, etc. However, for my laptop I ONLY want to manage Wi-Fi networks. Is there a way to identify a device as on-prem AD joined and therefore apply only these certain policies?

@Stephen Bell 


Intune includes settings and features you can enable or disable on different devices within your organization, including a scenario with two devices with the same OS for the same user.

The profile can be for compliance, configuration, and deploying apps.
More information for

Hi Steve,

I have a similar environment. I would sync on-prem computers to the cloud, put them in a synced group, and then target that group with the Wi-Fi policy.

For Example:

Moe_Workstation (PC synced to the cloud)
IT Workstations (security group synced to the cloud that includes Moe_Workstation)
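The approach in the reply above relies on the on-prem AD-joined laptops showing up in Azure AD (hybrid Azure AD joined) and being grouped separately from the Azure AD joined Surfaces. The added script below is an illustration written for this thread, not code posted by the reply author, showing how to tell the two join types apart and populate the group that the Wi-Fi profile is assigned to. It assumes the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgDevice`, `Get-MgGroup`, `Get-MgGroupMember`, `New-MgGroupMember`) is installed, the caller holds `Device.Read.All` and `GroupMember.ReadWrite.All`, and a group named "IT Workstations" (the name from the reply) already exists. The distinguishing attribute is the device's `trustType`: `ServerAd` for hybrid Azure AD joined (on-prem AD joined), `AzureAd` for Azure AD joined, `Workplace` for Azure AD registered.

```powershell
# Added example for this thread; not the reply author's code.
# Assumes: Microsoft.Graph PowerShell SDK installed, permissions Device.Read.All and
# GroupMember.ReadWrite.All, and an existing group named "IT Workstations" (assumed name).
Connect-MgGraph -Scopes "Device.Read.All", "GroupMember.ReadWrite.All"

$GroupName = "IT Workstations"   # assumed group that the Wi-Fi profile is assigned to
$DryRun    = $true               # set to $false to actually modify group membership

# trustType separates the join types the question asks about:
#   ServerAd  = hybrid Azure AD joined (on-prem AD joined, registered via Azure AD Connect)
#   AzureAd   = Azure AD joined (the Surface in the question)
#   Workplace = Azure AD registered (BYOD / workplace-joined)
$hybrid    = Get-MgDevice -Filter "trustType eq 'ServerAd' and operatingSystem eq 'Windows'" -All
$aadJoined = Get-MgDevice -Filter "trustType eq 'AzureAd' and operatingSystem eq 'Windows'" -All

Write-Host ("Hybrid Azure AD joined Windows devices: {0}" -f @($hybrid).Count)
Write-Host ("Azure AD joined Windows devices:        {0}" -f @($aadJoined).Count)

# Report so an admin can eyeball which device is which before any policy is assigned.
$hybrid + $aadJoined |
    Select-Object DisplayName, TrustType, OperatingSystemVersion, ApproximateLastSignInDateTime |
    Sort-Object TrustType, DisplayName |
    Format-Table -AutoSize

# Populate the target group with the hybrid-joined machines only. Note: a group that is
# itself synced from on-prem AD is read-only in Azure AD, so in that case manage membership
# in on-prem AD instead; this loop is for a cloud-only group.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }
if ($group.OnPremisesSyncEnabled) {
    Write-Warning "Group '$GroupName' is synced from on-prem AD; add members there, not here."
    return
}

$existing = Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id
foreach ($device in $hybrid) {
    if ($existing -contains $device.Id) { continue }   # already a member
    if ($DryRun) {
        Write-Host "Would add $($device.DisplayName) ($($device.Id)) to '$GroupName'"
    } else {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
        Write-Host "Added $($device.DisplayName) to '$GroupName'"
    }
}
```

Run it first with `$DryRun = $true` and check the table: a laptop that is AD joined but never registered with Azure AD will simply not appear with `trustType` `ServerAd`, and that is the sign that hybrid join (Azure AD Connect) still needs to be set up for it. Once the group holds only the `ServerAd` devices, assign the Wi-Fi profile to that group and keep the app and browser policies assigned to a separate group built from the `AzureAd` devices, which is the separation the question asks for.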