SOLVED

Question regarding Hybrid Azure AD join and policy


Hi,

I got a question regarding Hybrid Azure AD Joined and policies assigned to UPNs.


I read that "Hybrid Azure AD joined Windows 10 devices don't have an owner."  from Microsoft Docs.


I have several compliance policies and profiles configured which are assigned to a group. I always add the UPNs as members of these groups so they receive the policies, to have full control of every policy and what each user is receiving.

This works perfectly with all my Azure AD joined devices. I haven't tried the Hybrid Azure AD joined computers yet, since I haven't enabled the UPNs, which are cloud-only at the moment and yet to be AD synced.

[screenshot: Freppy_0-1636377621389.png]

My question is: since Hybrid Azure AD joined devices won't have an owner, will the Hybrid Azure AD joined device still receive the policies and apps if I add the user to the group the policies are assigned to, once the computers are hybrid joined and the users are AD synced?

[screenshot: Freppy_1-1636378223434.png]

Or is the only option to assign it to "all devices"? :\


Thanks for your help

5 Replies
Hi,

Looking at the screenshot, you have hybrid-enrolled devices in Azure AD, but the Intune MDM is missing... no MDM --> no compliance

Please read these 2 blogs

https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/
https://call4cloud.nl/2021/08/the-death-of-compliance/

And did you configure this GPO as mentioned in these MS docs?

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...
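As an added example that is not part of the original thread: a PowerShell triage script for the check Rudy is asking about, namely whether a client is actually hybrid Azure AD joined, whether it is enrolled into Intune MDM (his "no MDM --> no compliance" point), and whether the auto-enrollment GPO from the linked docs has landed on the box. It parses the output of the built-in dsregcmd.exe and reads the registry locations used by the MDM auto-enrollment policy and by MDM enrollments. The meaning of the UseAADCredentialType values and the "MS DM Server" provider string for Intune are assumptions noted in the comments; verify them against your own template and devices.

```powershell
# Added example (not from the thread): triage whether a Windows 10/11 client is
# hybrid Azure AD joined and MDM enrolled, and whether the auto-enrollment GPO is present.
# Run in an elevated PowerShell session on the client.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-MdmAutoEnrollPolicy {
    # Values written by the GPO "Enable automatic MDM enrollment using default Azure AD credentials"
    # (Computer Configuration > Administrative Templates > Windows Components > MDM).
    # Assumption: UseAADCredentialType 1 = User Credential, 2 = Device Credential (check MDM.admx).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $p.UseAADCredentialType
    }
}

function Get-MdmEnrollments {
    # Each MDM enrollment is a GUID subkey under HKLM\SOFTWARE\Microsoft\Enrollments.
    # Assumption: Intune enrollments carry ProviderID "MS DM Server".
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID) {
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                ProviderID     = $p.ProviderID
                EnrollmentType = $p.EnrollmentType
                IsIntune       = ($p.ProviderID -eq 'MS DM Server')
            }
        }
    }
}

function Test-HybridJoinAndMdm {
    $s = Get-DsregStatus
    $hybrid = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
    # dsregcmd reports MdmUrl only once the device has an MDM enrollment.
    $mdmUrl = $s['MdmUrl']
    $enrollments = @(Get-MdmEnrollments)

    $verdict = if (-not $hybrid) {
        'Not hybrid joined: check AD Connect device sync / SCP before anything else'
    } elseif (-not $mdmUrl -and -not ($enrollments | Where-Object IsIntune)) {
        'Hybrid joined but no Intune MDM enrollment: no MDM -> no compliance, no Intune policies'
    } else {
        'Hybrid joined and MDM enrolled: Intune policies and compliance can apply'
    }

    [pscustomobject]@{
        AzureAdJoined  = $s['AzureAdJoined']
        DomainJoined   = $s['DomainJoined']
        HybridJoined   = $hybrid
        AzureAdPrt     = $s['AzureAdPrt']   # NO here usually means user sign-in to AAD is not working
        MdmUrl         = $mdmUrl
        Enrollments    = $enrollments
        AutoEnrollGpo  = Get-MdmAutoEnrollPolicy
        Verdict        = $verdict
    }
}

Test-HybridJoinAndMdm | Format-List
```

If the device shows as hybrid joined but the policy object is missing (AutoEnrollGpo is null) and there is no Intune enrollment, the GPO from the linked docs has not applied; running `gpupdate /force` and waiting for the scheduled auto-enrollment task is the usual next step before looking at Intune assignments at all.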
Thanks for your answer.
It was actually only an example screenshot I got from Google, not the tenant which I am setting up.

To answer your question regarding the GPO: I have brand new machines only, which are not domain joined at the moment; I will do that manually.
Hi,

Ahhh okay.. :) Normally with hybrid, if you configured Intune, you will receive the apps and policies you configured in Intune.. But maybe a stupid question... why do you want to go hybrid?
Hehe, I don't want to, but the customer wants to. I tried to explain, but in the end, you do what the customer wants ^^
Yeah, but I'm not sure if it works to assign the policies to groups with members in them, since the hybrid Azure AD joined machines are not "owned" by anyone.

I will see if anyone else answers as well, if they have run into any issues or done this setup :)
Meanwhile, I will configure a test tenant.
Thanks for your replies Rudy, appreciate it :)
best response confirmed by Freppy (Occasional Contributor)
Solution
Hi,

Owner is something else than the (primary) user of the device :). It would otherwise be weird if Azure hybrid devices couldn't be managed with Intune :)