tarouchabi-7271 asked:

About Intune,Azure AD Registered,GPO, SCCM

Now, the configuration of my environment is as follows:
VDI (Windows 10, 1809 and later)
SCCM
* AADC <Synchronize with alternate ID, Pass-through authentication> Azure AD

And now, all devices are registered as Azure AD Registered.

Please advise me.
I don't know which configuration is best. Is there any difference between the configurations with respect to Intune, Conditional Access, etc.?
And what are the precautions for VDI device management? Is it just that the computer names are the same?
Is it okay not to worry about security threats because the user ID and device are linked?

  1. Azure AD joined <<< I can't take this configuration because I would need to change all devices from domain join to workgroup.

  2. Azure AD registered + Intune <<< Do duplicate policies (GPO, Intune) both apply? Is this configuration possible?

  3. Azure AD registered + Intune + SCCM

  4. Hybrid Azure AD Join + Intune + GPO?

  5. Hybrid Azure AD Join + Intune + SCCM + GPO?





Tags: mem-intune-device-configurations, azure-ad-device-management

Crystal-MSFT answered:

@tarouchabi-7271, in general, SCCM and Intune are both used to manage devices and apps. For internet devices, we can do Azure AD join and enroll into Intune to manage them. For devices in an on-premises domain, if we want to use both tools to manage them, we can consider co-management.

From the Intune side, the OS versions supported by Intune are listed below. There is not much difference between a physical machine and a virtual machine.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

Conditional Access is the tool used by Azure Active Directory to control access. This feature needs an Azure AD Premium P1 license.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access

For an Azure AD registered device, when it enrolls into Intune, there will be some limitations. For example, Win32 apps are not supported for Azure AD registered devices.
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management#prerequisites

For a device, we can only choose one enrollment type. For co-management and GPO enrollment, the prerequisite is that the device needs to be Hybrid Azure AD joined. We can choose one according to your requirements. Here is an article for reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

For the security threats, I am not familiar with it. Did you mean we have set it on Azure via the following modules? If yes, it can protect.
https://docs.microsoft.com/en-us/learn/modules/protect-against-security-threats-azure/

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



PaD-7009 answered:

1) Azure AD registered + Intune <<< Do duplicate policies (GPO, Intune) both apply? Is this configuration possible?

  • If your PCs are still domain joined, you have to use Hybrid domain join + Intune.

  • From what I have seen and heard, most of the important GPOs are now available in Intune, via admin templates, ADMX ingestion, custom CSP or Intune/MDM policy.



2) Azure AD registered + Intune + SCCM

  • This option is best if you have already invested in SCCM.

  • One of the prerequisites is Hybrid domain join.

  • Here you can still continue to use GPOs, because your PCs are Hybrid domain join.

3) Hybrid Azure AD Join + Intune + GPO?

  • Best option if your PCs are still domain joined.

  • You don't have SCCM or any other management tool.

4) Hybrid Azure AD Join + Intune + SCCM + GPO?

  • This is the same as option 2.



Thanks a lot.

>If your PCs are still domain joined. You have to use Hybrid Domain join + Intune.


Then, if all corporate PCs are still domain joined, is the Hybrid domain join configuration mandatory?
Why can't I use Azure AD registered (BYOD) + Intune? Is the applicable GPO different?

Hybrid domain join doesn't seem to support alternate IDs.
And I can't immediately change all corporate PCs to workgroups.

Is my only workaround device management with SCCM?
Is SCCM MDM controllable for Azure AD as well?


Is the configuration of Hybrid domain join mandatory?

Not strictly speaking, no.

Why can't I use Azure AD registered(BYOD) + Intune?

You can; however, AAD registration is a user-centric operation that can only be completed by the user, to my knowledge. The GPO for registering devices is a device-centric operation that is part of hybrid AAD joining that device (because HAADJ = device-centric AAD registration + on-prem domain join).

Is my workaround only device management with SCCM?

No. As long as the device has an AAD identity, then it can be managed by Intune.

Is SCCM MDM controllable for azure ad as well?

Not sure what this means.


Clarifying a couple of your points:

And I can't immediately change all corporate PCs to workgroups.

  • Just so you know, you are not disconnecting from on-prem AD. Here you are just registering the PC in parallel, so users will not see any difference. HDJ is a backend silent activity that users will not notice.

Is my workaround only device management with SCCM?

  • Use SCCM co-management (still requires HDJ).

  • SCCM cloud management gateway.



Co-management does not require HAADJ. It requires HAADJ or AADJ.

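The comments above hinge on three facts that `dsregcmd /status` reports per device: AzureAdJoined (device-centric join), DomainJoined (on-prem AD) and WorkplaceJoined (user-centric Azure AD registration). The script below is an added example, not code from this thread or from Microsoft; it parses that output into the join types discussed here (Azure AD joined, Hybrid Azure AD joined, Azure AD registered, and the domain-joined-plus-registered combination) and reports two security-relevant rows alongside: AzureAdPrt (the Primary Refresh Token that device-based Conditional Access relies on) and TpmProtected (whether the device key is hardware-bound). The function names are my own, and the sample status text is constructed, not captured from a real machine.

```powershell
# Added example (not from the thread). Classifies a Windows 10 device's
# Azure AD relationship from the output of `dsregcmd /status`. Run as the
# signed-in user, not as SYSTEM, so the "User State" and "SSO State"
# sections reflect that user's registration and PRT.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints one "Key : Value" row per line inside boxed sections.
    # The first occurrence of a key wins; the rows we care about are unique.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1].Trim()
            if (-not $state.ContainsKey($key)) { $state[$key] = $Matches[2] }
        }
    }
    return $state
}

function Get-AzureAdJoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    $aadJoined = $State['AzureAdJoined']   -eq 'YES'   # device-centric Azure AD join
    $domJoined = $State['DomainJoined']    -eq 'YES'   # on-prem AD domain join
    $wpJoined  = $State['WorkplaceJoined'] -eq 'YES'   # user-centric Azure AD registration
    if ($aadJoined -and $domJoined) { return 'HybridAzureAdJoined' }
    if ($aadJoined)                 { return 'AzureAdJoined' }
    if ($domJoined -and $wpJoined)  { return 'DomainJoined+AzureAdRegistered (dual state)' }
    if ($wpJoined)                  { return 'AzureAdRegistered' }
    if ($domJoined)                 { return 'DomainJoinedOnly' }
    return 'NotRegistered'
}

function Get-DeviceIdentityPosture {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        JoinType = Get-AzureAdJoinType -State $State
        # The Primary Refresh Token is what device-based Conditional Access
        # evaluates; without it the device cannot prove itself to Azure AD.
        HasPrt   = $State['AzureAdPrt'] -eq 'YES'
        # Device key held in the TPM rather than in software (Device Details section).
        KeyInTpm = $State['TpmProtected'] -eq 'YES'
        # MDM enrollment discovery URL the tenant advertises (empty when none).
        MdmUrl   = $State['MdmUrl']
    }
}

# Constructed sample output (not captured from a real machine): a PC that is
# domain joined and whose user has Azure AD registered it, i.e. the dual state.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

Get-DeviceIdentityPosture -State (ConvertFrom-DsregStatus -Lines $sampleStatus) | Format-List

# On a real device, replace the sample with the live output:
#   Get-DeviceIdentityPosture -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

The sample classifies as the dual state with no PRT and no TPM-bound key, which is exactly the combination where a Conditional Access policy that requires a hybrid joined or compliant device will fail for that user. Because WorkplaceJoined is per user, run it in the context of the user whose registration you are checking.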
tarouchabi-7271 answered:

Sorry for the late reply.
Now, I'm looking for two ideas.

  1. Considering the DUAL STATE of the device, I build "hybrid AD join + Intune".
    https://docs.microsoft.com/ja-jp/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

  2. I build "Azure AD Registered + Intune". "Azure AD Registered PC" is domain joined to on-premises AD.


Well... Functionally, can No. 2 be realized?
Is there a way to enroll a Win10 PC that is already Azure AD registered into Intune?
Is it possible to check the GPO state or SCCM update state with Intune and quarantine the device to comply with Intune?




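The planning article linked in the post above describes the dual state (a domain-joined PC that a user has also Azure AD registered) and documents the BlockAADWorkplaceJoin registry policy that stops users from registering domain-joined devices; hybrid Azure AD join is device-centric and is not affected by it. The script below is an added example, not code from this thread or from Microsoft: it checks the local device for the dual state, checks whether the block policy is set, and applies it when it is not. The function names are my own; the registry path and value name are the ones the article documents.

```powershell
# Added example (not from the thread). Detects the dual state on this
# domain-joined Windows 10 device and applies the documented policy value
# that blocks users from Azure AD registering it. Run in an elevated
# PowerShell session.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$PolicyName = 'BlockAADWorkplaceJoin'

function Test-DualState {
    # $StatusLines defaults to the live dsregcmd output; pass saved output to
    # evaluate offline. WorkplaceJoined is per user, so the result reflects
    # only the user the command runs as.
    param([string[]]$StatusLines = (dsregcmd /status))
    $domainJoined  = [bool]($StatusLines -match '^\s*DomainJoined\s*:\s*YES')
    $azureAdJoined = [bool]($StatusLines -match '^\s*AzureAdJoined\s*:\s*YES')
    $registered    = [bool]($StatusLines -match '^\s*WorkplaceJoined\s*:\s*YES')
    # Dual state: on-prem joined, not hybrid joined yet, but already registered.
    return ($domainJoined -and -not $azureAdJoined -and $registered)
}

function Get-WorkplaceJoinBlock {
    # $true when the policy value is present and set to 1.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyName -eq 1)
}

function Set-WorkplaceJoinBlock {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-WorkplaceJoinBlock)
}

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    DualState           = Test-DualState
    RegistrationBlocked = Get-WorkplaceJoinBlock
}
$report | Format-List

if (-not $report.RegistrationBlocked) {
    Write-Host "Setting $PolicyName=1 under $PolicyKey"
    Set-WorkplaceJoinBlock | Out-Null
}
if ($report.DualState) {
    # The policy only prevents new registrations; an existing one has to be
    # removed (Settings > Accounts > Access work or school > Disconnect) or
    # handled as the planning article describes before hybrid joining.
    Write-Warning "$env:COMPUTERNAME is domain joined and Azure AD registered (dual state)."
}
```

In a fleet this is the kind of check you would run (or push via SCCM or a startup script) before turning on the hybrid join GPO, so that a pre-existing user registration does not leave the device with two Azure AD identities once the device-centric join completes.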

@tarouchabi-7271, For your questions, here are my suggestions:
Q1. Is there a way to register win10(Azure AD Registered) that is already registered in Azure ad to intune?
A1: It seems that we want to enroll an Azure AD registered device into Intune. To do this, we can click Connect under Settings > Accounts > Access work or school to enroll into Intune.

Q2: Is it possible to check the state of GPO or SCCM Update state with Intune and quarantine it to comply with Intune?
A2: Could you confirm whether you want to know if Intune can monitor SCCM update state or GPO apply state? I would say no; they are separate. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

It only supports devices with the OS versions in the following link:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers


Thanks a lot. Now I know: already domain-joined and Azure AD registered devices can't be managed by Intune.


@tarouchabi-7271, for an Azure AD registered device, when it is enrolled into Intune, it can also be managed by Intune. But not all Intune features can be used. For example, Win32 apps are not supported:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management
