Can Intune manage(or specifically saying, apply Intune policies) on Hybrid Azure AD Joined devices. I have not enabled Co-management.
@32122405, As far as I know, most policies can apply to a Hybrid Azure AD joined device which is enrolled into Intune. Which policy do you want to configure? We can check the details of the specific setting article to see if there's any limitation with the join type.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Crystal-MSFT thanks for your response. So by enrolled in Intune you meant to say that the MDM Authority for those devices should be Intune. Am I correct ?
@32122405, Thanks for the reply. Yes, for enrollment methods like GPO and Autopilot Hybrid Azure AD, these devices will also be Hybrid Azure AD joined in AAD, and the MDM will show as "Microsoft Intune".
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
@Crystal-MSFT I wanted to test App Blocker.
For example, I want to disable/block Notepad for Azure AD Join device.
Article : https://docs.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp
If you are using ConfigMgr then you will need to enable co-management to allow management of end user devices using Intune without any limitations.
@32122405, For Windows 11, the steps are the same as Windows 10. You can choose one Windows 11 device and open the local group policy editor via gpedit.msc.
1. Create default rules.
2. Create Executable Rule to disable notepad via Publisher.
For the detailed steps, you can refer to the steps under "Creating the Applocker Policy" which is an example to block notepad.
https://docs.microsoft.com/en-us/archive/blogs/matt_hinsons_manageability_blog/blocking-apps-with-intune-and-applocker-csp#creating-the-applocker-policy
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello I tried to create the policy for Windows 11.
The difference in Windows 11 is that the default Windows apps like Paint and Notepad are present in the WindowsApps folder, unlike in Windows 10 where they were in System32. Hence, while importing the application as a publisher we are getting an error, so I used path as an alternative option.
Getting this on Intune:

Also the policy is not working for me on the device.
How do I verify whether the policy has reached the device?
@32122405, Based on my check, it seems the policy I configured in the local GPO didn't block Notepad. Could you confirm whether the AppLocker policy set in the local GPO on your device side blocks Notepad? If it is also not working, we first need to find the right XML which can block Notepad on Windows 11. Then we can consider deploying it via Intune.
@32122405, After doing more research, I found that the Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. Here is a link for reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service
For the device which is not working, please check if the service is running. Hope it can help.
@32122405, I have done more tests and found that on a Windows 11 device, I can block Notepad successfully with the following steps:
1. Create a custom profile in Intune and configure the settings as below:
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy
Data Type: String
Value:
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="4c7be880-5791-4e1a-9012-ecdf24b96a82" Name="Microsoft.WindowsNotepad, version 10.2103.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsNotepad" BinaryName="">
        <BinaryVersionRange LowSection="10.2103.0.0" HighSection=""/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="" ProductName="" BinaryName="">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection=""/>
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

2. After the policy is deployed to Windows 11, I find the policy has been deployed to the device under C:\Windows\System32\AppLocker\MDM.
3. Also, when I check the Advanced Diagnostic Report, I find the setting is applied:

4. And Notepad is also blocked when I open it.
We can see more details in the following link:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
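For the earlier question of how to verify that the policy has reached the device, here is an added local verification script (it is not part of the answer above). It assumes the Appx rule collection from the answer was deployed through the AppLocker CSP, that the CSP writes received policies under C:\Windows\System32\AppLocker\MDM, and that the Application Identity service is registered as AppIDSvc.

```powershell
# Added verification script, not part of the answer above.
# Assumptions: the CSP policy from the answer targets Microsoft.WindowsNotepad,
# the MDM folder path is C:\Windows\System32\AppLocker\MDM, and the
# Application Identity service name is AppIDSvc. Run as administrator.
$ProductName = 'Microsoft.WindowsNotepad'
$MdmPath     = Join-Path $env:SystemRoot 'System32\AppLocker\MDM'

# 1. AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'AppIDSvc was not found on this device'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); AppLocker policies will not be enforced"
} else {
    Write-Host 'AppIDSvc is running'
}

# 2. Has the MDM-delivered policy landed on disk?
if (Test-Path $MdmPath) {
    Get-ChildItem -Path $MdmPath -Recurse -File |
        Select-Object FullName, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Warning "No MDM AppLocker folder at $MdmPath; the policy has not reached the device"
}

# 3. Does the effective (merged) AppLocker policy contain the Appx Deny rule?
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$denyRules = $effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' } |
    ForEach-Object { $_.FilePublisherRule } |
    Where-Object {
        $_.Action -eq 'Deny' -and
        $_.Conditions.FilePublisherCondition.ProductName -eq $ProductName
    }
if ($denyRules) {
    foreach ($r in $denyRules) { Write-Host "Deny rule present: $($r.Name)" }
} else {
    Write-Warning "No Appx Deny rule for $ProductName in the effective policy"
}

# 4. Packaged app block events (ID 8022) confirm enforcement actually happened.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8022
} -MaxEvents 20 -ErrorAction SilentlyContinue
$events | Where-Object { $_.Message -like "*$ProductName*" } |
    Select-Object TimeCreated, Id, Message | Format-List
```

If step 3 shows the rule but step 4 shows no events, the policy is on the device but enforcement has not been exercised yet (or AppIDSvc was stopped when Notepad was launched).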
@32122405, Hope things are going well. If there's any update, feel free to let us know.