A device is Hybrid AD joined + Intune co-managed. I will use Intune only for patch management (everything else will be managed by SCCM).

Question: When the device is outside the on-premises network and not even connected over VPN, and it's just connected through the internet, will this device get the Intune policy to install Windows Update for Business? If yes, it's all good. If it won't get any policy, then does it need a CMG configured to get Intune policies over the internet to install patches?

