Explain assignment of policies or profiles

Andreas 1,301 Reputation points
2020-08-27T11:25:14.783+00:00

Hi,

I need someone to explain to me how policies/profiles are assigned, when I am supposed to assign them to users and when I am supposed to assign them to devices. I have read a lot, but I still don't quite get the hang of it, so if someone could give me a hand 😊

Example 1
I have groups in Azure AD called Intune-Devices and Intune-Users that are populated.
I create a Compliance policy with the following settings
[Image: 20809-jau1.png]

My question then is, how should this policy be assigned
Intune-Devices and Intune-Users
Or
Intune-Devices
Or
Intune-Users

The reason for asking is, say for example “Require Bitlocker” and “Require code integrity”, I guess these are Device settings. But then again, “Password expiration 180days” I guess is a User setting. So if I don’t apply this compliance policy to both users and devices, it will “fail”?

Example 2
I have groups in Azure AD called Intune-Devices and Intune-Users that are populated.
I create a Configuration profile with the following settings

[Image: 20895-jau2.jpg]

My question then is same as above, how this profile should be assigned
Intune-Devices and Intune-Users
Or
Intune-Devices
Or
Intune-Users
The reason for asking is, say for example “Turn off Autoplay”, I guess this is a Device setting. But then again, “Use OneDrive Files On-Demand” I guess is a User setting. So, if I don’t apply this configuration profile to both users and devices, it will “fail”?

Thanks for any reply.

/Regards
Andreas


Accepted answer
  1. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-08-27T21:50:29.577+00:00

    Whether the settings themselves are user or device is irrelevant. Profiles and policies are only delivered based on the assignment. Once delivered, all settings are applied regardless of assignment. IOW, there is no correlation between the setting type and the assignment type.

    In general, user targeting is the preferred method as it allows the policy to be applied in a more dynamic, real-time fashion. Thus, also in general, start with user targeting and only use device targeting when it makes more sense or obviously only applies to devices, e.g., Windows Update rings are clearly device centric and specific.

    Don't use both for a single profile/policy as this could cause conflicts on the device itself that would be difficult to troubleshoot.

    1 person found this answer helpful.
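An added example, not part of the original thread or of Microsoft's tooling: a Python check for the situation the accepted answer warns against, a single policy or profile assigned to both users and devices. It assumes policies exported from Microsoft Graph with `$expand=assignments` and member types taken from `/groups/{id}/members`; every group ID, policy name and record below is constructed.

```python
# Constructed sample data; group IDs and policy names are made up for illustration.
T = "#microsoft.graph."
USER, DEVICE = T + "user", T + "device"

# group id -> @odata.type of each member, as /groups/{id}/members would report it
GROUP_MEMBERS = {
    "g-users": [USER, USER],
    "g-devices": [DEVICE, DEVICE, DEVICE],
    "g-mixed": [USER, DEVICE],
}

POLICIES = [
    {"displayName": "Win10 compliance", "assignments": [
        {"target": {"@odata.type": T + "groupAssignmentTarget", "groupId": "g-users"}},
        {"target": {"@odata.type": T + "groupAssignmentTarget", "groupId": "g-devices"}}]},
    {"displayName": "OneDrive profile", "assignments": [
        {"target": {"@odata.type": T + "groupAssignmentTarget", "groupId": "g-users"}},
        {"target": {"@odata.type": T + "exclusionGroupAssignmentTarget", "groupId": "g-devices"}}]},
    {"displayName": "Update ring", "assignments": [
        {"target": {"@odata.type": T + "allDevicesAssignmentTarget"}}]},
    {"displayName": "Autoplay profile", "assignments": [
        {"target": {"@odata.type": T + "groupAssignmentTarget", "groupId": "g-mixed"}}]},
]

def target_kinds(target, group_members):
    """Return which of {'user', 'device'} an include target resolves to."""
    kind = target["@odata.type"].rsplit(".", 1)[-1]
    if kind == "allLicensedUsersAssignmentTarget":
        return {"user"}
    if kind == "allDevicesAssignmentTarget":
        return {"device"}
    if kind == "groupAssignmentTarget":
        members = group_members.get(target.get("groupId"), [])
        return ({"user"} if USER in members else set()) | \
               ({"device"} if DEVICE in members else set())
    return set()  # exclusion and unknown targets do not deliver the policy

def mixed_assignments(policies, group_members):
    """Names of policies whose include targets cover both users and devices."""
    flagged = []
    for policy in policies:
        kinds = set()
        for assignment in policy.get("assignments", []):
            kinds |= target_kinds(assignment["target"], group_members)
        if kinds == {"user", "device"}:
            flagged.append(policy["displayName"])
    return flagged

if __name__ == "__main__":
    for name in mixed_assignments(POLICIES, GROUP_MEMBERS):
        print("assigned to both users and devices:", name)
```

A group that contains both users and devices is flagged as well, since a policy assigned to it is delivered through both paths.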

4 additional answers

  1. Crystal-MSFT 45,571 Reputation points Microsoft Vendor
    2020-08-28T02:14:07.827+00:00

    Hi Andreas,

    For device compliance policies, we can deploy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance. Using device groups in this scenario helps with compliance reporting.
    https://video2.skills-academy.com/en-us/mem/intune/protect/device-compliance-get-started#device-compliance-policies

    For configuration policies, if you want to apply settings on a device, regardless of who's signed in, then assign your profiles to a device group. Settings applied to device groups always go with the device, not the user. And use user groups when you want your settings and rules to always go with the user, whatever device they use.
    https://video2.skills-academy.com/en-us/mem/intune/configuration/device-profile-assign#user-groups-vs-device-groups

    Whether to assign a compliance policy or configuration profile to a user group or a device group depends on your requirement.

    But there are some specific policies that we need to assign only to a user group or only to a device group. One I remember is the app protection policy, which we need to assign to a user group. Here is an article for reference:
    https://video2.skills-academy.com/en-us/mem/intune/apps/app-protection-policy#end-user-requirements-to-use-app-protection-policies

    Hope it can help.

    1 person found this answer helpful.

  2. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-08-27T20:41:29.927+00:00

  3. Andreas 1,301 Reputation points
    2020-08-27T21:39:54.803+00:00

    Hi,

    Thanks for the reply, Jason. I have read that link already, but I am still not quite sure about this.
    For example, they say "Many users ask when to use user groups and when to use device groups. The answer depends on your goal"... so it's a blur.

    Is there a page where it defines if it's a policy for a user or if it's for a device?

    Sorry, but I am struggling on this one to get the right picture of this.
    As of now I am assigning the policies and profiles to both users and machines to be sure.... since many of my profiles, I believe, have both device and user settings within them.

    Regards
    Andreas


  4. Andreas 1,301 Reputation points
    2020-08-27T22:00:55.25+00:00

    Hi,

    OK, thanks for that. I will focus on assigning profiles to users instead of devices. And like you say, only use device in special cases where it's obviously a device policy.

    I thought, for example, "require code integrity" would be a device policy? But I guess I can use users…
    and also "Windows Encryption - Encrypt device" and "Warning for other disk encryption - Block" ….. hehe…

    Comments?

    /Regards
    Andreas
