Forum Discussion

Ryan_Fischer
Brass Contributor
Nov 21, 2021
Solved

Configuration Profiles not applying to users.

Hello,

I need help understanding Intune and how it works when applying configuration profiles to users and devices. I am trying to deploy an Always On VPN for our VPN users. I created a custom configuration profile for the VPN settings and applied it to the group VPN_Users. I have everything working, but the configuration profile will only apply to the device if the user who enrolled in MDM is logged in. For example, if User A logs in to a Windows 10 21H2 computer and enrolls it into MDM, only that user will get the configuration profile and VPN; if User B logs in to the same device after User A enrolled it into MDM, User B will not get the configuration profile, even though both users are in the VPN_Users group. What am I missing here? Does every user have to enroll into MDM?

  • Do I need to change the Scope tag to anything or do I leave that default?

11 Replies

    giladkeidar
    Brass Contributor

    Ryan_Fischer 

    From Intune's point of view, it doesn't matter whether you assign a policy to a user group or a device group (by Intune I'm referring to CSPs, not PowerShell script assignment).

    The thing is that some CSPs are designed to run in user scope and some in device scope (but you can still assign either of them to a user or a device group; it doesn't matter).

    So there are 2 things to consider:

    1. Group assignment (devices or users): this determines who triggers the policy to be applied. If it is a device assignment, the policy will be applied before user sign-in; if it is a user assignment, the policy will be applied only after user sign-in.
    2. Scope level: this determines at which level the policy is configured (and when it will be triggered, the same as with assignment). Device scope means the policy is configured at device level and no user needs to sign in; user scope means the policy is configured in the user context and a user must sign in before the policy can be applied and configured.

    Example 1: you configured a user scope CSP and assigned it to a device group. The policy is applied to any signed-in user (due to device assignment), but only after they sign in (due to user scope).

    Example 2: you configured a device scope CSP and assigned it to a user group. The policy is applied at device level and most likely affects all users (due to device scope), but only after the first sign-in of one of the user group's members (due to user assignment).

    In your case I suspect that your CSP runs on the wrong scope level. Can you share the exact CSP you are using (custom policy)? By the way, for VPN you can use the built-in VPN profile; you don't have to use a custom one (at least in most cases 😊).

    For general info on CSP scope level, check this link: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

      Ryan_Fischer
      Brass Contributor

      giladkeidar

      I have to use a custom policy because the VPN template doesn't have the option to set the IKEv2 security settings, which I need to set as shown in the example below.


      <CryptographySuite>
        <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
        <CipherTransformConstants>AES128</CipherTransformConstants>
        <EncryptionMethod>AES128</EncryptionMethod>
        <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
        <DHGroup>Group14</DHGroup>
        <PfsGroup>PFS2048</PfsGroup>
      </CryptographySuite>

      Here is a screenshot of the profile settings. (./User/Vendor/MSFT/VPNv2)

        giladkeidar
        Brass Contributor
        Try changing it to /Device/ and assigning it to a device group.
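An added check, not part of the thread, for confirming on an enrolled Windows 10 client which scope the Always On VPN profile actually landed in and whether the IKEv2 crypto suite from the ProfileXML above was applied. A profile deployed through ./Device/Vendor/MSFT/VPNv2/ProfileName/ProfileXML is created as an all-user connection, while one deployed through ./User/... exists only in the enrolling user's profile, which is the symptom described in the original post. The profile name "Corp AOVPN" is an assumption; use the ProfileName segment from your own OMA-URI.

```powershell
# Added example: verify scope and IKEv2 crypto suite of an Always On VPN profile
# on an enrolled client. Run it as the user who is missing the VPN (User B in
# the thread) so the user-scope lookup reflects that user's profile.

$ProfileName = 'Corp AOVPN'   # assumption: must match the ProfileName segment of the OMA-URI

# The suite requested in the custom ProfileXML posted in the thread.
$Expected = @{
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES128'
    EncryptionMethod                 = 'AES128'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    PfsGroup                         = 'PFS2048'
}

# ./Device/ scope -> all-user phonebook (visible with -AllUserConnection).
# ./User/ scope   -> per-user phonebook of whoever enrolled (visible without it).
$deviceScope = Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue
$userScope   = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue

if ($deviceScope) {
    $conn = $deviceScope
    Write-Host "Found '$ProfileName' as an all-user (device scope) connection; every user on this device gets it."
}
elseif ($userScope) {
    $conn = $userScope
    Write-Warning "Found '$ProfileName' only in the current user's profile (user scope). Other users will not see it; the OMA-URI should start with ./Device/ and the profile should be assigned to a device group."
}
else {
    Write-Error "No VPN connection named '$ProfileName' in either scope. Check the assignment and force an MDM sync (Settings > Accounts > Access work or school > Info > Sync)."
    return
}

if ($conn.TunnelType -ne 'Ikev2') {
    Write-Warning "Tunnel type is '$($conn.TunnelType)', expected Ikev2; the CryptographySuite only applies to IKEv2."
}

# Compare the custom IPsec policy that was actually applied with the intended suite.
# Without a custom policy Windows negotiates its defaults, which allow weaker options.
$applied = $conn.IPsecCustomPolicy
if (-not $applied) {
    Write-Warning "No custom IPsec policy is applied; the client will negotiate the Windows default proposals."
}
else {
    $mismatch = $false
    foreach ($setting in $Expected.Keys) {
        $have = "$($applied.$setting)"
        if ($have -ne $Expected[$setting]) {
            $mismatch = $true
            Write-Warning "$setting is '$have', expected '$($Expected[$setting])'."
        }
    }
    if (-not $mismatch) {
        Write-Host "IPsec custom policy matches the requested CryptographySuite."
    }
}
```

If the connection shows up only under the user-scope lookup while the custom profile was pushed to a ./User/ OMA-URI, the fix is the one in the last reply: move the OMA-URI to ./Device/ and assign the profile to a device group, then re-run the script as a second user to confirm it now appears with -AllUserConnection.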