Event details
Security and compliance aren’t standing still—and neither is Intune. With new features, enforcement changes, SDK requirements, and evolving security expectations arriving at a rapid pace, IT teams ar...
Heather_Poulsen
Updated Jun 19, 2026
dfuell
Jun 23, 2026 | Copper Contributor
For shared-use Windows devices (kiosks, conference rooms, manufacturing workstations), is device-based or user-based compliance the recommendation?
- Andre Della Monica, Jun 23, 2026
Microsoft
Another great question, dfuell
Great question, and the short answer is: device-based compliance is the recommendation for shared-use Windows devices. A couple of points:
- There’s no persistent user affinity: Kiosks, conference rooms, and manufacturing workstations don't have a dedicated owner. User-based compliance ties the compliance state to a specific user context, and when that user doesn't log back in, the compliance context becomes stale, leading to devices being flagged as non-compliant and affecting Conditional Access and reporting.
- Device-level settings are what matter on shared devices; for instance, you're checking things like BitLocker encryption, Secure Boot, OS version, firewall status, and antivirus, all of which are device properties, not user properties. These persist regardless of who signs in. Not to mention Windows updates.
- Don't mix user and device targeting for the same policy; we'd recommend you pick one. For shared devices, always go with a device group.
- Say you assign a compliance policy to your user group but exclude your Shared-Kiosks (device group). You'd expect kiosks to be excluded, but Intune evaluates group membership asynchronously. The user group inclusion processes first, and by the time the device group exclusion catches up, the policy has already applied. The kiosk gets the policy anyway, potentially marking it non-compliant and blocking access via Conditional Access.
- Instead, you can assign to your user group but add an Intune assignment filter in Exclude mode (e.g., (device.model -contains "Kiosk")). Intune Filters evaluate in real time at check-in.
- Or better yet, create a separate compliance policy assigned directly to your shared devices' device group with rules tailored to those devices.
- Bottom line: user group + device group exclusion = race condition. Use Intune Filters or separate policies instead.
My Intune friends can add some colors into this.
Hope this helps.
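The filter-based approach from the answer above, as an added example that is not part of the original thread: it creates an assignment filter with the rule quoted in the answer and assigns an existing compliance policy to a user group with that filter in Exclude mode. It assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), the beta Graph endpoints and property names shown, and placeholder group and policy ids that you replace with values from your own tenant.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph SDK and the
# beta Graph endpoints/property names below; check them against current Graph docs.
# $UserGroupId and $CompliancePolicyId are placeholders for ids from your own tenant.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$UserGroupId        = "<user-group-object-id>"   # placeholder
$CompliancePolicyId = "<compliance-policy-id>"   # placeholder

# 1. Create the assignment filter using the rule from the answer above.
#    Filters are evaluated at device check-in, so there is no group-sync race to lose.
$filterBody = @{
    displayName = "Shared kiosk devices"
    description = "Devices whose model contains Kiosk; attached to assignments in Exclude mode"
    platform    = "windows10AndLater"
    rule        = '(device.model -contains "Kiosk")'
}
$filter = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" `
    -Body $filterBody

# 2. Assign the compliance policy to the user group, excluding kiosks via the filter
#    (instead of a device-group exclusion, which is subject to the race described above).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type"                              = "#microsoft.graph.groupAssignmentTarget"
                groupId                                    = $UserGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = "exclude"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign" `
    -Body $assignBody

# 3. Verify: list the policy's assignments and confirm the filter id and "exclude" mode are attached.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assignments" |
    Select-Object -ExpandProperty value |
    ForEach-Object { $_.target }
```

After the next check-in, the Devices report for the policy should show kiosk-model devices as not applicable rather than non-compliant.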