Event details
You say, don't use "All Devices" or "All Users" - what are the issues with exclusions if we do use them? More importantly, what do you suggest instead if we wish to target all the devices, do you recommend a Dynamic Device Group that includes all Windows Devices excluding personal devices?
- NickCowley, May 19, 2026, Copper Contributor
This is one recommendation I do not agree with. I use All Devices and All Users with filters for clients with 100k+ devices without any issues as it acts as a "catch all" ensuring nothing is missed.
Also dynamic groups are not as fast to update compared to the All Devices and All Users groups with filters.
- danjb, May 19, 2026, Brass Contributor
Thanks, I can see the case for both. As you say we use "All Devices" as it ensures nothing gets missed.
But if you have a few dozen Intune policies in place, and you want to create exceptions for all policies for a particular set of devices, does that not mean adding filters/exclusions to multiple policies?
Or is this the perfect time to dig into Policy Sets?
- NickCowley, May 19, 2026, Copper Contributor
Possibly, it depends on the client.
I have clients with hundreds of policies split by region, countries and even granular. For this we use All Devices/Users with filters, e.g. exclusion of Cloud PCs, AVD, etc. But also use exclusion groups as well, where needed.
For other clients who are less complicated we may not need exclusion groups.
Usually I create the configuration with a base security setting (CIS, NIST, etc.) based on the client's specific security/regulatory requirements and target to All, exclusion groups are used if some settings are needed to be excluded from specific users devices.
- cti564, May 19, 2026, Copper Contributor
I agree with you NickCowley... we target all devices across all of our customers for most things and never ran into an issue.