Originally Intune stand-alone, then EMS, now M365 E5
Azure AD only, no federation, no sync
Windows 10 computers were originally Intune/Azure AD joined using a "Device Enrollment Manager"
End users are NOT local admins of the computers
Intune problem/behavior: On portal.azure.com, navigate to "Microsoft Intune" -> Groups
Create a test group
Group Type = Security
Group Name = x-testDeviceGroup
Membership type = Assigned
Members -> Place a test Windows 10 1709 non-VM device that is already MDM enrolled
Now navigate to "Microsoft Intune" -> "Device Configuration" -> Profiles and create a new profile
Platform: "Windows 10 and later"
Profile Type: "Device Restriction"
Configure -> General -> "Automatic Redeployment": set to [Allow]
Now assign it to the just-created test group that only has the single test computer
Wait 1-2 hours
Have an M365 E5 licensed user log onto the computer that is assigned to the test device group
Wait 24 hours
Now go back and look at how the policy is applied...
Navigate to "Microsoft Intune" -> "Device configuration" -> "Profiles"
Select the just-created "x-TestDeviceAssignment" profile
Drill into "Device Status"
BUG result -- Although only assigned to the device, the setting is also applied per user:
1 entry for the device, which shows as "Device = hardware name, User Name = blank, Deployment Status = XXXXXX"
1 entry for each user that logged on in the last 12/24 hour period, showing "Device = hardware name, User Name = email@address, Deployment Status = Pending/Conflict/Error"
Possible bug-like issue:
Depending on which device restriction setting was set, you will get erroneous "Conflict" and "Error" results in the portal on some of the settings, which seems to be because the setting was applied to both.
Most of the time this clears up after 48-72 hours, BUT NOT ALWAYS.
We can create dynamic device groups or dynamic user groups, but not assigned ones - is that the root cause, that "Assigned = both"?
The Evaluate button in the Policy Assignment section ONLY evaluates users (if group type = static). What this button SHOULD also do is flag as a problem when we are setting a value that should NOT be assigned to users or should NOT be assigned to devices
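Added example (not part of the post above, and not Microsoft code): a small script that takes the rows from a profile's "Device Status" view and separates the device-scope row (blank user name) from the per-user rows, then flags any per-user row still in Pending/Conflict/Error and whether it is older than the 48-72 hour window after which the symptom usually clears. The field names (deviceDisplayName, userPrincipalName, status, lastReportedDateTime) are assumed to follow the shape of the Microsoft Graph deviceConfigurations/{id}/deviceStatuses entries; the sample rows and the status strings are constructed to mirror what the portal showed, not real tenant data.

```python
"""Split Intune 'Device Status' rows for a device-only assignment into the
device-scope row and the unexpected per-user rows, and flag problem states.

Constructed example. Field names assume the Graph deviceStatuses shape;
status values are the portal's wording (Succeeded/Pending/Conflict/Error).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one device-scope row (user blank) plus one row per
# user who logged on, exactly the pattern described in the post.
SAMPLE_STATUSES = [
    {"deviceDisplayName": "DESKTOP-TEST01", "userPrincipalName": "",
     "status": "Succeeded", "lastReportedDateTime": "2018-03-01T08:00:00Z"},
    {"deviceDisplayName": "DESKTOP-TEST01", "userPrincipalName": "alice@example.com",
     "status": "Conflict", "lastReportedDateTime": "2018-03-01T09:30:00Z"},
    {"deviceDisplayName": "DESKTOP-TEST01", "userPrincipalName": "bob@example.com",
     "status": "Pending", "lastReportedDateTime": "2018-02-26T09:30:00Z"},
]

# States that should not persist once a device-only assignment has settled.
PROBLEM_STATES = {"conflict", "error", "pending"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the status rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def group_by_device(statuses):
    """Return {device: {"device": row_or_None, "users": [rows]}}.

    A blank userPrincipalName marks the device-scope row; everything else is
    a user-scope row, which a device-only assignment should not produce.
    """
    per_device = defaultdict(lambda: {"device": None, "users": []})
    for row in statuses:
        name = row["deviceDisplayName"]
        if row.get("userPrincipalName"):
            per_device[name]["users"].append(row)
        else:
            per_device[name]["device"] = row
    return dict(per_device)


def find_scope_anomalies(statuses, now_iso, stale_hours=72):
    """List user-scope rows in a problem state for a device-only assignment.

    'stale' is True when the row's lastReportedDateTime is older than
    stale_hours relative to now_iso, i.e. it did not clear in the window
    after which the symptom normally resolves.
    """
    now = parse_ts(now_iso)
    stale_after = timedelta(hours=stale_hours)
    findings = []
    for device, rows in group_by_device(statuses).items():
        for row in rows["users"]:
            if row["status"].lower() in PROBLEM_STATES:
                age = now - parse_ts(row["lastReportedDateTime"])
                findings.append({
                    "device": device,
                    "user": row["userPrincipalName"],
                    "status": row["status"],
                    "stale": age > stale_after,
                })
    return findings


if __name__ == "__main__":
    for f in find_scope_anomalies(SAMPLE_STATUSES, "2018-03-02T00:00:00Z"):
        print(f)
```

Feed it the rows exported from the profile's Device Status blade (or fetched from the deviceStatuses endpoint) and a current timestamp; any row it reports with stale=True is one of the "NOT ALWAYS" cases that did not clear on its own.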