BUG: Win10 MDM Device Restriction Policy, when Assigned Static "Device only" Group applies 2 users

Iron Contributor

Tenant Situation:

  • Intune Silverlight tenant migrated.
  • Originally Intune stand-alone, then EMS, now M365-e5
  • Azure AD only, no federation, no sync
  • Windows 10 Computers were originally Intune/AzureAD joined using a "Device Enrollment Manager"
  • End users are NOT local admin of computers

Intune Problem/Behavior:On Portal.Azure.com  navigate to "Microsoft Intune"->Groups

Create a test group

  • Group Type = Security
    • Group Name = x-testDeviceGroup
    • Membership type = Assigned
    • Members ->
      Place a test Windows 10 1709 non-VM device that is already MDM enrolled
    • save group

Now navigate to "Microsoft Intune"->"Device Configuration"->Profiles
Create a new profile

  • Name:           x-TestDeviceAssignment
  • Platform:       "Windows 10 and later"
  • Profile Type:  "Device Restriction"
  • Configure ->General -> "Automatic Redeployment" Set to [Allow]

Now Assign it to the just created test group that only has the single test computer


  1. Wait 1-2 hours
  2. Have a M365-E5 licensed user log onto the computer that is assigned to the test device group
  3. Wait 24 hours
  4. Now go back and look at how the policy is applied...
  5. Navigate to "Microsoft Intune"->"Device configuration" ->"Profiles"
  • Select the just created "x-TestDeviceAssignment" profile
  • Drill into "Device Status"


BUG Result -- Although only assigned to the device, the setting is also applied per user:

  • 1 entry for the device, which shows as "device = hardware name, use name = blank, Deployment status = XXXXXX"
  • 1 entry for each user that logged on in the last 12/24 hour period "showing:
    "Device = hardware name      User Name = email@address      Deployment Status = Pending/Conflict/Error"


Possible "bug" like issue-

  • Depending on what device restriction setting was "set" you will get erroneous "Conflict" and "Error" results in the portal on some of the settings, which seem to  because the setting was applied BOTH.
  • Most of the time this clears up after 48-72 hours, BUT NOT ALWAYS.


Suggested Resolution:

  • We can create dynamic device groups or dynamic user groups, but not assigned - is that the root cause that "Assigned = both"?
  • The Evaluate button in the Policy Assignment section ONLY evaluates users (if group type = static).
    What this button SHOULD also do is flag as a problem if we are setting a value that should be NOT be assigned to users or should NOT be assigned to devices
0 Replies