@Ryan_Fischer
From Intune point of view, it doesn't matter if you assign a policy to user or device (by Intune I’m referring to CSP – Not PowerShell scripts assignment).
The thing is the that some CSP’s are design to run on user scope and some on device scope (but still you can assign either of them to user OR device group – it doesn’t matter).
So there are 2 things to consider:
- Group assignment (devices or users) – this determine who will be the trigger for the policy to be applied, if it is device assignment then the policy will be applied before user sign-in, if it is user assignment then the policy will be applied only after user sign-in
- Scope level – this determine at which level the policy is configured (and when will be triggered - as same as with assignment)– device scope means the policy is configured on device level and no user must sign-in, user scope means the policy is configured in the user context and user must sign-in before the policy can be applied and configured.
Example 1 – You configured a user scope CSP and assigned it to device group - the policy applied to any signed in user (dure to device assignment) only after they sign-in (due to user scope).
Example 2 – You configured a device scope CSP and assigned it to user group – the policy applied on device level and most likely affect all users (due to device scope) only after the first sign-in of one of users group members (due to user assignment).
In your case I suspect that your SCP run on the wrong scope level – can you share the exact CSP you are using (custom policy) – btw: for VPN you can use buit in VPN profile, you don’t have to use custm (at least in most case :smiling_face_with_smiling_eyes:)
For general info on CSP scope level check this link – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider
