User or device assignment

Regular Contributor

Hi folks,


i would like to discuss your experiences with user or device profile assignment.

What specific policies are you targeting to devices? What policies are you targeting to devices?

Of course I've read through the corresponding docs.

After my experiences in the last months i prefer assigning the profiles to devices.


- I'm able to exclude devices. (e.g. IT-Staff has one corporate device and one for testing purposes)

- The workflow when using white glove seems much more logic. (The very most config is applied while white glove process.)


So i would like to hear your experiences. What are advantages / disadvantages?

Thank you in advance. :)

What Assignments do you use for App configuration policies?



6 Replies
I use devices all day long for all policies in Windows 10, because it works and applies faster than targeting the users so you’re not alone.
It really depends on your environment and your use cases in my opinion.

For Windows 10 apps, I mostly assign them to users (if the client doesn't have any kiosks). This is because a lot of apps are user/department specific.

For configs I assign to dynamic device groups. But if there are some settings that need to be different for some users (for example, the finance department needs tighter security settings), assigning to users might be easier.

I always advise to assess your environment and check what makes the most sense for you.



so there is not definite answer to this, but there are some situations where it really makes sense to use device based assignments instead of user based assignments. In general user based assignments are faster applied as they can be evaluated instantly from the system. The user is always there and can have the relationship with policies/apps. Devices pop up dynamically and device groups need first to be evaluated and then after identifying a membership the Intune service backend is able to push out the configs or apps. This is normally not a problem as we often do wait long enough to allow this to happen. Example: ESP waits for device context app installs and so on. So, enough time to evaluate and send down policies, apps etc.


So, especially for configs when dealing with exceptions like shared devices it is helpful to use device assignments as you are able then to exclude the "special" cases like shared device from regular baseline policies. e.g. you like to have different device lock timeout for them. 

If you go for device assignments you should be aware of some behavior, like sudden logouts or restarts, my buddy Jörgen Nilsson has documented this very well here: Autopilot, ESP and extra login/reboots (


Apps is a different story, here we are dealing with company portal and available or required assignments. Here I do prefer user assignments if possible, but that's not a golden rule. Also for required deployments it can make sense to use device assignments. I've written a blog post about it here: Intune application targeting for Windows 10 Win32 apps explained (






@Thank you guys for your ideas regarding this topic.

I already thought there is not the one and only answer. :)


Any others feel free to answer later and discuss this with us.

1. What about org-wide app and config policies (such as tamper protection for config and company Portal for app).
Do you see any pro / cons when assigning to “all users” , “all devices“ or “all user and all devices”?
2. What about org-wide windows 10 compliance policy, in the GUI they only have the “all users” option (no “all devices), but I know I can assign compliance policy to devices group as well, any suggestions on that one (I’m referring to user driven only, no kiosk or self-deployed devices)?


These are exactly the questions i'm facing, too.