Users Group vs Devices Group use cases



It is a bit basic, but I've always been a bit confused about when it is best to use a users group or a devices group when dealing with Intune.


I use Intune in our company for:

  • Apps deployment
  • Security policy 
  • Configuration profiles
  • Endpoint Security
  • Windows Updates


I always use "users" when assigning policies/profiles... but I'm not sure whether it would be better to use DEVICES?


Each user has their own device... Rarely, a user needs to use a colleague's laptop, so he uses his own credentials for that laptop as well... I am wondering - when I point all the above to users, let's say Apps - will it push MSI apps, Microsoft Store apps, etc. to his profile even if there are already apps installed under the colleague's profile?


Also, let's say that I push BitLocker enablement via Intune - will it have any impact if a user logs in to a colleague's laptop with BitLocker already enabled?

2 Replies

@sumo83 Simply, it depends on your use case scenario. For example, if your users have multiple devices and you want to apply your settings to those users regardless of which devices they are using, you apply your policy to a group of users. If each user has only a single device, then you apply policies to a group of devices.


If you apply BitLocker to device groups, devices will be encrypted regardless of which user is using the device.

As a rule I use Device Groups for any device-related policies and broad sweeping applications like Office installations which I want on every PC. User Groups I use for all of the 'one off' policies. I do quite a few 'exceptions' as well when doing these deployments, which gets a little more complex. Using the Dynamic Device groups you can hit 90+% of what you need. Then tighten the last 10% with User Groups and Exceptions to the broad sweeping Device groups.