Windows 10 Policies: Apply to user or device?

Iron Contributor

We are slowly working from moving from the PC Agent to MDM. There are still a few issues with MDM for Windows 10 and shared computers, but nevertheless, MDM is going to be where the future is headed.


I know there really isn't a hard and fast rule on whether you should apply a policy to a device or a user, but am wondering how other people out in the field are applying their policies. Has anyone come up with a best practices on which policies should be applied per user/per device? I know that every company has different requirements, but just curious if there is a little better guidance on this.

5 Replies
One of the factors that should be considered how you apply policies is whether or not this will be a shared PC.

@Steve BucciShared devices are my single biggest concern, but also trying to get non shared devices enrolled in MDM also.


We have about 300 Win 10 devices that are shared and hybrid joined. Deciding how we are going to manage those devices with Intune has been an ongoing discussion for the last few years. DEM? Bulk? Unfortunately there isn't an easy answer for that question. Each deployment method has different capabilities when it comes to Intune management, especially when talking about non-admin users and application deployment, configuration and other types of profiles needing to be targeted to those users.


That's why we've stuck with the PC agent for this long, it's simple, doesn't require a ton of management and while doesn't do everything we want, it gives us some fairly important functionality.

@Lynn Towle there is definitely a plethora of variables and methods for enrolling.  There is a matrix on this 3rd-party blog article that illustrates the options and capabilities (updated towards the end for Intune and enrollment) 

This is a scenario where I recommend talking to a Microsoft Partner or Microsoft Consulting Services to go over your companies current scenario and goals so you can go forward with the appropriate solution.

@Steve Bucci I'm about to talk your ear off, but I'm not expecting a reply. I'm just passionate about this, and knowing how different companies environments are setup would seem useful :)


We are a smaller mid-sized business, in the real estate sector, and have about 600 devices that we manage. Almost half of those devices are shared Win 10 desktops. We have a hybrid environment and will have one until certain things are changed on the Azure Active Directory Services side.


We've spoken to a few partners, but unfortunately, there isn't a "single" deployment method that would work in our environment. We will most likely use DEM, but we are still working out all the particulars on that model, but DEM will get us to about 85% of where we need to be.


85% of the users in our environment are what many businesses would call "first line" workers, but their jobs are a bit more complex than that, technologically speaking. Our leasing offices are an open floor plan, and users bounce from one desktop to another depending on the day, who is working, and other various factors.


DEM deployment for those users is a no brainer, they will never need to be an admin on the desktop and their application, configuration, and permission sets are standardized throughout the company. The other 15% of users is where we run into our headaches.


Those users are what would have historically been called our "Power Users", and they require slightly different application, configuration, and permission sets than the standard users. These users try to use the same computer every day, but in cases such as a break/fix situation, or office to office movements for coverage, they may sign into a totally different computer in order to work. SCCM handles that situation fairly well; Intune, especially in a DEM deployment, does not.


The computers the "Power Users" log into are also available for the "Standard Users" to log into, again, break/fix, or movement for coverage, are the biggest contributing factors to this.


I've considered setting up an SCCM server, but for our environment, SCCM is fairly complex and requires a significant portion of resources to manage and maintain properly. We are also trying very hard to decommission our on-prem environment, but can't at this moment for various reasons. I've admin'd SCCM environments before, it is an awesome tool, but a bit too much for our current environment, and am trying not to install another on-prem service to manage our fleet.


So, Yay! Complexity!


We'll get there, it's just taking some extra time to fully realize our dreams of being able to be fully managed by Intune. :)

@Lynn Towle be aware of the move away from Hybrid


Yes, yay for complexity!

It sounds like you are aware of limitations of DEM, but linking just in case. In general, for the DEM situation, apply the device restriction profiles to the device.  For Apps, assign those to the users. I would assign apps as required that you know certain groups needs. For additional UWP (store) apps, you can have a Private Store in the Store app, that also syncs with Intune


The Power Users, sounds like you can just do the straight shot of enrolling them directly either with auto-enrollment set up in Azure AD for OOBE or going into settings and Add Work or School Account.


SCCM if you don't already have it in your environment, you're just adding another level of administrative complexity over Intune Standalone.


Please don't take my responses as a "do it this way" advice.  I'm break-fix support, not the setup and architecture that a Partner or MCS would provide. And as you have seen, there is more than one way to do it.