Question about the scope of Intune configuration profiles

有角 太志 0 Reputation points
2023-03-06T08:23:26.1233333+00:00

I have a question about the scope of Intune configuration profiles. The target devices are Windows PCs (Win10), and there are two types of users: AAD users (already joined to AAD) and local administrators (Administrator). Could you please advise me on how to apply the configuration profile only to AAD users? I assigned the configuration profile to only AAD users, but it was also applied to local administrators.


1 answer

  1. Crystal-MSFT 46,271 Reputation points Microsoft Vendor
    2023-03-06T09:07:42.8366667+00:00

    @有角 太志, Thanks for posting in Q&A.

    In general, we assign a policy to device groups when you don't care who is signed in on the device, or whether anyone signs in at all: you want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.

    From your description, I understand the policy is assigned to a user group, but the policy still applies to the local user. I think this is because the policy setting is applied in the device scope. In general, Intune policy settings for Windows devices are based on configuration service providers (CSPs). These settings map to registry keys or files on the devices.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#windows-csps-and-their-behavior

    Windows CSP settings can apply to the user scope or the device scope. If a device-scoped policy is assigned to a user, then once that user signs in and an Intune sync occurs, the device-scope settings apply to all users on the device. In your situation, it seems the policy setting is a device-scoped policy, so it applies to all users on the device by default. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/configuration/settings-catalog#device-scope-vs-user-scope-settings

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
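To verify on the PC itself which scope a setting actually landed in, the MDM client records every CSP policy it applies under the PolicyManager registry hive, with one `device` subkey and one subkey per user SID. The following PowerShell script is an added example, not part of the original answer or of Microsoft's documentation: it lists the device-scope policies (which apply to every account, including the local Administrator) next to the per-user policies, so a setting that shows up under `device` even though the profile was assigned to an AAD user group is the device-scoped case the answer describes. It assumes the `HKLM\SOFTWARE\Microsoft\PolicyManager\current` layout and the `_ProviderSet`/`_WinningProvider`/`_LastWrite` metadata value names; run it in an elevated PowerShell session on the enrolled Windows 10 device.

```powershell
# Added example: enumerate MDM (CSP) policies by scope on an Intune-enrolled Windows 10 PC.
# Assumption: the MDM client writes applied policies to
#   HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>   (device scope)
#   HKLM\SOFTWARE\Microsoft\PolicyManager\current\<SID>\<Area>    (user scope)
# Run elevated. Not Microsoft's code; intended to illustrate the device-vs-user scope distinction.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'

function Get-MdmScopedPolicies {
    param(
        [Parameter(Mandatory)][string]$ScopeKey   # 'device' or a user SID
    )
    $scopePath = Join-Path $PolicyRoot $ScopeKey
    if (-not (Test-Path $scopePath)) { return @() }

    Get-ChildItem -Path $scopePath | ForEach-Object {
        $area  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $props.PSObject.Properties |
            # Drop PowerShell's own note properties and the per-setting metadata values
            # (assumed names: <Setting>_ProviderSet, <Setting>_WinningProvider, <Setting>_LastWrite).
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope   = $ScopeKey
                    Area    = $area
                    Setting = $_.Name
                    Value   = $_.Value
                }
            }
    }
}

function Resolve-AccountName {
    param([string]$Sid)
    # Local accounts are S-1-5-21-..., AAD accounts are S-1-12-1-...; translation can fail
    # for cloud accounts that have never signed in on this machine, so fall back to the SID.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# 1. Device scope: anything listed here applies to every account on the PC,
#    including the local Administrator, regardless of which group the profile was assigned to.
Write-Host '=== Device-scope policies (apply to ALL users) ===' -ForegroundColor Cyan
Get-MdmScopedPolicies -ScopeKey 'device' | Format-Table Area, Setting, Value -AutoSize

# 2. User scope: one subkey per signed-in user SID; these only follow that user.
Write-Host '=== User-scope policies (per signed-in user) ===' -ForegroundColor Cyan
Get-ChildItem -Path $PolicyRoot |
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-' } |
    ForEach-Object {
        $sid     = $_.PSChildName
        $account = Resolve-AccountName -Sid $sid
        Get-MdmScopedPolicies -ScopeKey $sid |
            Select-Object @{ n = 'Account'; e = { $account } }, Area, Setting, Value
    } | Format-Table -AutoSize

# 3. Optional: check one specific setting, e.g. a Settings Catalog / CSP policy name
#    you expected to be user-only. If it prints under Scope 'device', that is why
#    the local Administrator also received it.
$SettingToCheck = 'AllowCortana'   # assumed example name; replace with the setting you assigned
Write-Host "=== Where did '$SettingToCheck' land? ===" -ForegroundColor Cyan
@('device') + (Get-ChildItem -Path $PolicyRoot | Where-Object { $_.PSChildName -match '^S-1-' } | ForEach-Object PSChildName) |
    ForEach-Object { Get-MdmScopedPolicies -ScopeKey $_ } |
    Where-Object { $_.Setting -eq $SettingToCheck } |
    Format-Table Scope, Area, Setting, Value -AutoSize
```

If the setting you assigned to the AAD user group appears under `device`, the CSP behind it is device-scoped and will keep applying to every local account on that PC; the fix is to pick the user-scoped variant of the setting where one exists (the Settings Catalog shows the scope per setting), or to accept that it is a device-level control and scope the assignment by device group instead.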