Group Assignment to Bitlocker Compliance Policy

Anonymous
2022-07-19T08:11:48.707+00:00

New to the Azure environment, however I have set up a compliance policy for BitLocker compliance on all Win10 Pro machines. Simple question: do I set up a dynamic Device Group or assign the policy to ALL users, or does it make a difference?

I’ve set up All Users minus my Admin PC which is a personal device, but it is throwing compliance failure on that particular device.

Microsoft Intune

Accepted answer
  1. Lu Dai-MSFT 28,236 Reputation points
    2022-07-20T02:44:20.45+00:00

    @Anonymous Thanks for posting in our Q&A.

    When you assign a policy to a dynamic device group, it means that the devices matching the rule in the dynamic device group will apply this policy. It is focused on devices. If there is no user signed in to the device, the target device still applies this policy.

    When you assign a policy to all users, it means that all users in this tenant will apply this policy. It is focused on users. If there is no user signed in to the device, this policy isn't applied.

    From your description, did you mean that you assigned a compliance policy to all users and added your Admin PC in Excluded groups? If yes, it is not supported. Please don't mix user groups and device groups in an assignment.
    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#support-matrix

    If you want to deploy this policy to all users, but don't want to deploy it to your Admin PC, it is suggested to create a filter for your Admin PC and use this filter under this policy's assignment.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    Hope it will clarify something.


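The filter approach suggested in the answer above, scripted against Microsoft Graph as an added example (not part of the original thread and not Microsoft's own sample). It assumes the Microsoft.Graph.Authentication module, the beta Graph endpoint, a hypothetical device name `ADMIN-PC` and a placeholder policy id.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create an assignment filter that matches one device, then
# assign a compliance policy to All users with that filter in Exclude mode.
# 'ADMIN-PC' and the policy id are placeholders, not values from the thread.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policyId = '<compliance-policy-id>'   # placeholder: id of the BitLocker compliance policy
$base     = 'https://graph.microsoft.com/beta/deviceManagement'

# 1. Filter that matches only the admin machine. Filters are evaluated per
#    device at check-in, so they can sit on top of a user-targeted assignment.
$filterBody = @{
    displayName = 'Exclude Admin PC'
    description = 'Matches the admin workstation so it can be excluded'
    platform    = 'windows10AndLater'
    rule        = '(device.deviceName -eq "ADMIN-PC")'
}
$filter = Invoke-MgGraphRequest -Method POST -Uri "$base/assignmentFilters" `
    -Body ($filterBody | ConvertTo-Json) -ContentType 'application/json'

# 2. Assign the policy to All users and attach the filter as an exclusion.
#    Note: the assign action replaces the policy's existing assignments.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type'                              = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'exclude'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceCompliancePolicies/$policyId/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 3. Read the assignment back to confirm the target and filter mode.
$current = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceCompliancePolicies/$policyId/assignments"
$current.value | ForEach-Object { $_.target }
```

A rule on `device.deviceOwnership` (for example `-eq "Personal"`) would exclude every personally owned device instead of a single named one.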


1 additional answer

  1. Anonymous
    2022-07-22T09:21:59.137+00:00

    @Lu Dai-MSFT
    Many thanks for that. I like the idea of using filters and will modify my assignment route accordingly.

    I also enclose a really good article which I found really useful
    https://www.itpromentor.com/devices-or-users-when-to-target-which-policy-type-in-microsoft-endpoint-manager-intune/