Compliance Policy

Sonam Kandoi 61 Reputation points
2022-08-23T15:37:53.41+00:00

Hi,

I am working on a compliance policy, and there is mixed discussion about whether to deploy it to a user group or a device group.

If you assign these policies to devices, you will find that there are two compliance results for every device (well, actually three if you include the built-in policy).
The “system account” will receive a compliance status
The user who signs into the device will also receive a compliance status

What is the best practice?

Microsoft Intune Configuration

Accepted answer
  1. Lu Dai-MSFT 28,356 Reputation points
    2022-08-24T02:32:17.867+00:00

    @Sonam Kandoi Thanks for posting in our Q&A.

    For this issue, if there is an Azure AD user signing in the device, it is suggested to deploy the compliance policy to a user group.

    If there is no user signing in the device, it is suggested to deploy the compliance policy to a device group.

    For more details, please refer to the "Tip" and "Note" in the following article:
    https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#drill-down-for-more-details

    Hope it will help.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Reza-Ameri 16,836 Reputation points
    2022-08-23T15:42:00.843+00:00

    It depends on your requirements. If you only need a compliance result per user and that is sufficient, then deploy to users. However, if you need a more comprehensive report, deploy it to devices. When you deploy to devices, you will see possible conflicting policies caused by users too. Deploying to users is easier, while deploying to devices is more comprehensive, but it depends on your requirements.