This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I am working on Compliance Policy, there is mixed discussion whether to deploy on user or device group
If you assign these policies to devices, you will find that there are two compliance results for every device (well, actually three if you include the built-in policy).
The “system account” will receive a compliance status
The user who signs into the device will also receive a compliance status
What is the best practice?
@Sonam Kandoi Thanks for posting in our Q&A.
For this issue, if there is an Azure AD user signing in the device, it is suggested to deploy the compliance policy to a user group.
If there is no user signing in the device, it is suggested to deploy the compliance policy to a device group.
For more details, please refer the the "Tip" and "Note" in the following article:
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#drill-down-for-more-details
Hope it will help.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you this provides clarity :)
It depends on your requirement, in case you only need compliance result per user and that is sufficient, then deploy on users. However, in case you need more comprehensive report deploy it on device. When you deploy for device, you will see possible conflicting policy caused by users too. Deploy on user is easier but deploy on device is more comprehensive but it depends on your requirements.
any example to help me understand more better
@Sonam Kandoi You're welcome. If you have any problem in the future, welcome to post in our Q&A.
Thanks and have a nice day. : )