One of the things that we have to do as administrators is forget the past. It’s necessary because our options for applying different types of policies have vastly expanded. Instead of simply computer or user group policies, we have now have policies and profiles of both device and user types and we can assign the user policies to devices and device policies to users. Sound confusing and it is. The choice is now yours to make but how to you make that decision?
How to decide whether to apply settings to a user or to a device
It’s been difficult to find official guidance on this. I honestly don’t think that Microsoft has an opinion. It’s more of a rule of thumb and a personal preference. What we really need to do is to simplify our options.
First, pay no attention to the name of a policy being labelled as device or user. Since we can assign them to either regardless of what they claim to be, this isn’t the important part. In fact, it can be misleading.
Apply policies, profiles and configurations to devices when…
the setting should be set on that device whether anyone is logged into it or not.
This will be used mainly for policies that apply before anyone logs onto the device. Like an update. Or Autopilot configuration.
For most environments, you will apply policies to devices very sparingly or not at all.
Apply policies, profiles and configurations to users when…
it should be applied to any device that the user logs onto. And also when you want to policy to apply every time that device is used.
When in doubt apply to a group of users
For example, when creating a compliance policy that verifies whether a device meets your minimum criteria for being a device on your network, one might think that this should be applied to the device. But, no. Compliance policies should be applied to users. Here’s why…
We want to know if a user logs into a non-compliant device and then be able to block their ability to access protected corporate data. A user policy will do that for us. A device policy would get applied once to the device and we’d never hear from it again. We want constant checking for compliance, therefore this is a user policy.
Learn to ignore this error
When you apply certain policies to users, you will find that it is unable to apply that policy to the system account user. This will cause a red flag in your policy application. It’s very annoying but it is safe to ignore. The system user account is a highly secure account and even EndPoint Manager has limited ability to configure it. I wish that Microsoft wouldn’t show us those errors but they do. Ignore them.
If you like this content please join our Endpoint Manager, Lighthouse & Defender group. https://www.facebook.com/groups/endpointmanager
All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Peer groups, Kits, papers, MSP training and more. https://www.thirdtier.net