The way around device and user assignments (mixing)

I am sure we are all aware that for Intune assignments we can’t mix user and device groups across the include and exclude intents of the same profile. This “mix” is an unsupported scenario and leads to unexpected behavior, errors and, generally, conflicts. Intune displays a notice about this when you try to make any assignment:

Mixing information from the assignments tab

Learn more about user groups vs. device groups

Depending on your goal, you should decide if you make an assignment on the device level or for the user. Most often the question for this is: Which can you identify and subsequently target more easily?

Dynamic targets (AAD dynamic groups)

Assigned targets (AAD assigned groups)

Workaround: exclude devices from a user group assignment

During some tests I found a workaround for a very specific scenario where you need to exclude devices from an assigned user group.

This is not a perfect solution, but only a workaround.

Your scenario might look something like this:

You have: A profile or any content in Intune is currently assigned to a group that has only users as members.

You need: To exclude specific devices from that assignment.


The solution is to leverage filters. To create a filter, go to Tenant administration > Filters and create a new filter for Windows 10 and later.

Now define the filter rule. You have multiple device properties to choose from. You may already have a property in mind; otherwise you can take a manual approach with the property deviceCategory.

Intune filters

Create Device categories

You can create device categories (read more about this feature) in Intune. These are more or less just organizational categories/groups that you can add devices to. To do so, navigate to Devices > Device categories and create a new category. In my case I want to create a category named “Shared”, which all of my shared devices will be members of.

Users can select this category on their first launch of the Company Portal, or the IT admin can set it on the Intune device object:

Device category for an Intune device

The filter evaluation in this case would look like:

Filter evaluation for device category

Lastly, exclude the filtered devices in that user assignment:

Exclude filtered devices in assignment

Here you go! This user assignment will not apply to the filtered devices, and you can create another profile that targets only these specific devices.
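The same steps can be scripted against Microsoft Graph. This is an added example, not part of the original post: it assumes the profile is a device configuration profile, uses the Microsoft Graph PowerShell SDK with the beta endpoint, and the two IDs and the filter display name are placeholders.

```powershell
# Added example, not from the original post. Needs the Microsoft.Graph.Authentication module.
# Placeholders (assumptions): replace both IDs with your own object IDs.
$profileId   = '<device-configuration-profile-id>'
$userGroupId = '<user-group-object-id>'
$graph       = 'https://graph.microsoft.com/beta/deviceManagement'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Create the Windows 10 and later filter that matches the "Shared" device category.
$filterBody = @{
    displayName = 'Shared devices'   # constructed name
    platform    = 'windows10AndLater'
    rule        = '(device.deviceCategory -eq "Shared")'
} | ConvertTo-Json
$filter = Invoke-MgGraphRequest -Method POST -Uri "$graph/assignmentFilters" `
    -Body $filterBody -ContentType 'application/json'

# 2. Assign the profile to the user group with the filter in exclude mode.
#    The assign action replaces the profile's whole assignment list, so include
#    every group that should stay assigned.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId = $userGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'exclude'
            }
        }
    )
} | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceConfigurations/$profileId/assign" `
    -Body $assignBody -ContentType 'application/json'

# 3. Read the assignments back and confirm the filter is attached as an exclusion.
$current = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceConfigurations/$profileId/assignments"
foreach ($a in $current.value) {
    '{0} filter={1} mode={2}' -f $a.target.groupId,
        $a.target.deviceAndAppManagementAssignmentFilterId,
        $a.target.deviceAndAppManagementAssignmentFilterType
}
```

A device whose category is changed later moves in or out of the exclusion at its next check-in, so review who is allowed to set device categories.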

