The way around device and user assignments (mixing)
I am sure we are all aware that Intune assignments cannot mix user and device groups for the include or exclude intent of the same profile at the same time. This "mix" is an unsupported scenario and leads to unexpected behaviour, errors and, generally, a conflict. Intune shows an informational note whenever you make an assignment:
Learn more about user groups vs. device groups
Depending on your goal, you have to decide whether to make an assignment at the device level or at the user level. The deciding question is usually: which of the two can you identify, and therefore target, more easily?
Dynamic targets (AAD dynamic groups)
- Attributes from the device or user — For devices this would be any attribute, usually the GroupTag or ZTDID (read more).
Assigned targets (AAD assigned groups)
- Manually add users or devices as members to a group.
Workaround: exclude devices from a user group assignment
During some tests I have found a workaround for a very specific scenario, where you need to exclude devices from an assignment made to a user group.
This is not a perfect solution, only a workaround.
Your scenario might look something like this:
You have: a profile or other content in Intune that is currently assigned to a group whose members are only users.
You need: to exclude specific devices from that assignment.
The solution leverages Filters. To create a filter, go to Tenant administration > Filters and create a new filter for Windows 10 and later.
Now write the filter rule itself; you can choose from multiple device properties. Maybe you already have a property in mind; otherwise you can take the manual approach and use the deviceCategory property.
Create Device categories
You can create Device categories (read more about this feature) in Intune. These are more or less just organizational categories/groups to which you add devices. For this, navigate to Devices > Device categories and create a new category. In my case I want to create a category named "Shared", of which all of my shared devices will be members.
Users can pick this category during their first launch of the Company Portal, or the IT admin can set it on the device object in Intune:
The filter evaluation in this case would look like:
Last, you just exclude the filtered devices in that user assignment:
Here you go! The filtered devices are no longer applicable to this user assignment, and you can create another profile that targets only these specific devices.
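The same workaround can be scripted against Microsoft Graph (beta endpoint). This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, the caller holds DeviceManagementConfiguration.ReadWrite.All, and the group and profile ids are placeholders you replace with your own.

```powershell
# Added example (not from the original post): create the deviceCategory filter and
# re-assign a device configuration profile to a user group with that filter in "exclude" mode.
# Assumptions: Microsoft.Graph SDK installed; beta Graph endpoint; placeholder ids below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$userGroupId = "<object id of the user group>"            # placeholder
$profileId   = "<id of the deviceConfiguration profile>"  # placeholder

# 1. Create the filter: matches Windows devices whose device category is "Shared"
$filterBody = @{
    displayName = "Shared devices"
    description = "Devices that are members of the Shared device category"
    platform    = "windows10AndLater"
    rule        = '(device.deviceCategory -eq "Shared")'
}
$filter = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" `
    -Body ($filterBody | ConvertTo-Json)

# 2. Assign the profile to the user group, excluding devices that match the filter.
#    Caveat: /assign replaces the profile's whole assignment list, so include every
#    target you want to keep, not only this one.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId = $userGroupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = "exclude"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$profileId/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5)

# 3. Verify: list the profile's assignment targets with their filter id and mode
$assignments = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$profileId/assignments"
$assignments.value | ForEach-Object { $_.target }
```

Check the verification output for deviceAndAppManagementAssignmentFilterType = exclude on the user group target; an include mode here would silently invert the intent.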