assignment via policy sets

• Interview Training
• On Job Support
• Become an Trainer

Login/Sign Up

Intune training: exploring policy sets in microsoft intune.

• December 29, 2023
• Posted by: Lara Administrator
• Category: End User Computing

Introduction

Let’s dive deep into the topic of policy sets in Microsoft Intune. Policy sets are a powerful feature that allows you to group and assign different components such as applications, configurations, and deployment processes to specific security groups. By leveraging policy sets, you can simplify your management and ensure that the right policies are applied to the right users or devices. Let’s get started!

Understanding Policy Sets

Policy sets can be thought of as collections of policies that you can assign to specific groups. It’s a convenient way to organize and manage your policies based on different scenarios. For example, you can create policy sets for your front office, back office, contact centre, and executive staff, each with different applications and configurations required.

Accessing Policy Sets in Microsoft Intune

To access policy sets in Microsoft Intune, navigate to the In Tune button in your web browser. Scroll down to find the “Policy Sets” section. If you don’t see it immediately, don’t worry. It may take a moment to load, especially if you’re using the preview version. Once loaded, you can start exploring policy sets and planning your deployments.

Creating a Policy Set

To create a policy set, simply click on the “Create” button at the top of the page. Give your policy set a name that reflects its purpose. For example, you can name it “Windows Scenario” to indicate that it is specific to Windows devices. One of the advantages of policy sets is that they are cross-platform, meaning you can apply them to different types of devices, such as iOS, Mac OS, Windows 10, and Android.

Adding Applications and Configurations to a Policy Set

Once you have created a policy set, you can start adding applications and configurations to it. Using the familiar user interface, you can select the apps and configurations that you want to include in the policy set. You can also specify whether an app or configuration is required, uninstalled, or available. This allows you to fine-tune the policies based on your specific needs.

Managing Device Compliance and Configuration

In addition to applications and configurations, policy sets also allow you to manage device compliance and configuration. You can select the device configuration and compliance policies that you want to include in a policy set. For example, you can include BitLocker, Defender, and other required configurations. By bundling all these policies together, you can easily manage and track their assignments.

Assigning Policy Sets to Groups

One important thing to remember when working with policy sets is to always assign them to specific groups. Avoid assigning policies to all users or devices, as this can lead to unintended consequences. Instead, target your policies at the user or device object level. This allows you to have more control and ensures that the policies are applied where they are needed.

Visibility and Monitoring

Policy sets provide a single pane of view where you can see all the settings assigned to a device or user. This makes it easy to track and monitor the policies that are applied. You can also pop out specific policies for quick access and configuration. It’s a great way to have visibility without having to navigate through each application or configuration individually.

Policy sets in Microsoft Intune are a valuable tool for managing and organizing your policies. With policy sets, you can simplify your management, ensure compliance, and streamline your deployments. By bundling policies together and assigning them to specific groups, you can have more control and visibility over your Intune environment. Start exploring policy sets today and take your Intune training to the next level!

Intune Training Demo

Leave a Reply Cancel reply

Secure Infrastructure Blog

by the Secure Infrastructure team at Microsoft

Microsoft Endpoint Manager – Intune – Policy Sets & Guided Scenarios

Howdy all! When working through Intune to setup configurations to be deployed to managed devices administrators may need to decide which configurations should be prioritized and applied as a standard across various device types. Historically this is achieved by uniquely assigning each item to respecitive groups and letting Intune deploy the assignments accordingly. In some cases, though, it makes sense to group configurations together and apply them as a unit to help arrive at that minimal required configuration set in a more planned and rational way. Policy Sets help you achieve exactly that. The video linked below walks through Policy Sets and demonstrates their use. The video also introduces Guided Scenarios which are different from Policy Sets but complimentary to Policy Sets.

Share this:

Leave a reply cancel reply, discover more from secure infrastructure blog.

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

Intune Policy Sets Collection of Workflows Admin Friendly MEM

Intune policy sets give a user-friendly experience to Intune admins . The screenshots are taken from the Ignite session slides and demos by Paul Mayfield, Terrell Cox, and Micro-Scott.

More details about the session details and recording are in the below section of the post.

Ignite 2019 Coverage

• Microsoft Endpoint Management SCCM Intune Windows Updates
• Microsoft Endpoint Manager is the future of SCCM Intune MEMMI MEMCM
• iOS Android macOS Mobile Enrollment Options with Intune
• Basics of Windows Dynamic Update Explained Update Management
• WVD End User Experience Availability Updates
• MSIX Updates from Ignite Reliability Network Disk-space
• Microsoft Learning Certification Exams Updates
• On-Prem WVD Options Azure Quantum Qualys Scan Integration
• Intune Reporting Strategies Advanced Reporting
• Intune Endpoint Security Policies Enhancements
• Intune Policy Sets Collection of Workflows

Intune Policy Sets

Intune policy sets and guided scenarios are helpful for new admins. They don’t have to search for each function within Microsoft Endpoint Manager/Intune portals, and the guided scenarios provide the best admin experience.

Sign up to get the best of How To Manage Devices straight to your inbox!

You can use policy sets to:

• Create Standard configurations
• Get up and running quickly (less learning curve for non-Intune admins)
• Group objects that need to be assigned together
• Assign your organization’s minimum configuration requirements on all managed devices
• Assign commonly used or relevant apps to all users
• Collection or group of workflows from Intune
• Assign to an Azure AD group and report aggregate

Intune Policy Set Configurations

Device Management portal (Microsoft Endpoint Manager)

https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/PolicySetMenuBlade/overview

Select the following groups of workflows

• Apps – Select one or more apps from the list of available apps
• App configuration policies – Select one or more Intune App configuration Policies
• App protection policies – Select one or more Intune APP

• Device configuration profiles – Select device configuration profiles
• Device compliance policies – Select the compliance policies you want to be part of the policy set
• Device type restrictions – Select the device type conditions to be part of the policy set

Select Device Enrollment workflows

• Windows autopilot deployment profiles
• Enrollment status page

Select Azure AD Device or User Groups and complete the Intune policy set assignment.

• Microsoft Endpoint Manager, including Microsoft Intune and Configuration Manager – https://myignite.techcommunity.microsoft.com/sessions/83532
• Use policy sets to group collections of management objects
• Policy Sets Known Issues

We are on WhatsApp . To get the latest step-by-step guides and news updates, Join our Channel.  Click here  – HTMD WhatsApp .

Anoop C Nair  is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Leave a Comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Assign policies in Microsoft Intune

• 10 contributors

When you create an Intune policy, it includes all the settings you added and configured within the policy. When the policy is ready to be deployed, the next step is to "assign" the policy to your user or device groups. When you assign the policy, the users and devices receive your policy, and the settings you entered are applied.

In Intune, you can create and assign the following policies:

• App protection policies
• App configuration policies
• Compliance policies
• Conditional access policies
• Device configuration profiles
• Enrollment policies

This article shows you how to assign a policy, includes some information on using scope tags, describes when to assign policies to user groups or device groups, and more.

This feature applies to:

Before you begin

Be sure you have the correct role that can assign policies and profiles. For more information, go to Role-based access control (RBAC) with Microsoft Intune .

Consider using Microsoft Copilot in Intune. Some benefits include:

• When you create a policy and configure settings, Copilot provides more information on each setting, can recommend a value, and find potential conflicts.
• When you assign a policy, Copilot can tell you the groups the policy is assigned to and help you understand the effect of the policy.

For more information, go to Microsoft Copilot in Intune .

Assign a policy to users or groups

Sign in to the Microsoft Intune admin center .

Select Devices > Manage devices > Configuration . All the profiles are listed.

Select the profile you want to assign > Properties > Assignments > Edit :

For example, to assign a device configuration profile:

Go to Devices > Manage devices > Configuration . All the profiles are listed.

Select the policy you want to assign > Properties > Assignments > Edit :

Under Included groups or Excluded groups , choose Add groups to select one or more Microsoft Entra groups. If you intend to deploy the policy broadly to all applicable devices, select Add all users or Add all devices .

If you select "All Devices" and "All Users", the option to add additional Microsoft Entra groups disables.

Select Review + Save . This step doesn't assign your policy.

Select Save . When you save, your policy is assigned. Your groups will receive your policy settings when the devices check in with the Intune service.

Assignment features you should know and use

Use Filters to assign a policy based on rules you create. You can create filters for:

• App assignments

For more information, go to:

• Use filters when assigning your apps, policies, and profiles in Microsoft Intune
• Platforms, policies, and app types supported by filters in Microsoft Intune

Policy sets create a group or collection of existing apps and policies. When the policy set is created, you can assign the policy set from a single place in the Microsoft Intune admin center.

For more information, go to Use policy sets to group collections of management objects in Microsoft Intune .

Scope tags are a great way to filter policies to specific groups, such as US-NC IT Team or JohnGlenn_ITDepartment . For more information, go to Use RBAC and scope tags for distributed IT .

On Windows devices, you can add applicability rules so the policy only applies to a specific OS version or a specific Windows edition. For more information, go to Applicability rules .

User groups vs. device groups

Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here's some guidance to get you started.

Device groups

If you want to apply settings on a device, regardless of who's signed in, then assign your policies to a devices group. Settings applied to device groups always go with the device, not the user.

For example:

Device groups are useful for managing devices that don't have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your policies to this devices group.

You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the BIOS. For example, you configure this policy to disable the device camera, or lock down the boot options to prevent users from booting up another OS. This policy is a good scenario to assign to a devices group.

On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless of who's using the device. For example, you want to block all downloads, limit all cookies to the current browsing session, and delete the browsing history. For this scenario, put these specific Windows devices in a devices group. Then, create an Administrative Template in Intune , add these device settings, and then assign this policy to the devices group.

To summarize, use device groups when you don't care who's signed in on the device, or if anyone signs in. You want your settings to always be on the device.

User groups

Policy settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It's normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it's normal for a person to access email and other organization resources from these devices.

If a user has multiple devices on the same platform, then you can use filters on the group assignment. For example, a user has a personal iOS/iPadOS device, and an organization-owned iOS/iPadOS. When you assign a policy for that user, you can use filters to target only the organization-owned device.

Follow this general rule: If a feature belongs to a user, such as email or user certificates, then assign to user groups.

You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon policy to this users group.

A user receives a new organization-owned device. The user signs in to the device with their domain account. The device is automatically registered in Microsoft Entra ID, and automatically managed by Intune. This policy is a good scenario to assign to a users group.

Whenever a user signs in to a device, you want to control features in apps, such as OneDrive or Office. In this scenario, assign your OneDrive or Office policy settings to a users group.

For example, you want to block untrusted ActiveX controls in your Office apps. You can create an Administrative Template in Intune , configure this setting, and then assign this policy to a users group.

To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.

Azure Virtual Desktop multi-session

You can use Intune to manage Windows multi-session remote desktops created with Azure Virtual Desktop, just like you manage any other shared Windows client device. When you assign policies to user groups or devices, Azure Virtual Desktop multi-session is a special scenario. With virtual machines, device CSPs must target device groups. User CSPs must target user groups.

For more information, go to Use Azure Virtual Desktop multi-session with Microsoft Intune .

Windows CSPs and their behavior

The policy settings for Windows devices are based on the configuration service providers (CSPs) . These settings map to registry keys or files on the devices.

Here's what you need to know about Windows CSPs:

Intune exposes these CSPs so you can configure these settings and assign them to your Windows devices. These settings are configurable using the built-in templates and using the settings catalog . In the settings catalog, you see that some settings apply to the user scope and some settings apply to the device scope.

For information on how user scoped and device scoped settings are applied to Windows devices, go to Settings catalog: Device scope vs. user scope settings .

When a policy is removed or no longer assigned to a device, different things can happen, depending on the settings in the policy. Each CSP can handle the policy removal differently.

For example, a setting might keep the existing value, and not revert back to a default value. Each CSP controls the behavior. For a list of Windows CSPs, see configuration service provider (CSP) reference .

To change a setting to a different value, create a new policy, configure the setting to Not configured , and assign the policy. When the policy applies to the device, users should have control to change the setting to their preferred value.

When configuring these settings, we suggest deploying to a pilot group. For more Intune rollout advice, see create a rollout plan .

Exclude groups from a policy assignment

Intune device configuration policies let you include and exclude groups from policy assignment.

As a best practice:

• Create and assign policies specifically for your user groups. Use filters to include or exclude devices of those users.
• Create and assign different policies specifically for your device groups.

For more information on groups, see Add groups to organize users and devices .

Principles of including and excluding groups

When you assign your policies and policies, apply the following general principles:

Think of Included groups or Excluded groups as a starting point for the users and devices that will receive your policies. The Microsoft Entra group is the limiting group, so use the smallest group scope possible. Use filters to limit or refine your policy assignment.

Assigned Microsoft Entra groups, also known as static groups, can be added to Included groups or Excluded groups.

Typically, you statically assign devices into a Microsoft Entra group if they're pre-registered in Microsoft Entra ID, like with Windows Autopilot. Or, if you want to combine devices for a one-off, ad-hoc deployment. Otherwise, it might not be practical to statically assign devices into a Microsoft Entra group.

Dynamic Microsoft Entra user groups can be added to Included groups or Excluded groups.

Excluded groups can be groups with users or groups with devices.

Dynamic Microsoft Entra device groups can be added to Included groups. But, there can be latency when populating the dynamic group membership. In latency-sensitive scenarios, use filters to target specific devices, and assign your policies to user groups.

For example, you want policies assigned to devices as soon as they enroll. In this latency-sensitive situation, create a filter to target the devices you want, and assign the policy with this filter to user groups. Don't assign to device groups.

In a userless scenario, create a filter to target the devices you want, and assign the policy with the filter to the "All devices" group.

Avoid adding dynamic Microsoft Entra device groups to Excluded groups. Latency in dynamic device group calculation at enrollment can cause undesirable results. For example, unwanted apps and policies might be deployed before the excluded group membership is populated.

Support matrix

Use the following matrix to understand support for excluding groups:

• ✅: Supported
• ❌: Not supported
• ❕ : Partially supported

Related articles

See monitor device profiles for guidance on monitoring your policies, and the devices running your policies.

Was this page helpful?

Additional resources

Modern Device Management

Jannik reinhard.

Policy sets – a cool feature

Many companies have not only a standard service, where not all PCs have the same configuration profiles, standard apps,… have. Specialized services are often needed to meet the needs of different business areas. You can copy the configuration profiles and give them the name of the service so you know which policy belongs to which service or you can use the policy sets to build own services.

What are policy sets?

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. The policy set is a reference to different objects you added. This feautre was introduced at the end of 2019. More information can be found here .

What can be included in a Polcy set collection?

These following objects can be added to policy sets:

• App configuration policies
• App protection policies
• Device configuration profiles
• Device compliance policies
• Device type restrictions
• Windows autopilot deployment profiles
• Enrollment status page

Where can I find the policy sets

How can I create a policy set

• Click on Policy sets -> Policy sets
• Click Create
• Enter a name

A wizard guides you through the next steps. For this you have the following selection:

Application Management

 Device Management

Device enrollment

• Enrollment status pages
• After that you can still assign the policy set. Unfortunately no assignment filters work here.
• Click Next: Review + create

By creating the policy set, a new section “ Assignment via policy sets ” appears in the configuration profile.

Policy sets is a cool feature to get more order in the assignments. This helps e.g. to create new device classes or to group the services of different departments e.g. Security, Office, OS…

Stay healthy, Cheers Jannik

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to email a link to a friend (Opens in new window)
• Click to share on WhatsApp (Opens in new window)

2 thoughts on “ Policy sets – a cool feature ”

[…] In the following blog post I explain policy sets in detail. […]

Comments are closed.

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

DEV Community

Posted on Oct 31, 2022

Bicep and Azure Policy: Manage Policy and Initiative Assignment

This is the third post about Azure Policy. This time, the post will focus on policy assignments with Azure Bicep and PowerShell. Policy assignment enforces a policy and a policy set at a given scope, management group, or subscription. This is where policies are applied to target resources.

A policy Assignment object has several properties:

• A name (limited to 24 characters at the management group scope, 64 characters for other scopes)
• A location, the Azure to store the operation metadata
• A display name, limited to 128 characters
• An identity object
• A description
• The enforcement mode, either default (enforced) or DonotEnforce
• A non-compliance object. The message will be displayed when resources are not compliant with the policy.
• A not scope array, to not apply the assignment at some management group or subscriptions
• A parameters object, to apply parameters for the policy for the assignment
• The Policy definition ID, resource ID of the policy definition, or the policy set

In Bicep language

The deployment of this bicep file could be done by the New-AzManagementGroupDeployment cmdlet. But like custom policy definitions and policy sets, you will certainly be asked to not assign only one policy. How can you manage several policy assignments in one place? This is the same problem we had with deploying policies. But even if a policy assignment can be seen as a JSON document, the amount of information needed to assign a policy is limited. Instead of using one JSON file per assignment, we can create a single JSON document with all assignments, but we need to take care of the scope.

the bicep file:

This Bicep file will deploy a policy assignment. As the deployment will be made via PowerShell, we need to convert the value of the parameters and the nonComplianceMessage properties from string to JSON with the JSON function in Bicep.

All the parameters needed for the deployment are stored in a JSON document.

There is one policy to assign but two assignments in the JSON document. It’s to illustrate the power of parameters in the assignment process. You can assign the same policy, multiple times, even at the same scope, as long as the name changes and the parameters are different.

Each object in the JSON document will serve to deploy the assignment via a PowerShell script.

The script read the content of the JSON document and for each object, it extracts the variable needed to deploy the bicep file. But there is a difficulty, the bicep nonComplianceMessages require a JSON array, but most of the time there will be only one message or no message at all (multiple messages are only used for policy set). And if there is only one message (or none) you will not end up with a JSON array, but a simple JSON object, so a modification is needed.

To deploy, simply run the deployAssignment.ps1 from its folder. You can add the "location" parameter to adjust the azure region for your needs.

You can find the related PwSh/Bicep code here

Top comments (0)

Templates let you quickly answer FAQs or store snippets for re-use.

Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink .

Hide child comments as well

For further actions, you may consider blocking this person and/or reporting abuse

Creating and Configuring an Azure Storage Account

Afeez Adeyemo - Sep 14

Automating SharePoint Embedded: Using PowerShell to Call Graph API Endpoints

Jaime López - Oct 1

Quick Tip: Secret Scopes For Azure Key Vaults

Tim - Sep 9

Achieving IT/OT Convergence with Azure Cloud

Sedat SALMAN - Sep 12

We're a place where coders share, stay up-to-date and grow their careers.

Navigation Menu

Search code, repositories, users, issues, pull requests..., provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications You must be signed in to change notification settings