
Device and User Group Considerations in Windows Intune

Updated: November 1, 2013

Applies To: Windows Intune

Windows Intune provides you with a great deal of flexibility for managing your devices and users by organizing them into groups. You can organize groups in the way that best suits your organizational needs (for example, by geographic location, department, or hardware characteristics). A device or a user can belong to more than one group.

Windows Intune provides four built-in groups that cannot be deleted:

  • All Users

  • Ungrouped Users

  • All Devices

  • Ungrouped Devices

Considerations for Creating Groups

It is important to plan carefully before you organize computers, mobile devices, and users into groups in Windows Intune. Following are key considerations to keep in mind when you plan for creating user or device groups in Windows Intune:

  • A group can contain either users or devices, but not both.

  • A group can have direct members (static membership), dynamic query-based members, or both. For dynamic membership, you define the criteria of a query that Windows Intune runs to retrieve the list of group members; the group is updated automatically whenever a change in the directory or inventory affects which objects meet the criteria. For static membership, you define the list manually by explicitly adding members.

  • You can create a group that does not contain any members or query criteria.

  • You can edit the name, description and membership of a group.

  • Deployment to a group is not immediate. It can take up to an hour before newly deployed software is available to the targeted groups, so allow for this delay when you plan and test deployments.

Note
Active Directory Domain Services (AD DS) is not required to create user groups or device groups that include users or computers. For device groups to include mobile devices, however, your environment must be configured to support mobile devices, and the devices must be discovered and added to the Windows Intune inventory. If your environment is not configured to support mobile devices, they will not appear in the Windows Intune inventory and will not be available to add to device groups.

If AD DS is not configured in your environment, you can manually add users and security groups in the Windows Intune account portal.

The following are key considerations for understanding Windows Intune group parent-child relationships:

  • You cannot change a group’s parent.

  • The membership of a parent group defines the possible membership of the child group. Members must belong to a parent group in order for them to be added to a child group.

    This enhancement from previous releases of Windows Intune simplifies the process of identifying group membership and identifying areas of possible conflicting policy settings.

  • Group membership is recursive. That is, when you specify criteria for a user or device group based on a dynamic membership query (such as membership in a specific AD DS security group or reporting to a specific manager in AD DS), all direct and indirect members (members of nested security groups, or indirect reports) become members of that group. For example:

    • If user A is a member of security group X in AD DS

    • And security group X is a member of security group Y in AD DS

    If you create a group based on a membership query in Windows Intune that includes all members of security group Y, user A will be a member of the group.

  • The status of all child groups rolls up to the status of the parent group.

  • When you delete a parent group, all child groups are deleted.

  • You can deploy software applications, updates, and policies to multiple groups, a mix of device and user groups, and you can include a parent group while excluding child groups.

  • You can add or exclude specific group members.

    Note
    If you create a group that includes all of the parent group's members, you cannot then exclude specific members from the group. As a workaround, select nothing on the inclusion page and specify only the objects that you want to exclude.

  • You can add a specific user or device to a child group that is not a member of the parent group. If you do so, the new group member will be added to all parent groups, to preserve group consistency.

    However, if you try to add a member to a child group that is specifically excluded from the parent group, the attempt to add that member will not succeed.

  • As in previous releases of Windows Intune, one member can belong to multiple groups. This provides you with the flexibility to create group hierarchies that support your specific needs for deploying software applications, updates, and policies.
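The parent-child and exclusion rules above are easy to misjudge when a dynamic query pulls in nested AD DS security groups. The following is an added illustration, not Windows Intune code or any Intune API: a small Python model of the rules as this page states them (recursive security-group resolution, static members and exclusions, child membership limited to the parent's members, an addition to a child propagating to every ancestor, and the refusal when an ancestor excludes the member). The directory contents, group names and user names are constructed sample data.

```python
"""Toy model of the Windows Intune group-membership rules described above.

Added illustration only; this is not Intune's implementation or API.
It models nested (recursive) AD DS security-group resolution, static
members and exclusions, child groups limited to their parent's members,
and the rule that adding a member to a child pulls it into every
ancestor unless an ancestor explicitly excludes it.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory: AD group name -> direct members.
# A member that is itself a key of the dictionary is a nested group.
AD_GROUPS = {
    "Y": {"X", "carol"},
    "X": {"alice", "bob"},
}


def resolve_security_group(group, directory, seen=None):
    """Users that are direct or indirect members of an AD DS security group."""
    seen = set() if seen is None else seen
    if group in seen:            # circular nesting: stop, do not loop forever
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, ()):
        if member in directory:  # nested group: recurse into it
            users |= resolve_security_group(member, directory, seen)
        else:
            users.add(member)
    return users


@dataclass
class IntuneGroup:
    name: str
    parent: Optional["IntuneGroup"] = None
    query_groups: set = field(default_factory=set)  # dynamic criteria (AD groups)
    static: set = field(default_factory=set)        # explicitly added members
    excluded: set = field(default_factory=set)      # explicitly excluded members

    def members(self, directory):
        """Dynamic plus static members, minus exclusions, limited to the parent's members."""
        result = set(self.static)
        for g in self.query_groups:
            result |= resolve_security_group(g, directory)
        result -= self.excluded
        if self.parent is not None:
            result &= self.parent.members(directory)
        return result

    def add_member(self, user, directory):
        """Add a static member and propagate it to every ancestor.

        Fails without changing anything if an ancestor explicitly excludes the user.
        """
        ancestor = self.parent
        while ancestor is not None:
            if user in ancestor.excluded:
                raise ValueError(f"{user} is excluded from parent group {ancestor.name}")
            ancestor = ancestor.parent
        node = self
        while node is not None:
            node.static.add(user)
            node = node.parent


def demo(directory=AD_GROUPS):
    """Walk through the page's example with constructed groups; returns what was observed."""
    parent = IntuneGroup("Field staff", query_groups={"Y"}, excluded={"carol"})
    child = IntuneGroup("Field engineers", parent=parent, static={"alice"})
    out = {
        "parent_before": parent.members(directory),   # alice via nested X, bob; carol excluded
        "child_before": child.members(directory),     # only alice
    }
    child.add_member("dave", directory)               # not in parent: pulled into both
    out["parent_after"] = parent.members(directory)
    out["child_after"] = child.members(directory)
    try:
        child.add_member("carol", directory)          # excluded from parent: rejected
        out["carol_rejected"] = False
    except ValueError:
        out["carol_rejected"] = True
    out["child_final"] = child.members(directory)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it and compare the output with what you expect a real dynamic query to produce; the point to check before creating a production group is the recursive step, because a security group nested several levels deep can silently bring in far more users than the name of the top-level group suggests.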

The following table lists the membership criteria that you can define for dynamic queries or static lists. The same dynamic membership query criteria and static membership list criteria can also be used as exclusions for target groups:

User group

  Dynamic membership query criteria:

  • Security group: If AD DS is deployed in your environment, you can specify synchronized security groups as membership criteria. This information is retrieved from Active Directory synchronization with the Microsoft Online directory.

    If you manually added security groups to the Windows Intune account portal, you can specify those security groups as membership criteria. This information is retrieved directly from the Microsoft Online directory.

  • Manager: If AD DS is deployed in your environment, you can specify a manager as membership criteria; that is, users must report to that manager to be members of the group. This information is retrieved from Active Directory synchronization with the Microsoft Online directory.

    Note
    For the manager to be displayed in Windows Intune, the manager must also be a synchronized user. If a synchronized user has a manager who is not synchronized, the manager name will not be displayed in Windows Intune and will not be available as selection criteria.

  Static members list:

  • Users: You can specify individual users as membership criteria. Users are listed by first name, last name, and alias. This information is retrieved directly from the Microsoft Online directory.

Device group

  Dynamic membership query criteria:

  • Organizational unit (OU): You can specify the OU of computers as membership criteria. OUs are retrieved directly from the Windows Intune inventory. OUs cannot be retrieved for mobile devices.

  • Domain: You can specify the domain of a computer as membership criteria. This information is retrieved from the Windows Intune inventory. Domain names cannot be retrieved for mobile devices.

  • Device type: You can specify computers as membership criteria, and, if your environment is configured to support mobile devices, mobile devices. Device type information for computers is retrieved from the Windows Intune inventory. Device type information for mobile devices is retrieved from Exchange.

  Static members list:

  • Devices: You can specify computer names as membership criteria, and, if your environment is configured to support mobile devices, you can specify mobile device names as well. Computer names are retrieved from the Windows Intune inventory. Mobile device names are retrieved from Exchange.
