memdocs/intune/configuration/settings-catalog.md
Lines changed: 24 additions & 0 deletions
@@ -191,6 +191,30 @@ The **Templates** include a logical group of settings, such as device restrictio
191
191
192
192
The **Settings catalog** lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.
193
193
194
+
## Device scope vs. user scope settings
195
+
196
+
When selecting settings, some settings have a `(User)` tag or `(Device)` tag in the setting name, such as `Allow EAP Cert SSO (User)` or `Grouping (Device)`. When you see these tags, the policy only affects the user scope or the device scope.
197
+
198
+
For more information on user scope and device scope, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
199
+
200
+
Device and user groups are used when you assign your policies. Device and user scopes describe how a policy is enforced.
201
+
202
+
When deploying policy from Intune, you can assign user scope or device scope to any type of target group. Behavior of the policy per user depends on the scope of the setting:
203
+
204
+
- User scoped policy writes to `HKEY_CURRENT_USER (HKCU)`.
205
+
- Device scoped policy writes to `HKEY_LOCAL_MACHINE (HKLM)`.
206
+
207
+
When a device checks-in to Intune, the device always presents a `deviceID`. The device may or may not present a `userID`, depending on the check-in timing and if a user is signed in.
208
+
209
+
These are some possible combinations of scope, assignment, and the expected behavior:
210
+
211
+
- If a device scope policy is assigned to a device, then all users on that device have that setting applied.
212
+
- If a user scope policy is assigned to a device, then all users on that device have that setting applied. This behavior is like a [loopback set to merge](/troubleshoot/windows-server/group-policy/loopback-processing-of-group-policy).
213
+
- If a user scoped policy is assigned to a user, then only that user has that setting applied.
214
+
- If a device scoped policy is assigned to a user, once that user signs in and an Intune sync occurs, then the device scope settings apply to all users on the device.
215
+
216
+
If there is no [user hive](/windows/win32/sysinfo/registry-hives) during initial check-ins, then you may see some user scope settings marked as not applicable. This behavior happens in the early moments of a device before a user is present.
217
+
194
218
## Next steps
195
219
196
220
- Be sure to [assign the profile](device-profile-assign.md), and [monitor its status](device-profile-monitor.md).
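Review bot: In the added sentence "you can assign user scope or device scope to any type of target group", what gets assigned is a policy, not a scope, and the line just above it draws exactly that distinction (groups are used for assignment, scopes describe enforcement); suggest "you can assign a user scope or device scope policy to any type of target group". The bullets also alternate between "user scope policy" / "device scope policy" and "user scoped policy" / "device scoped policy"; pick one form and use it throughout. In the two registry bullets the abbreviation sits inside the code span, as in `HKEY_CURRENT_USER (HKCU)`, which reads as a literal key name; move "(HKCU)" and "(HKLM)" outside the backticks. "checks-in" used as a verb should be "checks in". The last scenario bullet says a device scoped policy assigned to a user applies to all users on the device once that user signs in and a sync occurs; it would help to state whether the setting stays in place after that user signs out, since on a shared device that decides who ends up affected.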