Microsoft performance guidance recommends using the built-in Intune groups "All devices" and "All users" and not creating separate dynamic groups to achieve the same thing. The benefit of this would be increased performance of application assignments to end users and devices, specifically during Autopilot/onboarding, as there is then no lag time for dynamic group updates. There is typically an "All Users" group that gets created in Entra, but some organizations remove it or restrict access to it, causing confusion.
Product | Application Manager |
We've had some overshoot using those. It's kind of the opposite of best practice under MCM, where you avoid using "All Systems" so you narrow your targets by using Exclusions or query rules.
Example: Deployed our security client to the fleet a couple of months ago, and a few weeks later found myself walking it back because it was deploying to personal computers when people logged in to Office on their home computers. Lots of ways orgs can deal with that (you could even accept it - our security team pays for the licenses, they didn't accept it), but it's something to consider when planning deployments.