When to Use Device vs User Targeting in Microsoft Intune

User vs device targeting is one of those choices that looks simple but quietly shapes everything from troubleshooting to policy reliability.

My general rule is simple: in most enterprise environments, device targeting should be the default unless you have a clear reason not to use it.

That said, there are still cases where user targeting is the better option.

The real difference

  • User targeting follows the identity
  • Device targeting follows the endpoint

That’s it conceptually. The complexity comes from how policies behave when users and devices don’t align cleanly, which happens often in modern work setups.

When device targeting is the better choice

In practice, device targeting tends to be more stable and predictable. It is also easier to reason about during troubleshooting because the policy is tied to something physical and consistent.

Use device targeting when:

  • You are configuring security settings (BitLocker, Defender, firewall)
  • You are enforcing compliance requirements
  • You are managing shared or multi-user devices
  • You are configuring system-level settings like updates or restrictions
  • You want consistent state regardless of who signs in

This is where Intune is strongest. Device state should usually be enforced at the device level.

It also reduces ambiguity in environments where multiple users sign into the same machine or where hybrid identity is still present.

When user targeting still makes sense

User targeting is useful when the configuration is genuinely about the person and not the machine.

Use user targeting when:

  • You configure Microsoft 365 apps (Outlook, Teams, OneDrive)
  • You deploy user-centric app settings or preferences
  • You support roaming users across multiple devices
  • You rely on identity-driven access or experience configuration

The key idea here is mobility. If the user should carry the configuration with them, user targeting is appropriate.

Where things go wrong in real environments

Most targeting issues come from mixing intent rather than misunderstanding features.

1. Security policies assigned to users

This creates inconsistency because the security state is not anchored to the device.

Example: BitLocker or Defender settings applied at user level

Result: compliance and configuration drift across devices.

2. Productivity apps assigned to devices

This often leads to gaps when users move between endpoints or use multiple devices.

Example: Microsoft 365 Apps assigned only to device groups

Result: incomplete app availability or inconsistent provisioning.

3. Hybrid targeting models without a clear standard

When user groups, device groups, and filters are mixed without a rule, troubleshooting becomes guesswork.

This is where most “Intune is inconsistent” complaints actually come from.

A practical decision rule

If you want something simple that works in most environments:

  • Default to device targeting for anything security or configuration related
  • Use user targeting only when the experience must follow the person

That single rule removes most ambiguity.
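As an added illustration (not part of the original post), the rule and the three failure modes above can be expressed as a small audit over an assignment inventory. The data below is constructed, not exported from a tenant, and the category labels are assumptions made for the example.

```python
"""Audit policy assignments against the 'device by default' rule."""
from collections import defaultdict

# Categories that control machine state and should be device-targeted.
DEVICE_SCOPED = {"security", "compliance", "system"}
# Categories that are about the person and should follow the user.
USER_SCOPED = {"productivity-app", "user-preference"}

# Constructed sample: (policy name, category, kind of group it is assigned to).
SAMPLE_ASSIGNMENTS = [
    ("BitLocker - Encrypt OS drive", "security", "user"),  # failure mode 1
    ("Defender AV baseline", "security", "device"),
    ("Windows compliance policy", "compliance", "device"),
    ("Microsoft 365 Apps", "productivity-app", "device"),  # failure mode 2
    ("OneDrive Known Folder Move", "user-preference", "user"),
    ("Windows Update ring", "system", "user"),             # failure mode 3
    ("Windows Update ring", "system", "device"),           # (mixed targeting)
]


def expected_target(category):
    """Device for security/configuration, user only when the experience follows the person."""
    if category in USER_SCOPED:
        return "user"
    # Security, compliance, system, and anything unknown: device is the safer default.
    return "device"


def audit(assignments):
    """Return (policy, issue) findings; each policy yields at most one finding."""
    by_policy = defaultdict(lambda: {"category": None, "targets": set()})
    for policy, category, target in assignments:
        by_policy[policy]["category"] = category
        by_policy[policy]["targets"].add(target)
    findings = []
    for policy, info in sorted(by_policy.items()):
        want = expected_target(info["category"])
        kinds = info["targets"]
        if kinds == {"user", "device"}:
            findings.append((policy, "mixed user and device targeting with no standard"))
        elif want == "device" and kinds == {"user"}:
            findings.append((policy, "security/config policy anchored to users, not devices"))
        elif want == "user" and kinds == {"device"}:
            findings.append((policy, "user-centric policy assigned only to device groups"))
    return findings


if __name__ == "__main__":
    for policy, issue in audit(SAMPLE_ASSIGNMENTS):
        print(f"{policy}: {issue}")
```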

Why device targeting is often the better default

From a real-world administration perspective, device targeting tends to win because:

  • It is easier to troubleshoot
  • It aligns better with compliance reporting
  • It reduces unexpected cross-user side effects
  • It behaves more predictably in shared environments

User targeting still has its place, but it introduces more variability by design.

Final thought

The question is not really “device or user”.

It is:

What am I trying to control: the person or the machine?

If the answer is unclear, device targeting is usually the safer choice in Intune.