I'm looking for advice on configuring Endpoint Central in a Windows environment, specifically on how to handle the association between computers and users. My organization uses Active Directory (AD) groups for users, and we need to create configurations that can install software based on these user groups (like HR, Finance, Operations, etc.). I've noticed that Endpoint Central mainly targets software installations at the computer level, but it can apply software based on user groups at logon, which doesn't seem ideal to me. I'm also trying to find a way to dynamically retrieve the association between computer names and their corresponding users or user groups for other purposes. Being a Linux admin, I have my own ideas, but I'd like to hear how Windows administrators typically manage this.
2 Answers
This is pretty standard practice! You should create clear naming conventions for your groups, like 'GG-HR-Users' for HR-related users, and connect these to SCCM or Intune. If you're using hybrid AAD, dynamic groups can automate this by pulling data from your ERP and matching it with your on-premises AD.
Yes, Intune deployments trigger when the user logs in, which could be a hassle if you want to control everything based on computer assignments from the start.
I'm not entirely familiar with Endpoint Central, but does it integrate with AD groups, or does it manage its own groups?
You can sync AD groups to Endpoint Central and use them as groups. There are two types of targets: users and computers. You can set up computer groups from AD or user groups. I prefer to deploy software via computer groups, but I lack a single AD group that includes all computers for a specific department like HR—only the user group has that info.
Your naming scheme sounds effective, but it hasn't been implemented here yet. We are hybrid and can push information into AAD to help with the department field. The issue remains in linking the user and computer department fields to set up dynamic groups for HR computers. It seems like while Intune can work with user groups, I find deploying through Endpoint Central to be smoother using computer groups. Just to clarify, the Intune deployments happen when a user logs into a computer, right?
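One way to get the computer group the last reply is missing, as an added example that is not part of the original thread: derive a department computer group from the department user group in on-premises AD. It assumes a convention the thread does not state, namely that each computer object's `managedBy` attribute holds its primary user (`managedBy` is a real AD attribute; using it for primary-user tracking is a local convention you would have to populate), and it assumes the group names `GG-HR-Users` (from the naming scheme suggested above) and `GG-HR-Computers` (hypothetical). The second function gives the raw computer-to-user mapping the question asks for; the first reconciles the computer group against it.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory
# module and rights to read computer objects and change membership of the target
# group. Assumption: computer.managedBy = DN of the computer's primary user.
Import-Module ActiveDirectory

function Get-ComputerUserMap {
    # Returns one row per computer that has managedBy set: computer name,
    # primary user SamAccountName and the user's department attribute.
    # One LDAP query for computers plus one lookup per distinct user.
    $users = @{}
    Get-ADComputer -LDAPFilter '(managedBy=*)' -Properties managedBy |
        ForEach-Object {
            $dn = $_.managedBy
            if (-not $users.ContainsKey($dn)) {
                # Cache user lookups; many computers share a few users.
                $users[$dn] = Get-ADUser -Identity $dn -Properties Department
            }
            [pscustomobject]@{
                Computer   = $_.Name
                User       = $users[$dn].SamAccountName
                Department = $users[$dn].Department
            }
        }
}

function Sync-DepartmentComputerGroup {
    param(
        [Parameter(Mandatory)] [string] $UserGroup,      # e.g. 'GG-HR-Users'
        [Parameter(Mandatory)] [string] $ComputerGroup,  # e.g. 'GG-HR-Computers' (assumed)
        [switch] $WhatIf                                 # report changes without applying them
    )

    # The target group must already exist: the script only touches membership,
    # so the account running it needs no rights to create objects.
    if (-not (Get-ADGroup -Filter "Name -eq '$ComputerGroup'")) {
        throw "Computer group '$ComputerGroup' does not exist; create it first."
    }

    # 1. DNs of every user in the department group (recursive covers nested groups).
    #    Note: Get-ADGroupMember stops at 5000 members by default; for bigger groups
    #    read the group's 'member' attribute instead.
    $wanted = [System.Collections.Generic.HashSet[string]]::new(
                  [System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $UserGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [void]$wanted.Add($_.DistinguishedName) }
    if ($wanted.Count -eq 0) { throw "No users found in '$UserGroup'." }

    # 2. Computers whose managedBy points at one of those users. Filtering in
    #    PowerShell avoids building an LDAP filter from DNs that would need escaping.
    $target = Get-ADComputer -LDAPFilter '(managedBy=*)' -Properties managedBy |
              Where-Object { $wanted.Contains($_.managedBy) }
    $targetDns = [System.Collections.Generic.HashSet[string]]::new(
                     [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $target) { [void]$targetDns.Add($c.DistinguishedName) }

    # 3. Reconcile: add computers that are missing, remove computers whose
    #    primary user is no longer in the department (so the group tracks moves).
    $current = Get-ADGroupMember -Identity $ComputerGroup |
               Where-Object objectClass -eq 'computer'
    $currentDns = [System.Collections.Generic.HashSet[string]]::new(
                      [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $current) { [void]$currentDns.Add($c.DistinguishedName) }

    $toAdd    = @($target  | Where-Object { -not $currentDns.Contains($_.DistinguishedName) })
    $toRemove = @($current | Where-Object { -not $targetDns.Contains($_.DistinguishedName) })

    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $ComputerGroup -Members $toAdd -WhatIf:$WhatIf
    }
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $ComputerGroup -Members $toRemove `
                             -Confirm:$false -WhatIf:$WhatIf
    }

    [pscustomobject]@{
        ComputerGroup = $ComputerGroup
        Target        = $target.Count
        Added         = $toAdd.Count
        Removed       = $toRemove.Count
    }
}

# Dry run first, then schedule the real sync (e.g. hourly) so the group follows HR moves.
Sync-DepartmentComputerGroup -UserGroup 'GG-HR-Users' -ComputerGroup 'GG-HR-Computers' -WhatIf
```

Once `GG-HR-Computers` is kept in sync this way, Endpoint Central (or SCCM) can target it as an ordinary AD computer group and the deployment no longer depends on who logs on. The same join is what an Azure AD dynamic group cannot do on its own, because dynamic device rules evaluate only device attributes and cannot reference the owner's department, so for hybrid setups the on-premises group is the one to build and sync. Removing stale members matters as much as adding new ones: a computer whose user has left HR should lose HR-only software and data access rather than keep it indefinitely.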