We’re currently rolling out a new Intune-based setup across our school, and I’d really appreciate hearing how others are tackling this because we’re hitting some pretty frustrating roadblocks.
We’ve just started deploying to production — student devices are Autopilot-enrolled, cloud-native (Entra joined), and receiving policies via Intune. Devices are not 1:1 — students move between classrooms, so multiple logins happen per day across many shared machines. Staff and student devices are separated physically and logically.
We’re applying things like lockdown restrictions, mapped drives, and shell customization using user-assigned configuration profiles.
We’re seeing a significant delay in user policies applying at first login — sometimes they kick in after 5–10 minutes, sometimes after a logout/login, and occasionally not at all.
Some examples:
A student logged in and initially had full access to PowerShell, Regedit, CMD, etc. After a logout/login, the restrictions finally applied.
Mapped drives are inconsistent — sometimes there, sometimes not.
OneDrive redirection and policy enforcement can take minutes or longer to kick in.
Even after updating a policy, it sometimes doesn’t apply for hours unless a manual sync is forced.
What We’ve Tried:
Devices are syncing and compliant in Entra/Intune.
We know the policies do apply, but it’s inconsistent and too slow.
We’ve explored device-level assignment, but avoided it due to concern about mixed users on the same device — however, in our case, staff and student devices are already separate, so this might actually be a better route.
We cannot have staff or students logging in and being left with open access while Intune "gets around" to applying policies. In a school environment, that delay is a serious risk and undermines the entire management strategy. None of this delay or risk was mentioned to us during planning and design workshops.
Is this kind of user policy delay just expected behavior with Intune?
Is it best practice to apply restriction policies at device level where devices are user-dedicated (e.g., staff vs student machines)?
Has anyone successfully used tools to force or accelerate policy sync at login?
Any insights from people managing large shared environments — how are you handling this?
We've got a follow-up session booked with our MSP, but I’d really like to hear how others are managing this in the real world — especially in education.
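One way to approach the "force a sync at login" question and to verify that the user lockdown has actually landed before treating the session as safe, as an added example that is not part of the original post or of any MSP tooling. It assumes the device is Intune-enrolled (enrollment with ProviderID 'MS DM Server'), that it runs as SYSTEM at logon (logon-triggered scheduled task or Intune remediation), and that the lockdown profile maps to the two ADMX-backed registry values listed in $Expected, which are illustrative.

```powershell
# Added example, not from the original post. Run as SYSTEM at user logon.
# Assumption: the user lockdown profile writes these ADMX-backed values into the user hive.
$Expected = @(
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Value = 1 }
    @{ Sub = 'Software\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD';           Value = 1 }
)

function Get-IntuneEnrollmentId {
    # Each MDM enrollment lives under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

function Start-IntuneSync {
    $id = Get-IntuneEnrollmentId
    if (-not $id) { throw 'No Intune enrollment found on this device' }
    # PushLaunch is the scheduled task the MDM client uses to open a sync session;
    # its task folder is named after the enrollment GUID
    Start-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\" -TaskName 'PushLaunch'
}

function Get-LoadedUserSids {
    # Loaded hives of real users: S-1-5-21-* (local/AD) and S-1-12-1-* (Entra ID)
    (Get-ChildItem 'Registry::HKEY_USERS').PSChildName | Where-Object { $_ -match '^S-1-(5-21|12-1)-[\d-]+$' }
}

function Test-UserLockdown([string]$Sid) {
    foreach ($e in $Expected) {
        $key = "Registry::HKEY_USERS\$Sid\$($e.Sub)"
        $actual = (Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($actual -ne $e.Value) { return $false }   # missing key or wrong value = not locked down
    }
    return $true
}

Start-IntuneSync
$deadline = (Get-Date).AddMinutes(5)
do {
    $pending = Get-LoadedUserSids | Where-Object { -not (Test-UserLockdown $_) }
    if (-not $pending) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

if ($pending) {
    # Non-zero exit lets a remediation or monitoring job flag the device as still open
    Write-Output "Lockdown NOT applied for: $($pending -join ', ')"; exit 1
}
Write-Output 'Lockdown policies present for all signed-in users'; exit 0
```

The exit code is the useful part: a device that still reports 1 after the wait is exactly the "open access while Intune gets around to it" window described above, and can be surfaced in Intune remediation reporting rather than discovered by a student.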