Feature Request: Use Azure/Intune Group Membership for "Netwrix Endpoint Policy Manager" Targeting Criteria

What is a one sentence summary of your feature request?

Feature Request: Use Azure/Intune Group Membership for “Netwrix Endpoint Policy Manager” Targeting Criteria.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Feature Request: Use Azure/Intune Group Membership for “Netwrix Endpoint Policy Manager” Targeting Criteria

We need Policy Pack to support Azure/Intune Group membership as a targeting condition. This would allow us to say “apply this Policy Pack “Netwrix Endpoint Policy Manager” setting only to devices that are members of [specific Azure/Intune Group].”

Why this matters:
- We already organize devices into Azure/Intune Groups for Intune targeting.
- Policy Pack “Netwrix Endpoint Policy Manager” should leverage our existing group structure instead of requiring duplicate targeting logic via WMI queries or registry keys.

This would align Policy Pack “Netwrix Endpoint Policy Manager” settings with our Intune deployment methodology and organizational structure.

Technical approach:
- Query Microsoft Graph API for device group memberships
- Support both direct and nested group membership
- Cache locally with configurable refresh intervals
- Required Graph API permissions: Device.Read.All, Group.Read.All
- (If the local Machine account and certificate doesn’t have the appropriate permissions to perform the Graph Query, a service account can be created and used to perform the lookup)

Use case example: “Apply these Registry Keys only to devices in the ‘AZR-S-APP-WKS-Administrative Workstations’ Azure/Intune Group” - without needing to create custom WMI queries or registry markers to identify those devices.

This would be a significant differentiator for Policy Pack in Intune-managed environments.

How do you currently solve the challenges you have by not having this feature?

Deploy a PowerShell Script to set a specific registry key for a given Policy Pack “Netwrix Endpoint Policy Manager” setting, deploy that PowerShell script via Intune (Win32 app, Remediation Script or Platform Script) assigned to an Intune Group. Use the resultant registry key as the targeting criteria for the Policy Pack “Netwrix Endpoint Policy Manager” setting.
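The workaround described above, and the Graph-based approach proposed under "Technical approach", as one added example (this is not the poster's script and not Netwrix code). It assumes an app registration (service account) with a certificate in the machine store holding the Device.Read.All and Group.Read.All application permissions named in the request, the Microsoft.Graph PowerShell module on the endpoint, and placeholder values for tenant, client, thumbprint and the registry marker path:

```powershell
# Intune-deployable script: resolve this device's Entra ID / Intune group membership
# (direct and nested, via transitiveMemberOf) and record it as a registry marker that
# Endpoint Policy Manager can use as targeting criteria. Added example, not vendor code.
param(
    [string]$TenantId    = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ClientId    = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$CertThumb   = 'CERT-THUMBPRINT-PLACEHOLDER',           # placeholder
    [string]$TargetGroup = 'AZR-S-APP-WKS-Administrative Workstations',
    [string]$MarkerPath  = 'HKLM:\SOFTWARE\Contoso\EPMTargeting'    # assumed path
)

# dsregcmd prints the Entra device ID on joined/registered devices.
$status   = dsregcmd /status
$deviceId = $status | Select-String -Pattern '^\s*DeviceId\s*:\s*([0-9a-fA-F-]{36})' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1
if (-not $deviceId) { Write-Error 'Device is not Entra joined or registered'; exit 1 }

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertThumb -NoWelcome

# dsregcmd reports the deviceId property, not the directory object id, so look it up.
$dev = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$deviceId'&`$select=id"
$objectId = $dev.value[0].id
if (-not $objectId) { Write-Error "No directory object found for device $deviceId"; exit 1 }

# transitiveMemberOf covers direct and nested groups; follow @odata.nextLink for paging.
$groups = @()
$uri = "https://graph.microsoft.com/v1.0/devices/$objectId/transitiveMemberOf?`$select=id,displayName"
do {
    $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
    $groups += $page.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
    $uri    = $page.'@odata.nextLink'
} while ($uri)

$isMember = [bool]($groups | Where-Object { $_.displayName -eq $TargetGroup })

# Write the marker plus a timestamp so a stale cache can be detected on the next run.
New-Item -Path $MarkerPath -Force | Out-Null
Set-ItemProperty -Path $MarkerPath -Name 'InGroup' -Value ([int]$isMember) -Type DWord
Set-ItemProperty -Path $MarkerPath -Name 'Checked' -Value (Get-Date).ToString('o') -Type String
exit 0
```

Re-running the script on the Remediation schedule gives the "configurable refresh interval" from the proposal; the `Checked` value lets you spot devices whose marker has not been refreshed.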

So we already let you do it by COMPUTER group, but not by USER group.

There’s some reason we cannot grab user membership.

The doc page with the video WOULD be here: Use Endpoint Policy Manager cloud + Azure AAD Group Membership for User or Computers | Netwrix Product Documentation
But the video is .. um.. missing.

While I get it fixed the direct link is: https://youtu.be/fSiycQbAx6o

Check that out and see if it helps.

Also: If the steps DON'T work, I think I saw there’s an active bug around this; which we know about.

So all in all: DO see if the video “would get you there” and let me know here. And then we can keep in touch around the known bug getting the sync started.

-Jeremy


Hi Jeremy,

We recently had a support call where we demonstrated that Intune computer groups do not function as targeting criteria. Since we are Intune only (not Hybrid AD), the Netwrix Policy Pack Support staff verified that that functionality does not yet exist in Policy Pack “Netwrix Endpoint Policy Manager”. The Support Engineers recommended that I submit this feature request.

I have been able to successfully perform Graph Lookups using a service account for an in-house binary project, and that is likely a viable method by which the Policy Pack “Netwrix Endpoint Policy Manager” product could keep a local (endpoint located) record of local group memberships.

Thanks for your attention.