Create an Azure AD dynamic group for Windows 11 devices
How to create an Azure AD dynamic device group for specific laptop model running Windows 11
What is an Azure AD dynamic group and why would you use one?
In other words, you can't combine users and devices in dynamic groups.
In this example, we are creating a dynamic group for Windows 11 Surface devices that we can use to target policy and configuration settings at Surface Pros and Surface Laptops running Windows 11.
This will allow us to roll out Windows 11 configuration policies and have them apply only to these specific devices and not to the rest of our Windows 10 computers.
Windows 10 and Windows 11 versions
Windows 10 and 11 OS version numbers
Windows 10 version numbers start with 10.0.1
Windows 11 version numbers start with 10.0.2
Find Windows OS version using command line
systeminfo | findstr /B /C:"OS"
Example: Windows 11 OS version number
Create Azure AD dynamic device group
Log on to the Azure portal
Azure AD - Groups - New Group
Group type: Security
Group name: Windows 11 - Surface Devices
Membership type: Dynamic Device
Add dynamic query
Dynamic membership rules - device properties
Here is a quick list of device properties you might find useful when creating dynamic group membership rules:
Property | Operator | Example Value | Notes |
--- | --- | --- | --- |
deviceModel | Contains | Surface | |
deviceOSType | Contains | Windows | |
deviceOSVersion | Starts With | 10.0.2 | Windows 11 |
deviceOSVersion | Starts With | 10.0.1 | Windows 10 |
deviceOwnership | Equals | Company | Corporate owned |
Example: Dynamic membership rules for Windows 11, Surface devices
Click Add expression to configure the following rules, then save and create the dynamic group.
Property | Operator | Value |
--- | --- | --- |
deviceModel | Contains | Surface |
deviceOSType | Contains | Windows |
deviceOSVersion | Starts With | 10.0.2 |
Rule syntax:
(device.deviceModel -contains "Surface") and (device.deviceOSType -contains "Windows") and (device.deviceOSVersion -startsWith "10.0.2")
Example: Dynamic membership rules for Windows 10, corporate devices
Rule syntax:
(device.deviceOSType -contains "Windows") and (device.deviceOSVersion -startsWith "10.0.1") and (device.deviceOwnership -eq "Company")
https://learn.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add
Intune automatically assigns corporate-owned status to devices that are:
* Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory registered will be marked as personal.
* Set as corporate in the device's properties list
* After enrollment, you can change the ownership setting between Personal and Corporate.
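To see which devices the two rules above would actually pull in, here is an added Python evaluator (not part of the original post, and not Azure AD's own rule engine) that parses the rule syntax shown on this page for the three operators used here and applies it to constructed device records. It assumes case-insensitive string matching and only handles the AND-joined form of rule used on this page.

```python
import re

# Operators from the Azure AD rule syntax on this page; string comparison is
# treated as case-insensitive here (an assumption about the Azure AD rule engine).
OPERATORS = {
    "-eq": lambda actual, expected: actual.lower() == expected.lower(),
    "-contains": lambda actual, expected: expected.lower() in actual.lower(),
    "-startswith": lambda actual, expected: actual.lower().startswith(expected.lower()),
}
# One parenthesised clause: (device.<property> <operator> "<value>")
CLAUSE = re.compile(r'\(device\.(\w+)\s+(-\w+)\s+"([^"]*)"\)')

def parse_rule(rule):
    """Split an AND-joined rule (the only form used on this page) into clauses."""
    clauses = []
    for part in re.split(r"\s+and\s+", rule.strip(), flags=re.IGNORECASE):
        match = CLAUSE.fullmatch(part.strip())
        if not match:
            raise ValueError(f"unsupported clause: {part!r}")
        prop, op, value = match.groups()
        if op.lower() not in OPERATORS:
            raise ValueError(f"unsupported operator: {op}")
        clauses.append((prop, op.lower(), value))
    return clauses

def device_matches(device, rule):
    """True only when every clause holds; a missing attribute never matches."""
    return all(device.get(prop) is not None and OPERATORS[op](device[prop], value)
               for prop, op, value in parse_rule(rule))

def evaluate_members(devices, rule):
    """Display names of the devices the rule would pull into the dynamic group."""
    return sorted(d["displayName"] for d in devices if device_matches(d, rule))

# The two rules from this page.
WIN11_SURFACE_RULE = ('(device.deviceModel -contains "Surface") and (device.deviceOSType '
                      '-contains "Windows") and (device.deviceOSVersion -startsWith "10.0.2")')
WIN10_CORP_RULE = ('(device.deviceOSType -contains "Windows") and (device.deviceOSVersion '
                   '-startsWith "10.0.1") and (device.deviceOwnership -eq "Company")')

# Constructed sample device records (not real inventory data).
DEVICES = [
    {"displayName": "SURFACE-01", "deviceModel": "Surface Pro 8", "deviceOSType": "Windows",
     "deviceOSVersion": "10.0.22621.1555", "deviceOwnership": "Company"},
    {"displayName": "SURFACE-02", "deviceModel": "Surface Laptop 4", "deviceOSType": "Windows",
     "deviceOSVersion": "10.0.19045.2846", "deviceOwnership": "Company"},
    {"displayName": "DELL-01", "deviceModel": "Latitude 5420", "deviceOSType": "Windows",
     "deviceOSVersion": "10.0.22631.3296", "deviceOwnership": "Company"},
    {"displayName": "BYOD-01", "deviceModel": "Surface Go 2", "deviceOSType": "Windows",
     "deviceOSVersion": "10.0.19044.1288", "deviceOwnership": "Personal"},  # Azure AD registered
]
```

Only SURFACE-01 lands in the Windows 11 Surface group, and only SURFACE-02 in the Windows 10 corporate group; the personal Surface Go is excluded by the ownership clause even though it is a Surface running Windows 10.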
Check dynamic group membership
Select the dynamic device group, then Members, to see the laptops that have been automatically added to the group.
Reference:
Dynamic membership rules for groups in Azure Active Directory
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership