User-driven Microsoft Entra hybrid join: Create a device group
Autopilot user-driven Microsoft Entra hybrid join steps:
- Step 1: Set up Windows automatic Intune enrollment
- Step 2: Install the Intune Connector
- Step 3: Increase the computer account limit in the Organizational Unit (OU)
- Step 4: Register devices as Autopilot devices
- Step 5: Create a device group
- Step 6: Configure and assign Autopilot Enrollment Status Page (ESP)
- Step 7: Create and assign Microsoft Entra hybrid join Autopilot profile
- Step 8: Configure and assign domain join profile
- Step 9: Assign Autopilot device to a user (optional)
- Step 10: Deploy the device
For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.
Note
If device groups from are already created, skip this step and move on to Step 6: Configure and assign Autopilot Enrollment Status Page (ESP). However, if deploying multiple and/or different Autopilot scenarios to different devices, separate device groups are required for each Windows Autopilot scenario.
Create a device group
Device groups are a collection of devices organized into a Microsoft Entra group. Device groups are used in Autopilot to target devices for specific configurations such as what policies to apply to a device and what applications to install on the device. They're also used by Autopilot to target Enrollment Status Page (ESP) configurations, Autopilot profile configurations, and domain join profiles to devices.
Device groups can be either dynamic or assigned:
- Dynamic groups - Devices are automatically added to the group based on rules
- Assigned groups - Devices are manually added to the group and are static
When an admin configures Autopilot in an enterprise environment, dynamic groups are primarily used since a large number of devices are normally involved. Adding the devices automatically using rules makes management of the group a lot easier. Adding a large number of devices manually via an assigned group would be impractical. However, if there are only a few devices, for example for testing purposes, an assigned group can be used instead.
To create a dynamic device group for use with Autopilot, follow these steps:
1. Sign into the Microsoft Intune admin center.
2. In the Home screen, select Groups in the left-hand pane.
3. In the Groups | All groups screen, make sure All groups is selected, and then select New group.
4. In the New Group screen that opens:
   1. For Group type, select Security.
   2. For Group name, enter a name for the device group.
   3. For Group description, enter a description for the device group.
   4. For Microsoft Entra roles can be assigned to the group, select No.
   5. For Membership type, select Dynamic Device. Setting the Membership type option to Dynamic Device changes the option Members to Dynamic device members.
   6. For Owners, select the No owners selected link.
   7. In the Add owners screen that opens:
      1. Scroll through the list of objects and select owners for the user group. Alternatively, use the Search bar to search for and select owners of the group.
      2. Once all of the desired owners are selected, select Select.
   8. For Dynamic device members, select Add dynamic query. The Dynamic membership rules screen opens.
   9. In the Dynamic membership rules screen:
      1. Make sure that Configure Rules is selected at the top.
      2. Select Add expression. Rules and expressions can be added that define which devices are added to the device group.
         Rules can be entered in the rule builder via the drop-down boxes. Alternatively, the rule syntax can be entered directly via the Edit option in the Rule syntax section.
         The most common type of dynamic device group when using Windows Autopilot is a device group that contains all Windows Autopilot devices. A dynamic device group that contains all Windows Autopilot devices has the following syntax:
             (device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
         To enter this rule:
         1. Select the Edit option in the Rule syntax section.
         2. Paste the following rule in the Edit rule syntax screen under Rule syntax:
                (device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
         3. Once the rule is pasted in, select OK.
      3. Once the desired rule is entered, select Save on the toolbar to close the Dynamic membership rules window.
      For more information on creating rules for dynamic groups, see Dynamic membership rules for groups in Microsoft Entra ID.
   10. Select Create to finish creating the dynamic device group.
Note
The above steps are creating a dynamic group in Microsoft Entra that is used by Intune and Windows Autopilot solutions. Although the groups can be accessed in the Intune portal, they're Microsoft Entra groups.
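Because the group is a Microsoft Entra group, the same result can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the original article: the group name, description, and mail nickname are hypothetical values, owners are not set, and only the membership rule is taken from this page.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
# Added example. $GroupName, $Description and $MailNickname are hypothetical
# values; $Rule is the membership rule given in this article.
$GroupName    = 'Autopilot-HybridJoin-Devices'
$Description  = 'All Windows Autopilot devices (dynamic membership)'
$MailNickname = 'autopilot-hybridjoin-devices'
$Rule         = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))'

# Delegated scope that allows reading and creating groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Display names are not unique in Microsoft Entra ID, so look first and refuse
# to continue if the name is ambiguous; profiles assigned to the wrong group
# would target the wrong devices.
$found = @(Get-MgGroup -Filter "displayName eq '$GroupName'" `
    -Property id, displayName, groupTypes, membershipRule, membershipRuleProcessingState)
if ($found.Count -gt 1) {
    throw "Found $($found.Count) groups named '$GroupName'; resolve duplicates first."
}

if ($found.Count -eq 1) {
    $group = $found[0]
    # Report drift instead of silently overwriting an existing rule.
    if ($group.GroupTypes -notcontains 'DynamicMembership') {
        Write-Warning "'$GroupName' exists but is an assigned group, not dynamic."
    } elseif ($group.MembershipRule -ne $Rule) {
        Write-Warning "'$GroupName' has a different rule: $($group.MembershipRule)"
    } elseif ($group.MembershipRuleProcessingState -ne 'On') {
        Write-Warning "'$GroupName' rule processing is $($group.MembershipRuleProcessingState)."
    }
} else {
    # Mirrors the portal choices: Security group, Dynamic Device membership.
    # IsAssignableToRole is left at its default (false), matching "No" in the steps.
    $group = New-MgGroup -DisplayName $GroupName -Description $Description `
        -SecurityEnabled -MailEnabled:$false -MailNickname $MailNickname `
        -GroupTypes 'DynamicMembership' -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

# Show what Autopilot profiles and ESP assignments will actually be targeting.
$group | Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState
```

Re-running the script against an existing group only reports differences; it does not change the group.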
Tip
For Configuration Manager admins, device groups are similar to device-based collections. Dynamic device groups are similar to query-based device collections, while assigned device groups are similar to direct membership device collections.
Next step: Configure and assign the Enrollment Status Page (ESP)
Related content
For more information on creating groups in Intune, see the following articles: