Windows Autopilot device preparation user-driven Microsoft Entra join: Create a device group

Windows Autopilot device preparation user-driven Microsoft Entra join steps:

  • Step 3: Create a device group

For an overview of the Windows Autopilot device preparation user-driven Microsoft Entra join workflow, see Windows Autopilot device preparation user-driven Microsoft Entra join overview.

Note

The device group created in this step is specific to Windows Autopilot device preparation. Microsoft recommends creating a device group specifically for use with Windows Autopilot device preparation instead of reusing existing device groups used in other Autopilot scenarios.

Create a device group

Device groups are a collection of devices organized into a Microsoft Entra group. Device groups can be either dynamic or assigned:

  • Dynamic groups - Devices are automatically added to the group based on rules.
  • Assigned groups - Devices are manually added to the group and are static.

Windows Autopilot device preparation uses a device group as part of the Windows Autopilot device preparation policy. Devices are added to the device group specified in that policy automatically during the Windows Autopilot device preparation deployment. Because membership is populated by the deployment rather than by membership rules, the device group specified in the policy needs to be an assigned security group, not a dynamic group.

To create an assigned security device group for use with Windows Autopilot device preparation, follow these steps:

  1. Sign in to the Microsoft Intune admin center.

  2. In the Home screen, select Groups in the left-hand pane.

  3. In the Groups | All groups screen, make sure All groups is selected, and then select New group.

  4. In the New Group screen that opens:

    1. For Group type, select Security.

    2. For Group name, enter a name for the device group, such as Windows Autopilot device preparation device group.

    3. For Group description, enter a description for the device group.

    4. For Microsoft Entra roles can be assigned to the group, select No.

    5. For Membership type, select Assigned.

    6. For Owners, select the No owners selected link.

    7. In the Add owners screen that opens:

      1. Scroll through the list of objects and select the service principal Intune Provisioning Client with AppId of f1346770-5b25-470b-88bd-d5744ab7952c. Alternatively, use the Search bar to search for and select Intune Provisioning Client.

        Note

        • In some tenants, the service principal might have the name of Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppID of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it's the correct service principal.

        • If the Intune Provisioning Client or Intune Autopilot ConfidentialClient service principal with AppId of f1346770-5b25-470b-88bd-d5744ab7952c isn't available either in the list of objects or when searching, see Adding the Intune Provisioning Client service principal.

      2. Once Intune Provisioning Client is selected as the owner, select Select.

    8. Select Create to finish creating the assigned device group.

    Important

    Don't manually add any devices to the device group created in this step by selecting the No members selected link under Members. Devices are automatically added to this device group during the Windows Autopilot device preparation deployment.

Adding the Intune Provisioning Client service principal

If the Intune Provisioning Client service principal with AppId f1346770-5b25-470b-88bd-d5744ab7952c isn't available when selecting the owner of the device group, then follow these steps to add the service principal. These steps use the AzureAD PowerShell module, which Microsoft has deprecated in favor of the Microsoft Graph PowerShell SDK; the equivalent Graph cmdlet is New-MgServicePrincipal.

  1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open a Windows PowerShell command prompt.

  2. In the Windows PowerShell command prompt window:

    1. Install the azuread module by entering the following command:

      Install-Module azuread
      

      If prompted to do so, agree to install NuGet and the azuread module from the PSGallery.

    2. Once the azuread module is installed, connect to Microsoft Entra ID by entering the following command:

      Connect-AzureAD
      
    3. If not already authenticated to Microsoft Entra ID, the Sign in to your account window appears. Enter the credentials of a Microsoft Entra administrator who has permission to create service principals (for example, an account holding the Cloud Application Administrator or Application Administrator role).

    4. Once authenticated to Microsoft Entra ID, add the Intune Provisioning Client service principal by entering the following command:

      New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
      
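The following script is an added example, not part of the original page or Microsoft's documentation. It performs both procedures on this page (ensuring the Intune Provisioning Client service principal exists, then creating the assigned security device group with that service principal as owner) with the Microsoft Graph PowerShell SDK instead of the admin center and the deprecated AzureAD module. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph) and that the signed-in account can consent to the requested scopes. The group name, description and mail nickname are assumed values; only the AppId comes from the page.

```powershell
# Added example (not from the original page): create the Windows Autopilot device
# preparation device group with Microsoft Graph PowerShell and make the Intune
# Provisioning Client its owner. Assumes Install-Module Microsoft.Graph has been run.

$AppId        = 'f1346770-5b25-470b-88bd-d5744ab7952c'            # Intune Provisioning Client (from the page)
$GroupName    = 'Windows Autopilot device preparation device group' # assumed name
$MailNickname = 'AutopilotDevicePrepDevices'                        # assumed; Graph requires one even for non-mail groups

# Application.ReadWrite.All covers creating the service principal,
# Group.ReadWrite.All covers creating the group and adding owners.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.ReadWrite.All' -NoWelcome

# 1. Make sure the service principal is present in the tenant; add it if it is missing.
#    Match on AppId, not display name: the page notes the name differs between tenants.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Host "Service principal for AppId $AppId not found; creating it."
    $sp = New-MgServicePrincipal -AppId $AppId
}
Write-Host "Using service principal '$($sp.DisplayName)' ($($sp.Id))"

# 2. Create the assigned security group. Omitting -GroupTypes makes it an assigned
#    (non-dynamic, non-Microsoft 365) group; leaving IsAssignableToRole unset keeps the
#    "Microsoft Entra roles can be assigned to the group" setting at No, as on the page.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description 'Devices are added automatically by Windows Autopilot device preparation' `
        -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled:$true
}

# 3. Add the service principal as an owner (skipped if it already is one).
$ownerIds = @(Get-MgGroupOwner -GroupId $group.Id | Select-Object -ExpandProperty Id)
if ($ownerIds -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)"
    }
}

# 4. Verify the result matches the page's requirements: assigned security group,
#    not role-assignable, owned by the service principal, and no manually added members.
$group   = Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,GroupTypes,SecurityEnabled,IsAssignableToRole
$owners  = @(Get-MgGroupOwner -GroupId $group.Id | Select-Object -ExpandProperty Id)
$members = @(Get-MgGroupMember -GroupId $group.Id)

[pscustomobject]@{
    GroupId          = $group.Id
    IsAssignedGroup  = -not ($group.GroupTypes -contains 'DynamicMembership')
    IsSecurityGroup  = [bool]$group.SecurityEnabled
    IsRoleAssignable = [bool]$group.IsAssignableToRole   # should be False
    OwnedByIntuneSP  = $owners -contains $sp.Id          # should be True
    MemberCount      = $members.Count                    # should be 0 before deployments start
}
```

The final object is the check a practitioner wants before assigning the policy: a dynamic group or a group without the service principal as owner will not receive devices, and a non-zero MemberCount means someone added devices by hand, which the page says not to do. Keeping the group non-role-assignable matters because the Intune Provisioning Client owns it and adds members without human review.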

Next step: Create a user group

For more information on creating groups in Intune, see the following articles: