User-driven Microsoft Entra hybrid join: Create a device group

• Applies to:

  ✅ Windows 11, ✅ Windows 10

Autopilot user-driven Microsoft Entra hybrid join steps:

• Step 1: Set up Windows automatic Intune enrollment
• Step 2: Install the Intune Connector
• Step 3: Increase the computer account limit in the Organizational Unit (OU)
• Step 4: Register devices as Autopilot devices

• Step 5: Create a device group

• Step 6: Configure and assign Autopilot Enrollment Status Page (ESP)
• Step 7: Create and assign Microsoft Entra hybrid join Autopilot profile
• Step 8: Configure and assign domain join profile
• Step 9: Assign Autopilot device to a user (optional)
• Step 10: Deploy the device

For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview

Note

If you have already created device groups from another Autopilot scenario, you can skip this step and move on to Step 6: Configure and assign Autopilot Enrollment Status Page (ESP). However, if you're deploying multiple different Autopilot scenarios to different devices, separate device groups are required for each Autopilot scenario.

Create a device group

Device groups are a collection of devices organized into a Microsoft Entra group. Device groups are used in Autopilot to target devices for specific configurations such as what policies to apply to a device and what applications to install on the device. They're also used by Autopilot to target Enrollment Status Page (ESP) configurations, Autopilot profile configurations, and domain join profiles to devices.

Device groups can be either dynamic or assigned:

• Dynamic groups - Devices are automatically added to the group based on rules
• Assigned groups - Devices are manually added to the group and are static

When an admin configures Autopilot in an enterprise environment, dynamic groups are primarily used since a large number of devices are normally involved. Adding the devices in automatically using rules makes management of the group a lot easier. Adding a large amount of device in manually via an assigned group would be impractical. However, if there's only a few devices, for example for testing purposes, an assigned group can be used instead.

To create a dynamic device group for use with Autopilot, follow these steps:

1. Sign in to the Microsoft Intune admin center.

2. In the Home screen, select Groups in the left hand pane.

3. In the Groups | All groups screen, make sure All groups is selected, and then select New group.

4. In the New Group screen that opens:

   1. For Group type, select Security.

   2. For Group name, enter a name for the device group.

   3. For Group description, enter a description for the device group.

   4. For Microsoft Entra roles can be assigned to the group, select No.

   5. For Membership type, select Dynamic Device.

   6. For Owners, select users that own the group.

   7. For Dynamic device members (available once Dynamic Device is selected for Membership type), select Add dynamic query. Selecting Add dynamic query opens the Dynamic membership rules screen:

      1. Make sure that Configure Rules is selected at the top.

      2. Select Add expression. Rules and expressions can be added that defines what devices are added to the device group.

         Rules can be entered in the rule builder via the drop-down boxes or the rule syntax can be directly entered via the Edit option in the Rule syntax section.

         The most common type of dynamic device group when using Autopilot is a device group that contains all Autopilot devices. A dynamic device group that contains all Autopilot devices has the following syntax:

         (device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))

         This rule can be entered in by selecting the Edit option in the Rule syntax section and then pasting in the rule in the Edit rule syntax screen under Rule syntax. Once the rule is pasted in, select OK.

      3. Once the desired rule is entered, select Save on the toolbar to close the Dynamic membership rules window.

         For more information on creating rules for dynamic groups, see Dynamic membership rules for groups in Microsoft Entra ID.

5. In the New Group screen, select Create which finishes creating the dynamic group.

Note

The above steps are creating a dynamic group in Microsoft Entra which is used by Intune and Autopilot. Although the groups can be accessed in the Intune portal, they are Microsoft Entra groups.

Tip

For Configuration Manager admins, device groups are similar to device based collections. Dynamic device groups are similar to query based device collections while assigned device groups are similar to direct membership device collections.

Next step: Configure and assign the Enrollment Status Page (ESP)

Step 5: Configure and assign Autopilot Enrollment Status Page (ESP)

More information

For more information on creating groups in Intune, see the following article(s):

• Create device groups
• Add groups to organize users and devices
• Manage Microsoft Entra groups and group membership