Intune (now part of Microsoft Endpoint Manager) can be extremely powerful, but as it always goes, with great power comes great responsibility: a policy assigned to the wrong group lands on every device in that group.
To make sure I'm only targeting the devices I want, I create a few dynamic device groups that I use for various Intune policy targeting.
The dynamic device groups I create are:
- Windows AAD Joined for all the Windows devices joined to Azure AD.
- Windows Hybrid AAD Joined for all the Windows devices that are hybrid joined to Azure AD.
- Windows AAD Registered for all the Windows devices that are registered to Azure AD (Workplace Joined); this is typically BYOD (Bring Your Own Device).
- Windows Personal for all the personal Windows devices.
By creating these groups I can target my Intune policies precisely so they always have the intended outcome.
Here are the dynamic membership rules I use for the dynamic device groups.
Windows AAD Joined
This group is for targeting Windows devices that are joined directly to Azure AD (not hybrid joined and not merely registered).
For Windows AAD Joined I use the following rule syntax.
(device.deviceTrustType -eq "AzureAD") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)
Windows Hybrid AAD Joined
This group is typically only needed if you are mixing on-premises AD-joined devices in with Azure AD; hybrid joined devices report a trust type of ServerAD.
For Windows Hybrid AAD Joined I use the following rule syntax.
(device.deviceTrustType -eq "ServerAD") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)
Windows AAD Registered
Typically this group will be for BYOD. It gathers all of the devices that are registered to Azure AD, aka Workplace Joined, which report a trust type of Workplace.
For Windows AAD Registered I use the following rule syntax.
(device.deviceTrustType -eq "Workplace") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)
Windows Personal
I typically use this group to collect all the personal Windows devices. These are devices whose ownership attribute is set to Personal; they may still be managed by Intune (for example, BYOD enrolled in MDM). Note that this group is based on ownership rather than trust type, so it overlaps with Windows AAD Registered: a registered BYOD device marked Personal lands in both groups, and a policy assigned to either one will reach it.
For Windows Personal I use the rule syntax.
(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)
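As an added example, not code from the original post, here is how the four groups above can be created in one pass with the Microsoft Graph PowerShell SDK, followed by a membership count so you can confirm what each group actually caught before assigning anything to it. The rule text is the post's; the display names, the MailNickname derivation and the use of the Group.ReadWrite.All scope are my assumptions.

```powershell
# Added example: create the four dynamic device groups from the post with Microsoft Graph
# PowerShell. Requires the Microsoft.Graph.Groups module and a caller that can consent to
# Group.ReadWrite.All (assumption: delegated sign-in; an app-only connection works the same).
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Membership rules exactly as in the post. Single quotes keep the inner double quotes intact.
$dynamicGroups = @(
    @{ Name = 'Windows AAD Joined';        Rule = '(device.deviceTrustType -eq "AzureAD") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)' }
    @{ Name = 'Windows Hybrid AAD Joined'; Rule = '(device.deviceTrustType -eq "ServerAD") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)' }
    @{ Name = 'Windows AAD Registered';    Rule = '(device.deviceTrustType -eq "Workplace") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)' }
    @{ Name = 'Windows Personal';          Rule = '(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "Windows") and (device.accountEnabled -eq True)' }
)

$created = @()
foreach ($g in $dynamicGroups) {
    # Idempotent: a second run must not create a duplicate group with the same display name.
    $escapedName = $g.Name -replace "'", "''"
    $existing = Get-MgGroup -Filter "displayName eq '$escapedName'"
    if ($existing) {
        Write-Host "Exists:  $($g.Name) ($($existing.Id))"
        $created += $existing
        continue
    }

    $params = @{
        DisplayName                   = $g.Name
        MailEnabled                   = $false
        # MailNickname must be unique and free of spaces/punctuation (assumed derivation).
        MailNickname                  = ($g.Name -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = 'On'   # 'Paused' would stop evaluation entirely
    }
    $new = New-MgGroup @params
    Write-Host "Created: $($new.DisplayName) ($($new.Id))"
    $created += $new
}

# Check before you target: dynamic membership is evaluated asynchronously, so counts may be
# zero right after creation. Re-run this part later and compare the totals; a device that
# matches more than one rule (e.g. a registered device marked Personal) is counted in each.
foreach ($grp in $created) {
    $members = @(Get-MgGroupMember -GroupId $grp.Id -All)
    Write-Host ("{0,-28} {1,5} members" -f $grp.DisplayName, $members.Count)
}
```

The idempotency check uses a displayName filter only, so if you already have groups with those names for a different purpose, rename the entries in `$dynamicGroups` first. Treat the member counts as the go/no-go gate: assign a policy to a group only after its membership has populated and looks like what you intended, since a rule typo (for example "Workplace" mis-spelled) silently yields an empty group and a policy that never applies.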
Final Notes
With those groups I'm able to safely target exactly what I need very easily. Two things to keep in mind: dynamic membership is evaluated asynchronously, so a newly created group or a changed rule can take a while to fill, and the groups above are not mutually exclusive (Windows Personal is based on ownership, the others on trust type), so review the membership before assigning a restrictive policy.
The use cases and rule syntaxes you can build for dynamic device groups are endless.
If you want to read more, Microsoft's documentation on dynamic membership rules for groups covers the full syntax and the available device properties.