Windows Autopilot group tags make dynamic device management simple. By mapping group tags to Microsoft Entra ID attributes, IT admins can automatically organize devices into security groups during provisioning. This guide walks you step-by-step through creating dynamic groups in Intune using Autopilot group tags, ensuring streamlined enrollment and policy assignment.
If you’re new to Windows Autopilot, you may want to start with the basics of device provisioning. In our guide How to Provision Devices with Windows Autopilot, we walk through the enrollment process step by step. Once devices are provisioned, you can use group tags—as explained in this post—to automatically organize them into dynamic Microsoft Entra ID groups for streamlined management.
Dynamic Membership Rule Expressions for Autopilot Groups
When creating expressions:
- To include all Autopilot devices, use the following syntax:
(device.devicePhysicalIds -any (_ -startsWith “[ZTDid]”))
- To include Autopilot devices with a specific group tag (mapped to the OrderID attribute in Microsoft Entra ID), use:
(device.devicePhysicalIds -any (_ -eq “[OrderID]:179887111881”))
Replace 179887111881 with the actual Group Tag (OrderID) value assigned to your devices.
Step-by-Step: Creating Dynamic Groups in Intune
Follow these steps to create a Microsoft Entra ID group using a Windows Autopilot group tag.
- Open the Microsoft Intune admin portal at https://intune.microsoft.com,
- Navigate to the Groups blade, and select New Group to begin creating your dynamic group.
On the New Group page, provide the following details:
- Group Type: Security
- Group Name: Enter a clear, descriptive name for your group (e.g., Site-XYZ-Devices).
- Group Description: Add a meaningful description that explains the purpose of the group.
- Membership Type: Select Dynamic.
Next, click Add dynamic query to define a dynamic membership rule. The group membership will be automatically populated based on this rule.
On the Dynamic membership rules > Configure Rules page:
- Click the Edit link under Rule syntax.
- Enter the following expression, replacing GroupTag with the actual tag you assigned during Autopilot registration:
(device.devicePhysicalids -any _ -eq “[OrderID]:GroupTag”)
For example: (device.devicePhysicalids -any _ -eq “[OrderID]:WA-Test-PP”)
All the Windows Autopilot devices with the group tag “WA-Test-PP” will become members of the group.
On the Members tab:
- Click the Refresh link.
- The device should now appear in the group, automatically added based on the dynamic membership rule you configured in the previous step
Related Posts
- How to Get AAD Group Members’ Details Using PowerShell SDK for Microsoft Intune Graph API
- Powershell Script to Add Bulk Users / Computers to AD Group
- Dynamic Group Based on Enrollment Profile in Intune
- Deny M365 Apps access from Untrusted Locations | Intune
Subscribe to Techuisitive Newsletter
Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.