Group Windows 11 Devices with Intune
All / Azure / Intune / Windows

Group Windows 11 Devices with Intune

jannikreinhard

Once you start treating Windows 11 as a different deployment ring than Windows 10, you’ll need a clean way to scope policies, applications and Conditional Access to “all Windows 11 devices in the tenant” — without manually maintaining a static group. The good news is that Entra ID supports dynamic device groups with rich rule syntax, and you can target Windows 11 by OS version, build number or device-category attribute with a single line of dynamic-membership rule. This post lays out the membership rules I use in production tenants, with examples for Windows 11 21H2 through 23H2 and beyond.

With Windows 11 widely deployed across enterprise estates, you might want to test configurations or apps specifically on Windows 11 devices. For that testing you need a group in Microsoft Entra ID. In this blog I want to show you how to create a dynamic group that contains all Windows 11 devices. I also want to show you how to create a device filter for Windows 11.

Create a dynamic Microsoft Entra ID group for Windows 11

We will now start with the creation of a dynamic Microsoft Entra ID group. Of course you can use this procedure for other groupings based on other attributes.

  • Select Groups
Group Windows 11 Devices with Intune
  • Click + New group
Group Windows 11 Devices with Intune
  • Enter a Group name
  • Select Dynamic Device as Membership type
  • Click Add dynamic query under Dynamic Device Members.
Group Windows 11 Devices with Intune
  • Create the following rule:
(device.deviceOSVersion -startsWith "10.0.2")
  • Select “deviceOSVersion” as Property
  • Select “Starts With” as Operator
  • Insert “10.0.2” as Value
  • Click Save
Group Windows 11 Devices with Intune
  • Click Create
Group Windows 11 Devices with Intune
  • Create the following rule:
(device.deviceOSVersion -startsWith "10.0.2")
  • Open the Group
  • Click Dynamic membership rules
  • Click Validate Rules (Preview)
Group Windows 11 Devices with Intune
  • Click Add devices
  • Select a Windows 11 device
  • Check if the filter fits for the device. You can check this by the green checkmark.
Group Windows 11 Devices with Intune

After a short delay, the devices should appear in the group as members.

Group Windows 11 Devices with Intune

Create a Windows 11 device filter

After creating the dynamic Microsoft Entra ID group we will look at how you can create a filter. This can be useful for user assignments for example.

  • Select Tenant administration
  • Select Filter (Preview)
  • Click + Create
Group Windows 11 Devices with Intune
  • Insert a Name for the filter
  • Click Next
  • Select Windows 10 and later as platform
Group Windows 11 Devices with Intune
  • Select “deviceOSVersion” as Property
  • Select “Starts With” as Operator
  • Insert “10.0.2” as Value
  • Click Next
Group Windows 11 Devices with Intune
  • Click Create
Group Windows 11 Devices with Intune

Conclusion

Although Microsoft kept the underlying version scheme as 10.0.2XXXX rather than switching to 11.X.X, this blog will help you group your Windows 11 devices so you can target them with policies, apps and Conditional Access.

Stay healthy, Cheers
Jannik