Create Smart Groups for Wave Deployment of Configurations in Intune

How do you distribute configuration profile, apps or other configurations in Intune today? In this blog I want to explain and provide a script how you can easily roll out objects in Intune using waves. Here I will help you to create groups defined by you that will pack a specified percentage of your devices into the groups so that you can perform a slow rollout and thus guarantee the quality. The current script describes how you can create device groups. If you are also interested in how to apply this to user groups or how to create a automation for the assignment then let me know.

How can I get the script?

You can find the script in my GitHub repository.

What I have to do bevor running the script?

Bevor running the script you have to define the tenant Id, the client secret and the app Id form your app registration. How to create a app registration you can find below.

In addition to this you have to define the group names for the different waves and the percentage how many devices should be added to this group. If you want to have more groups you only have to add the following line:

$groups += '{"GroupName" : "NAME_OF_THE_GROUP" : "NUMBER_OF_PERCENTS"}' | ConvertFrom-Json

Currently the script use all devices as scope. It is very important to add filters to get only the required devices. How to filter is explain below.

How to add filter to the call?

You can find in the script an example filter. But you can filter for more or less all attribute you have within the graph object.
The best way is to create the filter via the graph explorer. For this run an query for and add ?$filter= and add your filter condition. More informations can be found here.


?$filter=operatingSystem eq 'Windows'

How can I create a app registration?

  • Search for Azure Active Directory
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for Group.ReadWrite.All and Device.Read.All
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select a Expires time
  • Click Add
  • Copy and save the Value and the Secret ID

How does it work and how can I use this groups?

The script will create the groups with the size defined by you.

You can attached this groups in new created configuration profiles, apps and all other Intune objects. You can start with the first group to test you configuration on a few devices and attached after one or two days the next group. Finally, you can either append the last group or remove everything else and apply the configuration to all devices. Of course you can also use for the assignment filter

13 thoughts on “Create Smart Groups for Wave Deployment of Configurations in Intune

  1. It works perfectly!. Thank you!. Is there anyway that we can scope this script to a existing AAD group, so that it will add devices only from that group?


  2. Great. I did manage to modify the script to get members from existing AAD group. Thanks a lot. Since we have 9k+ devices, the script runs more than an hour and access token expires, in the mid of third group creation. I am just working on that to refresh/reissue the access token.


Comments are closed.