Microsoft Intune This book section is for MS Intune related documentations Dynamic Device Group for Company-Owned Windows Devices Field Details Document Type How-To Guide - Create a Dynamic Group Runbook Applies To Microsoft Entra ID & Microsoft Intune Audience 2nd Line, Entra ID & Intune Admin Author AK. Udofeh Last Updated Nov 2025 Overview This document explains how to create a dynamic device group in Microsoft Entra ID (formerly Azure AD) that automatically includes all Company-owned Windows devices that are Microsoft Entra-Joined. This group can then be targeted for Intune policies. Key properties used Devices: Windows 10 and Windows 11 Enrollment: Manual Microsoft Entra join by users Ownership: Company (Corporate-owned) Management: Intune-managed (MDM) Goal: Automatically group these devices without manual assignment. Steps to Create the Dynamic Device Group Sign in to Entra Admin Center Go to Intune Admin Center Microsoft Intune admin center Navigate to Groups > All Groups. Click + New Group. Group type: Security Group name: Corporate Windows Devices Membership type: Dynamic Device Add Dynamic Membership Rule Under Dynamic membership rules, click Edit. Choose Rule syntax and paste the following:  (device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAD") and (device.deviceOwnership -eq "Company") and (managementType -eq "MDM") Rule Breakdown device.deviceOSType -eq "Windows" -  Includes Windows devices only. device.trustType -eq "AzureAD"  -  Ensures the device is Microsoft Entra-Joined (not hybrid or registered only). device.deviceOwnership -eq "Company" -  Filters for University-owned devices. managementType -eq "MDM" - Includes devices managed by MDM (Intune), excludes None and co-managed hybrid devices (MDM/AD) in most cases. Limitation: Some co-managed or misreported devices may still appear; manual validation may be required. Validate and Save Click Validate Rules to confirm matching devices. Save and create the group. Common Device Attributes & Values Property Value Meaning device.trustType AzureAD Microsoft Entra joined (cloud-only)   ServerAD Hybrid joined (on-prem AD + Entra)   Workplace Registered only (personal/BYOD) device.deviceOwnership Company Corporate-owned device   Personal User-owned device device.deviceOSType Windows Windows OS devices only   managementType   MDM   MDM/AD Unknown Managed via Intune or another MDM Hybrid-managed Not managed device.deviceCategory Type in your device category name This depends on the category name that has been provisioned already Dynamic groups are evaluated automatically whenever device properties change. Ensure devices are marked as Company-owned during or after enrollment. Combine a broad dynamic device group with compliance/enrollment policies and manual validation to ensure only Intune-managed devices receive policies. HOW TO: Join a Windows Computer to Microsoft Intune Field Details Document Type How-To Guide - Join a Windows Computer to MS Intune Runbook Applies To Microsoft Entra ID & Microsoft Intune Audience 2nd Line, Entra ID & Intune Admin Author AK. Udofeh Last Updated Nov 2025 Overview This guide details the steps to follow to join a Company-owned Windows computer to Entra ID (formerly known as Azure AD). Joining a device to Microsoft Entra ID enables a secure Single Sign-On (SSO) experience to Corporate Apps, policy-based device management via Intune, and access controls via Entra ID Conditional Access Policy. It also allows Administrators to enforce compliance, manage updates, and remotely wipe lost or stolen devices. The device must be Windows 10 or 11 Pro, Enterprise or Education. The device must have internet access to reach Microsoft Entra services during the join process. User must sign in with the Organisation's account, and the account must have permissions to join devices. If another MDM agent (or on-prem AD join with GPO) is active, joining may fail or cause conflicts. Your old workgroup profile will be separate from the new Entra ID profile, and some personalisation may be lost. As such, you may want to move your data in the Downloads, Documents, and Desktop folders and export your Internet browser bookmarks, saved passwords and store the backup files in OneDrive or Box Cloud Storage before starting the device join process. You may have to install Company Portal from Microsoft Store if it is not already installed on your device. Bonus: You may want to follow these links for a guide on how to export and restore your browser bookmarks and saved passwords. HO W TO: Export & Import Microsoft Edge Browser Password HOW TO: Export & Import Microsoft Edge Browser Bookmarks HOW TO: Export & Import Chrome Browser Passwords HOW TO: Export & Import Chrome Browser Bookmarks Step 1: Click the Start menu on the Taskbar > type “Company Portal” in the search bar and click on the Company Portal App to open. Step 2: Click “Sign in”. Step 3: Type in your username and click Next. Step 4: Type in your password and click Sign in. Step 5: Type in the number shown into your Authenticator App to verify your log in. Step 6: Click “Yes” to register your device with Entra ID. Step 7: Click “Yes” to enrol your device for management in Intune. Step 8: Allow the registration process to complete Step 9: Select the category for this device (if unsure, please reach out to Helpdesk) Step 10: Device enrolment successfully completed. Step 11: You will need to "switch users" to log in to your new Organisation's account on your device. Click “Start” Menu > click your current user account > click three-dot menu > click “Switch user”. Step 12: Click “Other user” to sign in with your Organisation's domain account. Step 13: Type in your Organisation's domain account and password. Step 14: Viola, you’re now in.