Dynamic Device Group for Company-Owned Windows Devices

| Field | Details |
|---|---|
| Document Type | How-To Guide - Create a Dynamic Group Runbook |
| Applies To | Microsoft Entra ID & Microsoft Intune |
| Audience | 2nd Line, Entra ID & Intune Admin |
| Author | AK. Udofeh |
| Last Updated | Nov 2025 |

Overview

This document explains how to create a dynamic device group in Microsoft Entra ID (formerly Azure AD) that automatically includes all Company-owned Windows devices that are Microsoft Entra-Joined. This group can then be targeted for Intune policies.

Key properties used
  • Devices: Windows 10 and Windows 11

  • Enrollment: Manual Microsoft Entra join by users

  • Ownership: Company (Corporate-owned)

  • Management: Intune-managed (MDM)

  • Goal: Automatically group these devices without manual assignment.

Steps to Create the Dynamic Device Group

Sign in to Entra Admin Center
  • Go to the Intune Admin Center (Microsoft Intune admin center).

  • Navigate to Groups > All Groups.

  • Click + New Group.

  • Group type: Security

  • Group name: Corporate Windows Devices

  • Membership type: Dynamic Device

Add Dynamic Membership Rule
  • Under Dynamic membership rules, click Edit.

  • Choose Rule syntax and paste the following:

 (device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAD") and (device.deviceOwnership -eq "Company") and (device.managementType -eq "MDM")

Rule Breakdown
  • device.deviceOSType -eq "Windows" - Includes Windows devices only.

  • device.trustType -eq "AzureAD" - Ensures the device is Microsoft Entra-Joined (not hybrid or registered only).

  • device.deviceOwnership -eq "Company" - Filters for University-owned devices.

  • device.managementType -eq "MDM" - Includes devices managed by MDM (Intune); excludes unmanaged (None) and co-managed hybrid (MDM/AD) devices in most cases.

  • Limitation: Some co-managed or misreported devices may still appear; manual validation may be required.

Validate and Save
  • Click Validate Rules to confirm matching devices.

  • Save and create the group.

Common Device Attributes & Values

| Property | Value | Meaning |
|---|---|---|
| device.trustType | AzureAD | Microsoft Entra joined (cloud-only) |
| | ServerAD | Hybrid joined (on-prem AD + Entra) |
| | Workplace | Registered only (personal/BYOD) |
| device.deviceOwnership | Company | Corporate-owned device |
| | Personal | User-owned device |
| device.deviceOSType | Windows | Windows OS devices only |
| device.managementType | MDM | Managed via Intune or another MDM |
| | MDM/AD | Hybrid-managed |
| | Unknown | Not managed |
| device.deviceCategory | Type in your device category name | This depends on the category name that has been provisioned already |


Dynamic groups are evaluated automatically whenever device properties change.

Ensure devices are marked as Company-owned during or after enrollment.

Combine a broad dynamic device group with compliance/enrollment policies and manual validation to ensure only Intune-managed devices receive policies.
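
To support the manual validation mentioned above, the following added example (not part of the original guide and not Microsoft's rule engine) models the rule as a list of -eq clauses and reports, for each device in a constructed inventory, which clause keeps it out of the group. It assumes every property carries the device. prefix and that string comparison ignores case; the device names and records are invented for illustration.

```python
import re

# The guide's rule, written with the device. prefix on every property.
RULE = ('(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAD") and '
        '(device.deviceOwnership -eq "Company") and (device.managementType -eq "MDM")')
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-eq\s+"([^"]*)"\s*\)')

def parse_rule(rule):
    """Return [(property, expected)] for a rule built only from -eq clauses joined by 'and'."""
    clauses = CLAUSE.findall(rule)
    leftover = re.sub(r"\band\b", "", CLAUSE.sub("", rule), flags=re.IGNORECASE)
    if not clauses or leftover.strip():
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return clauses

def failed_clauses(device, clauses):
    """List the clauses a device fails; an empty list means the device would be a member."""
    failed = []
    for prop, expected in clauses:
        actual = device.get(prop)
        # Assumption: comparison ignores case, and an unset property never matches.
        if actual is None or actual.lower() != expected.lower():
            failed.append(f"{prop}={actual!r} (rule expects {expected!r})")
    return failed

def audit(devices, rule=RULE):
    """Map each device name to the list of clauses that exclude it from the group."""
    clauses = parse_rule(rule)
    return {d["name"]: failed_clauses(d, clauses) for d in devices}

# Constructed sample inventory (hypothetical names; values as listed in this guide).
DEVICES = [
    {"name": "LAB-PC-01", "deviceOSType": "Windows", "trustType": "AzureAD",
     "deviceOwnership": "Company", "managementType": "MDM"},
    {"name": "HYB-PC-02", "deviceOSType": "Windows", "trustType": "ServerAD",
     "deviceOwnership": "Company", "managementType": "MDM/AD"},
    {"name": "BYOD-03", "deviceOSType": "Windows", "trustType": "Workplace",
     "deviceOwnership": "Personal", "managementType": "Unknown"},
    # Enrolled but not yet marked Company-owned: excluded until ownership is set.
    {"name": "NEW-PC-04", "deviceOSType": "Windows", "trustType": "AzureAD",
     "deviceOwnership": None, "managementType": "MDM"},
]

if __name__ == "__main__":
    for name, failed in audit(DEVICES).items():
        print(f"{name}: {'member' if not failed else 'excluded: ' + '; '.join(failed)}")
```

Feeding it an exported device list in place of the constructed records shows which attribute to correct when an expected device is missing from the group.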