As Intune Admins you would want to use Intune device groups in order to keep your devices organized and managed.
Dynamic Azure AD groups plays an important part of managing devices and users in your client's environment. The tricky part is to get the queries right for the groups to automatically populate devices and users. In this post I would like to share few queries that are used widely and also based on what I have done for my clients.
Microsoft has a good documentation done if you want to understand dynamic group queries: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership
Device queries
Description | Query |
All Company owned devices | (device.deviceOwnership -eq “Company”) |
All personally owned devices | (device.deviceOwnership -eq “Personal”) |
All devices not managed by a MDM | (device.managementType -ne “MDM”) |
All devices managed by a MDM | (device.managementType -eq “MDM”) |
Windows Device | |
All Windows Devices | (device.deviceOSType -match “Windows”) |
All company owned Windows 10 devices managed by MDM | (device.deviceOSVersion -startsWith "10.0") and (device.deviceOSType -startsWith "Windows") and (device.managementType -eq "MDM") and (device.deviceOwnership -eq "Company") |
All personally owned Windows devices | (device.deviceOSType -eq “Windows”) -and (device.deviceOwnership -eq “Personal”) |
All Windows virtual machines | (device.deviceModel -eq “Virtual Machine”) |
Android | |
All Android devices | (device.deviceOSType -match “Android”) |
All company owned Android devices | (device.deviceOSType -eq “Android”) -and (device.deviceOwnership -eq “Company”) |
All Android Enterprise devices | (device.deviceOSType -match “AndroidEnterprise”) |
All personally owned Android devices | (device.deviceOSType -eq “Windows”) -and (device.deviceOwnership -eq “Personal”) |
IOS | |
All iPhones devices | (device.deviceOSType -eq “IPhone”) |
All Corporate owned iPhone devices | (device.deviceOSType -eq “IPhone”) -and (device.deviceOwnership -eq “Company”) |
All personally owned iPhone devices | (device.deviceOSType -eq “IPhone”) -and (device.deviceOwnership -eq “Personal”) |
macOS | |
All Company owned Mac devices | (device.deviceOSType -eq “MacMDM”) -and (device.deviceOwnership -eq “Company”) |
Autopilot Dynamic Queries
Description | Query |
All Autopilot registered devices | (device.devicePhysicalIDs -any _ -contains “[ZTDId]”) |
A specific device thats autopilot registered | (device.devicePhysicalIDs -contains “[ZTDId]:<enter the device ID>”) |
Autopilot devices with a specific OrderID | (device.devicePhysicalIds -any (_ -eq "[OrderID]:<orderID here>")) |
Autopilot devices that have been enrolled using a specific enrollment profile | (device.enrollmentProfileName -eq “APHybridJoin”) |
Hope the above queries can help you better manage devices. Thank you.