Creating groups in a new tenant

Best practice recommendations for creating groups in a tenant that has been recently connected to Devicie

Overview

Devicie's configuration content is assigned to devices and users through Microsoft Entra groups. When you first connect a new tenant, we recommend that you create two groups:

  1. Device Group: a dynamic device group whose membership rule matches either a Windows Autopilot group tag or an Intune device category. Create the group first, then tag devices so that they start receiving policies. 
  2. User Group: a standard Entra security group with assigned membership. Create the group and add the users who should receive policies. 

Step by step details on how to set up these two groups are described below. This article also includes recommended steps for creating an Enrollment Status Page (ESP) profile and assigning it to the device group. 

Video tutorial (6:51)


Group 1: Dynamic Device Group

1. Navigate to Azure Portal

Go to the Azure Portal and sign in with an account that is allowed to create groups. Global Administrator is not required for the group steps; the Groups Administrator role is sufficient, so prefer a least-privileged account.

2. Create a Dynamic Device Group

On the left-hand main menu, select Microsoft Entra ID > Groups.

 

Click "New group"


Enter group details

Enter the group details provided below. You will need to click "Add dynamic query" before you can create the group; the query itself is described in the next step. 

Group Type: Security
Group Name: DEVICIE-INTUNE-WIN-Device
Description:
Dynamic group containing Windows devices for Intune management tagged with ‘Devicie’.
Microsoft Entra role assignment: No
Membership Type: Dynamic Device

3. Configure Dynamic Membership Query

Click "Add dynamic query"

Click the "Edit" option at the top right of the "Rule syntax" box, at the bottom of the page:

Enter the following query. It adds any device whose Windows Autopilot group tag starts with "Devicie" (Autopilot group tags are surfaced in Entra as a devicePhysicalIds entry prefixed with "[OrderID]:"), and it also adds any Intune-managed device whose device category is "Devicie". Note that when more than one device category exists in the tenant, users are prompted to pick a category when they enrol through Company Portal, so the category clause lets an enrolling user opt a device into this group and its policies; keep "Devicie" as the only category, or rely on the group tag alone, if that matters in your environment.
(device.devicePhysicalIds -any (_ -startsWith "[OrderID]:Devicie")) -or (device.deviceCategory -eq "Devicie")

Click Save to apply the query

Create the group.
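The same group can be created with Microsoft Graph PowerShell instead of the portal. The following is an added example and not part of the Devicie article; it assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Group.ReadWrite.All scope. The group name, description and rule are the ones given above.

```powershell
# Added example (not from the Devicie article): create the dynamic device group
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and an
# account that can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

$displayName = 'DEVICIE-INTUNE-WIN-Device'
$description = "Dynamic group containing Windows devices for Intune management tagged with 'Devicie'."

# Identical to the rule entered in the portal: an Autopilot group tag that starts
# with "Devicie" (stored in devicePhysicalIds as "[OrderID]:<tag>") OR the Intune
# device category named "Devicie".
$rule = '(device.devicePhysicalIds -any (_ -startsWith "[OrderID]:Devicie")) -or (device.deviceCategory -eq "Devicie")'

# Idempotent: reuse an existing group with this name rather than creating a second
# group that would end up with its own, conflicting, policy assignments.
$group = Get-MgGroup -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $group) {
    # IsAssignableToRole is left at its default (false): this group carries Intune
    # policy, not Entra roles, and role-assignable groups cannot be dynamic anyway.
    $group = New-MgGroup -DisplayName $displayName `
        -Description $description `
        -MailEnabled:$false `
        -MailNickname ($displayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created $displayName ($($group.Id))"
} else {
    Write-Host "Reusing $displayName ($($group.Id))"
}

# Verify what was actually stored: the rule text and that rule processing is on.
# A paused rule ("Paused" state) silently stops devices from ever joining.
$check = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
if ($check.MembershipRule -ne $rule) { throw "Stored rule differs from the expected rule: $($check.MembershipRule)" }
if ($check.MembershipRuleProcessingState -ne 'On') { throw "Rule processing is not on for $displayName" }
Write-Host "Rule OK and processing is on"
```

Membership evaluation is asynchronous, so the group will be empty until devices have been tagged and Entra has re-evaluated the rule; the check here is only that the stored rule matches what you intended.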

4. Tag device(s) to add to the group 

To add devices to this group using group tags, you will need to set the group tag on the device's Windows Autopilot registration. This requires the devices to be registered with Windows Autopilot; the device category route described further below instead requires the device to already be enrolled in Intune.

As part of tenant preparation, we recommend blocking personal devices from enrolling into Intune. Corporate devices therefore need to be imported into Windows Autopilot using their hardware ID (hardware hash) before they can enrol. That import process is not covered in this article.

Once the relevant devices are available in Intune, you will need to tag them with a group tag that meets the dynamic group rule configured above (starts with "Devicie"). 

Navigate to Windows Autopilot devices in Intune

Intune > Devices > Enrollment > Windows Autopilot / Devices

Add group tag

Find the relevant devices and add the group tag:

Create device category

Using the Intune portal, navigate to Devices > Device category and click Create.

Give the name Devicie to the category.

Click Next > Next > Create

Add a tag to a device

In the Intune portal, navigate to Devices > Windows, then search for and find the device you want to add the category to.

Click on the device and go to Properties.

From the Device category drop down, select Devicie then click Save.

Check group membership

Navigate back to the settings page of your recently created dynamic device group. You should now see the device you have tagged under the group members view.

Validate dynamic group rule

If needed, you can also validate the dynamic rule, shown below under "Dynamic membership rules > Validate rules".
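Both tagging methods, and the membership check, can be scripted against Microsoft Graph. The following is an added example and not part of the Devicie article; it assumes the Microsoft.Graph module, an account that can consent to the listed scopes, and a placeholder serial number for the device. The serialNumber filter on managedDevices is assumed to be supported in the tenant.

```powershell
# Added example (not from the Devicie article): tag a device both ways the dynamic
# rule matches on (Autopilot group tag, Intune device category) and then confirm
# the device appears in the group. Serial number below is a placeholder.
Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementServiceConfig.ReadWrite.All',   # Autopilot device identities
    'DeviceManagementManagedDevices.ReadWrite.All',  # managed device category
    'Group.Read.All'                                  # membership check
)

$serial    = '1234567890'                 # placeholder: serial of the target device
$groupTag  = 'Devicie'                    # must START with "Devicie" to match the rule
$groupName = 'DEVICIE-INTUNE-WIN-Device'
$graph     = 'https://graph.microsoft.com/v1.0'

# 1. Autopilot group tag. The device must already be registered with Autopilot.
$ap = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/windowsAutopilotDeviceIdentities?`$filter=contains(serialNumber,'$serial')").value)
if ($ap.Count -ne 1) { throw "Expected exactly one Autopilot identity for serial $serial, found $($ap.Count)" }
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/windowsAutopilotDeviceIdentities/$($ap[0].id)/updateDeviceProperties" `
    -Body @{ groupTag = $groupTag }
Write-Host "Group tag '$groupTag' set on Autopilot identity $($ap[0].id)"

# 2. Intune device category (only possible once the device is enrolled and managed).
$category = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceCategories").value) |
    Where-Object { $_.displayName -eq 'Devicie' }
if (-not $category) { throw "Device category 'Devicie' does not exist yet; create it first" }

# Assumption: serialNumber is a supported $filter property on managedDevices here.
$md = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices?`$filter=serialNumber eq '$serial'").value)
if ($md.Count -eq 1) {
    # Setting the category is a $ref PUT to the category's Graph URL.
    Invoke-MgGraphRequest -Method PUT `
        -Uri "$graph/deviceManagement/managedDevices/$($md[0].id)/deviceCategory/`$ref" `
        -Body @{ '@odata.id' = "$graph/deviceManagement/deviceCategories/$($category.id)" }
    Write-Host "Category 'Devicie' set on managed device $($md[0].id)"
} else {
    Write-Host "Device is not enrolled in Intune yet; relying on the Autopilot group tag only"
}

# 3. Membership is evaluated asynchronously, so poll for a few minutes before
#    concluding the rule is wrong. The Entra device object's deviceId equals the
#    Intune managed device's azureADDeviceId (and the Autopilot identity's
#    azureActiveDirectoryDeviceId once the device has joined Entra).
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group $groupName not found; create it first" }
$expectedDeviceId = if ($md.Count -eq 1) { $md[0].azureADDeviceId } else { $ap[0].azureActiveDirectoryDeviceId }

$found = $false
for ($i = 0; $i -lt 10 -and -not $found; $i++) {
    $members = Get-MgGroupMember -GroupId $group.Id -All
    $found = [bool]($members | Where-Object { $_.AdditionalProperties['deviceId'] -eq $expectedDeviceId })
    if (-not $found) { Start-Sleep -Seconds 60 }
}
if ($found) { Write-Host "Device $serial is a member of $groupName" }
else { Write-Warning "Device $serial is not a member yet; use 'Validate rules' on the group to test the rule against it" }
```

If the device has not yet been joined to Entra (it is registered with Autopilot but has not gone through OOBE), there is no Entra device object for the rule to match, so an empty membership at that point is expected rather than a rule problem.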

Group 2: User Group

1. Create a User Group

Navigate back to Microsoft Entra ID > Groups, select "New group".

Enter group details:

Group Type: Security
Group Name: DEVICIE-INTUNE-WIN-User
Description: Assigned user group for Windows users associated with Devicie deployments.
Microsoft Entra role assignment: No
Membership Type: Assigned

Then click "Create" to complete group creation.

2. Add Users

Navigate to the new user group's overview page and click "Add members"

Manually add any relevant users who should receive policies and configurations

Click "Select" and then refresh the page. You should now see the added members:
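The assigned user group and its membership can also be managed with Microsoft Graph PowerShell. The following is an added example and not part of the Devicie article; it assumes the Microsoft.Graph module, an account that can consent to the scopes below, and placeholder user principal names.

```powershell
# Added example (not from the Devicie article): create the assigned user group and
# add members by UPN, re-runnably. The UPNs are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome

$displayName = 'DEVICIE-INTUNE-WIN-User'
$description = 'Assigned user group for Windows users associated with Devicie deployments.'
$upns = @('alice@contoso.example', 'bob@contoso.example')   # placeholders

$group = Get-MgGroup -Filter "displayName eq '$displayName'" | Select-Object -First 1
if (-not $group) {
    # No -GroupTypes means an assigned (static) security group; no mailbox, and
    # IsAssignableToRole stays false because this group only carries Intune policy.
    $group = New-MgGroup -DisplayName $displayName -Description $description `
        -MailEnabled:$false -MailNickname ($displayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled
    Write-Host "Created $displayName ($($group.Id))"
}

# Snapshot current membership so re-running does not fail on duplicate adds.
$currentIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id })

foreach ($upn in $upns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" | Select-Object -First 1
    if (-not $user) { Write-Warning "No user found for $upn; skipping"; continue }
    if ($currentIds -contains $user.Id) { Write-Host "$upn is already a member"; continue }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn"
}

# Verify: every requested UPN should now resolve to a member (same check as the
# portal's member list, but one you can run after each change).
$memberUpns = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
$missing = $upns | Where-Object { $_ -notin $memberUpns }
if ($missing) { Write-Warning "Still missing from $displayName : $($missing -join ', ')" }
else { Write-Host "All $($upns.Count) requested users are members of $displayName" }
```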

Create and Configure Enrollment Status Page (ESP) Profile

1. Navigate to Microsoft Intune Admin Center

Sign into Microsoft Intune Admin Center with administrative credentials.

2. Create ESP Profile

Navigate to Devices > Enrollment > Enrollment Status Page


Click "Create"

Enter profile details:

Name: DEVICIE-PROD-ESP
Description: ESP Profile for production devices tagged with Devicie.

3. Configure ESP Settings

Set desired ESP settings such as blocking device use until apps and profiles are installed, and specifying timeouts.

Recommended Settings

4. Assign ESP to Dynamic Device Group

Under Assignments, select Add groups.
Search and select the group: DEVICIE-INTUNE-WIN-Device.

Click Next. No scope tags are required, so click Next again, then Review + create.

5. Capture ESP GUID

Once the profile is created, select it from the list. The URL in your browser will contain the ESP GUID, formatted similarly to this:

https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/EnrollmentStatusPageMenuBlade/~/overview/profileId/{ESP_GUID}_Windows10EnrollmentCompletionPageConfiguration

Copy and document the {ESP_GUID} for future reference. You will be asked to share it with the Devicie team as part of onboarding or new tenant setup.
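The GUID can be read directly from Graph rather than from the browser URL, and the assignment to the device group can be checked at the same time. The following is an added example and not part of the Devicie article; it assumes the Microsoft.Graph module and an account that can consent to the scopes below. The profile and group names are the ones used earlier on this page.

```powershell
# Added example (not from the Devicie article): find the ESP profile by name via
# Microsoft Graph, extract the GUID that the portal URL shows, and make sure it is
# assigned to the dynamic device group.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All', 'Group.Read.All' -NoWelcome

$espName   = 'DEVICIE-PROD-ESP'
$groupName = 'DEVICIE-INTUNE-WIN-Device'
$graph     = 'https://graph.microsoft.com/v1.0'

# ESP profiles are deviceEnrollmentConfigurations of the EnrollmentCompletionPage type.
$configs = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceEnrollmentConfigurations").value)
$esp = @($configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' -and
    $_.displayName -eq $espName
})
if ($esp.Count -ne 1) { throw "Expected one ESP profile named $espName, found $($esp.Count)" }
$esp = $esp[0]

# The id has the form "<GUID>_Windows10EnrollmentCompletionPageConfiguration", the same
# value that appears in the portal URL; the GUID is the part before the underscore.
$espGuid = ($esp.id -split '_')[0]
if ($espGuid -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw "Unexpected ESP id format: $($esp.id)"
}

$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group $groupName not found; create it first" }

# Read the current assignments before touching them: the assign action replaces the
# whole assignment set, so any existing targets must be re-sent alongside the new one.
$assignments = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceEnrollmentConfigurations/$($esp.id)/assignments").value)
$alreadyAssigned = [bool]($assignments | Where-Object { $_.target.groupId -eq $group.Id })

if (-not $alreadyAssigned) {
    $targets = @($assignments | ForEach-Object { @{ target = $_.target } })
    $targets += @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/deviceManagement/deviceEnrollmentConfigurations/$($esp.id)/assign" `
        -Body @{ enrollmentConfigurationAssignments = $targets }
    Write-Host "Assigned $espName to $groupName"
} else {
    Write-Host "$espName is already assigned to $groupName"
}

# Record what the Devicie team will ask for, plus the portal URL it came from.
[pscustomobject]@{
    EspName   = $espName
    EspGuid   = $espGuid
    PortalUrl = "https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/EnrollmentStatusPageMenuBlade/~/overview/profileId/$($esp.id)"
    Assigned  = $groupName
}
```

Because the ESP profile also carries a priority relative to the default profile, confirm in the portal that DEVICIE-PROD-ESP sits above the default ESP after assignment; the script only verifies the group assignment, not the ordering.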