Understanding enrollment time grouping

This week is all about one of the key features of Windows Autopilot device preparation: enrollment time grouping. Windows Autopilot device preparation itself is a new iteration of Windows Autopilot and is used to quickly set up and configure new Windows devices. So far, nothing new. The focus of Windows Autopilot device preparation, however, is to further simplify the deployment of Windows devices by delivering consistent configurations, enhancing the overall setup speed, and improving the troubleshooting capabilities. Besides that, it also takes away the requirement of first registering Windows devices with the Windows Autopilot service. Instead, the Windows Autopilot device preparation profile is assigned to users and applied after user authentication during the out-of-box experience (OOBE). That provides a much more flexible process. Another important enhancement of Windows Autopilot device preparation is enrollment time grouping. This post will focus on that feature.

Note: Keep in mind that enrollment time grouping is just a part of the new Windows Autopilot device preparation.

Introducing enrollment time grouping

Enrollment time grouping is focused on providing an easier method to assign apps, PowerShell scripts, and policies by using direct assignments. It relies on a pre-defined static device security group that is used during the Windows Autopilot device preparation process. At the moment that the user authenticates on the Windows device, that device is automatically added to that static device security group. When deploying apps, PowerShell scripts, and policies to that group, the deployment is much quicker and more efficient compared to using a dynamic security group. No more waiting on dynamic updates of the security group in Microsoft Entra. That makes the initial deployment of apps, PowerShell scripts, and policies instant, based on the direct group membership of the device.

The apps and PowerShell scripts that are configured as part of the Windows Autopilot device preparation policy should be assigned to that device group, to make sure that they’re applied during OOBE. Any other apps and PowerShell scripts that are assigned to that device group will be applied after the Windows Autopilot device preparation deployment is completed. The policies that are assigned to that device group will be synced during Windows Autopilot device preparation. The process does not, however, track whether those policies are actually applied during the deployment. At this moment, those policies might apply during deployment, or right after the deployment is completed.

Configuring enrollment time grouping

After becoming familiar with enrollment time grouping, it’s important to look at the configuration. The configuration of enrollment time grouping consists of two basic steps. Step one is creating an assigned group with the right owner, and step two is adding that group to the Windows Autopilot device preparation profile.

Creating the assigned device group

The first step is creating the assigned device group. That group in itself is not that special, but it does require a specific configuration, and that configuration includes the owner of the group. That owner should be configured so that the Windows Autopilot device preparation profile can be used to add devices to that group. The following three steps walk through that process.

  1. Open the Microsoft Intune admin center and navigate to Groups
  2. On the Groups | All groups page, click New group
  3. On the New Group page, as shown in Figure 1, provide the following information and click Create
     • Group type: Select Security as the type of the group
     • Group name: Specify a unique name for the group to distinguish it from other groups
     • Group description: Specify a description for the group to further distinguish it from other groups
     • Microsoft Entra roles can be assigned to the group: Select No to not use this group for role assignments
     • Membership type: Select Assigned as the membership type of the group
     • Owners: Select No owners selected and select the service principal with AppID f1346770-5b25-470b-88bd-d5744ab7952c
     • Members: Members will be added to the group by the Windows Autopilot device preparation profile

Note: Keep in mind that in some tenants the name of the required service principal is Intune Provisioning Client and in others it is Intune Autopilot ConfidentialClient.
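The same group can be created and checked from PowerShell. The following is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, and the group name and mail nickname are hypothetical. It looks up the service principal by AppID rather than by display name, because the name differs between tenants, and then reports whether the group meets the requirements listed above.

```powershell
# Added example: create and validate the enrollment time grouping device group.
# Assumes the Microsoft Graph PowerShell SDK (Groups and Applications modules).
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All'

$appId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'  # AppID from the steps above
$groupName = 'AP-DP-Devices'                          # hypothetical group name
$nickname  = 'apdpdevices'                            # hypothetical mail nickname

# Resolve the owner by AppID; the display name is tenant dependent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "Service principal with AppID $appId not found in this tenant." }

# Reuse the group when it exists; otherwise create an assigned security group.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (@($group).Count -gt 1) { throw "More than one group named '$groupName'." }
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Enrollment time grouping for Autopilot device preparation' `
        -MailEnabled:$false -MailNickname $nickname -SecurityEnabled
}

# Add the service principal as owner when it is not an owner yet.
$ownerIds = (Get-MgGroupOwner -GroupId $group.Id -All).Id
if ($ownerIds -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
}

# Validate the result against the requirements of enrollment time grouping.
$props    = 'id,displayName,securityEnabled,groupTypes,isAssignableToRole'
$check    = Get-MgGroup -GroupId $group.Id -Property $props
$ownerIds = (Get-MgGroupOwner -GroupId $group.Id -All).Id
[pscustomobject]@{
    Group              = $check.DisplayName
    SecurityGroup      = [bool]$check.SecurityEnabled
    AssignedMembership = $check.GroupTypes -notcontains 'DynamicMembership'
    NotRoleAssignable  = -not $check.IsAssignableToRole
    OwnerIsRequiredApp = $ownerIds -contains $sp.Id
}
```

Every property in the output should be True before the group is selected in the device preparation profile.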

Creating the Windows Autopilot device preparation profile

The second step is the pretty straightforward and logical next action to actually use that created group. That can be achieved by creating a Windows Autopilot device preparation profile. Or by editing an existing profile, but that should already contain a group. The following steps walk through the process of creating such a profile, with the focus on the group.

  1. Open the Microsoft Intune admin center and navigate to Devices > Enrollment > Windows > Device preparation profile
  2. On the Device preparation policies page, click New policy
  3. On the Introduction page, read the information and click Next
  4. On the Basics page, provide a unique name and description, and click Next
  5. On the Device group page, as shown below in Figure 2, select the earlier created group and click Next
  6. On the Configuration settings page, configure the required configuration and click Next
  7. On the Scope tags page, configure the applicable scope tags and click Next
  8. On the Assignments page, select the applicable user group for the assignment and click Next
  9. On the Review + create page, review the configuration and click Create

Note: This group can also be used for the assignments of the apps and PowerShell scripts in the configuration.

Experiencing enrollment time grouping

After creating the Windows Autopilot device preparation profile, with the specified group, it’s time to experience the actual enrollment time grouping. That is, of course, not something that is really easy to experience. The easiest would be to just run through the new Windows Autopilot experience and to verify the group membership of the created security group. The device is already added to that group at the beginning of the Windows Autopilot process. That behavior is shown below in Figure 3. Adding the device to that security group already happened a bit earlier, but it clearly shows that it happened at the beginning.

Note: Windows Autopilot device preparation requires Windows 11, version 22H2/23H2 with KB5035942 or later.

More information

For more information about Windows Autopilot device preparation and enrollment time grouping, refer to the following docs.

7 thoughts on “Understanding enrollment time grouping”

  1. Hi Peter,

    Our entire Policy structure is based around Dynamic Grouping, the membership of which is driven off strongly typed DeviceNames. For example, a DeviceName of ‘DIV-TYPE-USRn’ where DIV = Division, TYPE = Desktop, Mobile, Shared, Home and USRn = User Initials and Number.

    My question is – how does this new approach handle the naming of Devices, or doesn’t it?

    At present, we can look at a DeviceName and know exactly how it should be configured based on the name.

    2 –

  2. Hi Peter,

    Great post. I notice in the Device preparation policies\Configuration settings\Join type, ‘Microsoft Entra joined’ is the only option. Do you know if Microsoft will add ‘Microsoft Entra hybrid joined’?

    Thank you

