Create a dynamic Entra ID group for Windows 11 devices

In this post I will share with you how to create an Entra ID group for Windows 11 devices.

Actually there are already many posts about that.

However sometimes existing query I found on posts may failed for some devices.

Indeed the query to filter on Windows 11 devices is the follwing one:

This version is based on the build version of Windows.

This build version is composed as below:

- 10.0.1 for Windows 10 devices

- 10.0.2 for Windows 11 devices

It means Windows 11 devices all start with 10.0.2 whereas Windows 10 devices all start with 10.0.1

See below examples:

- 10.0.19045.5487 is Windows 10 22H2

- 10.0.26100.3194 is Windows 11 24H2

To add a filter on an Entra ID group, we need to play with the deviceOSVersion property.

It will look into the version property from Entra ID.

The issue is that sometimes some Windows 11 devices may be not recognized by the existing below query:

The reason is that for sometimes the build version is written like this 10.0 (22631), as below:

If you use the above query, when you go in the Validate Rules part you will get the below error:

This is because of the "(" character.

To avoid this, the query to use to filter on Windows 11 devices is:

In our example we want to filter as below:

- Windows 11 devices

- Owner is company

- ManagementType is MDM

See below the query:

Now let's create the Entra ID group to gather Windows 11 devices.

Dynamic Entra ID Group for Windows 11

1. Go to Groups

2. Click on New group

3. In Group type, choose Security

4. Type a group name

5. In Membership type, select Dynamic devices

6. Click on Add dynamic query

7. Click on Edit

8. Add the following query

9. Click on OK

10. Click on Save