Device managementIntermediate26 min read

What Does Device group Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A device group is like a folder for computers and mobile devices that need the same settings. IT admins put devices that share a role, location, or purpose into a group. Then they can apply security policies, software updates, and settings to all devices in that group at once instead of one by one. This saves time and helps keep everything consistent.

Commonly Confused With

Device groupvsUser group

A user group contains user accounts, while a device group contains device objects. Policies that configure device settings (like disk encryption or Wi-Fi) must be assigned to a device group. Policies that grant user access to apps or control user behavior under conditional access can be assigned to a user group. These two group types are not interchangeable.

A VPN configuration policy should be assigned to a device group, not a user group. But an app assignment that gives a user access to Microsoft Word can be assigned to a user group.

Device groupvsOrganizational Unit (OU)

An OU is a container in Active Directory that reflects your company's organizational hierarchy and is used with Group Policy in on-premises environments. A device group in Intune is a cloud-based construct that does not depend on your AD structure. OUs are hierarchical (parent-child), while device groups are flat containers that can overlap or be cross-functional.

In on-premises Group Policy, you might link a policy to the 'Sales' OU. In Intune, you could create a dynamic device group that includes all devices with a 'Sales' department tag, regardless of which OU they belong to in AD.

Device groupvsSecurity group

A security group is used to assign permissions to resources (like file shares or cloud apps) and can contain users, devices, or other groups. A device group is a specific type of security group used exclusively for device management in Intune. Not all security groups are device groups, but all device groups in Intune are technically security groups scoped for device objects.

You can create a security group in Azure AD containing users and use it to grant access to a SharePoint site. But to apply a BitLocker policy to devices, you need a security group that is configured as a 'device group' in Intune, meaning it contains only devices.

Device groupvsConfiguration profile

A configuration profile is the set of settings you want to apply (e.g., password length, Wi-Fi config). A device group is the collection of devices that will receive those settings. They work together but are separate concepts. You assign profiles to groups, not to individual devices.

Think of the configuration profile as the instruction manual and the device group as the list of devices that need to follow that manual. You do not give each device its own manual; you give the manual to the whole group.

Must Know for Exams

For the MD-102 (Microsoft 365 Endpoint Administrator) exam, device groups are a core topic that appears in multiple objective domains. The exam measures your ability to plan and implement endpoint management solutions using Microsoft Intune and other Microsoft 365 technologies. Device groups are specifically relevant to the objective 'Plan and manage endpoint devices' and 'Manage security policies and compliance'. You will need to understand the difference between dynamic and static device groups, how to create and configure them, and how to assign policies and profiles to groups.

Exam questions often test your knowledge of membership query rules for dynamic groups. You might be given a scenario where the IT team needs to automatically group all Windows 11 devices that are enrolled in Intune and have a 'Sales' department tag. You will need to construct, or recognize, the correct rule expression using device attributes like deviceOSType, deviceOSVersion, and deviceDepartment. Another common question type involves troubleshooting why a policy is not applying to a device. The root cause might be that the device is not a member of the target group, or that its membership has not updated because the device has not checked in with the Intune service recently.

The MD-102 exam also tests nested group considerations. For instance, if a device is a member of two groups that have conflicting policies, which policy wins? In Intune, the order of conflict resolution is based on the policy type and the last applied policy. You need to know that settings from a group with a higher priority (as defined by the admin) will override settings from a lower-priority group. Questions may present a table of policies and their assigned groups and ask you to determine the effective settings on a device.

Finally, the exam expects you to understand how device groups interact with other features like Windows Update rings, App Protection Policies, and AutoPilot deployment profiles. You might see a question where you must select the most appropriate group type (dynamic vs. static) for a given scenario, such as grouping devices that belong to a specific user group versus grouping devices that are in a specific physical building. Mastering these distinctions is crucial for exam success, as device group questions often appear as part of larger scenario-based items that combine multiple concepts.

Simple Meaning

Imagine you are the coach of a large soccer club with dozens of teams. Each team has players, but not all players need the same instructions. The first-team players need different training drills than the youth team. The goalkeepers need separate practice from the forwards. Instead of giving each player individual instructions every day, you group them. You tell the first team to go to one field, the youth team to another, and the goalkeepers to work with a specialist. You give one set of instructions to each group, and everyone in that group follows those same instructions.

In IT, device groups work the same way. An organization might have hundreds or thousands of computers, phones, tablets, and other devices. The IT team cannot possibly configure each device separately. Instead, they create device groups based on things like department, location, operating system, or what the device is used for. For example, all sales laptops might be in one group, all engineering workstations in another, and all conference room tablets in a third.

The key idea is that a device group is not about the hardware itself, but about how the device is managed. A laptop and a phone can be in the same group if they need similar security policies. A device can even belong to more than one group, depending on the management system. The big benefit is that when the IT team makes a change to a group, every device in that group gets that change automatically. This makes managing large fleets of devices fast, consistent, and less error-prone than handling each device alone.

Full Technical Definition

A device group is a management construct used in modern device management platforms such as Microsoft Intune, Configuration Manager, Jamf, and Workspace ONE. It is a logical container that holds a set of managed device objects based on criteria like operating system version, hardware model, organizational unit, assigned user, or custom tags. Device groups are central to policy-based management because they define the scope of policy application, software deployment, and configuration enforcement.

In Microsoft Intune, device groups are often defined using dynamic membership rules based on Azure Active Directory (now Microsoft Entra ID) device attributes. For example, a dynamic device group might include all devices that have the deviceOSVersion attribute equal to 'Windows 11' and are marked as corporate-owned. These groups update automatically as devices are enrolled or change attributes, ensuring that policies always apply to the correct devices. Static groups, by contrast, consist of manually selected devices and are used when membership must remain fixed.

The relationship between device groups and policies is governed by the concept of 'targeting'. A configuration profile or compliance policy can be assigned to one or more device groups. When a device is a member of a targeted group, the system evaluates whether the device meets the policy requirements and applies the necessary settings. This is often done through a combination of Windows Management Instrumentation (WMI) queries, group policy objects (GPOs) in on-premises environments, or MDM (Mobile Device Management) protocols like OMA-DM (Open Mobile Alliance Device Management) in cloud environments.

Device groups also interact with update rings and feature update policies. In Windows Update for Business, for instance, an update ring defines how and when updates are deployed, and the ring is assigned to a device group. Devices in the same group receive the same update schedule and deferral settings. This enables staged rollouts, where a pilot group gets updates first to verify compatibility before wider deployment.

Real IT implementation often involves a tiered group structure. At the top, there might be a global group that includes all devices for baseline security policies. Lower-level groups apply more specific settings, such as encryption requirements for finance devices or kiosk mode for shared devices. The order of policy evaluation matters: some systems apply the most specific policy, while others merge policies from all groups the device belongs to, with settings determined by a priority or 'last write wins' mechanism. Understanding this hierarchy is critical for avoiding conflicting policies.

Overall, device groups are not just a convenience; they are the backbone of scalable, automated device management in enterprise IT. Without them, managing even a few hundred devices would require constant manual effort and nearly guarantee configuration drift and security gaps.

Real-Life Example

Think of a busy hospital. It has many different kinds of workers with very different technology needs. Doctors need tablets that can quickly access patient records and medical imaging. Nurses need mobile workstations on wheels to update charts and administer medication at the bedside. Administrative staff need desktop computers for billing and scheduling. The hospital's IT department cannot treat all these devices the same way. If they apply the same settings to a doctor's tablet and an admin's desktop, they would cause problems. The tablet might not have enough storage for the software the admin needs, and the desktop might not have the security apps a mobile device requires.

To solve this, the IT team creates device groups. They put all the nursing station computers into one group and apply a policy that locks down the web browser to only hospital-approved sites. They put the doctors' tablets into another group and push a configuration that enables VPN access to the medical records system and installs a specific telemedicine app. They put the administrative desktops into a third group and apply strict password policies and disk encryption rules because those machines store sensitive billing data.

When a new tablet is issued to a doctor, the IT person simply enrolls it in the management system. The device is automatically sorted into the correct group based on its department tag or user role. Immediately, the tablet gets the VPN settings, the telemedicine app, and all the right security policies without anyone having to touch it manually. When the hospital updates its security requirements, they change one policy for the entire doctor tablet group, and every doctor's tablet updates within hours. This approach mirrors the real-world principle of 'manage by exception', you group similar things, set the standard, and then only worry about the devices that don't fit.

Why This Term Matters

Device groups matter because they are the primary tool IT administrators use to scale their management efforts. In a small company with twenty computers, it is possible to configure each machine individually. But once an organization grows beyond a few dozen devices, that approach becomes impossible. Manually configuring each device is time-consuming, error-prone, and inconsistent. One person might forget to apply a critical security update, leaving a vulnerability open. Device groups eliminate this risk by automating the application of policies to every device that meets certain criteria.

From a security perspective, device groups are essential for enforcing compliance. For example, an organization might require that all mobile devices that access email must have a PIN lock and encryption enabled. By placing all mobile email devices into a single group and assigning a compliance policy, the IT team can ensure that any device without a PIN is blocked from accessing email until the user corrects the issue. If a device falls out of compliance, the system can automatically mark it as non-compliant and restrict access to corporate resources.

Operationally, device groups enable efficient troubleshooting and change management. If a new security vulnerability is discovered in a specific version of an operating system, the IT team can create a temporary group for all devices running that version and quickly push a patch or a mitigation script. They do not have to hunt down each device individually. Similarly, when rolling out a new software application, they can first deploy it to a small test group, monitor for issues, and then expand the group to the full organization.

In modern zero-trust security models, device groups play a key role in conditional access policies. A device that is a member of a 'compliant devices' group might be granted access to sensitive data, while a device in the 'non-compliant' group is blocked or limited to basic access. This dynamic, group-based approach is far more manageable than maintaining lists of individual device identities. For any IT professional working with MDM or endpoint management platforms, mastering device groups is not optional, it is a fundamental skill that underpins nearly every management task.

How It Appears in Exam Questions

In the MD-102 exam, device group questions usually fall into three main patterns: scenario-based design, configuration troubleshooting, and policy conflict resolution. Scenario-based questions present a company with certain device management requirements and ask you to choose the correct group type or membership rule. For example: 'A company wants to automatically manage all laptops that are running Windows 11 and are used by the finance department. Which type of device group should they create?' The answer is a dynamic device group with a rule combining deviceOSVersion and deviceDepartment attributes. Another variant might ask you to write the correct rule syntax or select it from multiple choices.

Configuration troubleshooting questions present a situation where a policy is not reaching a device. You must identify why. For instance, 'An Intune administrator created a compliance policy for a static device group. A new device was enrolled, but the policy is not applied. What is the most likely cause?' The answer could be that the new device was not manually added to the static group. Alternatively, if the group is dynamic, the issue might be that the device's attributes do not match the rule, or that the device has not completed its initial sync with Intune. You may also be asked to check the group membership report in the Intune console.

Policy conflict resolution questions show overlapping assignments. For example: 'Device A belongs to Group X and Group Y. Group X has a policy setting 'Require BitLocker' set to Yes. Group Y has the same setting set to Not configured. What is the effective BitLocker setting on Device A?' In Intune, if there is no explicit conflict, the setting from Group X would apply. But if Group Y had set 'Require BitLocker' to No, then a conflict would arise, and the IT admin must know how to resolve it using configuration profiles' priority or by reviewing settings in the 'Monitor' section. These questions test your ability to predict behavior based on group membership and policy assignment rules.

You might also encounter questions that ask about the difference between device groups and user groups. For instance, a scenario might say: 'An admin wants to push a VPN configuration to devices regardless of who is using them. Should they assign the policy to a device group or a user group?' The correct answer is a device group, because the VPN setting is device-specific, not user-specific. Understanding this distinction is important because certain policies like app assignments can be targeted to user groups, while device configuration profiles are typically targeted to device groups. Exam questions deliberately blur these lines to test your knowledge.

Study MD-102

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: Tailspin Toys is a medium-sized company with 500 employees. They have recently adopted Microsoft Intune to manage their Windows 11 laptops and company-owned Android phones. The IT manager, Sarah, wants to ensure that all laptops used by the sales team have a specific VPN profile for secure access to the company CRM. She also wants all Android devices to have a set of kiosk apps that restrict them to only running the company inventory tool.

Sarah decides to use device groups to make this easy. She first creates a dynamic device group called 'Sales Laptops' with a rule that says: (device.deviceOSType -eq 'Windows') and (device.deviceDepartment -eq 'Sales'). Every time a new salesperson joins and their laptop is enrolled, it automatically joins this group. She then creates a VPN configuration profile and assigns it to the 'Sales Laptops' group.

For the Android phones, she creates a static device group called 'Company Android Devices' because only a fixed set of 50 phones are owned by the company. She manually adds those 50 devices. Then she creates a kiosk configuration profile and assigns it to this static group. She double-checks that the Android devices are running the correct OS version to support kiosk mode.

Three months later, the company adds a new salesperson named Mike. Mike's laptop is enrolled in Intune automatically via AutoPilot. Because Mike's user account is in the 'Sales' department, his laptop's deviceDepartment attribute is populated, and it is automatically added to the 'Sales Laptops' group. Within an hour, the VPN profile installs on Mike's laptop without any manual intervention. Sarah is pleased because the device group saved her from having to configure Mike's laptop by hand. At the same time, the company buys five more Android phones for warehouse staff. Sarah adds those five devices to the 'Company Android Devices' group, and the kiosk profile applies instantly.

This scenario shows how device groups, both dynamic and static, allow an admin to manage devices efficiently at scale. Dynamic groups are ideal for large, changing fleets where you want automation. Static groups work well for fixed or small sets of devices that require manual control. The key takeaway is that the choice of group type depends on how often membership changes and whether you can rely on device attributes to determine membership automatically.

Common Mistakes

Using a user group when a device group is needed for a device configuration policy.

User groups assign policies based on the user identity, but device configuration policies like VPN, Wi-Fi, or BitLocker apply to the device itself. If you assign a device configuration policy to a user group, it will not apply because Intune expects the policy to be targeted at device objects.

Always use a device group for any policy that configures settings on the device hardware or operating system. Use user groups only for policies that follow the user, like app assignments or conditional access policies that depend on user identity.

Creating a static group when the device fleet changes frequently.

Static groups require manual addition and removal of devices. If devices are enrolled or retired often, keeping a static group current is tedious and error-prone. Devices that should be managed may be missed, leaving them unsecured.

Use dynamic groups based on device attributes (like OS version, model, or department) so that membership updates automatically as devices change. This ensures all eligible devices are always in the group without manual work.

Assuming policy conflict resolution works the same as in on-premises Group Policy.

In on-premises Active Directory Group Policy, the policy that is applied last (e.g., at the OU level) usually wins. In Intune, conflict resolution is different. If two policies from different groups have conflicting settings, Intune uses a priority system based on the policy type and the order you assign, not the group hierarchy.

In Intune, check the 'Settings catalog' or 'Configuration profiles' tile to see which policies are assigned to a device and their priority order. Use the monitoring features to identify conflicts and adjust assignments to resolve them.

Forgetting that devices must check in to Intune before a group membership change takes effect.

When a device's attributes change (e.g., department tag), the dynamic group membership updates on the server side, but the device does not receive new policies until it checks in. If the device is offline or has a long check-in interval, there can be a delay.

Inform users that policies may take a few hours to apply after a change. For critical updates, use the 'Sync' button in the Intune console or ask users to manually sync their device from the Settings app to trigger an immediate check-in.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where a device is a member of both a dynamic group and a static group, each with conflicting policies. It asks which policy 'wins'. Many learners choose the dynamic group policy because they think it is 'smarter' or newer."

,"why_learners_choose_it":"Learners assume that dynamic groups are more authoritative because they automatically update based on rules. They also misunderstand that in Intune, all groups are equal in terms of how they affect policy application. The type of group (dynamic vs.

static) does not determine policy priority.","how_to_avoid_it":"Remember that in Intune, policy conflict is resolved by the specific policy assignment order, not by group type. Both static and dynamic groups are just containers.

The priority is set when you assign policies, and you can adjust the order in the 'Assignments' tab. Always check the assignment order and the policy's 'overwrite' settings rather than guessing based on group type."

Step-by-Step Breakdown

1

Identify the devices to manage

First, determine which devices need to be managed together. This could be based on operating system (all Windows 11 laptops), department (all engineering workstations), location (all devices in the London office), or any other attribute. This step defines the scope of the group.

2

Choose between dynamic and static group

If your criteria are based on device attributes that are set automatically (like OS type or department tag), choose a dynamic group. The group membership will update automatically as devices are enrolled or changed. If you need precise control over which specific devices are included and the list rarely changes, choose a static group and manually add devices.

3

Create the device group in the management console

In Microsoft Intune, you navigate to 'Groups' in Azure AD (or use the Intune portal). You specify a name and description. For dynamic groups, you write a membership rule using PowerShell syntax or the rule builder. For static groups, you skip the rule and later add members.

4

Define the membership rule (for dynamic groups)

Write a rule that uses device attributes. For example: (device.deviceOSType -eq 'Windows') and (device.deviceManufacturer -eq 'Microsoft'). The rule is evaluated every time a device changes or checks in. Only devices that match all conditions become members. Test the rule using the 'Validate Rules' feature before finalizing.

5

Add members (for static groups)

For static groups, manually select the device objects from the directory. You can search by device name or other attributes. This step must be repeated each time a new device needs to be added, which is why static groups work best for small or stable fleets.

6

Assign policies and profiles to the device group

Navigate to the policy or profile you want to apply (e.g., a compliance policy, a configuration profile, or an update ring). In the 'Assignments' tab, add the device group as a target. You can also assign exclusion groups if certain devices should not receive the policy.

7

Verify and monitor policy application

After assigning the policy, wait for the devices to check in. In Intune, you can monitor the status of the policy per device from the 'Device compliance' or 'Device configuration' sections. Check for success, error, or conflict messages. If a device is not receiving the policy, verify its group membership and check-in status.

Practical Mini-Lesson

Device groups are the backbone of any modern endpoint management strategy. Professionals working with Microsoft Intune, Workspace ONE, or Jamf rely on device groups to automate management at scale. The first practical skill is understanding the difference between dynamic and static group types. In most enterprise environments, dynamic groups are preferred because they reduce manual overhead and prevent configuration drift. However, static groups are useful for piloting new software on a specific set of test devices or for devices that do not have the necessary attributes to populate a dynamic rule.

When creating dynamic groups, you must be careful with attribute values. For example, the deviceDepartment attribute is not populated automatically; it must be set manually on the device or via an enrollment profile. If you expect a dynamic group to work based on department, you must ensure that the attribute is correctly set on every device. Otherwise, devices will not appear in the group, and policies will not apply. In practice, many IT teams use a combination of user-driven attributes and device-driven attributes. For instance, they might use deviceCategory, which is set based on the user's department during enrollment.

Another important practical consideration is the concept of group nesting for policy assignment. In Intune, you cannot nest device groups within other device groups for policy assignment. However, you can assign a policy to multiple groups. If a device belongs to several groups that each have the same policy, the device might receive duplicate or conflicting settings. Professionals need to use the 'Settings catalog' to see which policy has the highest priority. In case of conflict, the policy with the higher priority (lower number in the priority list) wins. Best practice is to keep policies simple and apply the most specific policy to a smaller group and the baseline policy to a larger group.

What can go wrong? A common issue is that a dynamic group has an incorrect rule that inadvertently includes or excludes devices. For example, a rule that checks for deviceOSType -eq 'Windows' might include Windows 10 devices when you only wanted Windows 11. Always test the rule against a sample of devices before applying policies. Another issue is that a device might be a member of a group but not receive a policy because the policy is assigned to a user group, not a device group. This is a frequent misconfiguration. Always double-check the assignment target type in the policy's assignments.

Finally, professionals should know how to audit device group membership. In Intune, you can view the members of a group and see the effective policy status. Regular auditing helps ensure that no device is missing a critical security policy. Using the 'Device compliance' dashboard, you can quickly identify non-compliant devices that may have fallen out of a group due to an attribute change. Keeping device groups well-organized and documented is a mark of a mature IT operation.

Memory Tip

Think 'DAD' for Device groups: Dynamic for Automation, Assign policies to Device groups (not user groups), and always check the effective policy with the Device configuration monitor.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can a device belong to more than one device group?

Yes, a device can be a member of multiple device groups in Intune. This is normal and often intended, because you can assign different policies to different groups for different purposes, such as a baseline security policy from one group and a specific app configuration from another.

Do device groups work for personal (BYOD) devices?

Yes, but only if the personal device is enrolled in management (e.g., as a work profile on Android or with an MDM profile on iOS). The device then becomes a managed object and can be added to a device group. However, you may choose to keep personal devices in a separate group with limited policies to respect user privacy.

How quickly do dynamic group memberships update?

Dynamic group membership is updated by Azure AD within a few minutes after a device attribute changes or after enrollment. However, the device must also check in with Intune to receive policies. The check-in interval varies but typically occurs every 8 hours for Windows devices. A manual sync can speed this up.

What happens if a device matches the rule for a dynamic group but is also in a static group that gets a different policy?

The device will be a member of both groups, and both policies will apply. If there is a conflict, Intune uses the policy priority order to decide which setting takes effect. The group type (dynamic vs. static) does not affect priority. You should check the effective policy on the device to see which setting won.

Can I use device groups to assign apps?

Yes, you can assign apps to device groups. This is common for line-of-business (LOB) apps that should be installed on every device in a specific department. For user-targeted apps, you would typically assign to a user group instead.

What is the difference between a device group and an intune enrollment profile?

An enrollment profile defines how a device is onboarded into management (e.g., enrollment token, settings during setup). A device group determines what policies and configurations the device receives after enrollment. They work together but are separate concepts. The enrollment profile usually assigns the device to a group automatically.

Summary

A device group is a foundational concept in endpoint management that allows IT administrators to logically organize and manage devices at scale. Instead of configuring each computer, phone, or tablet individually, admins group similar devices together and apply policies, configuration profiles, and software updates to the entire group at once. This saves time, reduces errors, and ensures consistency across the organization. There are two main types of device groups: dynamic groups, which automatically update membership based on device attributes like operating system or department, and static groups, which require manual member management. Each has its best use case.

In the context of the MD-102 exam, device groups are essential. You must understand how to create and manage both dynamic and static groups, write membership rules correctly, and troubleshoot why a policy might not be applying to a device. You also need to know how device groups differ from user groups and security groups, and how policies are resolved when a device belongs to multiple groups with conflicting settings. The exam will test your ability to apply these concepts in realistic scenarios.

The key takeaway for learners is that device groups are not just an administrative convenience, they are a critical control point for security and compliance. In a modern zero-trust environment, the decision to grant or deny access often depends on whether a device is a member of a compliant device group. Mastering device groups will help you pass your exam and make you a more effective IT professional. Always remember that the type of group (dynamic vs. static) does not determine policy priority, and that device groups are for device-specific policies, not user-specific ones.