I’ve recently started working on validating Windows 11 in my organisation. We manage our devices primarily with Intune now so I need a quick and easy way to identify these devices.
I’m a big fan of using Azure AD Dynamic Groups to reduce admin overhead, and I use these a lot (both Device and User) to help me manage my environment.
I have a standard Windows 10 Dynamic group.
The query used here, (device.managementType -eq "MDM") -and (device.deviceOSType -contains "Windows"), will look for all Windows devices that are Intune managed and add them to this Azure AD group.
However, at this stage, there is nothing to differentiate between Windows 10 and Windows 11 with my existing Dynamic Device query, so I need to come up with something that will do this.
My workaround…
I have created a Windows 11 Dynamic Device group that is very similar to my Windows 10 one, but added the deviceOSVersion property with a value of 10.0.22000 to the query.
I can use this group to target my Windows 11 Configuration Profiles as well as other Intune-related things that would be relevant specifically for Windows 11 (fortunately at this stage, many of my existing Configuration Profiles, Compliance Policies, Apps, Scripts and other Intune components work perfectly fine for Windows 11 – but always test and validate).
In the cases where they won’t, e.g. my Windows 10 Start layout configuration profile, I can use the Windows 11 Dynamic group to exclude this profile from Windows 11 devices.
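The targeting logic described above, modelled as an added example that is not part of the original post: it evaluates both group rules over a constructed device inventory and shows which devices still receive the Windows 10 Start layout profile once the Windows 11 group is excluded. The post does not show the operator used on deviceOSVersion, so a prefix match (like -startsWith) is assumed and compared with an exact match; device names and versions are made up.

```python
# Constructed sample inventory (illustrative values, not real devices).
DEVICES = [
    {"name": "PC-01", "managementType": "MDM", "deviceOSType": "Windows", "deviceOSVersion": "10.0.19043.1237"},
    {"name": "PC-02", "managementType": "MDM", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22000.194"},
    {"name": "PC-03", "managementType": "MDM", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22000"},
    {"name": "PC-04", "managementType": "", "deviceOSType": "Windows", "deviceOSVersion": "10.0.22000.194"},
    {"name": "AND-01", "managementType": "MDM", "deviceOSType": "Android", "deviceOSVersion": "11"},
]

WIN11_VERSION = "10.0.22000"  # value quoted in the post


def in_windows_group(device):
    """Models (device.managementType -eq "MDM") -and (device.deviceOSType -contains "Windows")."""
    return (device["managementType"].casefold() == "mdm"
            and "windows" in device["deviceOSType"].casefold())


def in_windows11_group(device, exact=False):
    """Same rule plus the deviceOSVersion clause (operator is an assumption)."""
    version = device["deviceOSVersion"]
    if exact:
        version_ok = version == WIN11_VERSION          # like -eq
    else:
        version_ok = version.startswith(WIN11_VERSION)  # like -startsWith
    return in_windows_group(device) and version_ok


def members(rule, devices=DEVICES):
    """Names of the devices a rule would place in its group."""
    return [d["name"] for d in devices if rule(d)]


def start_layout_targets(exact=False, devices=DEVICES):
    """Profile assigned to the Windows group with the Windows 11 group excluded."""
    excluded = set(members(lambda d: in_windows11_group(d, exact), devices))
    return [n for n in members(in_windows_group, devices) if n not in excluded]


if __name__ == "__main__":
    print("Windows group:      ", members(in_windows_group))
    print("Windows 11 (prefix):", members(in_windows11_group))
    print("Start layout, prefix match:", start_layout_targets())
    print("Start layout, exact match: ", start_layout_targets(exact=True))
```

The original Windows group still contains every Windows 11 device, which is why the exclusion is needed, and an exact match on the version value misses devices that report a revision suffix.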
I am not sure what Microsoft is planning going forward to help differentiate between these two versions of Windows, but if the versioning number does indeed switch to something like 11.x, it should be a simple case of updating the Windows 11 dynamic device group query.
UPDATE: I’ve made a few changes to some of the configurations – please check out this post for more information.