Windows Autopilot device preparation user-driven Microsoft Entra join: Create a device group

Windows Autopilot device preparation user-driven Microsoft Entra join steps:

  • Step 3: Create a device group

For an overview of the Windows Autopilot device preparation user-driven Microsoft Entra join workflow, see Windows Autopilot device preparation user-driven Microsoft Entra join overview.

Note

The device group created in this step is specific to Windows Autopilot device preparation. Microsoft recommends creating a device group specifically for use with Windows Autopilot device preparation instead of reusing existing device groups used in other Autopilot scenarios.

Create a device group

A device group is a collection of devices organized into a Microsoft Entra group. Device groups can be either dynamic or assigned:

  • Dynamic groups - Devices are automatically added to the group based on rules.
  • Assigned groups - Devices are manually added to the group and are static.

Windows Autopilot device preparation uses a device group as part of the Windows Autopilot device preparation policy. Devices are added automatically to the device group specified in that policy during the Windows Autopilot device preparation deployment. The device group specified in the policy needs to be an assigned security group.

To create an assigned security device group for use with Windows Autopilot device preparation, follow these steps:

  1. Sign in to the Microsoft Intune admin center.

  2. In the Home screen, select Groups in the left-hand pane.

  3. In the Groups | All groups screen, make sure All groups is selected, and then select New group.

  4. In the New Group screen that opens:

    1. For Group type, select Security.

    2. For Group name, enter a name for the device group, such as Windows Autopilot device preparation device group.

    3. For Group description, enter a description for the device group.

    4. For Microsoft Entra roles can be assigned to the group, select No.

    5. For Membership type, select Assigned.

    6. For Owners, select the No owners selected link.

    7. In the Add owners screen that opens:

      1. Scroll through the list of objects and select the service principal Intune Provisioning Client with an AppId of f1346770-5b25-470b-88bd-d5744ab7952c. Alternatively, use the Search bar to search for and select Intune Provisioning Client.

        Note

        • In some tenants, the service principal might be named Intune Autopilot ConfidentialClient instead of Intune Provisioning Client. As long as the AppId of the service principal is f1346770-5b25-470b-88bd-d5744ab7952c, it's the correct service principal.

        • If the Intune Provisioning Client or Intune Autopilot ConfidentialClient service principal with an AppId of f1346770-5b25-470b-88bd-d5744ab7952c isn't available either in the list of objects or when searching, see Adding the Intune Provisioning Client service principal.

      2. Once Intune Provisioning Client is selected as the owner, select Select.

    8. Select Create to finish creating the assigned device group.

    Important

    Don't manually add any devices to the device group created in this step by selecting the No members selected link under Members. Devices are automatically added to this device group during the Windows Autopilot device preparation deployment.

Adding the Intune Provisioning Client service principal

If the Intune Provisioning Client service principal with an AppId of f1346770-5b25-470b-88bd-d5744ab7952c isn't available when selecting the owner of the device group, follow these steps to add the service principal:

  1. On a device where Microsoft Intune or Microsoft Entra ID is normally administered, open an elevated Windows PowerShell command prompt.

  2. In the Windows PowerShell command prompt window:

    1. Install the Microsoft.Graph.Authentication module by entering the following command:

      Install-Module Microsoft.Graph.Authentication

      If prompted to do so:

      • Agree to install NuGet by entering Y or Yes, or selecting the Yes button.
      • Agree to install from the PSGallery untrusted repository by entering Y or Yes, or selecting the Yes button.

      For more information, see Microsoft.Graph.Authentication and Set-PSRepository -InstallationPolicy.

    2. Install the Microsoft.Graph.Applications module by entering the following command:

      Install-Module Microsoft.Graph.Applications

      If prompted to do so, agree to install from the PSGallery untrusted repository by entering Y or Yes, or selecting the Yes button.

      For more information, see Microsoft.Graph.Applications and Set-PSRepository -InstallationPolicy.

    3. Once the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed, connect to Microsoft Entra ID by entering the following command:

      Connect-MgGraph -Scopes "Application.ReadWrite.All"

      For more information, see Connect-MgGraph.

    4. If not already authenticated to Microsoft Entra ID, the Sign in to your account window appears. Enter the credentials of a Microsoft Entra ID administrator who has permissions to add service principals.

    5. If the Permissions requested window appears, select the Consent on behalf of your organization checkbox, and then select the Accept button.

    6. Once authenticated to Microsoft Entra ID and the required permissions are granted, add the Intune Provisioning Client service principal by entering the following command:

      New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c

      For more information, see New-MgServicePrincipal -BodyParameter.

      Note

      • The following error message is displayed if the Intune Provisioning Client service principal already exists in the tenant:

        New-MgServicePrincipal : The service principal cannot be created, updated, or restored because the service principal name 
        f1346770-5b25-470b-88bd-d5744ab7952c is already in use.
        Status: 409 (Conflict)
        ErrorCode: Request_MultipleObjectsWithSameKeyValue
      • The following error message is displayed if one of the following conditions is true:

        • The account used to sign in with the Connect-MgGraph command doesn't have permissions to add a service principal to the tenant.
        • The -Scopes "Application.ReadWrite.All" argument isn't added to the Connect-MgGraph command.
        • The Permissions requested window isn't accepted.
        • The Consent on behalf of your organization checkbox isn't selected in the Permissions requested window.

        New-MgServicePrincipal : Insufficient privileges to complete the operation.
        Status: 403 (Forbidden)
        ErrorCode: Authorization_RequestDenied
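The following script is an added example, not part of the Microsoft documentation above. It wraps the steps of this procedure so they can be rerun safely: it looks the service principal up by AppId before calling New-MgServicePrincipal (avoiding the 409 Conflict described in the note), reports the 403 case with the likely causes, and then verifies that the device group from the earlier procedure is an assigned security group with the service principal as an owner. It assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Applications and Microsoft.Graph.Groups modules are installed, and the group name is a placeholder to adjust.

```powershell
# Added example (not from the Microsoft docs page). Assumes the Microsoft.Graph
# Authentication, Applications and Groups modules are installed. The group name
# below is a placeholder; the AppId is the one given on the page.
$AppId     = 'f1346770-5b25-470b-88bd-d5744ab7952c'
$GroupName = 'Windows Autopilot device preparation device group'   # assumed name

# Group.Read.All is only needed for the ownership check at the end.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All' | Out-Null

function Register-IntuneProvisioningClient {
    # Look the service principal up by AppId first so a rerun never produces
    # the 409 Request_MultipleObjectsWithSameKeyValue error from the page.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if ($sp) {
        Write-Host "Service principal already present: $($sp.DisplayName) ($($sp.Id))"
        return $sp
    }
    try {
        $sp = New-MgServicePrincipal -AppId $AppId
        Write-Host "Created service principal: $($sp.DisplayName) ($($sp.Id))"
        return $sp
    } catch {
        # 403 Authorization_RequestDenied: wrong account, missing scope, or consent not given.
        if ($_.Exception.Message -match 'Insufficient privileges') {
            throw "Creation denied: reconnect with -Scopes 'Application.ReadWrite.All' using an account that can add service principals, and accept the consent prompt."
        }
        throw
    }
}

function Test-AutopilotDeviceGroup {
    param([Parameter(Mandatory)][string]$ServicePrincipalId)
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found." }
    $problems = @()
    # The page requires an assigned security group: security-enabled, not dynamic.
    if (-not $group.SecurityEnabled) { $problems += 'not a security group' }
    if ($group.GroupTypes -contains 'DynamicMembership') { $problems += 'membership is dynamic, must be Assigned' }
    # Ownership by the provisioning client is what lets devices be added automatically.
    $owners = Get-MgGroupOwner -GroupId $group.Id
    if ($owners.Id -notcontains $ServicePrincipalId) { $problems += 'Intune Provisioning Client is not an owner' }
    if ($problems) { Write-Warning ('Group check failed: ' + ($problems -join '; ')); return $false }
    Write-Host "Group '$GroupName' is an assigned security group owned by the provisioning client."
    return $true
}

$sp = Register-IntuneProvisioningClient
Test-AutopilotDeviceGroup -ServicePrincipalId $sp.Id
```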

Next step: Create a user group

For more information on creating groups in Intune, see the following articles: