If you’re working with Microsoft Intune, I assume you deploy new updates, configurations or applications gradually, using different ring groups to roll these out and avoid an outage caused by a change.
Today, I share an approach to creating device ring groups for your ring deployments.
Let’s say we want to gradually roll out Windows Feature updates in a wave of 5 different groups. For that we need 5 different (device) groups. The first group contains our own devices and those of our IT colleagues; this is the test group. The second group contains the devices of the early adopters and application owners, who want to test updates, settings and applications as soon as possible (but after the first validation by IT). This is the pilot group. We add devices to these two groups manually.
After these two groups, we need a couple of production groups, to not target all our production devices at once. In this example we use three additional groups for production. The first production group contains a small number of devices (for example ~15%), the second group contains a bigger number of devices (~25%) and the third group contains about 60% of the devices.
It would be nice if these production groups were filled automatically with the production devices. In Entra ID we have dynamic groups available, and we can fill these groups with queries based on all kinds of information. We could, for example, add devices based on the device name. But in some environments that’s not a great option for dynamic groups, because the name contains the serial number. If you, for example, buy a large number of devices at once, these have about the same serial number, and the devices all end up in the same group. To overcome that situation, we need to fill our groups based on something else. What about using the device ID of the devices? These are always unique, unlike device names when using random names.
The logic behind the dynamic groups
Device IDs seem a good option to use when building our dynamic groups. We can build our queries to filter on company owned Windows devices and the starting number or letter of the device ID.
The device IDs follow a standardized format, which uses hexadecimal characters. Therefore the device IDs only contain digits (0-9) and the (lower case) letters a-f. If I count correctly, this means our device IDs can start with 16 different digits/letters.
Assuming that the initial numbers and letters are approximately evenly distributed, each initial character represents about 6,25% of our devices (do you still follow me 😊).
So, if we create a query like (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceId -startsWith "0"), that group should contain approximately 6,25% of our Windows devices. With that in mind, we can build dynamic groups of various sizes.
Ring groups
In the query we filter not only on the deviceId, but also on deviceOSType, deviceOwnership and deviceManagementAppId. I think the first two don’t need an explanation, but deviceManagementAppId might. We filter on deviceManagementAppId not equal to null, to filter out devices that don’t have a Management App ID (and so are not MDM managed). These devices are not found in every Entra environment, but when using hybrid join, for example, you might find devices without a Management App ID.
As described, for this example we set up five different ring groups:
Group | Number of devices | Group type | Dynamic query |
Ring 1 – Test | | Assigned | Not applicable |
Ring 2 – Pilot | | Assigned | Not applicable |
Ring 3 – Production | ~12,5% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and ((device.deviceId -startsWith "0") or (device.deviceId -startsWith "1")) |
Ring 4 – Production | ~25% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and ((device.deviceId -startsWith "2") or (device.deviceId -startsWith "3") or (device.deviceId -startsWith "4") or (device.deviceId -startsWith "5")) |
Ring 5 – Production | ~62,5% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and ((device.deviceId -startsWith "6") or (device.deviceId -startsWith "7") or (device.deviceId -startsWith "8") or (device.deviceId -startsWith "9") or (device.deviceId -startsWith "a") or (device.deviceId -startsWith "b") or (device.deviceId -startsWith "c") or (device.deviceId -startsWith "d") or (device.deviceId -startsWith "e") or (device.deviceId -startsWith "f")) |
*The percentage of devices is an estimate. When assigning these groups to items in Intune, we need to exclude the first 2 groups, so these numbers are still deducted from the total. But that’s for another blog post.
Eswar Koneti informed me on X that we are also able to use regular expressions (regex) in the queries. Using regex simplifies the query when we query for a lot of characters. In the above example we used ((device.deviceId -startsWith "0") or (device.deviceId -startsWith "1")); with regex this would be simplified to (device.deviceId -match "^[01].*"). So certainly with queries that need to match character x, or y, z etc., this simplifies the query.
Nick Benton dives way deeper into this topic and the use of regex, so also check his blog post.
If we change the queries a little bit by shifting the starting characters of the deviceId, the percentages look a bit different. So change these to your own needs. Here are other examples, this time using regex:
Group | Number of devices | Group type | Dynamic query |
Ring 1 – Test | | Assigned | Not applicable |
Ring 2 – Pilot | | Assigned | Not applicable |
Ring 3 – Production | ~20% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and (device.deviceId -match "^[012].*") |
Ring 4 – Production | ~30% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and (device.deviceId -match "^[34567].*") |
Ring 5 – Production | ~50% | Dynamic | (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") and (device.deviceManagementAppId -ne null) and (device.deviceId -match "^[89abcdef].*") |
The above queries can be added to your own dynamic queries.
Change the queries and the number of groups to your own needs.
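To check a ring plan before creating the groups, the following added example (not part of the original post) verifies that the leading-character sets are disjoint and cover all 16 hexadecimal characters, computes each ring's expected share, and counts matches over constructed random GUIDs. It assumes Python's `re` behaves like the `-match` operator for these simple patterns; `build_rule`, `check_plan` and `simulate` are hypothetical helper names.

```python
import random
import re
import uuid

HEX = "0123456789abcdef"
BASE = ('(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company") '
        'and (device.deviceManagementAppId -ne null)')

def build_rule(first_chars):
    """Membership rule in the post's regex form for the given leading characters."""
    return f'{BASE} and (device.deviceId -match "^[{first_chars}].*")'

def check_plan(plan):
    """Return the expected share per ring; raise if rings overlap or leave gaps."""
    seen = {}
    for ring, chars in plan.items():
        for c in chars:
            if c not in HEX:
                raise ValueError(f"{ring}: {c!r} is not a lower-case hex character")
            if c in seen:
                raise ValueError(f"{c!r} is in both {seen[c]} and {ring}")
            seen[c] = ring
    missing = sorted(set(HEX) - set(seen))
    if missing:
        raise ValueError(f"no ring matches device IDs starting with {missing}")
    return {ring: len(chars) / 16 for ring, chars in plan.items()}

def simulate(plan, device_ids):
    """Count how many device IDs each ring's regex would match."""
    patterns = {ring: re.compile(f"^[{chars}].*") for ring, chars in plan.items()}
    counts = dict.fromkeys(plan, 0)
    for device_id in device_ids:
        for ring, pattern in patterns.items():
            counts[ring] += bool(pattern.match(device_id))
    return counts

# The regex plan from the second table above.
PLAN = {"Ring 3": "012", "Ring 4": "34567", "Ring 5": "89abcdef"}
# Constructed sample: 16,000 random GUIDs standing in for exported device IDs.
_rng = random.Random(2024)
SAMPLE_IDS = [str(uuid.UUID(int=_rng.getrandbits(128))) for _ in range(16000)]

if __name__ == "__main__":
    shares = check_plan(PLAN)
    counts = simulate(PLAN, SAMPLE_IDS)
    for ring in PLAN:
        print(f"{ring}: expected {shares[ring]:.2%}, sample {counts[ring] / len(SAMPLE_IDS):.2%}")
        print("  " + build_rule(PLAN[ring]))
```

A plan that leaves a hex character unmatched means some production devices never receive the update, so the gap check matters as much as the overlap check.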
Good luck with setting up your ring deployment groups. In follow-up stories we’ll have a look at how we can use these groups in Microsoft Intune.
Thanks for reading!