
Use groups to manage users and devices in Windows Intune

Updated: June 30, 2014

Applies To: Windows Intune

Groups in Windows Intune give you great flexibility for managing your devices and users. You can set up groups to suit your organizational needs (for example, by geographic location, department, or hardware characteristics).

To create and manage groups, you use the Groups workspace in the Windows Intune administrator console. The Groups Overview page contains status summaries that help you identify and prioritize issues that require your attention for:

  • Alerts

  • Software updates

  • Endpoint Protection

  • Policy

  • Software management

Additionally, a hierarchical view of your groups is shown, which lets you view status summaries and identify and resolve problems for the members of a selected group.

Windows Intune provides eight built-in groups that you cannot edit or delete:

  • All Users

    • Ungrouped Users

  • All Devices

    • All Computers

    • All Mobile Devices

      • All Direct Managed Devices

      • All Exchange ActiveSync Managed Devices

    • Ungrouped Devices

Keep the following in mind when you plan and create groups:

  • A group can contain either users or devices, but not both.

    • Device groups: This includes both computers and mobile devices. Before you can add a computer to a group, it must be enrolled. Before you can add a mobile device to a group, your environment must be configured to support mobile devices, and the devices must be enrolled, or discovered from Exchange ActiveSync.

    • User groups: A group can contain users from security groups, which are groups that synchronize from your Active Directory. If you do not use Active Directory synchronization, you can manually create these groups.

  • A device or a user can belong to more than one group.

  • A group can include and exclude members based on the following membership rules:

    • Criteria Membership: These are dynamic rules that Windows Intune runs to include or exclude members. These criteria use security groups and other information synchronized from your local Active Directory. When the security group or the synchronized data changes, the group membership can change.

    • Direct Membership: These are static rules that explicitly add or exclude members. The membership list is static.

  • Active Directory Domain Services (AD DS) is not required to create user groups or device groups that include users or computers, but for device groups to include mobile devices, your environment must be configured to support mobile devices.

    Additionally, the devices must be discovered and added to Windows Intune.

  • Every group you create must have a parent group and you cannot change a group’s parent group once the group is created.

  • When adding users or devices to a child group:

    • Child groups are always subsets of the parent group.

    • New members you add to a child group are automatically added to that group's parent group.

    • You cannot add a member to a child group when that member is excluded from the parent group.

  • The membership of a parent group defines the available membership for the child group.

  • When you delete a parent group, all child groups are deleted.

  • You can deploy content and policies to a parent group while excluding deployment to child groups.

  • You can add a specific user or device to a child group that is not a member of the parent group. If you do so, the new group member will be added to the parent group.

    However, you cannot add a member to a child group that is excluded from the parent group.

  • Group membership is recursive. For example:

    • Pat is a member of only one group, the Laptop Users security group.

    • The Laptop Users group is a member of the Approved Users security group.

    • You create a group in Windows Intune that uses a dynamic membership query that includes the members of the Approved Users group. The result is that your Windows Intune user group includes Pat.

To create a device group

  1. In the Windows Intune administration console, click Groups > Overview > Create Group.

  2. Specify a name and optional description for the group, select a device group as the parent group, then click Next.

  3. On the Define Membership Criteria page, select the type of devices the group will include. Additional options to configure the group depend on the type of devices you select:

    • Computer: Specify whether to include all members of the parent group, the Organizational Units you want to include or exclude, and the domains you want to include or exclude. The OU and domain information for a computer is obtained from inventory.

    • Mobile: Specify to include only mobile devices that are managed by Windows Intune, those managed by Exchange ActiveSync, or both.

    • All devices: This option includes all devices with no exclusions based on criteria.

  4. On the Define Direct Membership page, include or exclude individual devices you specify by clicking Browse. If you use the option to select devices that are not in the parent group you specified, those devices are automatically added to the parent group.

  5. On the Summary page, review the actions that will be taken, and then click Finish.

The newly created group can be found in the Groups list, in the Groups workspace, under the parent group. From here, you can also edit or delete the group.

To create a user group

  1. In the Windows Intune administration console, click Groups > Overview > Create Group.

  2. Specify a name and optional description for the group, select a user group as the parent group, then click Next.

  3. On the Define Membership Criteria page, specify whether to include all members of the parent group or to start with an empty group. You can then configure the following criteria:

    • Security groups: Include or exclude members based on the groups of users that you manually configure in the account portal or that synchronize from your local Active Directory. If the membership of a security group changes, membership of user groups based on that security group can also change.

    • Manager: When you synchronize users from your local Active Directory and the user information includes the manager of the user, you can use these criteria to include or exclude users from the group. However, to use a specific manager as criteria, that manager must be a user account that synchronized from your local Active Directory.

  4. On the Define Direct Membership page, include or exclude individual users you specify by clicking Browse. If you use the option to select users that are not in the parent group you specified, those users are automatically added to the parent group.

  5. On the Summary page, review the actions that will be taken, and then click Finish.

The newly created group can be found in the Groups list, in the Groups workspace, under the parent group. From here, you can also edit or delete the group.
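The membership rules above (a child group is always a subset of its parent, direct members added to a child are added to the parent, a member excluded from the parent cannot be added to a child, deleting a parent deletes its children, and criteria membership follows nested security groups recursively, as in the Pat / Laptop Users / Approved Users example) decide which users end up receiving a policy, so it is worth being able to predict effective membership before a deployment. The following is an added example, not Microsoft's code and not the Intune console's own logic: a small Python model of those rules applied to a constructed directory. Only the names Pat, Laptop Users and Approved Users come from the page; the other users, the Contractors security group and the Intune group names are constructed, and the way include and exclude criteria are combined is this model's assumption.

```python
"""Model of the Windows Intune group membership rules described on this page.

Added example (not Microsoft code). Directory contents below are constructed;
only the names Pat, Laptop Users and Approved Users come from the page."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed tenant: every user known to the service, and the synchronized
# security groups (a member may itself be a nested security group).
ALL_USERS = {"Pat", "Chris", "Sam", "Lee"}
SECURITY_GROUPS = {
    "Approved Users": {"Laptop Users", "Chris"},  # contains a nested group
    "Laptop Users": {"Pat"},
    "Contractors": {"Sam", "Chris"},
}


def expand_security_group(name: str, groups=SECURITY_GROUPS, _seen=None) -> set[str]:
    """Users of a security group, following nested groups recursively.
    This is the recursion the page describes: Pat is in Laptop Users, which is
    in Approved Users, so a query on Approved Users reaches Pat."""
    if _seen is None:
        _seen = set()
    if name in _seen:  # circular nesting is possible in AD; never loop forever
        return set()
    _seen.add(name)
    users: set[str] = set()
    for member in groups.get(name, ()):
        if member in groups:
            users |= expand_security_group(member, groups, _seen)
        else:
            users.add(member)
    return users


@dataclass(eq=False)
class IntuneGroup:
    """One Intune user group. Rule order (include criteria, exclude criteria,
    direct include, direct exclude, then restrict to the parent) is an
    assumption of this model."""
    name: str
    parent: IntuneGroup | None = None
    include_all_parent: bool = False                   # "include all members of the parent"
    include_sg: set[str] = field(default_factory=set)  # criteria membership: include
    exclude_sg: set[str] = field(default_factory=set)  # criteria membership: exclude
    direct_include: set[str] = field(default_factory=set)
    direct_exclude: set[str] = field(default_factory=set)
    children: list[IntuneGroup] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)  # parent is fixed at creation

    def available(self) -> set[str]:
        """The parent's membership defines the pool a child may draw from."""
        return self.parent.members() if self.parent else set(ALL_USERS)

    def excludes(self, user: str) -> bool:
        """True when a user is excluded here by direct or criteria exclusion."""
        return user in self.direct_exclude or any(
            user in expand_security_group(sg) for sg in self.exclude_sg)

    def members(self) -> set[str]:
        pool = self.available()
        result = set(pool) if (self.include_all_parent or self.parent is None) else set()
        for sg in self.include_sg:
            result |= expand_security_group(sg)
        for sg in self.exclude_sg:
            result -= expand_security_group(sg)
        result |= self.direct_include
        result -= self.direct_exclude
        return result & pool  # a child is always a subset of its parent

    def add_direct_member(self, user: str) -> None:
        """Direct membership: adding to a child also adds the user up the parent
        chain, unless a parent excludes that user, in which case it is refused."""
        if self.parent is not None:
            if self.parent.excludes(user):
                raise ValueError(f"{user} is excluded from parent group {self.parent.name}")
            if user not in self.parent.members():
                self.parent.add_direct_member(user)
        self.direct_include.add(user)

    def delete(self) -> list[str]:
        """Deleting a parent deletes all of its child groups; returns the names removed."""
        removed = [self.name]
        for child in list(self.children):
            removed += child.delete()
        if self.parent is not None:
            self.parent.children.remove(self)
        return removed


def build_example() -> dict[str, IntuneGroup]:
    """Constructed hierarchy: All Users > Approved (criteria) > Laptop Policy."""
    all_users = IntuneGroup("All Users")
    approved = IntuneGroup("Approved", parent=all_users,
                           include_sg={"Approved Users"}, direct_exclude={"Sam"})
    laptops = IntuneGroup("Laptop Policy", parent=approved,
                          include_all_parent=True, exclude_sg={"Contractors"})
    return {"all_users": all_users, "approved": approved, "laptops": laptops}


def adding_excluded_member_is_refused(group: IntuneGroup, user: str) -> bool:
    """Returns True when the parent's exclusion blocks the direct add."""
    try:
        group.add_direct_member(user)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    g = build_example()
    for grp in g.values():
        print(f"{grp.name}: {sorted(grp.members())}")
```

Running the model shows why the page calls membership recursive: the Approved group only names the Approved Users security group, yet Pat appears in it through the nested Laptop Users group, and the Laptop Policy child then drops Chris through the Contractors exclusion. Adding Lee directly to Laptop Policy also adds Lee to Approved, while adding Sam is refused because Approved excludes Sam. When auditing who will receive a policy, it is the expanded, effective membership that matters, not the security group names listed in the criteria.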

© 2014 Microsoft