**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
There are many reasons to use dynamic group membership in Microsoft Endpoint Manager. The one that came up in a customer discussion this week was this:
Mitch, we have a large group of computers that get patched on a regular basis. We are getting ready to push the newest version of Windows 10, but we have several mission-critical machines that we cannot patch until October. Is there a way that we can exclude a list of computers from this patch? All of these computers’ names start with the prefix MC-R.
So you are ready to patch all of your Windows 10 computers, but you do not want to patch any computers with a particular prefix. Let’s put real names to this: In my tenant I have a group called Loyal Order of Water Buffalos. I intend to apply my Windows 10 update ring to this group. There are several computers that belong to members of the group that I do not want to patch. They all have the prefix CL.
Assuming you already have an update ring created (see article), and you already have a group that the update ring will apply to, we need to create a group for all of the devices we want to exclude.
Let’s navigate to our Microsoft Endpoint Manager admin center. In the navigation pane click Groups. Click new Group.
In the New Group screen, make sure the Group type is set to Security. Give the group a name (and description if you like). Under Membership type select Dynamic Device.
Under Dynamic device members click Add dynamic query.
In the Dynamic membership rules screen click in the Property drop-down menu and select displayName.
In the Operator drop-down menu select Starts With.
In the Value field enter the prefix.
While we have the option of adding expressions (by clicking the +Add expression button, with either And/Or options, we are going to keep this rule simple.
The Rule syntax will appear after a few seconds. When it does, click Save.
**NOTE There are so many ways you can make dynamic membership work for you. Scroll through the options in the Property and Operator menus and you will see that you can do all sorts of cool stuff. If, for example, you want to create a group for OS version, or Device Manufacturer, or Device Model, those options are there… as are several others. Look through the list and see how flexible dynamic groups can be!
Back on the New Group screen, click Create.
After a few seconds, the group will have been created.
Now we want to go back to our Windows 10 update rings to add the Exclusion group.
In the navigation pane click Devices, and then select Windows 10 update rings. Select the update ring in question. Under Manage click Properties.
At the bottom of the page, next to Assignments click Edit.
Under Excluded groups click + Add groups.
In the Select groups to exclude sidebar select the group you just created and click Select.
In the Edit Windows 10 update ring page, confirm that your new group is listed under Excluded groups. At the bottom of the page click Review + save.
On the Review + save tab, verify again that the settings are the way you want them and click Save.
There are myriad uses for dynamic group membership, for both devices and for users. This article is only meant to show you where to go to explore what options are available to you, and only one of many ways you can use them. If you have a particular question you would like to ask, feel free to reach out to me with your questions.
Leslie Falor volunteered a couple of months ago to be my copy editor for technical articles for this blog… and I know she reads the articles about hockey (with somewhat less interest) as well. She is one of the driving forces that has kept me blogging every single day for the past six weeks; some days the articles have been longer, others shorter. I have made sure that every day I post something. It is partly in thanks to her. Thank you for your help and remember that any time you want to write another article, I will be happy to share it with my readers! –MDG
Leave a Reply