Recently, I came across an insightful blog post on X (formerly Twitter) by Peter, discussing dynamic group creation for Intune deployments. Inspired by that, I wanted to share my own method—using regular expressions (regex) in Entra ID dynamic groups to build deployment rings based on percentage logic for Intune.
🧩 The Use Case
Imagine managing 3,000 Windows devices across different locations, regions, or countries. You want to stage your Intune deployments in phases—starting with a pilot, then gradually rolling out to production in multiple rings.
Here’s a rollout schedule I prefer (though you can adjust the % as needed):
| Ring name | Group Name | % of devices (~) | Count of devices |
| Pilot | Intune - Dynamic computers - Pilot | 5 | 150 |
| Prod Ring 1 | Intune - Dynamic computers - Ring 1 | 10 | 300 |
| Prod Ring 2 | Intune - Dynamic computers - Ring 2 | 20 | 600 |
| Prod Ring 3 | Intune - Dynamic computers - Ring 3 | 25 | 750 |
| Prod Ring 4 | Intune - Dynamic computers - Ring 4 | 40 | 1200 |
| Total | 100 | 3000 | |
🧠 How Does This Work?
Device object IDs in Entra ID are 32-character hexadecimal strings, ending with a character from (16 combinations): a, b, c, d, e, f, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
That’s 16 unique characters, and each one represents roughly 6.25% of all possible values. So if we match devices whose object IDs end in certain characters, we can approximate a percentage-based split.
Approximate Regex Matches by Percentage
| %(~) | Regex Suffix | Matches Hex Chars |
| 5% | [0]$ or [f]$ | 1 Char |
| 0% | [0f]$ | 2 Char |
| 20% | [0f1]$ | 3 char |
| 25% | [0f12]$ | 4 char |
| 40% | [0f1234]$ | 6 char |
🛠️ Example: Dynamic Group RulesHere’s how the regex-based dynamic rules look for each ring:
| Ring name | Group Name | % of devices | Count of devices | Query (~ based on hex value) |
| Pilot | Intune - Dynamic computers - Pilot | 5 | 150 | (device.deviceId -match "^.*[0]$") |
| Prod Ring 1 | Intune - Dynamic computers - Ring 1 | 10 | 300 | (device.deviceId -match "^.*[0f]$") |
| Prod Ring 2 | Intune - Dynamic computers - Ring 2 | 20 | 600 | (device.deviceId -match "^.*[0f1]$") |
| Prod Ring 3 | Intune - Dynamic computers - Ring 3 | 25 | 750 | (device.deviceId -match "^.*[0f12]$") |
| Prod Ring 4 | Intune - Dynamic computers - Ring 4 | 40 | 1200 | (device.deviceId -match "^.*[0f1234]$") |
| Total | 100 | 3000 | ||
🎯 Real-World Filtering Example
Here’s a full dynamic membership rule for Windows 10/11 devices that:
- Start with OS version
10.0.1or10.0.2 (windows 10 or Windows 11) - Are not MDE Managed
- Belong to the ~5% Pilot ring
- you can also add deviceManagementAppId for devices that are SCCM/Intune managed as well https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
((device.deviceOSVersion -startsWith "10.0.1")
-or (device.deviceOSVersion -startsWith "10.0.2"))
-and (device.deviceOSType -startsWith "Windows")
-and (device.systemLabels -notContains "MDEManaged")
-and (device.deviceId -match "^.*[0]$")
🔍 In My Lab
In my test environment with around 170 devices, using the pilot ring rule (deviceId ends in [0]) results in about 10 devices, which is roughly 6% — as expected.
📸 Screenshot below showing filtered devices in pilot ring:
✅ Summary
This regex-based approach is a simple, scalable way to:
- Divide devices into rollout rings
- Avoid manual tagging or static groups
- Work with native Entra ID (Azure AD) features
You can easily adapt this method for 200, 3,000, or even 100,000 devices — and it works seamlessly with Intune, Windows Autopatch, or Feature Update rings.
2 Comments
Eswar, this is perfect from my testing so far and something I've wanted to work on for a while. It's a great start and I just have to carve out OS types for my environment. Thank you!
Glad it is useful!
Thanks,
Eswar