Adds a group as an include assignment to one or more Intune policies.
# By name (default)
Add-LKPolicyAssignment
-GroupName <String>
-PolicyName <String[]>
[-NameMatch <String>]
[-SearchPolicyType <String[]>]
[-Intent <String>]
[-FilterName <String>]
[-FilterMode <String>]
[-WhatIf] [-Confirm]
[<CommonParameters>]
# Pipeline
Add-LKPolicyAssignment
-GroupName <String>
[-InputObject <PSCustomObject>]
[-Intent <String>]
[-FilterName <String>]
[-FilterMode <String>]
[-WhatIf] [-Confirm]
[<CommonParameters>]
# By ID
Add-LKPolicyAssignment
-GroupName <String>
-PolicyId <String>
[-PolicyType <String>]
[-Intent <String>]
[-FilterName <String>]
[-FilterMode <String>]
[-WhatIf] [-Confirm]
[<CommonParameters>]
For each target policy, fetches the current assignments, appends a group include entry, and writes back the complete assignment set. Policies that already include the group are silently skipped. Performs a scope mismatch check - if the group scope is incompatible with the policy scope, the assignment is skipped with a warning.
The exact display name of the Entra ID group to assign.
Attribute Value Type String Required Yes
One or more policy name patterns.
Attribute Value Type String[] Required Yes (ByName)
Attribute Value Type String Default Contains Valid values Contains, Exact, Wildcard, Regex
Restrict the policy name search to specific types.
Attribute Value Type String[] Required No Valid values DeviceConfiguration, SettingsCatalog, CompliancePolicy, EndpointSecurity, AppProtectionIOS, AppProtectionAndroid, AppProtectionWindows, AppConfiguration, EnrollmentConfiguration, PolicySet, GroupPolicyConfiguration, PlatformScript, Remediation, DriverUpdate, App
Attribute Value Type PSCustomObject Pipeline ByValue
Attribute Value Type String Required Yes (ById)
Optional - auto-resolved if omitted.
Attribute Value Type String Required No
The deployment intent for app assignments. Only applies to App policy type.
Attribute Value Type String Required No Valid values Required, Available, Uninstall
Name of an Intune assignment filter to apply to the assignment. Must be used together with -FilterMode.
Attribute Value Type String Required No
Whether to include or exclude devices matching the filter. Must be used together with -FilterName.
Attribute Value Type String Required No Valid values Include, Exclude
Shows what would happen without performing the action.
Attribute Value Type SwitchParameter
Prompts for confirmation before performing the action.
Attribute Value Type SwitchParameter
Property Type Description PolicyName String Modified policy name PolicyType String Normalised type key Action String AssignmentAdded GroupName String Assigned group name GroupId String Assigned group GUID
Add-LKPolicyAssignment -PolicyName "Contoso - Win - SC - Microsoft Edge" -GroupName 'SG-Intune-U-Pilot Users'
Get-LKPolicy -Name "Contoso - TestConfig" | Add-LKPolicyAssignment -GroupName 'SG-Intune-TestDevices'
Get-LKPolicy -Name "Google Chrome" -PolicyType App | Add-LKPolicyAssignment -GroupName 'All Users' -Intent Required
Get-LKPolicy -Name "Windows Update - 24H2" | Add-LKPolicyAssignment -GroupName 'SG-Intune-D-All Devices' -FilterName 'Windows 24H2+ Devices' -FilterMode Include
$mismatches = Test-LKPolicyAssignment | Where-Object Severity -eq 'Mismatch'
foreach ( $m in $mismatches ) {
Remove-LKPolicyAssignment -PolicyName $m . PolicyName -NameMatch Exact `
-SearchPolicyType $m . PolicyTypeId -GroupName $m . GroupName -Confirm : $false
$correctGroup = if ( $m . PolicyScope -eq 'Device' ) {
"SG-Intune-D-Pilot Devices"
} else {
"SG-Intune-U-Pilot Users"
}
Add-LKPolicyAssignment -PolicyName $m . PolicyName -NameMatch Exact `
-SearchPolicyType $m . PolicyTypeId -GroupName $correctGroup -Confirm : $false
}
Performs a scope mismatch check before assigning. To add an exclusion instead, use Add-LKPolicyExclusion .