Intune Naming Conventions: Sysadmin Step-by-Step Guide

• An active Microsoft Intune tenant with at least Intune Administrator rights.
• Windows Autopilot configured or planned if you want automated device name templates.
• A shared document (wiki, spreadsheet, or runbook) where your team can record and enforce the agreed conventions.
• Familiarity with the Intune admin center at intune.microsoft.com.
• Optional: an existing on-premises AD or Azure AD group naming scheme to extend.

Step 1: Define Your Naming Principles

Before writing a single name, agree on four ground rules with your team. These principles keep your scheme usable long-term.

• Clarity over cleverness - every token in a name must be immediately obvious to a new team member.
• No sensitive data - never embed employee IDs, personal details, or security-tier labels that could aid an attacker.
• Short and precise - shorter names reduce typos during manual entry and fit within field-length limits.
• Consistent separators - pick one separator character (hyphen is safest across platforms) and use it everywhere.

Document these principles in your runbook before moving on. Skipping this step leads to drift within weeks. When we rolled this framework out across a hybrid tenant, teams that skipped the runbook step were revising group names within a month.

Step 2: Device Naming Conventions for Autopilot Templates

Intune with Autopilot lets you generate device names automatically using two built-in tokens.

%RAND:x%   - inserts a zero-padded random number; replace x with digit count (e.g. 3 = 001-999)
%SERIAL%   - inserts the hardware serial number

Hard limit: 15 characters total. Everything beyond character 15 is cut without warning. Review the Microsoft Docs page on Autopilot device name templates before finalising your pattern.

Two practical patterns that fit within that limit:

# Simple pattern - company prefix plus random number
ACME-%RAND:5%
# Renders as: ACME-00042

# Advanced pattern - location, department, serial fragment
CH-IT-%SERIAL%
# Renders as: CH-IT-FD3648  (verify your serial length fits)

The simple pattern works for single-site organisations. The advanced pattern suits multi-location or multi-department environments where the name alone must identify where a machine belongs.

In our testing, Dell hardware serial numbers frequently ran 7 characters, which leaves just 8 characters for your prefix and separator. Count every character before committing to a template.

Step 3: Standardize Application Display Names

Application names appear directly in the Company Portal, so end users see them every day. Keep names clean and human-readable. Three tiers cover most environments.

# Tier 1 - app name only (recommended default)
Visual Studio Code

# Tier 2 - vendor, app name, language pack info
Microsoft Visual Studio Code MUI

# Tier 3 - vendor, app name, explicit version, language (use sparingly)
Microsoft Visual Studio Code 1.81.0 MUI

Avoid Tier 3 unless you have a hard compliance reason. Intune already stores version data in a dedicated field visible in the portal. Putting the version in the display name means renaming the app on every update cycle, which creates churn and confuses users browsing the Company Portal.

For teams also managing app deployments through other tooling, the Deploy Citrix Workspace App via Intune Enterprise App Catalog guide shows how consistent naming carries through the full deployment workflow.

Step 4: Establish User Account Naming Patterns

Standard user accounts should be predictable and easy to script against. Privileged and service accounts need a role marker so admins can spot them in audit logs without guessing.

# Standard user


# Admin account with role suffix


# Role-based account with abbreviated name (break-glass, service accounts)

Keep the standard format consistent with whatever Azure AD or on-premises UPN format you already use. The goal is zero ambiguity when you see a name in a sign-in log at 2 AM.

Step 5: Build a Group Naming Taxonomy

Groups drive policy and app assignment logic, which makes them the most consequential object to name correctly. A well-structured prefix system makes bulk operations and reporting far easier to manage.

# App assignment groups - device-targeted
INTUNE-DEV-VSCode
INTUNE-DEV-VSCode-install
INTUNE-DEV-VSCode-optional
INTUNE-DEV-VSCode-uninstall

# App assignment groups - user-targeted
INTUNE-USR-MicrosoftTeams

# Device groups by deployment ring or function
INTUNE-DEV-Pilot
INTUNE-DEV-Broad
INTUNE-DEV-Kiosk
INTUNE-DEV-Marketing

# User groups by deployment ring or function
INTUNE-USR-Pilot
INTUNE-USR-All
INTUNE-USR-Marketing

The `INTUNE-` prefix is the most important token here. It instantly separates Intune-managed groups from on-premises synced groups in a hybrid environment.

The DEV vs USR token tells you at a glance whether the group targets devices or user accounts. See the Microsoft Docs page on Intune group naming policy for character limits and reserved-word restrictions that apply to Azure AD group names.

If you are migrating existing mail groups into this taxonomy, the Migrate Distribution Groups to Microsoft 365 with PowerShell guide covers the renaming steps you will need alongside the migration itself.

Step 6: Structure Configuration Profile Naming Conventions

Configuration profile names appear in the Intune admin center, in export files, and in audit logs. Adding OS and department tokens saves real time when you are troubleshooting a policy conflict or reviewing an exported CSV where column headers are not visible.

# Simple - single-purpose, small environment
BitLocker
InternetSecurity

# Medium - OS prefix added
WIN-BitLocker
iOS-WLAN-corpnet

# Advanced - OS, department scope, and purpose
WIN-All-BitLocker
WIN-ICT-BitLocker
AND-RD-MSLauncher

Pick the tier that matches your environment size today. Design the advanced format now even if you skip it for now.

When we migrated a 500-seat tenant to this scheme, moving from undifferentiated profile names to the OS-department-purpose pattern cut average troubleshooting time per policy conflict noticeably - engineers could identify the scope of a profile from the export file alone, without opening the admin center.

Did the Naming Conventions Take Effect?

Verification is quick when you know what to check. Run through each object type before declaring your rollout complete.

• In the Intune admin center, filter the Devices list by name prefix. If your convention is correct, devices group logically without additional filters.
• Open the Company Portal from a test device and confirm that application names display cleanly without version clutter.
• Export a configuration profile list to CSV and verify the OS and department tokens are readable without the admin center column headers.
• Run a sign-in log query in Azure AD filtered to -adm@ UPN suffix. Only admin accounts should appear, confirming your user naming separates roles correctly.
• Ask a team member who was not involved in the design to identify the OS, department, and purpose of five random object names. If they struggle, revisit your tokens.

For environment-wide DNS hygiene that complements your Intune naming work, the DNS-over-HTTPS on Windows Server 2025 setup guide is a useful next step. And if you manage Exchange alongside Intune, the Renew Exchange Server Auth Certificate guide covers the certificate lifecycle tasks that naming conventions alone will not handle.