Windows AutoPilot Devices Azure AD Dynamic Groups Intune

I explained Windows AutoPilot deployment in the previous post. In this post, we will look at another useful tip for enterprise AutoPilot implementations: creating Azure AD (AAD) dynamic device groups from the attributes that a Windows AutoPilot profile assignment puts on the device object.

Windows AutoPilot Profile AAD dynamic device groups let you deploy applications and security policies to each department as part of the device enrollment process, without anyone having to add devices to a group by hand.

[Windows Autopilot Related Posts]

Beginners Guide Setup Windows AutoPilot Deployment
Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices (This post)
Where is AutoPilot Assign Profile Button in Intune Portal
Windows AutoPilot End to End Process Guide

What are AAD Dynamic Device Groups?

AAD dynamic device groups are similar to dynamic device collections in the SCCM world. An Azure AD (AAD) dynamic device group is a set of devices grouped together by a membership rule evaluated against a common attribute value. Such a group can be used to target security policies and applications at a specific set of devices, which makes it a central building block of modern device management with Microsoft Intune.

I have a separate post that goes into more detail on the logic of Azure AD dynamic queries. That post does not cover how to create a Windows AutoPilot Profile AAD dynamic device group, which is what this post walks through.


Video Tutorial – Windows AutoPilot Profile AAD Dynamic Device Groups


Create New Windows AutoPilot Deployment Profile

For this post, I will create an AutoPilot deployment profile to customize the OOBE experience for the end user. At the time of writing, a Windows AutoPilot profile provides only three (3) OOBE options to customize. As shown in the video tutorial, I have created a new AutoPilot profile called "Sales Team Profile".

All the Windows 10 devices from the sales and marketing department will be enrolled using this Sales Team Profile. The same text is used as the group tag (OrderID) on those devices, and that value is what the Windows AutoPilot Profile AAD dynamic device group will match on.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment -> Windows Enrollment
  2. Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
  3. In the Create profile blade, set the name to "Sales Team Profile", click on Out-of-box experience (OOBE) and configure the following:

OOBE customization settings:
  Privacy settings: Hide
  End user license agreement (EULA): Hide
  User account type (Standard or Administrator): Standard User


How to Create Windows AutoPilot Profile AAD Dynamic Device Groups?

Once the Autopilot deployment profile has been created, we can group the devices assigned to "Sales Team Profile" dynamically based on the Azure AD device attribute devicePhysicalIds. For an Autopilot-registered device this multi-valued attribute carries tagged strings such as:

[OrderID]:<group tag>

[PurchaseOrderId]:<purchase order ID>

Note that the deployment profile name is not itself an attribute of the device object. What the membership rule matches is the OrderID (group tag) or purchase order ID that was recorded when the device was registered for Autopilot, so that value has to be populated consistently for the sales devices (in this post the group tag is set to the same text as the profile name, "Sales Team Profile").

So all the devices carrying the matching tag, which are the ones assigned to the Windows AutoPilot deployment profile, will automatically be added to the Azure AD dynamic device group. Let's see how to create Windows AutoPilot Profile AAD Dynamic Device Groups.

Windows AutoPilot Profile AAD Dynamic Device Groups
  1. Navigate via Azure Portal -> Azure Active Directory -> Groups -> All Groups
  2. Click on "+ New Group"
  3. Select Security as Group type
  4. Enter the Group name "Sales Team AutoPilot Group" (any name is fine)
  5. Enter the Group description "Windows AutoPilot Profile AAD group for Sales Dept" (any description is fine)
  6. Select Dynamic Device as Membership type
  7. Click on Add dynamic query under Dynamic Device Members
  8. On the Dynamic Membership Rules blade, select OrderID from the "Add devices where" column
  9. Select the operator Equals
  10. Enter the OrderID for the profile, which is "Sales Team Profile"
  11. Click on the Add query button
  12. Click on the Create button to create an AAD dynamic device group based on the AutoPilot profile
Dynamic membership rules (the syntax the portal generates; the IDs in rules 2 and 3 are example values):
1. (device.devicePhysicalIds -any (_ -contains "Sales Team Profile"))
2. (device.devicePhysicalIds -any (_ -eq "[OrderID]:7856526"))
3. (device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))

Rule 1 is a substring match against every element of devicePhysicalIds, so it only works because the group tag was set to "Sales Team Profile" in step 10, and it would also match any other tag that happens to contain that text. Rules 2 and 3 are exact matches on the full "[Tag]:value" string and are the safer form to use in production.
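The following PowerShell is an added example and not code from the original post. It models how the three rules above (plus the documented "all Autopilot devices" rule on the [ZTDId] tag) select devices, using a small constructed set of device objects whose devicePhysicalIds values are made up, and then wraps the Microsoft Graph PowerShell call that creates the real dynamic group. The group created by the function uses an exact [OrderID] match rather than the -contains rule from the post; the sample device names, IDs and the function name New-AutopilotOrderIdGroup are assumptions for illustration.

```powershell
# Added example, not code from the original post. Evaluates the membership
# rules above locally against constructed sample devices, then wraps the
# Graph call that creates the real dynamic group. Sample IDs are made up.

# Constructed sample: what device.devicePhysicalIds contains for devices
# registered with Windows Autopilot ([ZTDId] is set on every Autopilot
# registration; [OrderID] is the group tag; [PurchaseOrderId] is optional).
$SampleDevices = @(
    @{ DisplayName = 'DESKTOP-SALES01'
       PhysicalIds = @('[ZTDId]:11111111-1111-1111-1111-111111111111',
                       '[OrderID]:Sales Team Profile',
                       '[PurchaseOrderId]:76222342342') }
    @{ DisplayName = 'DESKTOP-SALES02'
       PhysicalIds = @('[ZTDId]:22222222-2222-2222-2222-222222222222',
                       '[OrderID]:7856526') }
    @{ DisplayName = 'DESKTOP-HR01'
       PhysicalIds = @('[ZTDId]:33333333-3333-3333-3333-333333333333',
                       '[OrderID]:HR Profile') }
    @{ DisplayName = 'LAPTOP-BYOD'; PhysicalIds = @() }   # not Autopilot-registered
)

# Local model of "device.devicePhysicalIds -any (_ <op> <value>)".
# 'eq' is whole-string equality on at least one element; 'contains' is a
# substring match on at least one element, which is why a -contains rule on a
# bare value such as "Sales Team Profile" also matches any other tag that
# merely embeds that text.
function Get-RuleMembers {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [string]   $Value,
        [ValidateSet('eq', 'contains')] [string] $Operator = 'eq'
    )
    foreach ($d in $Devices) {
        $ids   = @($d.PhysicalIds)
        $match = switch ($Operator) {
            'eq'       { $ids -contains $Value }
            'contains' { @($ids | Where-Object { $_.Contains($Value) }).Count -gt 0 }
        }
        if ($match) { $d.DisplayName }
    }
}

# Rules 1-3 from the post, plus rule 4, the documented "all Autopilot devices" rule.
Get-RuleMembers $SampleDevices 'Sales Team Profile' -Operator contains   # DESKTOP-SALES01
Get-RuleMembers $SampleDevices '[OrderID]:7856526'                       # DESKTOP-SALES02
Get-RuleMembers $SampleDevices '[PurchaseOrderId]:76222342342'           # DESKTOP-SALES01
Get-RuleMembers $SampleDevices '[ZTDId]' -Operator contains              # the three Autopilot devices

# Real creation via Microsoft Graph PowerShell. Requires the Microsoft.Graph.Groups
# module and: Connect-MgGraph -Scopes 'Group.ReadWrite.All'
function New-AutopilotOrderIdGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $OrderId,        # the group tag, e.g. 'Sales Team Profile'
        [string] $Description = ''
    )
    # Exact match on the full "[OrderID]:<tag>" string is deliberately tighter than -contains.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$OrderId`"))"
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}
# New-AutopilotOrderIdGroup -DisplayName 'Sales Team AutoPilot Group' -OrderId 'Sales Team Profile' `
#     -Description 'Windows AutoPilot Profile AAD group for Sales Dept'
```

Run the first part anywhere to see which sample device each rule selects; uncomment the last call after Connect-MgGraph to create the group. The local evaluator is a model of the rule semantics, not Azure AD's engine, so confirm the result in the portal (Group, then Members) after the rule has been processed.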

How to Dynamically Deploy Security Policies & Apps to Windows AutoPilot Profile

Now we have created an Azure AD dynamic device group associated with the Windows AutoPilot profile. Whenever a device carrying the matching group tag is assigned to the Windows AutoPilot profile, it lands in this group, and you can use the AAD dynamic device group to deploy security policies or applications to it.

One caveat for security policies: membership is driven entirely by the tag on the device object, so anyone who can set or edit group tags (or upload hardware hashes with a chosen OrderID) can decide which of these groups a device ends up in. Treat group tag editing as a privileged operation, and keep your baseline security policies assigned to a group that every Autopilot device falls into, with the per-department groups layered on top.

Next, assign an application to the Azure AD dynamic device group associated with the Windows Autopilot profile, so that security policies and apps are deployed dynamically to Windows AutoPilot devices.

  1. Navigate via Azure Portal -> Microsoft Intune -> Mobile apps -> Apps
  2. Select the application called "MBCA"
  3. Select Assignments from the app blade
  4. Click on "Add Group" from the Groups blade
  5. Select the assignment type "Required" from the Add Group blade
  6. Select the AAD dynamic group "Sales Team AutoPilot Group" under "Included Groups"
  7. Click on the Select button
  8. Click OK, then OK again
  9. Click the Save button
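The same "Required" assignment done through Microsoft Graph, as an added example that is not part of the original post. It looks up the app and group by the names used in this post ("MBCA" and "Sales Team AutoPilot Group"), refuses to proceed unless the target is a dynamic group whose rule is keyed on device.devicePhysicalIds (a cheap guard against picking a similarly named assigned or user group), and then adds a single required assignment. It assumes the Microsoft.Graph.Authentication module and a session opened with Connect-MgGraph; the function names are assumptions for illustration.

```powershell
# Added example, not code from the original post. Requires:
#   Connect-MgGraph -Scopes 'Group.Read.All','DeviceManagementApps.ReadWrite.All'

$Graph = 'https://graph.microsoft.com/v1.0'

# Resolve the group by name and check it really is the Autopilot dynamic device group.
function Get-AutopilotDynamicGroup {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $uri = "$Graph/groups?`$filter=displayName eq '$DisplayName'&`$select=id,displayName,groupTypes,membershipRule"
    $groups = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($groups.Count)" }
    $g = $groups[0]
    if ($g.groupTypes -notcontains 'DynamicMembership') { throw "'$DisplayName' is not a dynamic group" }
    if ($g.membershipRule -notmatch 'device\.devicePhysicalIds') {
        throw "'$DisplayName' rule is not keyed on device.devicePhysicalIds: $($g.membershipRule)"
    }
    return $g
}

# Resolve the Intune app by display name.
function Get-MobileAppId {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $uri = "$Graph/deviceAppManagement/mobileApps?`$filter=displayName eq '$DisplayName'&`$select=id,displayName"
    $apps = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($apps.Count -ne 1) { throw "Expected exactly one app named '$DisplayName', found $($apps.Count)" }
    return $apps[0].id
}

# Add one Required assignment targeting the group. POSTing to the assignments
# collection adds an assignment; the /assign action would instead replace the
# app's whole assignment list, which is easy to get wrong in a script.
function Add-RequiredAppAssignment {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $GroupId
    )
    $body = @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'required'
        target        = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/mobileApps/$AppId/assignments" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

$group = Get-AutopilotDynamicGroup -DisplayName 'Sales Team AutoPilot Group'
$appId = Get-MobileAppId -DisplayName 'MBCA'
Add-RequiredAppAssignment -AppId $appId -GroupId $group.id
```

After it runs, the Assignments blade for the app shows the group under Required, exactly as after the portal steps above.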

Resources:

Using attributes to create rules for device objects

https://docs.microsoft.com/en-us/mem/autopilot/enrollment-autopilot