Windows AutoPilot Devices Azure AD Dynamic Groups Intune

I explained about Windows AutoPilot deployment in the previous post. In this post, we will see another useful tip for enterprise implementation of AutoPilot. We have an option to create Azure AD (AAD) dynamic device groups based on Windows AutoPilot profiles.

Windows AutoPilot Profile AAD Dynamic Device Groups are helpful to deploy application and security policies to each department as part of the device enrollment process.

[Windows Autopilot Related Posts]

Beginners Guide Setup Windows AutoPilot Deployment
Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices (This post)
Where is AutoPilot Assign Profile Button in Intune Portal
Windows AutoPilot End to End Process Guide

What are AAD Dynamic Device Groups?

AAD dynamic device groups are the Azure AD counterpart of dynamic device collections in the SCCM world. An Azure AD (AAD) dynamic device group is a set of devices whose membership is computed from a rule on a common attribute value, so you never add members by hand. Such a group can be used to target security policies and applications at a specific set of devices, which makes it a core building block of modern device management with Microsoft Intune.


I have a separate post that goes into the logic of Azure AD dynamic query rules in more detail. That post does not cover how to create a Windows AutoPilot Profile AAD dynamic device group, which is what this post walks through.

Video Tutorial – Windows AutoPilot Profile AAD Dynamic Device Groups


Create New Windows AutoPilot Deployment Profile

For this post, I will create an AutoPilot deployment profile that customizes the OOBE experience for the end user. At the time of writing, a Windows AutoPilot deployment profile exposes only three (3) OOBE settings to customize. As shown in the video tutorial, I have created a new AutoPilot profile called “Sales Team Profile”.

All the Windows 10 devices from the sales and marketing department will be enrolled using this Sales Team Profile. The same string, “Sales Team Profile”, is the value I use to build the Windows AutoPilot Profile AAD dynamic device group later in this post.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment -> Windows Enrollment
  2. Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
  3. In the Create profile blade, set the name to “Sales Team Profile”, click on Out-of-box experience (OOBE) and configure the following:

OOBE Customization Settings
  Privacy Settings: Hide
  End-user license agreement (EULA): Hide
  User account type (Standard or Administrator): Standard User

How to Create Windows AutoPilot Profile AAD Dynamic Device Groups?

Once the AutoPilot deployment profile has been created, we can “group” the devices registered for “Sales Team Profile” dynamically. Azure AD stores the AutoPilot registration details of a device in the multi-valued devicePhysicalIds attribute, and the dynamic membership rule builder exposes the relevant entries as follows:

  OrderID (the “[OrderID]:” entry in devicePhysicalIds, i.e. the Order ID / group tag recorded when the device was registered)
  PurchaseOrderId (the “[PurchaseOrderId]:” entry in devicePhysicalIds)
  devicePhysicalIds (the raw attribute, for hand-written rules)

The rule matches whatever value was written into the device’s AutoPilot registration, so the Order ID you use for the Sales Team devices must be the same string you put into the membership rule.

So all the devices assigned to the Windows AutoPilot deployment profile will automatically get added to the Azure AD dynamic device group. Let’s see how to create Windows AutoPilot Profile AAD Dynamic Device Groups.

Windows AutoPilot Profile AAD Dynamic Device Groups
  1. Navigate via Azure Portal -> Azure Active Directory -> Groups -> All Groups
  2. Click on “+ New Group”
  3. Select Security as Group Type
  4. Enter Group Name “Sales Team AutoPilot Group” (any name is fine)
  5. Enter Group Description “Windows AutoPilot Profile AAD group for Sales Dept” (any description is fine)
  6. Select Dynamic Device as Membership type
  7. Click on Add Dynamic Query under Dynamic Device Members
  8. On the Dynamic Membership Rules blade, select OrderID in the “Add Devices Where” column
  9. Select the operator Equals
  10. Enter the OrderID value for the profile, which is “Sales Team Profile”
  11. Click on the Add query button
  12. Click on the Create button to create an AAD dynamic device group based on the AutoPilot profile
Dynamic Query examples (the rule builder writes the equivalent rule text for you; note that -any requires the inner expression in parentheses):
  1. (device.devicePhysicalIds -any (_ -contains "Sales Team Profile"))
  2. (device.devicePhysicalIds -any (_ -eq "[OrderID]:7856526"))
  3. (device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))

Query 1 is a substring match on any physical ID entry, so a value such as “Sales Team Profile EMEA” would also be pulled into the group. Queries 2 and 3 match the OrderID or PurchaseOrderId entry exactly; prefer the exact form when the group drives security policy, so that a device cannot end up in the group by accident.
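The following PowerShell is an added example and not code from the original post. It first models, against constructed sample devices, how the substring rule and the exact OrderID rule above differ, then creates the dynamic security group with the Microsoft Graph PowerShell SDK (New-MgGroup) using the exact-match rule. The group name, description, Order ID value and ZTDId placeholders are assumptions.

```powershell
# Added example, not code from the original post. Models the two rule shapes the post
# shows against constructed sample devices, then creates the dynamic group through the
# Microsoft Graph PowerShell SDK. Names and Order ID values are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

function Test-OrderIdRule {
    # Local approximation of Azure AD rule evaluation for one device:
    #   exact:     (device.devicePhysicalIds -any (_ -eq "[OrderID]:<OrderId>"))
    #   substring: (device.devicePhysicalIds -any (_ -contains "<OrderId>"))
    param(
        [Parameter(Mandatory)][string[]]$DevicePhysicalIds,
        [Parameter(Mandatory)][string]$OrderId,
        [switch]$Substring
    )
    foreach ($id in $DevicePhysicalIds) {
        if ($Substring) {
            if ($id -like "*$OrderId*") { return $true }   # any entry containing the text
        } elseif ($id -eq "[OrderID]:$OrderId") {
            return $true                                   # the OrderID entry itself
        }
    }
    return $false
}

# Constructed sample registrations; the ZTDId values are placeholders, not real hashes
$sampleDevices = @(
    @{ Name = 'LAPTOP-01'; Ids = @('[ZTDId]:11111111-1111-1111-1111-111111111111', '[OrderID]:Sales Team Profile') }
    @{ Name = 'LAPTOP-02'; Ids = @('[ZTDId]:22222222-2222-2222-2222-222222222222', '[OrderID]:Sales Team Profile EMEA') }
    @{ Name = 'LAPTOP-03'; Ids = @('[ZTDId]:33333333-3333-3333-3333-333333333333', '[PurchaseOrderId]:76222342342') }
)

foreach ($d in $sampleDevices) {
    $exact = Test-OrderIdRule -DevicePhysicalIds $d.Ids -OrderId 'Sales Team Profile'
    $loose = Test-OrderIdRule -DevicePhysicalIds $d.Ids -OrderId 'Sales Team Profile' -Substring
    '{0}: exact={1} substring={2}' -f $d.Name, $exact, $loose
}
# LAPTOP-02 is picked up by the substring rule but not by the exact rule.

function New-AutopilotOrderIdGroup {
    # Creates the dynamic security group with the exact-match rule.
    # Requires Connect-MgGraph -Scopes 'Group.ReadWrite.All' to have been run first.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OrderId,
        [string]$Description = 'Windows AutoPilot Profile AAD dynamic device group'
    )
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$OrderId`"))"
    $params = @{
        DisplayName                   = $DisplayName
        Description                   = $Description
        MailEnabled                   = $false
        MailNickname                  = ($DisplayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    New-MgGroup @params
}

# Usage against an assumed tenant (uncomment to run):
# Connect-MgGraph -Scopes 'Group.ReadWrite.All'
# $g = New-AutopilotOrderIdGroup -DisplayName 'Sales Team AutoPilot Group' -OrderId 'Sales Team Profile'
# Membership is evaluated asynchronously by Azure AD; check it later with:
# Get-MgGroupMember -GroupId $g.Id -All | Select-Object Id
```

The local Test-OrderIdRule function only approximates the service-side evaluation (it is there to make the substring versus exact-match difference visible offline); the authoritative membership is what Azure AD computes after the group is created, which can take several minutes to populate.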

How to Dynamically Deploy Security Policies & Apps to Windows AutoPilot Profile

We have now created an Azure AD dynamic device group tied to the Windows AutoPilot profile. Whenever a device registered with that Order ID is assigned to the Windows AutoPilot profile, it lands in the group automatically, and you can use the AAD dynamic device group to deploy security policies or applications to it.

The steps below assign an application to the Azure AD dynamic device group associated with the Windows AutoPilot profile; the same group can be used as the target of compliance and configuration policies to dynamically deploy security policies and apps to Windows AutoPilot devices.

  1. Navigate via Azure Portal -> Microsoft Intune -> Mobile apps -> Apps
  2. Select the application called “MBCA”
  3. Select Assignments from the app blade
  4. Click on “Add Group” from the Assignments blade
  5. Select the assignment type “Required” in the Add Group blade
  6. Select the AAD dynamic group “Sales Team AutoPilot Group” under “Included Groups”
  7. Click on the Select button
  8. Click OK, then OK again
  9. Click on the Save button
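The following PowerShell is an added example, not code from the original post. It performs the same “Required” app assignment through the Microsoft Graph API (Invoke-MgGraphRequest against the mobileApps assign action), preserving any assignments the app already has, and then reads the assignment list back to confirm the dynamic group is targeted. The app name “MBCA” and the group name are assumptions, and the Graph scopes listed at the bottom are required.

```powershell
# Added example, not code from the original post. Assigns an Intune app as Required to
# the AutoPilot dynamic group through Microsoft Graph and verifies the result.
# App and group names are assumptions; run Connect-MgGraph with the listed scopes first.
#Requires -Modules Microsoft.Graph.Authentication

$graph = 'https://graph.microsoft.com/v1.0'

function Get-SingleByDisplayName {
    # Resolves exactly one object by displayName; refuses ambiguous or missing matches
    param([Parameter(Mandatory)][string]$Uri, [Parameter(Mandatory)][string]$Name)
    $escaped = $Name -replace "'", "''"                       # OData single-quote escape
    $result  = Invoke-MgGraphRequest -Method GET -Uri "$Uri?`$filter=displayName eq '$escaped'"
    $items   = @($result.value)
    if ($items.Count -ne 1) { throw "Expected one match for '$Name', found $($items.Count)" }
    return $items[0]
}

function Add-RequiredAppAssignment {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [Parameter(Mandatory)][string]$GroupDisplayName
    )
    $group = Get-SingleByDisplayName -Uri "$graph/groups" -Name $GroupDisplayName
    $app   = Get-SingleByDisplayName -Uri "$graph/deviceAppManagement/mobileApps" -Name $AppDisplayName
    $assignmentsUri = "$graph/deviceAppManagement/mobileApps/$($app.id)/assignments"

    # The assign action takes the app's full assignment list, so keep what is already there
    $existing = @((Invoke-MgGraphRequest -Method GET -Uri $assignmentsUri).value)
    if ($existing | Where-Object { $_.target.groupId -eq $group.id }) {
        Write-Warning "'$AppDisplayName' is already assigned to '$GroupDisplayName'; nothing changed"
        return $existing
    }
    $kept = foreach ($a in $existing) {
        @{ '@odata.type' = '#microsoft.graph.mobileAppAssignment'; intent = $a.intent; target = $a.target; settings = $a.settings }
    }
    $new = @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'required'
        target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id }
    }
    $body = @{ mobileAppAssignments = @($kept) + $new }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/mobileApps/$($app.id)/assign" -Body $body | Out-Null

    # Verify that a Required assignment now targets the dynamic group
    (Invoke-MgGraphRequest -Method GET -Uri $assignmentsUri).value |
        Where-Object { $_.target.groupId -eq $group.id } |
        Select-Object intent, @{ n = 'groupId'; e = { $_.target.groupId } }
}

# Usage against an assumed tenant (uncomment to run):
# Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'
# Add-RequiredAppAssignment -AppDisplayName 'MBCA' -GroupDisplayName 'Sales Team AutoPilot Group'
```

Resolving the group and app by an exact displayName filter, and refusing to continue when the match is not unique, is deliberate: a second group with a similar name (for example a test copy) would otherwise silently receive a required install.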

Author

About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.