I mentioned in my previous blog that I typically use an “All Autopilot Devices” dynamic group to assign an Autopilot profile automatically to most devices, while using two additional groups to let me manually assign devices that I want to deploy differently. Given that there were several questions around that, I though it would be useful to provide some more details on how to do that. So let’s recap the basic setup:
- I have three Autopilot profiles:
- User Driven Azure AD Admin
- Self Deploying AAD Admin
- User Driven Hybrid Azure AD Join Admin
- I have three Azure AD groups:
- All Autopilot Devices (dynamic group selecting all devices with a ZTDID, as described here)
- Self Deploying Devices (manually assigned group)
- Hybrid Azure AD Join Devices (manually assigned group)
As for assignments, the last two are obvious:
- Assign the Self Deploying AAD Admin profile to the Self Deploying Devices group
- Assign the User Driven Hybrid Azure AD Join Admin profile to the Hybrid Azure AD Join Devices group
So that brings us back to the primary Autopilot profile, the User Driven Azure AD Admin profile. It should be assigned to the All Autopilot Devices dynamic group:
But then you need to exclude the other two groups, so click on the “Exclude” tab and specify those:
Now, if you manually add a device to one of those groups, it will then be excluded from this assignment. Great, but what if the device had already been assigned the User Driven Azure AD Admin profile (because it had been in the All Autopilot Devices group for a while)? Intune would notice that the device is no longer assigned to that profile and would then re-assign the profile corresponding to the group that it is in, so it automatically fixes things up (after a short while).
Notice the information bar in the above screenshot (which for some reason has no text in it)? Click on it to go to the documentation page that talks more about this include/exclude logic.