Assigning Autopilot profiles by exception


I mentioned in my previous blog that I typically use an “All Autopilot Devices” dynamic group to assign an Autopilot profile automatically to most devices, while using two additional groups to let me manually assign devices that I want to deploy differently.  Given that there were several questions around that, I thought it would be useful to provide some more details on how to do that.  So let’s recap the basic setup:

  • I have three Autopilot profiles:
    • User Driven Azure AD Admin
    • Self Deploying AAD Admin
    • User Driven Hybrid Azure AD Join Admin
  • I have three Azure AD groups:
    • All Autopilot Devices (dynamic group selecting all devices with a ZTDID, as described here)
    • Self Deploying Devices (manually assigned group)
    • Hybrid Azure AD Join Devices (manually assigned group)

As for assignments, the last two are obvious:

  • Assign the Self Deploying AAD Admin profile to the Self Deploying Devices group
    [Screenshot: Self Deploying AAD Admin profile assignment]
  • Assign the User Driven Hybrid Azure AD Join Admin profile to the Hybrid Azure AD Join Devices group
    [Screenshot: User Driven Hybrid Azure AD Join Admin profile assignment]

So that brings us back to the primary Autopilot profile, the User Driven Azure AD Admin profile.  It should be assigned to the All Autopilot Devices dynamic group:

[Screenshot: User Driven Azure AD Admin profile assignment, Include tab]

But then you need to exclude the other two groups, so click on the “Exclude” tab and specify those:

[Screenshot: User Driven Azure AD Admin profile assignment, Exclude tab]

Now, if you manually add a device to one of those groups, it will then be excluded from this assignment.  Great, but what if the device had already been assigned the User Driven Azure AD Admin profile (because it had been in the All Autopilot Devices group for a while)?  Intune would notice that the device is no longer assigned to that profile and would then re-assign the profile corresponding to the group that it is in, so it automatically fixes things up (after a short while).
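To make the include/exclude resolution concrete, here is an added example (not code from the original post, nor anything Microsoft ships) that models the setup above in Python: a simplified evaluation of the dynamic membership rule for the All Autopilot Devices group (the documented rule form is `(device.devicePhysicalIds -any _ -contains "[ZTDId]")`, evaluated here as a plain substring test), the three profile assignments with their include and exclude groups, and a check that flags any Autopilot device that would end up with zero profiles or more than one. The device names, physical IDs and group memberships are constructed sample data; the "4-5 times" device in the comments below is modelled only insofar as a device that someone adds to both manual groups shows up as a conflict.

```python
"""
Model of Intune Autopilot profile assignment via Azure AD include/exclude groups.

Added example, not from the original post. Assumptions:
  - the "All Autopilot Devices" dynamic rule is modelled as "any entry of
    devicePhysicalIds contains the string [ZTDId]" (simplified from the
    documented rule form);
  - a device receives a profile when it is in at least one included group
    and in none of the excluded groups, which is the logic the post relies on.
All device records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALL_AUTOPILOT = "All Autopilot Devices"
SELF_DEPLOYING = "Self Deploying Devices"
HYBRID = "Hybrid Azure AD Join Devices"


@dataclass
class Device:
    name: str                                   # AAD object name (Autopilot uses the serial number)
    physical_ids: List[str] = field(default_factory=list)
    manual_groups: Set[str] = field(default_factory=set)


def is_autopilot_device(device: Device) -> bool:
    """Simplified dynamic-rule evaluation: any devicePhysicalIds entry containing '[ZTDId]'."""
    return any("[ZTDId]" in pid for pid in device.physical_ids)


def group_memberships(device: Device) -> Set[str]:
    """Manual group memberships plus the dynamic group, if the rule matches."""
    groups = set(device.manual_groups)
    if is_autopilot_device(device):
        groups.add(ALL_AUTOPILOT)
    return groups


# Profile name -> (included groups, excluded groups), mirroring the post's three assignments.
ASSIGNMENTS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "User Driven Azure AD Admin": ({ALL_AUTOPILOT}, {SELF_DEPLOYING, HYBRID}),
    "Self Deploying AAD Admin": ({SELF_DEPLOYING}, set()),
    "User Driven Hybrid Azure AD Join Admin": ({HYBRID}, set()),
}


def resolve_profiles(device: Device) -> List[str]:
    """Profiles the device qualifies for: in an included group and in no excluded group."""
    groups = group_memberships(device)
    return [
        profile
        for profile, (include, exclude) in ASSIGNMENTS.items()
        if groups & include and not (groups & exclude)
    ]


def check_assignment_conflicts(devices: List[Device]) -> Dict[str, List[str]]:
    """Autopilot devices that would get no profile or more than one (a misconfigured membership)."""
    problems: Dict[str, List[str]] = {}
    for device in devices:
        if not is_autopilot_device(device):
            continue
        profiles = resolve_profiles(device)
        if len(profiles) != 1:
            problems[device.name] = profiles
    return problems


# Constructed sample devices; the ZTDId values are placeholders, not real hardware hashes.
SAMPLE_DEVICES = [
    Device("SN-0001", ["[ZTDId]:placeholder-guid-0001", "[OrderId]:PO-1"]),
    Device("SN-0002", ["[ZTDId]:placeholder-guid-0002"], {SELF_DEPLOYING}),
    Device("SN-0003", ["[ZTDId]:placeholder-guid-0003"], {HYBRID}),
    Device("SN-0004", ["[ZTDId]:placeholder-guid-0004"], {SELF_DEPLOYING, HYBRID}),  # added to both manual groups
    Device("LAPTOP-X", ["[USER-GID]:0"]),  # not registered with Autopilot; dynamic rule does not match
]


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(f"{d.name:10} groups={sorted(group_memberships(d))} -> {resolve_profiles(d)}")
    print("conflicts:", check_assignment_conflicts(SAMPLE_DEVICES))
```

Running it shows the three intended outcomes for SN-0001 through SN-0003, and that SN-0004 is reported as a conflict because the two manual groups are only ever excluded from the primary profile, not from each other; that is the case worth auditing in a real tenant, since the portal will not stop you from putting a device in both.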

Notice the information bar in the above screenshot (which for some reason has no text in it)?  Click on it to go to the documentation page that describes this include/exclude logic in more detail.


Comments (6)

  1. Anonymous says:
    (The content was deleted per user request)
  2. I’m making the assumption here that you are adding previously provisioned machines to these 2 manual groups. Can you please explain how this would work to take new autopilot machines and get 3 different outcomes. I understood this should be possible with using EnrollmentProfileName equal/contains/starts with *Should* work. I have only ever been successful with not equals. Since EnrollmentProfileName is not exposed in the Graph do you have another way for us to have separate outcomes as we order new devices?

    1. No, I’m adding new machines (not yet provisioned) to those manual groups. When you import the device into Autopilot, it will *immediately* create an Azure AD object (named with the serial number of the device). You can place that AAD object into the right group to get Intune to assign the appropriate profile to it (even before the device ships from the OEM, if the OEM is registering it).

      Assigning profiles based on enrollmentProfileName is impossible 🙂 And creating groups that use enrollmentProfileName as a dynamic rule isn’t really necessary if you already used a group to assign the Autopilot profile in the first place – you can use that same group to assign policies.

      1. John Marcum says:

        How about machines that you are using for testing purposes meaning they are going through the Autopilot process over and over. I find that they tend to get flaky after a while. What I don’t understand is how do we clean these up? Let’s assume I’ve used the same computer 4-5 times and now I have several computer objects in AAD. Does deleting the computer object from AAD also delete what’s needed for Autopilot meaning I need to import the csv again?

        1. I’ve been deleting the object in Devices, AAD, and Windows enrollment devices just to make sure it’s completely gone.

      2. I think it would be really nice if we could key off the Autopilot template(s) used as the criteria for a machine being added to an AAD group. This would provide an HTA of sorts to choose multiple outcomes that go further than OOBE decisions. Plus with John’s recent post about packaging apps together we just might get to the nirvana everyone seems to think autopilot is.