Exclude Devices with Grouptags from the All Autopilot Devices Dynamic Group 

I take a step back on this post and revisit Autopilot v1. Although Autopilot Device Preparation is likely the future of Autopilot, it still lacks many of the features of Autopilot v1, and Autopilot v1 isn’t going anywhere anytime soon, especially until Autopilot Device Preparation can support pre-provisioning and self-deploying profiles. If you read the title and you came here specifically for the dynamic query, scroll to the very bottom of the post.

Organizations often start with a single Autopilot profile assigned to a single dynamic group containing all Autopilot devices. I inherit many organizations like this. As the organization evolves, there becomes a need for additional profiles. Perhaps it’s a new location that requires a different profile setting, a need to add Kiosk devices, or some testing for a proof of concept. Regardless of the reason, you may be stuck with an “All Autopilot Devices” dynamic group that adds any Autopilot-registered device and assigns the main Autopilot profile, but now you have a separate profile you want to assign to a subset of devices.  

As a side note – if you’re just starting to use Autopilot, I recommend starting with a generic top-level Grouptag since you can always append the Grouptag, and then separate subgroups. But, for this post, we’re assuming you’ve inherited a tenant that’s already using the All Autopilot Devices dynamic group.  

If you’re not familiar with using dynamic groups for Autopilot, visit this MS Learn article – https://learn.microsoft.com/en-us/autopilot/enrollment-autopilot. Also, if you’re not familiar with dynamic groups in general, they’re essentially groups that query a value or property of users/devices and automatically add matching users/devices to the group. For example, you can make a dynamic group for any devices whose name starts with “DEV-“ and they will all be added to the group. There are three primary ways to use dynamic groups with Autopilot devices. When I say three ways, this is why: 

  1. The most common one I come across when I inherit a tenant is a group that contains all autopilot devices:
    • (device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
    • This is the group I was referring to earlier in this post. Any device that gets registered to Autopilot, regardless of grouptag or purchase order ID, will be added to this group.  
  2. Next, you can use the grouptag field, which is tied to the OrderID field on the device object. 
    • (device.devicePhysicalIds -any (_ -eq "[OrderID]:Kiosk")) 
    • This is essentially some metadata added to the device object. You can set a group tag manually in the Intune portal, or at the time the device is registered. Using this dynamic syntax, any device with the grouptag “Kiosk” is added to the group automatically.
  3. Lastly, you can use a Purchase Order ID. 
    • (device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))
    • I don’t see this used very often since when making a large device purchase, the OEM can register the devices for you, or provide you a CSV of the hardware hashes you can import.  

Now that you have an idea of how this works, let’s look at the situation I described earlier, which I see some organizations running into. We have a single All Autopilot Devices group and a single Autopilot profile assigned to that group. We want to add another Autopilot profile that gets assigned to a dynamic group that uses the grouptag “Kiosk”. However, this doesn’t work because even though we are registering devices to Autopilot with the grouptag Kiosk, they’re also added to the All Autopilot Devices group and end up with the wrong profile assigned. Like this: 

Here’s the dynamic group for the Kiosk group tag. But, this same device is also assigned to the All autopilot dynamic device group.  

And you can see why if we look up the device details in Graph Explorer. We see the grouptag value for Kiosk, which matches our dynamic group syntax for the Autopilot-Kiosk group, but we also have an attribute for ZTDID, which matches the dynamic group query for all autopilot devices.  

So, we need to somehow exclude the devices with the Kiosk grouptag from the All Autopilot Devices group. The solution is rather easy, but we need to make some modifications to the syntax for our All Autopilot devices group. First, you should read up on dynamic group syntax from this MS learn page. And more specifically, this section for rules with multiple expressions. 

First, let’s take the dynamic group queries for our two dynamic groups: 

  • (device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]"))
  • (device.devicePhysicalIds -any _ -eq "[OrderID]:Kiosk") 

Next, we need to determine which property is best to exclude on. Both groups of devices contain the ZTDID attribute, but only some of the devices have the Kiosk grouptag. So, we want to exclude any devices with the Kiosk grouptag from the All Autopilot Devices group. To do that, we append the Kiosk grouptag dynamic query to the All Autopilot Devices group query, separated by “ -and -not”. Our query should look like this:  

  • (device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]")) -and -not (device.devicePhysicalIds -any _ -eq "[OrderID]:KIOSK") 

If we validate the rules, we can see now that the device with the Kiosk grouptag won’t be a member of the all autopilot devices group.  

And in the verification details, we see that both queries are evaluated and the device won’t be added to the group because the -not operator negates the match on the second query.  
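To see why the Kiosk device lands in both groups before the change and only in the Kiosk group after it, here is a small Python evaluator, added as an example for this post (it is not Microsoft's rule engine and not code from the original page), that replays the rule patterns above against constructed device records shaped like the physicalIds array Graph Explorer shows. The device names, ZTDId values and the case-insensitive comparison are assumptions.

```python
import re

# Constructed sample devices (placeholder values, not real tenant data), shaped like
# the physicalIds array Graph Explorer returns. Assumptions: Graph writes the grouptag
# as "[OrderId]:<tag>" and rule comparisons are case-insensitive (consistent with the
# page's validated rule, which matches "KIOSK" against the grouptag "Kiosk").
DEVICES = {
    "DESKTOP-STD": ["[ZTDId]:00000000-0000-0000-0000-000000000001",
                    "[PurchaseOrderId]:76222342342"],
    "KIOSK-LOBBY": ["[ZTDId]:00000000-0000-0000-0000-000000000002",
                    "[OrderId]:Kiosk"],
    "BYOD-PHONE": ["[USER-GID]:placeholder"],
}

RULES_BEFORE = {
    "All Autopilot Devices": '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]"))',
    "Autopilot-Kiosk": '(device.devicePhysicalIds -any _ -eq "[OrderID]:Kiosk")',
}
RULES_AFTER = {
    "All Autopilot Devices": '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]")) '
                             '-and -not (device.devicePhysicalIds -any _ -eq "[OrderID]:KIOSK")',
    "Autopilot-Kiosk": RULES_BEFORE["Autopilot-Kiosk"],
}

# One "-any" clause in either spelling used on this page: with or without the
# inner parentheses around "_ -op value".
CLAUSE = re.compile(
    r'^\(?\s*device\.devicePhysicalIds\s+-any\s+\(?\s*_\s+-(?P<op>eq|startsWith)'
    r'\s+"(?P<value>[^"]*)"\s*\)?\s*\)?$', re.IGNORECASE)

def clause_matches(clause, physical_ids):
    """True if any element of physicalIds satisfies the -eq / -startsWith clause."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, value = m.group("op").lower(), m.group("value").lower()
    ids = [p.lower() for p in physical_ids]
    return any(p == value for p in ids) if op == "eq" else any(p.startswith(value) for p in ids)

def rule_matches(rule, physical_ids):
    """Evaluate 'clause [-and -not clause ...]': the first clause includes, the rest exclude."""
    include, *excludes = re.split(r"\s+-and\s+-not\s+", rule.strip())
    return clause_matches(include, physical_ids) and not any(
        clause_matches(ex, physical_ids) for ex in excludes)

def group_membership(rules, devices):
    """Map each device name to the sorted list of groups its physicalIds would place it in."""
    return {name: sorted(g for g, r in rules.items() if rule_matches(r, ids))
            for name, ids in devices.items()}
```

Running `group_membership(RULES_BEFORE, DEVICES)` and then `group_membership(RULES_AFTER, DEVICES)` shows the Kiosk device moving from two groups to one while the standard device stays in All Autopilot Devices.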

Shortly after editing your group, Autopilot should assign the profile to your device based on the grouptag assignment: 

If you came here just for the query – change Kiosk in the query below to your grouptag to have those devices excluded from the all autopilot devices dynamic group: 

  • (device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]")) -and -not (device.devicePhysicalIds -any _ -eq "[OrderID]:KIOSK")