With a change in Intune and Autopilot profile assignment it is no longer possible to assign an Autopilot profile per device, only to groups. But the change makes it possible to do automatic profile assignment directly from Intune. This does not change the manual process for Autopilot profile assignment in Microsoft Store for Business. There are two possible ways of doing this, static or dynamic Azure AD groups; static groups do not give us the automation we want, so in this blog post I will walk through the automatic profile assignment with dynamic groups.
First we need to know about the new ZTDID and OrderID attributes on the Azure AD device object. When a device is uploaded through the Autopilot service it gets a unique ZTDID, and from that we can determine that it is an Autopilot device. Then there is the OrderID, which is a value you can choose, so it is more like a tag: the OrderID can group Autopilot devices for a specific purpose like a SharedDevice, a Skype Room System, a KIOSK device or something else.
The imported device list has the normal columns Device Serial Number, Windows Product ID and Hardware Hash. Then you just have to add a custom column named OrderID with the value you want to use for creating your Autopilot dynamic group for profile assignment, in my example "SharedDevice".
After importing the Autopilot information in Intune you can use the Microsoft Graph Explorer to see the device with the information you just created.
Go to the Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
Enter https://graph.microsoft.com/v1.0/devices to get all devices; then you can find the device you just created and see that it has both the ZTDID with a unique value and the OrderID.
Now we have all the information we need to create two dynamic AzureAD groups, one for all AutoPilot devices and one for our SharedDevices.
The two dynamic groups I name “All AutoPilot Devices” and “All AutoPilot SharedDevice”
The first group "All AutoPilot Devices" has a dynamic group membership rule like this: (device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and -not (device.devicePhysicalIDs -any _ -eq "[OrderID]:SharedDevice")
This rule will find all devices with the ZTDId and exclude all devices with an OrderID of SharedDevice.
The second group "All AutoPilot SharedDevice" has a dynamic group membership rule like this: (device.devicePhysicalIds -any _ -eq "[OrderID]:SharedDevice")
This rule will find all devices with the OrderID SharedDevice.
How to create the two groups with PowerShell:
Install-Module AzureADPreview
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

# Create a dynamic group called "All AutoPilot Devices"
New-AzureADMSGroup -Description "All AutoPilot Devices" -DisplayName "All AutoPilot Devices" -MailEnabled $false -SecurityEnabled $true -MailNickname "Win" -GroupTypes "DynamicMembership" -MembershipRule '(device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and -not (device.devicePhysicalIDs -any _ -eq "[OrderID]:SharedDevice")' -MembershipRuleProcessingState "On"

# Create a dynamic group called "All AutoPilot SharedDevice"
New-AzureADMSGroup -Description "All AutoPilot SharedDevice" -DisplayName "All AutoPilot SharedDevice" -MailEnabled $false -SecurityEnabled $true -MailNickname "Win" -GroupTypes "DynamicMembership" -MembershipRule '(device.devicePhysicalIds -any _ -eq "[OrderID]:SharedDevice")' -MembershipRuleProcessingState "On"
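As an added example (not code from the original post), the script below evaluates the two membership rules locally against each device's devicePhysicalIds and compares the result with the device's actual membership in the two dynamic groups, so you can spot devices that have not landed where the rules say they should. It assumes the AzureADPreview module, an existing Connect-AzureAD session, and the two group names used above.

```powershell
# Added example, not from the original post. Assumes AzureADPreview is loaded
# and Connect-AzureAD has already been run.

function Get-ExpectedAutopilotGroup {
    param([string[]] $DevicePhysicalIds)
    # Same logic as the two rules in the post:
    #   -any _ -contains "[ZTDId]"           -> some entry contains the ZTDId tag
    #   -any _ -eq "[OrderID]:SharedDevice"  -> some entry equals the OrderID tag
    $isAutopilot = @($DevicePhysicalIds | Where-Object { $_ -match '\[ZTDId\]' }).Count -gt 0
    $isShared    = @($DevicePhysicalIds | Where-Object { $_ -eq '[OrderID]:SharedDevice' }).Count -gt 0
    if ($isShared)    { return 'All AutoPilot SharedDevice' }
    if ($isAutopilot) { return 'All AutoPilot Devices' }
    return $null   # no ZTDId: not an Autopilot device, belongs in neither group
}

function Test-AutopilotGroupAssignment {
    $groupNames = 'All AutoPilot Devices', 'All AutoPilot SharedDevice'
    # Current membership of each dynamic group, keyed by device ObjectId
    $members = @{}
    foreach ($name in $groupNames) {
        $group = Get-AzureADMSGroup -Filter "displayName eq '$name'"
        $members[$name] = @{}
        foreach ($m in (Get-AzureADGroupMember -ObjectId $group.Id -All $true)) {
            $members[$name][$m.ObjectId] = $true
        }
    }
    foreach ($device in (Get-AzureADDevice -All $true)) {
        $expected = Get-ExpectedAutopilotGroup -DevicePhysicalIds $device.DevicePhysicalIds
        if (-not $expected) { continue }   # skip devices that did not come from Autopilot
        $actual = @($groupNames | Where-Object { $members[$_].ContainsKey($device.ObjectId) })
        [pscustomobject]@{
            Device   = $device.DisplayName
            Expected = $expected
            Actual   = ($actual -join ', ')
            # A mismatch usually means the dynamic rule has not been processed yet,
            # or the OrderID tag was imported with a different spelling
            Match    = ($actual.Count -eq 1 -and $actual[0] -eq $expected)
        }
    }
}

Test-AutopilotGroupAssignment | Format-Table -AutoSize
```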
Then you can get started by assigning the Intune Autopilot profiles automatically.
Start the Microsoft 365 device admin center: https://devicemanagement.portal.azure.com/
Go to: Home > Device enrollment – Windows enrollment > Windows Autopilot deployment profiles
Create two Windows Autopilot deployment profiles
Properties:
Name : Windows AutoPilot Default Profile
Deployment mode : User-Driven
Join to Azure AD as : Azure AD Joined
Settings:
End user license agreement (EULA) : Hide
Privacy Settings : Hide
User account type : Standard
Assignments : All AutoPilot Devices
Properties:
Name : Windows AutoPilot Shared Device
Deployment mode : Self-Deploying (preview)
Join to Azure AD as : Azure AD Joined
Settings:
Language (Region) : Danish (Denmark)
Automatically configure keyboard : Yes
End user license agreement (EULA) : Hide
Privacy Settings : Hide
User account type : Standard
Assignments : All AutoPilot SharedDevice
So now when a new Autopilot device gets into the service, it will automatically end up in one of the two groups.
Read more:
Enroll Windows devices by using the Windows AutoPilot
Having some fun times trying to get this cmdlet working…
PS C:\WINDOWS\system32> New-AzureADMSGroup -Description “All AutoPilot Devices” -DisplayName “All AutoPilot Devices” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule ‘(device.devicePhysicalIDs -any _ -contains “[ZTDId]”)’ -MembershipRuleProcessingState “On”
New-AzureADMSGroup : A parameter cannot be found that matches parameter name ‘MembershipRule’.
At line:1 char:189
+ … ickname “Win” -GroupTypes “DynamicMembership” -MembershipRule ‘(devic …
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-AzureADMSGroup], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphV10.PowerShell.NewMSGroup
You need to have AzureAD module 2 or above. I have had issues with the AzureAD module, that is why I use the AzureADPreview. Check the version by using this command: Get-Module AzureADPreview
The rule (device.devicePhysicalIDs -any _ -contains “[ZTDId]”) -and -not (device.devicePhysicalIDs -any _ -eq “[OrderID]:MYTAG”) doesn’t actually work. It does not evaluate the exclusion…
That is strange – it is working for me. Also in other tenants where I have implemented it – I just checked now.
Thanks for this, it's a great idea, but the rules don't seem to work. I get errors saying they contain invalid characters.
Dynamic membership rule validation error: Invalid characters found in the rule.