With some change in Intune and Autopilot profile assignment is it not possible to do Autopilot profile assignment per device anymore, only on groups. But the change gives the possibility to do automatic profile assignment directly from Intune. This does not change the manual process for Autopilot profile assignment in Microsoft Store for Business. There are two possible ways of doing this, static or dynamic Azure AD groups, static groups do not give us the automatic we want, so in this blog post I will walk through the automatic profile assignment.

First we need to know about the new ZTDID and OrderID attribute on the AzureAD object. When a device is getting uploaded through the AutoPilot service the devices gets a unique ZTDID and then we can determent that it is a Autopilot device. Then there is the OrderID, that is a value that you can choose, so it is more like a tag, the OrderID can group Autopilot devices for a specific purpose like a ShareDevice, A Skype Room System, KIOSK device or something else.

You have the normal information Device Serial Number,Windows Product ID,Hardware Hash – then you just have to create a custom column named OrderID with the value you want to use for creating you Autopilot dynamic group for profile assignment, in my example “SharedDevice”

After importing the Autopilot information in Intune you can use the Microsoft Graph explorer to see the device with the information you just created

goto to the Graph Explorer : https://developer.microsoft.com/en-us/graph/graph-explorer

Enter https://graph.microsoft.com/v1.0/devices to get all devices – then you can finde the device you just created and see that it has both the ZTDID with a unique value and the OrderID.

Now we have all the information we need to create two dynamic AzureAD groups, one for all AutoPilot devices and one for our SharedDevices.
The two dynamic groups I name “All AutoPilot Devices” and “All AutoPilot SharedDevice”

The first group “All AutoPilot Devices” has a dynamic group membership rulelike this : (device.devicePhysicalIDs -any _ -contains “[ZTDId]”) -and -not (device.devicePhysicalIDs -any _ -eq “[OrderID]:SharedDevice”)
This rule will find all devices with the ZTDid and exclude all devices with a OrderID SharedDevice

The first group “All AutoPilot SharedDevice” has a dynamic group membership rulelike this : (device.devicePhysicalIds -any _ -eq “[OrderID]:SharedDevice”)
This rule will find all devices with the OrderID SharedDevice

How to create the two groups with PowerShell:

Install-Module AzureADPreview
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred
# Create a dynamic group called "All AutoPilot Devices"
New-AzureADMSGroup -Description “All AutoPilot Devices” -DisplayName “All AutoPilot Devices” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule '(device.devicePhysicalIDs -any _ -contains "[ZTDId]") -and -not (device.devicePhysicalIDs -any _ -eq "[OrderID]:SharedDevice")' -MembershipRuleProcessingState “On”
# Create a dynamic group called "All AutoPilot SharedDevice"
New-AzureADMSGroup -Description “All AutoPilot SharedDevice” -DisplayName “All AutoPilot SharedDevice” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule '(device.devicePhysicalIds -any _ -eq "[OrderID]:SharedDevice")' -MembershipRuleProcessingState “On”

Then you can get stated by assigning the Intune Autopilot profiles automatic.

Start the Microsoft 365 device admin center : https://devicemanagement.portal.azure.com/

Goto : Home > Device enrollment – Windows enrollment > Windows Autopilot deployment profiles

Create two Windows Autopilot deployment profiles

Properties:
Name : Windows AutoPilot Default Profile
Deployment mode : User-Driven
Join to Azure AD as : Azure AD Joined Settings:

End user license agreement (EULA) : Hide

Privacy Settings : Hide
User account type : Standard

Assignments : All AutoPilot Devices

Properties:
Name : Windows AutoPilot Shared Device
Deployment mode : Self-Deploying (preview)
Join to Azure AD as : Azure AD Joined Settings:

Language (Region) : Danish (Denmark)

Automatically configure keyboard : Yes
End user license agreement (EULA) : Hide
Privacy Settings : Hide
User account type : Standard

Assignments : All AutoPilot SharedDevice

So now when a new Autopilot devices is getting into the service – it will automatic end up in one of the two groups.

Read more:

Enroll Windows devices by using the Windows AutoPilot