yannara asked Crystal-MSFT commented

Dynamic Group for only Autopilot phase

The current ZTDId rule keeps devices in the group after it has been applied by a user. I need a group syntax which will keep the device in the group only during the Autopilot phase, but after it is applied on-field, the device would disappear. I've been playing around with (device.devicePhysicalIDs -any (_ -not contains "[USER-GID]")) but it has no effect.

Tags: mem-intune-general, mem-intune-enrollment

Crystal-MSFT answered Crystal-MSFT commented

@yannara, I have connected to Azure AD via PowerShell using the following commands and checked the device attributes:

[Screenshot: 78106-image.png]
I found that the AccountEnabled attribute is not the same before and after Autopilot enrollment. Then I created a dynamic group with the following rule syntax and found that only the Autopilot devices which are not enrolled are added to this group:
(device.accountEnabled -eq false) and (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
[Screenshot: 78070-image.png]

We can try the same rule to see if it is working. Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Thanks, I will give it a try.


@yannara, we will wait for the update. If there's anything else we can help with, feel free to let us know.


@yannara, hope things are going well. I am writing to see if we have tried the suggestions. Was it helpful? If there's any update, feel free to let us know.

RahulJindal-2267 answered yannara commented

May I ask why? What is the end goal here?


Sure. We need some stuff to be applied only during the Autopilot phase, and not for on-field computers. The same needs are out there for SCCM / GPO on-prem environments.

Crystal-MSFT answered yannara commented

@yannara, we can use PowerShell to query the devices. Compare one device before the Autopilot phase and one after the phase to see which attribute is different. Then check if the attribute is included in the Dynamic membership rules for groups in Azure Active Directory to see if there's any rule that can accomplish what we want:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

Hope it can help.





That article does not reveal how to use PowerShell. Not totally understanding your point, are you saying that PowerShell can somehow reveal what query or syntax is needed?
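The before/after comparison suggested in the answers can be scripted as below. This is an added example, not code from any poster in this thread (the commands in the answer's screenshot are not preserved). The function names `Compare-DeviceSnapshot` and `Test-PendingAutopilotRule` are hypothetical, the two device records are constructed sample data, and the use of the AzureAD module's `Get-AzureADDevice` for the live query is an assumption.

```powershell
# Constructed sample data: two snapshots of one device record, shaped like the
# objects Get-AzureADDevice returns. All values are made up for illustration.
$before = [pscustomobject]@{
    DisplayName       = 'DESKTOP-SAMPLE01'
    AccountEnabled    = $false
    DevicePhysicalIds = @('[ZTDId]:00000000-0000-0000-0000-000000000001')
}
$after = [pscustomobject]@{
    DisplayName       = 'DESKTOP-SAMPLE01'
    AccountEnabled    = $true
    DevicePhysicalIds = @('[ZTDId]:00000000-0000-0000-0000-000000000001',
                          '[USER-GID]:constructed-value')
}

function Compare-DeviceSnapshot {
    # Emit one row per property whose value differs between the two snapshots.
    param([Parameter(Mandatory)] $Before, [Parameter(Mandatory)] $After)
    foreach ($name in $Before.PSObject.Properties.Name) {
        # Flatten multi-valued attributes so they compare as a single string.
        $b = @($Before.$name) -join '; '
        $a = @($After.$name)  -join '; '
        if ($b -ne $a) {
            [pscustomobject]@{ Property = $name; Before = $b; After = $a }
        }
    }
}

function Test-PendingAutopilotRule {
    # Local re-statement of the membership rule from the answer:
    #   (device.accountEnabled -eq false) and
    #   (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
    param([Parameter(Mandatory)] $Device)
    $hasZtdId = [bool](@($Device.DevicePhysicalIds) -match [regex]::Escape('[ZTDId]'))
    (-not $Device.AccountEnabled) -and $hasZtdId
}

# Which attributes changed, and does each snapshot satisfy the rule?
Compare-DeviceSnapshot -Before $before -After $after | Format-Table -AutoSize
Test-PendingAutopilotRule -Device $before
Test-PendingAutopilotRule -Device $after

# Against a real tenant (assumption: AzureAD module installed; requires sign-in):
# Connect-AzureAD
# Get-AzureADDevice -All $true |
#     Select-Object DisplayName, AccountEnabled, DevicePhysicalIds,
#         @{ n = 'InRule'; e = { Test-PendingAutopilotRule -Device $_ } }
```

Any attribute that shows up in the comparison is only usable in a dynamic group if it is listed among the supported device properties in the dynamic membership rules documentation linked above.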