Create device groups
- Windows 10
- Windows Holographic, version 2004 or later
HoloLens 2 devices require Windows Autopilot self-deploying mode. For more information about using Windows Autopilot to deploy HoloLens 2 devices, see Windows Autopilot for HoloLens 2.
Create an Autopilot device group using Intune
In the Microsoft Endpoint Manager admin center, select Groups > New group.
In New Group, configure the following properties:
Group type: Select Security.
Group name and Group description: Enter a name and description for your group.
Azure AD roles can be assigned to the group (Preview): Yes allows Azure AD roles to be assigned to the group you're creating. Once set, the group is permanently and always allowed to be assigned Azure AD roles. When set to No, Azure AD roles aren't assigned to the this group.
For more information, see Use cloud groups to manage role assignments in Azure AD.
Membership type: Choose how devices become members of this group. Select Assigned, Dynamic user, or Dynamic Device. For more information, see Add groups to organize users and devices.
Owners: Select users that own the group. Owners can also delete this group.
Members: Select Autopilot devices that belong to this group. Autopilot devices that aren't enrolled show the serial number for the device name.
Dynamic device members: Select Add dynamic query > Add expression.
Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group. Creating an expression using non-autopilot attributes doesn't guarantee that devices included in the group are registered to Autopilot.
When creating expressions:
- To create a group that includes all of your Autopilot devices, enter:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]")).
- Intune's group tag field maps to the
OrderIDattribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device
(device.devicePhysicalIds -any (_ -eq "[OrderID]:179887111881")).
- To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter:
(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))
Save your expressions.
- To create a group that includes all of your Autopilot devices, enter:
Edit Autopilot device attributes
After you've uploaded an Autopilot device, you can edit certain attributes of the device.
- In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program.
- Select the device you want to edit.
- In the pane on the right of the screen, you can edit:
- Device name.
- Group tag.
- User Friendly Name (if you've assigned a user).
- Select Save.
Device names can be configured for all devices, but are ignored in Hybrid Azure AD joined deployments. Device name still comes from the domain join profile for Hybrid Azure AD devices.
Alerts for Windows Autopilot unassigned devices
Alerts will show how many Autopilot program devices don't have Autopilot deployment profiles. Use the information in the alert to create profiles and assign them to the unassigned devices. When you click the alert, you see a full list of Windows Autopilot devices and detailed information about them.
To see alerts for unassigned devices, in the Microsoft Endpoint Manager admin center, choose Devices > Overview > Enrollment alerts > Unassigned devices.
Autopilot deployments report
You can see details on each device deployed through Windows Autopilot. To see the report, go to the Microsoft Endpoint Manager admin center, choose Devices > Monitor > Autopilot deployments. The data is available for 30 days after deployment.
This report is in preview. Device deployment records are currently triggered only by new Intune enrollment events. Deployments that don't trigger a new Intune enrollment won't appear this report. This case includes any kind of reset that maintains enrollment and the user portion of Autopilot pre-provisioning.
Assign a user to a specific Autopilot device
You can assign a licensed Intune user to a specific Autopilot device. This assignment:
- Pre-fills a user from Azure Active Directory in the company-branded sign-in page during Windows setup.
- Lets you set a custom greeting name.
- Doesn't pre-fill or modify Windows sign-in.
Prerequisites: Azure Active Directory Company Portal has been configured and Windows 10, version 1809 or later.
Assigning a user to a specific Autopilot device doesn't work if you are using ADFS.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program > choose the device > Assign user.
Choose an Azure user licensed to use Intune and choose Select.
In the User Friendly Name box, type a friendly name or just accept the default. This string is the friendly name that displays when the user signs in during Windows setup.
Delete Autopilot devices
You can delete Windows Autopilot devices that aren't enrolled into Intune:
- Delete the devices from Windows Autopilot at Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program. Choose the devices you want to delete, then choose Delete. Windows Autopilot device deletion can take a few minutes to complete.
Completely removing a device from your tenant requires you to delete the Intune device, the Azure Active Directory device, and the Windows Autopilot device records. These deletions can all be done from Intune:
If the devices are enrolled in Intune, you must first delete them from the Intune All devices blade.
Delete the devices in Azure Active Directory devices at Devices > Azure AD devices.
Delete the devices from Windows Autopilot at Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program >. Choose the devices you want to delete, then choose Delete. Windows Autopilot device deletion can take a few minutes to complete.
Using Autopilot in other portals
If you aren't interested in mobile device management, you can use Autopilot in other portals. While using other portals is an option, we recommend you only use Intune to manage your Autopilot deployments. When you use Intune and another portal, Intune isn't able to:
- Display changes to profiles created in Intune, but edited in another portal.
- Synchronize profiles created in another portal.
- Display changes to profile assignments done in another portal.
- Synchronize profile assignments done in another portal.
- Display changes to the device list that were made in another portal.
Windows Autopilot for existing devices
You can group Windows devices by a correlator ID when enrolling using Autopilot for existing devices through Configuration Manager. The correlator ID is a parameter of the Autopilot configuration file. The Azure AD device attribute enrollmentProfileName is automatically set to equal "OfflineAutopilotprofile-<correlator ID>". So, arbitrary Azure AD dynamic groups can be created based off correlator ID by using the enrollmentprofileName attribute.
Because the correlator ID is not pre-listed in Intune, the device may report any correlator ID they want. If the user creates a correlator ID matching an Autopilot or Apple ADE profile name, the device will be added to any dynamic Azure AD device group based off the enrollmentProfileName attribute. To avoid this conflict:
- Always create dynamic group rules matching against the entire enrollmentProfileName value
- Never name Autopilot or Apple ADE profiles beginning with "OfflineAutopilotprofile-".
After you configure Windows Autopilot for registered Windows 10 devices, learn how to manage those devices. For more information, see What is Microsoft Intune device management?