Create a Temporary Windows autopilot dynamic device group

Hi everyone

In this post 👉🏻 Create a Device group from lastSyncedDate attribute I covered a very specific requirement.

Today’s post is a bit different.

I’d like to share something interesting about Intune and Dynamic Device Groups when it comes to Windows autopilot devices.

Scenario ☁️

  • application1 is required to be installed on all Windows Autopilot devices
  • pilot devices, which are also members of the All Windows Autopilot devices dynamic catch-all device group, have application2 targeted to them, and these devices are also added as an exclusion to the existing application1 deployment in Intune => check this post to learn how to do it
  • the new application (application2) is required to be installed on all Windows Autopilot devices while application1

Known issue 🤯

  • if we target application2 to All Windows Autopilot devices without removing it from application1, we run into the following issue:
    • all targeted devices end up with both application1 and application2, because of a limitation on Filters in Intune (up to 3072 characters, which corresponds to about 200 Azure AD devices/Intune managed devices with a 15-character naming standard). For enterprise and SMB companies with more than 250 devices, this becomes a problem

Fix 🧠

  • Leverage PowerShell to identify all brand new devices registered in Windows Autopilot and also enrolled in Intune (managed devices) from a specific date
    • create a dynamic device security group in AAD (cloud-based security group)
    • define this group in the variable $targetedGroup
    • retrieve all Windows Autopilot registered devices from $startdate
    • retrieve all Intune enrolled devices from $startdate
    • cross-check the device IDs across ADDS, AAD and Intune (Windows Autopilot and managed devices)
    • determine which device corresponds to the device object that is synced from local AD in the HAADJ scenario
    • determine which device corresponds to the device object that is AADJ only
    • schedule the script to run every hour
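The steps above, written out as an added example (this is not the script linked from the post's GitHub; it is an illustration built on the Microsoft Graph PowerShell SDK). It assumes the placeholders $targetedGroup (the object ID of the target group, whose membership this script maintains as assigned members) and $startDate, uses enrolledDateTime on the Intune record as the "since" cut-off, and treats an AAD device object with trustType ServerAd as the HAADJ object synced from local AD and AzureAd as the AADJ-only object. The security-relevant detail it makes explicit is that the three directories share the AAD deviceId (azureActiveDirectoryDeviceId on the Autopilot identity, azureADDeviceId on the Intune managed device, deviceId on the AAD device), while group membership needs the AAD object id, so the script only adds a device when all three records agree:

```powershell
# Added example, not the post's own script. Placeholders: $targetedGroup, $startDate.
param(
    [Parameter(Mandatory)] [string] $targetedGroup,   # object ID of the target AAD group (placeholder)
    [datetime] $startDate = (Get-Date).AddDays(-30)   # only devices enrolled in Intune on/after this date
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'Device.Read.All',
                        'GroupMember.ReadWrite.All'

# 1. Windows Autopilot identities, keyed by the AAD deviceId they carry
#    (this is the deviceId attribute, NOT the AAD object id).
$autopilot = @{}
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | ForEach-Object {
    if ($_.AzureActiveDirectoryDeviceId) { $autopilot[$_.AzureActiveDirectoryDeviceId] = $_ }
}

# 2. Intune managed devices enrolled since $startDate. Filtering client-side keeps the
#    query portable across Graph versions; on very large tenants use a server-side filter.
$intune = @{}
Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.EnrolledDateTime -ge $startDate } |
    ForEach-Object { if ($_.AzureADDeviceId) { $intune[$_.AzureADDeviceId] = $_ } }

# 3. AAD device objects, keyed by deviceId. TrustType separates HAADJ (ServerAd,
#    synced from local AD) from AADJ-only (AzureAd) objects.
$aad = @{}
Get-MgDevice -All -Property Id,DeviceId,DisplayName,TrustType,RegistrationDateTime |
    ForEach-Object { if ($_.DeviceId) { $aad[$_.DeviceId] = $_ } }

# 4. Cross-check: a device qualifies only when Autopilot, Intune and AAD all agree on the deviceId.
$candidates = foreach ($deviceId in $intune.Keys) {
    if (-not $autopilot.ContainsKey($deviceId)) { continue }   # enrolled, but never registered in Autopilot
    if (-not $aad.ContainsKey($deviceId))       { continue }   # no AAD object yet (e.g. HAADJ sync lag)
    $obj = $aad[$deviceId]
    $joinType = switch ($obj.TrustType) {
        'ServerAd' { 'HAADJ' }
        'AzureAd'  { 'AADJ' }
        default    { 'Other' }
    }
    [pscustomobject]@{
        DisplayName = $obj.DisplayName
        AadDeviceId = $deviceId
        AadObjectId = $obj.Id                      # what group membership actually needs
        IntuneId    = $intune[$deviceId].Id
        AutopilotId = $autopilot[$deviceId].Id
        JoinType    = $joinType
    }
}

# 5. Add only devices that are not already members, so the hourly scheduled run is idempotent.
$existing = @((Get-MgGroupMember -GroupId $targetedGroup -All).Id)
foreach ($c in $candidates) {
    if ($existing -contains $c.AadObjectId) { continue }
    New-MgGroupMember -GroupId $targetedGroup -DirectoryObjectId $c.AadObjectId
    Write-Host "Added $($c.DisplayName) [$($c.JoinType)] objectId=$($c.AadObjectId)"
}

$candidates | Format-Table DisplayName, JoinType, AadDeviceId, AadObjectId
```

Run it as `.\Add-NewAutopilotDevices.ps1 -targetedGroup <group object id> -startDate '2024-01-01'` from a scheduled task; the membership check in step 5 means repeated runs add nothing twice, and devices that are in Intune but not in Autopilot (or whose AAD object has not synced yet) are skipped rather than guessed at.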

Architecture 📚

  • When a computer/device object is created in ADDS (local AD), it has the following attributes:
  • When this computer/device object is created in ADDS (local AD) and synced to AAD (Azure AD), it has the following attributes:
  • When the same computer/device object is managed by Intune, it has the following attributes:
  • When you list all of these attributes using PowerShell through the AzureAD module and MS Graph, a few other IDs are shown

The following image demonstrates all the device IDs in use for the Hybrid Azure AD joined and Azure AD joined-only scenarios.

Github script for download 🥷

Cheers,

Thiago Beier