Windows Autopilot devices

Why are Windows Autopilot devices important?

If you’re looking for a solution to onboard users remotely, you have probably heard about Autopilot.

This is not about deploying Windows 10/11 from “the cloud” to your device.


All procured devices are enrolled in your M365 tenant by default, and they get the “blank” GroupTag.

You can leverage the GroupTag to designate all Autopilot devices (those with a blank tag) as either AADJ (Azure AD joined) or HAADJ (Hybrid Azure AD joined).

All Autopilot devices: (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
Segmenting AADJ: (device.devicePhysicalIds -any (_ -eq "[OrderID]:AADJ"))
Segmenting HAADJ: (device.devicePhysicalIds -any (_ -eq "[OrderID]:HAADJ"))
Segmenting by Purchase Order Id: (device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))


For each Windows Autopilot deployment to which you assign an included group of targeted devices, you should exclude the other WAP security groups from it. Alternatively, you can use the “All Autopilot devices” group while excluding all AADJ and HAADJ GroupTag groups from it (see the table below).

WAP Name / Join Type           | Assignments – Included Groups | Assignments – Excluded Groups
-------------------------------|-------------------------------|------------------------------
AADJ / Azure AD joined         | All-AADJ-Devices              | All-HAADJ-Devices
HAADJ / Hybrid Azure AD joined | All-HAADJ-Devices             | All-AADJ-Devices
HAADJ / Hybrid Azure AD joined | All Autopilot devices         | All-AADJ-Devices


Here you should exclude all dynamic device groups that have GroupTags associated with them.
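
The include/exclude logic from the table can be checked offline before profiles are assigned. The Python sketch below is an added example, not part of the original post: it models the dynamic membership rules above as predicates and applies rows 1 and 3 of the table to constructed sample devices, reporting any device that ends up with zero or more than one profile. The device names and IDs, case-insensitive matching, and the modelling of an excluded group as overriding an included one are assumptions of the example.

```python
# Dynamic membership rules from the page, modelled as predicates over a
# device's devicePhysicalIds list. Matching is modelled as case-insensitive
# (assumption of this sketch).
def has_ztdid(ids):
    return any("[ztdid]" in i.lower() for i in ids)

def has_tag(tag):
    wanted = f"[orderid]:{tag}".lower()
    return lambda ids: any(i.lower() == wanted for i in ids)

GROUP_RULES = {
    "All Autopilot devices": has_ztdid,
    "All-AADJ-Devices": has_tag("AADJ"),
    "All-HAADJ-Devices": has_tag("HAADJ"),
}

# Rows 1 and 3 of the table: profile -> (included groups, excluded groups).
PROFILES = {
    "AADJ": ({"All-AADJ-Devices"}, {"All-HAADJ-Devices"}),
    "HAADJ": ({"All Autopilot devices"}, {"All-AADJ-Devices"}),
}
# Same includes with the exclusions dropped, to show what they prevent.
NO_EXCLUSIONS = {name: (inc, set()) for name, (inc, _) in PROFILES.items()}

# Constructed sample devices (IDs are made up).
DEVICES = {
    "PC-AADJ": ["[ZTDID]:0001", "[OrderID]:AADJ"],
    "PC-HAADJ": ["[ZTDID]:0002", "[OrderID]:HAADJ"],
    "PC-BLANK": ["[ZTDID]:0003"],  # blank GroupTag
    "PC-OTHER": [],                # not registered in Autopilot
}

def groups_of(ids):
    """Names of the dynamic groups whose rule matches this device."""
    return {g for g, rule in GROUP_RULES.items() if rule(ids)}

def assigned_profiles(ids, profiles):
    """Profiles that target the device: in an included group, in no excluded one."""
    member = groups_of(ids)
    return sorted(p for p, (inc, exc) in profiles.items()
                  if member & inc and not member & exc)

def audit(devices, profiles):
    """Return {device: [profiles]} for devices matching zero or 2+ profiles."""
    result = {d: assigned_profiles(ids, profiles) for d, ids in devices.items()}
    return {d: p for d, p in result.items() if len(p) != 1}

if __name__ == "__main__":
    print("with exclusions:   ", audit(DEVICES, PROFILES))
    print("without exclusions:", audit(DEVICES, NO_EXCLUSIONS))
```

With the exclusions in place only the unregistered device is reported; without them the AADJ-tagged device matches both profiles.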

Windows autopilot devices (Screenshot)

Post 1 – PPKG part 1

Post 2 – PPKG part 2

You can use a PPKG to register your device hashes with Windows Autopilot devices based on the GroupTag (AADJ or HAADJ WAP), as in the previous table.


Thiago Beier