Targeting only newly enrolled devices is difficult but necessary; until a few weeks ago, Intune had no way of doing it at enrollment time. There are countless scenarios where you need to target new devices dynamically without affecting existing ones. Ben from Powers-Hell.com works through two solutions for creating such groups: S02E36 – Building Custom Dynamic Groups with Power Automate – (I.T) – YouTube, and Create advanced dynamic groups with PowerShell & Azure Functions | Powers Hell (powers-hell.com). Both are great solutions, but the group membership is only evaluated after enrollment, so a new Autopilot profile, or apps and policies pushed during the Enrollment Status Page (ESP), will not reach the device because the assignment has not happened yet.
A few weeks ago, Microsoft released assignment filters into public preview. Filters solve this scenario: they attach to group assignments, and you can add them to existing profiles. The graphic below shows the current and the future flow of a device and its assignments.
In the current state, devices are assigned to Autopilot, followed by user/device assignments whose groups are used for both enrollment profiles and the various workloads.
We will use filters to separate existing devices from net-new devices. To do that going forward, you need to create the following:
- A new Autopilot profile.
- A filter that targets that new Autopilot profile by name.
- Any new workloads that should reach only new devices.
Start by creating a new Autopilot profile. It can contain the same settings as the old one; there is no requirement that they differ. The name, however, must be different from the old profile's, because the filter keys on that name and the old profile will not be used going forward. Do not assign a group to it yet; that happens at the end. Then create a filter with the settings shown below.
Filter rule settings:
- Property: enrollmentProfileName
- Operator: Equals
- Value: name of the new Autopilot profile
Create any workloads you want to target at new enrollments only. Assign them to your user/device groups as usual, and add the enrollmentProfileName filter you just created to each assignment.
Note: not every workload supports filters yet, though more are being added over time. You may need to get creative depending on the workload; in some scenarios, targeting all devices with the filter applied is an option. Check the Microsoft documentation for the list of supported workloads.
Applying the filter on the assignment is crucial: without it, every device in the group receives the workload, not just the new ones. Finally, go back to the original Autopilot profile and remove its group assignment (typically the dynamic device group built on the ZTD expression), then add that same group to the group assignment of the new Autopilot profile. Existing devices are unaffected by this change until they are wiped or reset; any new Autopilot enrollment uses the new Autopilot profile and therefore receives every workload carrying the filter created above.
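The procedure above scripted against Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest), the beta endpoints and property names for assignment filters and Autopilot profile assignments as the example's author understands them, and placeholder IDs for the two profiles, the Win32 app and the groups; the profile name 'Autopilot - New Devices' is illustrative. Step 3 is the check a practitioner wants before trusting the rollout: any assignment on the workload without the filter will reach existing devices too.

```powershell
# Added example (not from the original post). Requires: Install-Module Microsoft.Graph.Authentication
# All IDs below are placeholders; replace them with the values from your tenant.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementApps.ReadWrite.All',
                        'DeviceManagementServiceConfig.ReadWrite.All'

$graph          = 'https://graph.microsoft.com/beta'
$newProfileName = 'Autopilot - New Devices'        # assumed display name of the NEW Autopilot profile
$oldProfileId   = '<old-autopilot-profile-id>'     # placeholder
$newProfileId   = '<new-autopilot-profile-id>'     # placeholder
$appId          = '<win32-app-id>'                 # placeholder workload to target at new devices only
$targetGroupId  = '<user-or-device-group-id>'      # placeholder: the usual assignment group for the workload
$ztdGroupId     = '<ztd-dynamic-device-group-id>'  # placeholder: dynamic device group with the ZTD expression

# 1. Filter: Windows devices whose enrollment profile name equals the new profile's name.
#    Intune's rule syntax wants the value in double quotes, hence the backtick escapes.
$filter = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/assignmentFilters" -Body @{
    displayName = "Enrolled via $newProfileName"
    description = 'Only devices enrolled through the new Autopilot profile'
    platform    = 'windows10AndLater'
    rule        = "(device.enrollmentProfileName -eq `"$newProfileName`")"
}
$filterId = $filter.id

# 2. Assign the workload to the usual group, restricted by the filter ("include").
#    Remove the two filter properties and this target reaches every device in the group.
$target = @{
    '@odata.type'                              = '#microsoft.graph.groupAssignmentTarget'
    groupId                                    = $targetGroupId
    deviceAndAppManagementAssignmentFilterId   = $filterId
    deviceAndAppManagementAssignmentFilterType = 'include'
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/mobileApps/$appId/assign" -Body @{
    mobileAppAssignments = @(@{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'required'
        target        = $target
    })
}

# 3. Check: every assignment on the workload must carry the filter, otherwise existing devices get it too.
$assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceAppManagement/mobileApps/$appId/assignments").value
$unfiltered  = $assignments | Where-Object { $_.target.deviceAndAppManagementAssignmentFilterId -ne $filterId }
if ($unfiltered) {
    Write-Warning "Unfiltered assignment(s) on app $appId would reach existing devices: $($unfiltered.id -join ', ')"
}

# 4. Move the ZTD dynamic group from the old Autopilot profile to the new one.
$oldAssignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/windowsAutopilotDeploymentProfiles/$oldProfileId/assignments").value
foreach ($a in $oldAssignments) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$graph/deviceManagement/windowsAutopilotDeploymentProfiles/$oldProfileId/assignments/$($a.id)"
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/windowsAutopilotDeploymentProfiles/$newProfileId/assignments" -Body @{
    target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $ztdGroupId
    }
}
```

Run step 4 last, exactly as the text says: once the ZTD group points at the new profile, every fresh enrollment reports the new profile name and therefore matches the filter, while devices already enrolled keep their old enrollmentProfileName until they are wiped or reset.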