@Pavel Yannara Mirochnitchenko, I connected to Azure AD via PowerShell using the following commands and checked the device attributes:
I found that the AccountEnabled attribute is not the same before and after Autopilot enrollment. Then I created a dynamic group with the following rule syntax and found that only the Autopilot devices which are not enrolled are added to this group:
(device.accountEnabled -eq false) and (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
We can try the same rule to see if it is working. Hope it can help.
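Added example, not part of the answer above: a way to preview which devices the rule would select before creating the group. The function name and the sample device records are hypothetical and constructed; live objects with the same AccountEnabled and DevicePhysicalIds properties would come from Get-AzureADDevice in the AzureAD module.

```powershell
# Added example: evaluate the dynamic-group rule against device objects offline.
function Test-UnenrolledAutopilotDevice {
    param([Parameter(Mandatory)] $Device)

    # Rule part 1: device.accountEnabled -eq false
    if ($Device.AccountEnabled) { return $false }

    # Rule part 2: device.devicePhysicalIDs -any (_ -contains "[ZTDId]")
    # In a dynamic rule, -contains is a case-insensitive substring match on
    # each string. PowerShell's own -contains tests collection membership,
    # so a substring search is used here instead.
    foreach ($id in @($Device.DevicePhysicalIds)) {
        if ($id -and $id.IndexOf('[ZTDId]', [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Constructed sample records (placeholder names and IDs).
$devices = @(
    [pscustomobject]@{ DisplayName = 'SAMPLE-AP-REGISTERED'; AccountEnabled = $false
        DevicePhysicalIds = @('[ZTDId]:00000000-0000-0000-0000-000000000001', '[OrderId]:sample') }
    [pscustomobject]@{ DisplayName = 'SAMPLE-AP-ENROLLED';   AccountEnabled = $true
        DevicePhysicalIds = @('[ZTDId]:00000000-0000-0000-0000-000000000002') }
    [pscustomobject]@{ DisplayName = 'SAMPLE-NON-AUTOPILOT'; AccountEnabled = $false
        DevicePhysicalIds = @('[OrderId]:sample') }
    [pscustomobject]@{ DisplayName = 'SAMPLE-NO-IDS';        AccountEnabled = $false
        DevicePhysicalIds = $null }
)

# For live data, replace $devices with: Get-AzureADDevice -All $true
$devices |
    Where-Object { Test-UnenrolledAutopilotDevice -Device $_ } |
    Select-Object DisplayName, AccountEnabled, DevicePhysicalIds
```

Comparing this list with the actual group membership shows whether any disabled device objects are picked up that were not expected.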