Autopilot/Intune (group assignments) - What's your approach?

Blindf8th 61 Reputation points
2022-05-12T18:10:19.913+00:00

Good afternoon,

Still relatively new to Autopilot/Intune and I wanted to ask a few questions to the community regarding the groups you use and why? As I evaluate our existing dynamic groups associated to Autopilot/Intune, there is high level of overlap between them (group members) and I do not see any benefit to this approach. The key thing I'd like to find out is whether or not your Autopilot deployment profile targets the All Devices as its assignment along with your Domain Join Configuration Profile?

Are you using different dynamic groups for multiple Domain Join Configuration Profiles? Currently we are not leveraging tags and although I believe I understand their purpose, they don't seem to be very beneficial. How do you use them if at all?

Leveraging the All Devices for these two purposes to me makes sense as I believe it can cause errors when dynamic groups are leveraged and the Autopilot process begins before said device is associated to the dynamic group you might be targeting in the assignments. The same issue can occur with the Autopilot deployment profile assignment. Thoughts?

Any feedback is welcomed as I have read several documents and forums and so far most of them seem extremely generic in what they state. In the following article it talks about the assignment needed, but shares nothing about the thought process we might consider and walk through when it comes to the group (dynamic or static) it talks about assigning (just 1 example of many).

https://learn.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-autopilot-enroll-devices

Thanks,

Blind


Accepted answer
  1. Crystal-MSFT 50,496 Reputation points Microsoft Vendor
    2022-05-16T06:59:15.047+00:00

    @Blindf8th , Thanks for the reply. For your follow up questions, here are my answers:
    Q1: So if I understood your response correctly, if we are only using 1 Autopilot deployment profile and 1 Domain Join configuration profile, targeting All Devices is perfectly fine. However, if we intend to leverage multiple Autopilot deployment profiles and/or Domain Join configuration profiles, best practice is to create groups to avoid issues?
    A1: If all the devices are prepared to do Autopilot with Hybrid Azure AD join using the same profiles, yes, you can target the profile to all devices. And if we want different profile settings, yes, best practice is to create different groups to assign the profile.

    Q2: If you open up Autopilot deployment profile and go to Assignments, is there any reason why companies may want several groups listed here (no matter the group type)? To me if a company plans to use a single Autopilot deployment profile, then targeting All Devices OR having a single dynamic group makes sense. Do you agree or disagree?
    A2: Yes, we can do this if the deployment is the same. And we will consider multiple groups when the existing group can't find all the devices we want to do Autopilot enrollment. Then we will add another one to include the devices we want.

    Q3: My thought would be to have two Autopilot profiles. Is this a good example as to how companies might approach a multi Autopilot deployment profile solution? Having trouble finding anything that speaks to best practices, generic solutions, or deeper thoughts for future proofing this config.
    A3: For the LocalAdmin group, if it is a group of users, this will cause an issue. We need to set it with a device group because the Autopilot profile needs to be obtained before the user logs in. If this is a group of devices, it's OK.

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


3 additional answers

  1. Crystal-MSFT 50,496 Reputation points Microsoft Vendor
    2022-05-13T04:33:59.26+00:00

    @Blindf8th , Thanks for posting in Q&A. For your questions, here are my answers for the reference:
    Q1: As I evaluate our existing dynamic groups associated to Autopilot/Intune, there is high level of overlap between them (group members) and I do not see any benefit to this approach. The key thing I'd like to find out is whether or not your Autopilot deployment profile targets the All Devices as its assignment along with your Domain Join Configuration Profile?
    A1: When we create a group, we can choose Dynamic user group, Dynamic device group or Assigned group. For an assigned group, we need to add or remove the members manually. For a dynamic group, we can use dynamic group rules to automatically add and remove devices, which will be more convenient for us. Here is a link with more details for the reference:
    https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

    For the Autopilot deployment profile, this is used for Autopilot enrollment. If we deploy one Autopilot profile or domain join profile to all the devices, that means all the devices will apply the same setting. If we want a different profile setting and deploy another profile, it will conflict and cause issues. So the recommended method is only deploying the profile to the required group.

    Q2: Are you using different dynamic groups for multiple Domain Join Configuration Profiles? Currently we are not leveraging tags and although I believe I understand there purpose, they don't seem to be very beneficial. How do you use them if at all?
    A2: If we need different domain join configuration profile setting to assign to different groups, we can create different groups to apply the profile. If the profile setting is the same, we can assign it to one group.
    For the group tag, we can use it to group devices together, allowing us to then specify different Autopilot enrollment options for each group of devices with the same group tag. Here is a link for the reference:
    https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-group-tags-to-import-devices-into-intune-with/ba-p/815336

    We can consider the group tag, when the existing properties can't help us to create the dynamic group we want. If it can, we don't need this.
    https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

    Q3 :Leveraging the All Devices for these two purposes to me makes sense as I believe it can cause errors when dynamic groups are leveraged and the Autopilot process begins before said device is associated to the dynamic group you might be targeting in the assignments. The same issue can occur with the Autopilot deployment profile assignment. Thoughts?
    A3: Typically, for dynamic group, directories with small numbers of users will see the group membership changes in less than a few minutes. Directories with a large number of users can take 30 minutes or longer to populate.
    https://learn.microsoft.com/en-gb/azure/active-directory/enterprise-users/groups-troubleshooting

    Yes, if the device is not added into the group when we do Autopilot, it will fail. So before we do Autopilot, we need to check the group members to ensure the device is there.

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Blindf8th 61 Reputation points
    2022-05-13T20:04:33.033+00:00

    Crystal-MSFT,

    Good afternoon and thank you for your reply. I have a couple of follow ups and really appreciate your input.

    "For the Autopilot deployment profile, this is used for Autopilot enrollment. If we deploy one Autopilot profile or domain join profile to all the devices, that means all the devices will apply the same setting. If we want a different profile setting and deploy another profile, it will conflict and cause issues. So the recommended method is only deploying the profile to the required group."

    So if I understood your response correctly, if we are only using 1 Autopilot deployment profile and 1 Domain Join configuration profile, targeting All Devices is perfectly fine. However, if we intend to leverage multiple Autopilot deployment profiles and/or Domain Join configuration profiles, best practice is to create groups to avoid issues?

    Question 1:
    If you open up Autopilot deployment profile and go to Assignments, is there any reason why companies may want several groups listed here (no matter the group type)? To me if a company plans to use a single Autopilot deployment profile, then targeting All Devices OR having a single dynamic group makes sense. Do you agree or disagree?

    Question 2:
    My thought would be to have two Autopilot profiles. Is this a good example as to how companies might approach a multi Autopilot deployment profile solution? Having trouble finding anything that speaks to best practices, generic solutions, or deeper thoughts for future proofing this config.

    Autopilot deployment profile (Standard account type):
    Dynamic group with the Assignments All Devices
    Excluded Groups LocalAdmin group

    Autopilot deployment profile (Administrator account type):
    Static group labelled with the Assignments LocalAdmin group

    Thanks again for any feedback you may have :o)

    Blind

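The two designs discussed in this thread (the group-tag dynamic group and the pre-flight membership check from Crystal-MSFT's first answer, and the Standard/LocalAdmin include-exclude layout proposed in the question above) can be sanity-checked offline before anything is assigned in the portal. The script below is an added example, not code from the thread or from Microsoft: it models the documented dynamic-rule patterns `(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))` and `(device.devicePhysicalIds -any (_ -eq "[OrderID]:<tag>"))` and Intune's "exclusion wins over inclusion" resolution in plain Python, runs them over a constructed device list (not real tenant data), and reports devices that would end up with no Autopilot profile, with two conflicting profiles, or missing from the group they are expected to be in. The group names, device names and GUIDs are assumptions made for the example.

```python
"""Offline model of dynamic-group membership and Autopilot profile assignment (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

ALL_DEVICES = "All Devices"  # Intune's built-in virtual group

# Constructed sample directory objects (assumed names and GUIDs, not a real tenant).
# Azure AD exposes an Autopilot-registered device's ZTD id as "[ZTDId]:<guid>" and
# its group tag as "[OrderID]:<tag>" in the devicePhysicalIds attribute.
SAMPLE_DEVICES: List[dict] = [
    {"displayName": "LAPTOP-01", "devicePhysicalIds": [
        "[ZTDId]:00000000-0000-0000-0000-000000000001", "[OrderID]:LocalAdmin"]},
    {"displayName": "LAPTOP-02", "devicePhysicalIds": [
        "[ZTDId]:00000000-0000-0000-0000-000000000002"]},
    {"displayName": "LAPTOP-03", "devicePhysicalIds": [
        "[ZTDId]:00000000-0000-0000-0000-000000000003", "[OrderID]:Standard"]},
    # Azure AD device that was never imported into Autopilot (no ZTDId).
    {"displayName": "PC-NOTIMPORTED", "devicePhysicalIds": []},
]

Rule = Callable[[dict], bool]


def rule_all_autopilot() -> Rule:
    """Mirrors: (device.devicePhysicalIds -any (_ -contains "[ZTDId]"))"""
    return lambda d: any("[ZTDId]" in pid for pid in d["devicePhysicalIds"])


def rule_group_tag(tag: str) -> Rule:
    """Mirrors: (device.devicePhysicalIds -any (_ -eq "[OrderID]:<tag>"))"""
    wanted = f"[OrderID]:{tag}"
    return lambda d: any(pid == wanted for pid in d["devicePhysicalIds"])


def evaluate_groups(rules: Dict[str, Rule], devices: List[dict]) -> Dict[str, Set[str]]:
    """Membership each dynamic group will have once rule processing has caught up."""
    return {name: {d["displayName"] for d in devices if rule(d)} for name, rule in rules.items()}


@dataclass
class Profile:
    name: str
    include: Set[str]  # group names, or ALL_DEVICES
    exclude: Set[str]


def resolve(profiles: List[Profile], groups: Dict[str, Set[str]],
            devices: List[dict]) -> Dict[str, List[str]]:
    """Per Autopilot-registered device, the profiles that apply (exclusion beats inclusion)."""
    is_autopilot = rule_all_autopilot()
    result: Dict[str, List[str]] = {}
    for d in devices:
        if not is_autopilot(d):
            continue  # an Autopilot profile never reaches a device that is not registered
        name = d["displayName"]
        applied = []
        for p in profiles:
            included = ALL_DEVICES in p.include or any(name in groups.get(g, set()) for g in p.include)
            excluded = any(name in groups.get(g, set()) for g in p.exclude)
            if included and not excluded:
                applied.append(p.name)
        result[name] = applied
    return result


def find_problems(resolved: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Devices with no profile (enrollment will not get Autopilot settings) or more than one (conflict)."""
    return {
        "unassigned": sorted(n for n, ps in resolved.items() if not ps),
        "conflicting": sorted(n for n, ps in resolved.items() if len(ps) > 1),
    }


def not_yet_in_group(group: str, expected: List[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Pre-flight check from the thread: expected devices that are not (yet) in the target group."""
    return set(expected) - groups.get(group, set())


def demo() -> Dict[str, List[str]]:
    """The layout proposed in the question: Standard -> All Devices minus LocalAdmin; Admin -> LocalAdmin."""
    groups = evaluate_groups({"AutopilotAll": rule_all_autopilot(),
                              "LocalAdmin": rule_group_tag("LocalAdmin")}, SAMPLE_DEVICES)
    profiles = [Profile("Standard", {ALL_DEVICES}, {"LocalAdmin"}),
                Profile("Admin", {"LocalAdmin"}, set())]
    resolved = resolve(profiles, groups, SAMPLE_DEVICES)
    print("resolved:", resolved)
    print("problems:", find_problems(resolved))
    print("missing from AutopilotAll:", not_yet_in_group("AutopilotAll", ["LAPTOP-01", "PC-NOTIMPORTED"], groups))
    return resolved


if __name__ == "__main__":
    demo()
```

Running `demo()` shows why the include-with-exclusion layout works: every registered device resolves to exactly one profile, while assigning both profiles to All Devices would put every device in the "conflicting" list, which is the situation the first answer warns about. The `not_yet_in_group` check is the manual membership verification the thread recommends before starting Autopilot, and it also catches the case where a device was never imported (no ZTDId) and so can never appear in an Autopilot dynamic group, no matter how long the rule processing delay is.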

  3. Blindf8th 61 Reputation points
    2022-05-16T13:54:49.29+00:00

    Crystal-MSFT,

    For the last A3 response we would be leveraging the devices of those users who would require the LocalAdmin rights specified in the Autopilot Deployment Profile (ADP), which should work out just fine. The overall challenge I have seen is that single ADPs seem straightforward, but when multiple ADPs are used it appears very challenging to separate devices so they can be grouped appropriately for multi-group uses. Same goes for Domain Profiles. If you are aware of any good articles on how people are configuring multiple ADPs and Domain Profiles I'd love to read them. Thanks again for taking the time to respond and have a great day :o)

    Sincerely,

    Blind

