Support tip: Targeting apps and policies with Windows Autopilot

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.


Windows Autopilot is designed to both streamline and tailor your deployment flow to your users. By simplifying your deployment configuration, you'll experience higher levels of success, as well as greater user satisfaction during deployments. One of the key factors that can improve your success is to avoid targeting changes to policies and applications while devices are being provisioned. In this post, we highlight targeting guidelines to create successful Windows Autopilot experiences. First, let’s get a better understanding of how targeting impacts device provisioning in Intune.


How Intune processes changes to device membership and assignments

Intune recalculates device policy and application assignments as it learns about Security Group membership changes for devices, as well as the changes that you make in the Intune console. When assignment recalculation for a device begins, it takes a small amount of time before all the changes are applied. Changes made to device group memberships during device provisioning can therefore have broader implications: the service can end up with a different view of the device's provisioning, depending on when the device assignments are checked relative to when the membership changes are detected, and this can cause service issues. Examples include devices not being able to successfully complete provisioning or users reaching the desktop before the needed policies and applications are installed on the device.


Intune also recalculates device profile and application assignments when you make changes in the Intune console. These changes can impact the device as well. The impact of configuration changes on devices being provisioned is similar to the impact described for device membership changes. To ensure that changes don’t negatively impact your devices, keep reading for tips and best practices.


Best practices for grouping in Windows Autopilot

Windows Autopilot supports the configuration of device policy and application assignments through the Azure Active Directory (Azure AD) device object, which is pre-created for each device registration, and the object’s 'devicePhysicalIds' property. The 'devicePhysicalIds' property can be configured with attributes such as the 'OrderId', which can then be used in Dynamic Security Grouping rules. The 'OrderId' for an Autopilot device can be configured at the time that a device is registered or later through Intune. See Create device groups for more information on configuring the GroupTag for a device.


Autopilot also replicates the information contained in the 'devicePhysicalIds' property from the pre-created Azure AD device to the hybrid Azure AD device object for Autopilot hybrid configurations. This ensures that the memberships for the Autopilot device remain consistent as the device switches its identity from the pre-created Azure AD device to the hybrid Azure AD device.


Recommended grouping for Windows Autopilot

Leverage Windows Autopilot targeting support

By configuring dynamic security grouping rules that rely on the 'OrderId' attribute of the 'devicePhysicalIds' property of the Azure AD device, you reduce the likelihood that device assignments will be recalculated while devices are being provisioned. This is because dynamic security grouping rules built on other device attributes depend on values that can change while the device is being provisioned (for example, the device name). This configuration also reduces the likelihood that device assignments will change when devices transition from the pre-created Azure AD identity to the hybrid Azure AD identity in Autopilot hybrid scenarios.


Please note that the use of “static” device properties such as “Manufacturer” to configure dynamic security group rules will also avoid the possibility of having device assignments be recalculated.
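
The following is an added example, not code from the original post or from Microsoft: it reviews the dynamic membership rules of groups you target during Autopilot and flags any rule that reads a property the post says can change during provisioning. It assumes the rule-syntax property names `deviceManufacturer` and `displayName` for the post's "Manufacturer" and "Device name"; the group names, tag values and rules are constructed.

```python
import re

# Classification follows the post: devicePhysicalIds (OrderId) and the
# manufacturer stay fixed during provisioning; the device name can change.
STABLE = {"devicephysicalids", "devicemanufacturer"}
VOLATILE = {"displayname"}

PROP_RE = re.compile(r"\bdevice\.(\w+)", re.IGNORECASE)
ORDER_ID_RE = re.compile(r'"\[OrderID\]:([^"]+)"', re.IGNORECASE)


def review_rule(rule):
    """Classify one dynamic membership rule by the device properties it reads."""
    props = {p.lower() for p in PROP_RE.findall(rule)}
    volatile = sorted(props & VOLATILE)
    unclassified = sorted(props - STABLE - VOLATILE)
    if not props:
        verdict = "no-device-property"
    elif volatile:
        verdict = "volatile"       # membership can flip mid-provisioning
    elif unclassified:
        verdict = "review"         # the post does not classify these
    else:
        verdict = "stable"
    return {"verdict": verdict, "volatile": volatile,
            "unclassified": unclassified,
            "order_ids": ORDER_ID_RE.findall(rule)}


def audit(groups):
    """Map group name -> review result, for groups targeted during Autopilot."""
    return {name: review_rule(rule) for name, rule in groups.items()}


# Constructed sample: hypothetical group names, tags and rules.
SAMPLE_GROUPS = {
    "AP-Kiosk": '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Kiosk"))',
    "AP-ByName": '(device.displayName -startsWith "KSK-")',
    "AP-Vendor": '(device.deviceManufacturer -eq "Contoso")',
    "AP-Mixed": '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Sales")) '
                'and (device.displayName -startsWith "SLS-")',
    "AP-Profile": '(device.enrollmentProfileName -eq "Kiosk profile")',
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_GROUPS).items():
        print(f"{name:12} {result['verdict']:9} {result}")
```

A rule that combines a stable clause with a volatile one (the `AP-Mixed` sample) is still reported as volatile, because a change to either property triggers a membership recalculation.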


Planning for device configuration changes

Device provisioning should be taken into account when making changes to the policies and applications in Intune. Ideally, you should configure Autopilot to set up only a small set of policies and applications during device provisioning, so that the process completes in a short amount of time, with less complexity and a lower likelihood of errors. We recommend applying deployment configuration changes prior to devices starting the provisioning process.


If you have any questions, please leave a comment below or reach out to us on Twitter @IntuneSuppTeam.
