Tuesday, December 31, 2024

How to Create a Dynamic Group for Autopilot Devices in Microsoft Intune

Dynamic groups in Azure Active Directory (Azure AD) enable automatic membership based on defined criteria. For Windows Autopilot devices, a dynamic group ensures that devices meeting specific attributes are automatically added, simplifying profile assignments and management.


Steps to Create a Dynamic Group for Autopilot Devices

  1. Sign In to Microsoft Endpoint Manager Admin Center
    Navigate to intune.microsoft.com and sign in with an administrative account.

  2. Access Groups

    • Go to Groups > All groups in the left-hand menu.
    • Click New group to create a new dynamic group.
  3. Configure Group Settings

    • Group Type: Select Security.
    • Group Name: Enter a meaningful name, e.g., Autopilot Devices.
    • Description: Optionally, provide details about the group, e.g., "Dynamic group for Autopilot-enrolled devices."
  4. Set Membership Type
    Under the Membership type dropdown, select Dynamic Device.

  5. Define the Dynamic Membership Rule

    • Click Add dynamic query.
    • In the Rule syntax field, use the following query to include all Autopilot devices:

      (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))
      Explanation:
      • device.devicePhysicalIds: Attribute containing the physical IDs of devices.
      • [ZTDId]: The prefix of the physical ID entry stamped on devices registered for Windows Autopilot. The entry continues with the device's Autopilot identifier, so the rule matches on the prefix (-startsWith) rather than on an exact value.
  6. Save the Query

    • Click Save to apply the dynamic membership rule.
    • Click Create to finalize the group creation.
  7. Verify Group Membership

    • After creation, navigate to the group's Members tab.
    • Confirm that Autopilot devices are automatically added based on the rule.
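The same group created from a script with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It previews which registered devices the rule will match before any deployment profile depends on the group, then checks that every member really carries the [ZTDId] physical ID. The group name, description and mail nickname are illustrative values.

```powershell
# Added example, not from the original post. Uses the Microsoft Graph PowerShell
# SDK (Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement)
# to create the Autopilot dynamic device group and to check its scope.
# Group name, description and mail nickname are illustrative values.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All" -NoWelcome

$rule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

# 1. Preview which registered devices the rule pulls in before a profile is
#    assigned to the group. StartsWith() is used instead of -like because '['
#    begins a wildcard character class in PowerShell and would not match literally.
function Get-AutopilotDevicePreview {
    Get-MgDevice -All -Property "id,displayName,physicalIds" |
        Where-Object { @($_.PhysicalIds | Where-Object { $_.StartsWith('[ZTDId]') }).Count -gt 0 } |
        Select-Object Id, DisplayName
}
$preview = @(Get-AutopilotDevicePreview)
Write-Host "Rule currently matches $($preview.Count) registered device(s)."

# 2. Create the dynamic security group with rule processing switched on.
$group = New-MgGroup -DisplayName "Autopilot Devices" `
    -Description "Dynamic group for Autopilot-registered devices" `
    -MailEnabled:$false -MailNickname "autopilot-devices" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"
Write-Host "Created group $($group.Id)"

# 3. Membership is evaluated asynchronously (normally within minutes). Once it
#    has settled, every member should be in the preview; anything else means the
#    rule or a device's physicalIds are not what was expected.
$members = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)
$unexpected = $members | Where-Object { $_ -notin $preview.Id }
if ($unexpected) { Write-Warning "Members without a [ZTDId] physical ID: $($unexpected -join ', ')" }
else { Write-Host "All $($members.Count) member(s) are Autopilot-registered devices." }
```

Run step 3 again after a few minutes if the member list is still empty; a newly created dynamic group has no members until the first evaluation pass completes.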

Importing "Offline" Hardware Hash into Microsoft Intune for Windows Autopilot

Windows Autopilot provides a seamless deployment experience for new devices in an organization. For devices that are not connected to the internet during deployment, you can manually extract and import the hardware hash into Microsoft Intune. This blog outlines the offline process using PowerShell.


Prerequisites

  1. Windows PowerShell: Ensure the latest version of Windows PowerShell is installed.
  2. Admin Permissions: Run PowerShell as an administrator.
  3. Network Access: Required only for uploading the hardware hash file to Microsoft Intune.
  4. Export Folder: Create a folder to store the exported CSV file, e.g., C:\Devices.

Steps to Export and Import Offline Hardware Hash

  1. Install the Script
    The Get-WindowsAutopilotInfo script is used to capture the hardware hash. Install it using the following command:

    Install-Script -Name Get-WindowsAutopilotInfo
  2. Set the Execution Policy
    To run scripts that are not digitally signed, change the execution policy temporarily:

    Set-ExecutionPolicy Unrestricted
  3. Export the Hardware Hash
    Use the script to export the hardware hash to a CSV file:

    Get-WindowsAutopilotInfo.ps1 -OutputFile C:\Devices\Device1.csv
    • What It Does:
      • Captures hardware details (hardware hash, serial number, etc.).
      • Saves the output to the specified file (C:\Devices\Device1.csv).
  4. Upload the CSV File to Intune

    • Log in to the Microsoft Endpoint Manager admin center.
    • Navigate to Devices > Windows > Windows enrollment > Devices.
    • Select Import and upload the CSV file containing the hardware hash.
  5. Assign Deployment Profile
    After the import is successful:

    • Navigate to Deployment profiles under Windows enrollment.
    • Assign the desired profile to the imported devices.
  6. Restore Execution Policy
    For security purposes, reset the execution policy:

    Set-ExecutionPolicy Restricted
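The export and the pre-import check from the steps above combined into one script, as an added example that is not part of the original post. It gathers the hashes of several offline devices into a single CSV and validates the file before it is carried to a connected machine. The folder path and group tag are illustrative; Get-WindowsAutopilotInfo is the same script the post installs.

```powershell
# Added example, not from the original post. Collects hardware hashes from
# several offline devices into one CSV that Intune can import and validates
# the file before it leaves the device. Folder path and group tag are
# illustrative. The execution policy is relaxed for this process only: it
# reverts when the window closes, so no machine-wide Unrestricted/Restricted
# round trip is needed.

$ExportDir = "C:\Devices"
$OutFile   = Join-Path $ExportDir "AutopilotImport.csv"

function Export-OfflineAutopilotHash {
    param([Parameter(Mandatory)][string]$OutputFile, [string]$GroupTag = "")
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    $dir = Split-Path -Parent $OutputFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # -Append accumulates one row per device when the same USB stick is used on
    # each machine, instead of a separate Device1.csv, Device2.csv, ... per device.
    $params = @{ OutputFile = $OutputFile; Append = $true }
    if ($GroupTag) { $params.GroupTag = $GroupTag }
    Get-WindowsAutopilotInfo.ps1 @params
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $required = "Device Serial Number", "Windows Product ID", "Hardware Hash"
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }
    $columns = ($rows | Get-Member -MemberType NoteProperty).Name
    $missing = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }
    # A row without a serial number or hash cannot be imported; catch it here.
    $empty = @($rows | Where-Object { -not $_.'Device Serial Number' -or -not $_.'Hardware Hash' })
    if ($empty.Count -gt 0) { throw "$($empty.Count) row(s) have an empty serial number or hardware hash" }
    # The same serial captured twice (script run twice on one device) imports as a conflict.
    $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate serial number(s): $($dupes.Name -join ', ')" }
    return $rows.Count
}

Export-OfflineAutopilotHash -OutputFile $OutFile -GroupTag "Warehouse"
$count = Test-AutopilotCsv -Path $OutFile
Write-Host "$count device row(s) in $OutFile are ready for Windows enrollment > Devices > Import."
# After a successful import, delete the CSV: the hash alone is enough to register
# that device to a tenant, so it should not linger on a shared USB stick.
```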

Importing "ONLINE" Hardware Hash into Microsoft Intune for Windows Autopilot

Windows Autopilot streamlines the deployment and management of new devices in an enterprise environment. One critical step in setting up Autopilot is importing the hardware hash into Microsoft Intune. This guide walks you through the process using PowerShell.


Prerequisites

  1. Microsoft Intune License: Ensure your tenant is licensed for Intune.
  2. Admin Permissions: You need appropriate permissions to add devices to Intune.
  3. Windows PowerShell: Install the latest version of Windows PowerShell.
  4. Network Access: Devices must have access to the internet during hash extraction.

Steps to Import Hardware Hash

  1. Install the Required Script
    The script Get-WindowsAutopilotInfo is used to gather hardware hashes. To install it, run the following command in an elevated PowerShell session:

    Install-Script -Name Get-WindowsAutopilotInfo -Force
  2. Gather Hardware Hash
    Run the script to extract the hardware hash and upload it directly to Microsoft Intune:

    Get-WindowsAutopilotInfo -Online
    • What It Does:
      • Captures hardware details (hardware hash, serial number, model, etc.).
      • Uploads this information directly to the Autopilot deployment service in Intune.
  3. Verify Device Registration
    After executing the script, log in to the Microsoft Endpoint Manager admin center:

    • Navigate to Devices > Windows > Windows enrollment > Devices.
    • Ensure the imported device appears in the list with its hardware hash.
  4. Assign an Autopilot Profile
    Assign a pre-configured deployment profile to the imported device:

    • Go to Devices > Windows > Windows enrollment > Deployment profiles.
    • Select a profile and assign it to the imported device.
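The online registration followed by a scripted version of the verification step, as an added example that is not part of the original post. Instead of searching the portal, it queries the Microsoft Graph windowsAutopilotDeviceIdentities endpoint for the device's serial number and reports the group tag and profile assignment status. It assumes the Microsoft.Graph.Authentication module is installed; the group tag value is illustrative.

```powershell
# Added example, not from the original post. Registers the current device
# online with a group tag, then confirms the registration through Microsoft
# Graph rather than by searching the portal. Assumes the
# Microsoft.Graph.Authentication module is installed; the group tag is illustrative.

# Serial number as reported by the firmware; this is what Intune lists for the device.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# Upload the hash. The script performs its own Graph sign-in and asks for consent.
Get-WindowsAutopilotInfo -Online -GroupTag "Finance-Laptops"

function Get-AutopilotIdentity {
    param([Parameter(Mandatory)][string]$SerialNumber)
    # A read-only scope is enough for the check; the upload above already used write access.
    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" -NoWelcome
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities" +
           "?`$filter=contains(serialNumber,'$SerialNumber')"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    return @($resp.value)
}

$found = Get-AutopilotIdentity -SerialNumber $serial
if ($found.Count -eq 0) {
    Write-Warning "No Autopilot identity for serial $serial yet; registration can take a few minutes."
} else {
    foreach ($d in $found) {
        # deploymentProfileAssignmentStatus tells you whether step 4 has taken effect.
        Write-Host ("Registered: serial={0} model={1} tag={2} profileStatus={3}" -f
            $d.serialNumber, $d.model, $d.groupTag, $d.deploymentProfileAssignmentStatus)
    }
}
```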