Windows Autopilot for Existing Devices – Creating a Dynamic Group

When using the Windows Autopilot for Existing Devices scenario it's quite useful having those devices being automatically added to a group in Intune. This can be done by matching the ZtdCorrelationId from the Autopilot JSON file used in this scenario.

Credits: Special thanks to Michael Niehaus explaining how the ZtdCorrelationId worked in this Microsoft blog: Revisiting Windows Autopilot for existing devices – Microsoft Community Hub

Prerequisites

In this I assume you have downloaded your Autopilot deployment profile as a JSON file. If not, here is a post that guides you to do that: https://www.deploymentresearch.com/windows-autopilot-for-existing-devices-downloading-the-deployment-profile/

Note: Ensure that your Autopilot deployment profile is configured for either user-driven Microsoft Entra ID or user-driven hybrid Microsoft Entra Autopilot profiles. These are the only supported scenarios. For example, Self-deploying or pre-provisioning Autopilot profiles are not supported for this scenario.

Create the Dynamic Group

In Intune, create a dynamic group, and use the ZtdCorrelationId GUID from the exported Autopilot JSON file in the query. In the below example that value was: 32bac56e-bcb2-4451-8c91-984a0f0b796b

{
    "CloudAssignedTenantId":  "0eda229c-38be-4cb0-b75b-b8dfa729a426",
    "CloudAssignedAutopilotUpdateTimeout":  1800000,
    "CloudAssignedAutopilotUpdateDisabled":  1,
    "CloudAssignedForcedEnrollment":  1,
    "Version":  2049,
    "Comment_File":  "Profile UserDriven Scenario Admin User",
    "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"viamonstra.com\"}}",
    "CloudAssignedOobeConfig":  1308,
    "CloudAssignedDomainJoinMethod":  0,
    "ZtdCorrelationId":  "32bac56e-bcb2-4451-8c91-984a0f0b796b",
    "CloudAssignedLanguage":  "os-default",
    "CloudAssignedTenantDomain":  "viamonstra.com"
}

To create the query for the dynamic group set the device.enrollmentProfileName value to be equal to "OfflineAutopilotProfile-e466861d-d13e-455f-a059-40bce86475b9" (replace the guid with your guid). Here is what the full query would look like. Note the OfflineAutopilotProfile- word prefixing the guid.

(device.enrollmentProfileName -eq "OfflineAutopilotProfile-e466861d-d13e-455f-a059-40bce86475b9")

If you have enrolled a device earlier into Autopilot using this profile, you can use the Validate Rules option when creating the group. Simply add that device to validate.

Using the Validate Rules option in Intune.

Optional – Assigning Applications

The final step – which is optional – is to assign any required applications to that group. In my example, I had assigned three applications to the group, and they were all installed as part of the enrollment process.

Note: With this scenario the applications won't show during the enrollment status page, but if they are assigned they will still be installed.

The Enrollment Status Page.

The finished setup, showing the assigned apps being installed.

About the author

Johan Arwidmark

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

>