Hi @Jason_Sandys, yes, technically we can create the filter and apply it inside an https://learn.microsoft.com/mem/intune/enrollment/enrollment-restrictions-set
However, when we create the filter and click on the Preview button in the Filter preview section, we see hundreds of Entra device objects that do not have their device.enrollmentProfileName attribute populated (all our devices in our tenant were enrolled at OOBE using Autopilot, so IMO there is no reason why it can be empty). So we are asking ourselves if this missing enrollmentProfileName attribute against Entra device objects is a consequence of a small bug you haven't caught earlier somewhere else. We want to make sure that this filter is also 100% reliable when used inside the enrollment restriction feature. So we opened a ticket this week, and are waiting for Intune support feedback.
I understand that behind the scenes, you must have implemented some logic (invisible to the MS customers) so that when the device enters OOBE, the enrollment restriction filter is always evaluated, no matter if an Entra device already exists or not. Because if your filtering logic is somehow relying on Entra device object properties at a later point (example: after an OS reset on the same machine/VM), we would like to avoid new edge cases where the user is not able to enroll, just because the device.enrollmentProfileName attribute is missing for unexplained reasons (yes, this is an overcautious approach 😉).