Windows Autopilot is designed to both streamline and tailor your deployment flow to your users. By simplifying your deployment configuration, you'll experience higher levels of success, as well as greater user satisfaction during deployments. One of the key factors that can improve your success is to avoid targeting changes to policies and applications while devices are being provisioned. In this post, we highlight targeting guidelines to create successful Windows Autopilot experiences. First, let’s get a better understanding of how targeting impacts device provisioning in Intune.
How Intune processes changes to device membership and assignments
Intune recalculates device policy and application assignments as it learns about Security Group membership changes for devices, as well as the changes that you make in the Intune console. When assignment recalculation for a device begins, it takes a small amount of time before all the changes are applied. Changes made to device group memberships during device provisioning may have broader implications, potentially resulting in the service having a different view about device provisioning. This view may depend on when the device assignments are checked with respect to when the membership changes are detected, causing service issues. Examples include devices not being able to successfully complete provisioning or users reaching the desktop before the needed policies and applications are installed on the device.
Intune also recalculates device profile and application assignments when you make changes in the Intune console. These changes can impact the device as well. The impact of configuration changes on devices being provisioned is similar to the impact described for device membership changes. To ensure that changes don’t negatively impact your devices, keep reading for tips and best practices.
Best practices for grouping in Windows Autopilot
Windows Autopilot supports the configuration of device policy and application assignments via the Azure Active Directory (Azure AD) device object, which is pre-created for each device registration, and the object’s 'devicePhysicalIds' property. The 'devicePhysicalIds' property can be configured with attributes such as the 'OrderId', which can then be leveraged in Dynamic Security Grouping rules. The 'OrderId' for an Autopilot device can be configured at the time that a device is registered or later through Intune. See Create device groups for more information on configuring the GroupTag for a device.
Autopilot also replicates the information contained in the 'devicePhysicalIds' property from the pre-created Azure AD device to the hybrid Azure AD device object for Autopilot hybrid configurations. This ensures that the memberships for the Autopilot device remain consistent as the device switches its identity from the pre-created Azure AD device to the hybrid Azure AD device.
Recommended grouping for Windows Autopilot
Leverage Windows Autopilot targeting support
By configuring dynamic security grouping rules that rely on the 'OrderId' attribute of the 'devicePhysicalIds' property of the Azure AD device, you reduce the likelihood that device assignments will be recalculated while devices are being provisioned. This is because dynamic security grouping rules can otherwise rely on device attributes that change while the device is being provisioned (for example, the device name). This configuration also reduces the likelihood that device assignments will change when devices transition from the pre-created Azure AD identity to the hybrid Azure AD identity in Autopilot hybrid scenarios.
Please note that using “static” device properties such as “Manufacturer” in dynamic security group rules also avoids the possibility of device assignments being recalculated.
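The guidance above can be checked against the groups you already target. The following is an added example, not code from the original post or from Microsoft: it classifies dynamic membership rules by the device properties they reference. The rule property names (device.displayName, device.deviceManufacturer, device.deviceOSVersion) are assumed mappings for the attributes the post names, and the group names and OrderID tag values are constructed samples.

```python
import re

# Assumption: Azure AD dynamic-membership property names for the attributes the
# post mentions. Properties the post does not classify are flagged for review.
STABLE = {"devicephysicalids", "devicemanufacturer"}
VOLATILE = {"displayname"}  # the device name can change during provisioning

PROP_RE = re.compile(r"\bdevice\.(\w+)")
ORDERID_RE = re.compile(r'"\[OrderID\]:([^"]*)"', re.IGNORECASE)


def audit_rule(rule):
    """Classify one membership rule as 'stable', 'volatile' or 'review'."""
    props = {p.lower() for p in PROP_RE.findall(rule)}
    volatile = sorted(props & VOLATILE)
    unknown = sorted(props - VOLATILE - STABLE)
    notes = [f"OrderID tag: {tag}" for tag in ORDERID_RE.findall(rule)]
    if volatile:
        return "volatile", notes + [f"changes during provisioning: {p}" for p in volatile]
    if unknown or not props:
        return "review", notes + [f"not classified by the post: {p}" for p in unknown]
    return "stable", notes


def audit_groups(groups):
    """Map each group name to the verdict for its membership rule."""
    return {name: audit_rule(rule)[0] for name, rule in groups.items()}


# Constructed sample rules (group names and tag values are made up).
SAMPLE_GROUPS = {
    "AP-Kiosk": '(device.devicePhysicalIds -any (_ -eq "[OrderID]:KIOSK"))',
    "AP-ByName": '(device.displayName -startsWith "DESKTOP-")',
    "AP-Vendor": '(device.deviceManufacturer -eq "Contoso")',
    "AP-Mixed": '(device.devicePhysicalIds -any (_ -eq "[OrderID]:LAB"))'
                ' -and (device.displayName -contains "LAB")',
    "AP-OS": '(device.deviceOSVersion -startsWith "10.0")',
}

if __name__ == "__main__":
    for name, rule in SAMPLE_GROUPS.items():
        verdict, notes = audit_rule(rule)
        print(f"{name:10} {verdict:9} {'; '.join(notes)}")
```

A rule that mixes an OrderID match with the device name, like the constructed AP-Mixed group, is still reported as volatile, because a device name change during provisioning can still change the group's membership.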
Planning for device configuration changes
Device provisioning should be taken into account when making changes to the policies and applications in Intune. Ideally, you should configure Autopilot to set up a small set of applications during device provisioning. This reduces complexity and the possibility of errors, especially during device provisioning.
If you have any questions, please leave a comment below or reach out to us on Twitter @IntuneSuppTeam.
01/03/23: Updated post to clarify the section: "Planning for device configuration changes".