Dynamic groups based on device.enrollmentProfileName for Windows 10 devices

Didn't really find an answer to this and getting a proper answer from support seemed hard because the functionality spans multiple teams. So here it goes. 


As I read in the dynamic group documentation (Docs Page - Device Rules) the "device.enrollmentProfileName" would allow me to create dynamic groups of Win10 devices based on their assigned autopilot profile. I was getting mixed results when I was trying/testing this however. 


What I could establish so far is that it seems this value for the device is set as it's getting deployed with the profile or getting enrolled in Intune. And if you later reassign the device to a different Autopilot profile the value is not changed until you restage or re-enroll the device. 


I'd like to have some confirmation that this is actually correct and if it is at Autopilot deployment only or also when re-enrolling the device in Intune. 


As an extra it would be nice to export this value for all devices, but so far saw no reference to this attribute when polling devices with PowerShell or the MSGraph. 


Who could clarify this a little bit for me? 

6 Replies
EnrollmentProfileName is more for Android Dedicated devices.

You could look into devicePhysicalIDs, check out this website: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-autopilot#create-an-autopilot-devi...

I could, and I am for now.
But that doesn't quench my curiosity about this. :)

I've also seen scenarios where suddenly the Autopilot related attributes in devicePhysicalIDs seem to have disappeared. But that is a problem for another time. Haven't been able to replicate that one.

Have you looked into GroupTags?
What they might mean for you?
I haven't seen easy issues with them disappearing.

@Thijs Lecomte 


Yes, but the grouptags are pretty much the devicephysicalIDs. 


You use them in dynamic groups just the same: 

(device.devicePhysicalIds -any _ -eq "[OrderID]:Sales") 


I know all that, but I want to know the answer to my question. Out of curiosity. You can solve my problem in many different ways. But my curiosity is only solved with knowledge. :D

@ShellBlazer I'm curious about this too. Were you ever able to find a solution for this?

Check the profileenrollmentname value via the Graph API. It's a good option but it's not always clear to me which policy is applied to which device.


enrollmentProfileName (Enrollment profile name): Create a filter rule based on the enrollment profile name. This property is applied to a device when the device enrolls. It's a string value created by you, and matches the Windows Autopilot, Apple Automated Device Enrollment (ADE), or Google enrollment profile applied to the device. To see your enrollment profile names, sign in to the Intune admin center, and go to Devices > Enroll devices.

Enter the full string value (using -eq, -ne, -in, -notIn operators), or partial value (using -startswith, -contains, -notcontains operators).


(device.enrollmentProfileName -eq "DEP iPhones")
(device.enrollmentProfileName -startsWith "Autopilot Profile")
(device.enrollmentProfileName -ne $null)

This property applies to:

Android Enterprise
Windows 11
Windows 10
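
The thread compares two ways of targeting the same devices: `device.enrollmentProfileName` and the `[OrderID]` group tag in `device.devicePhysicalIds`. The following added example (not code from any poster or from Microsoft's documentation) lists devices on which the two rules would disagree, so stale or missing profile names show up before they change group membership and policy targeting. The function name `Get-RuleDisagreement`, the record shape (`displayName`, `enrollmentProfileName`, `physicalIds`, assumed to follow the Graph `device` resource) and all sample values are assumptions made for illustration.

```powershell
# Constructed sample records (not real tenant data), shaped like exported
# Graph "device" objects. In a tenant these would come from a device export.
$devicesJson = @'
[
  { "displayName": "PC-001", "enrollmentProfileName": "Autopilot Profile Sales",
    "physicalIds": ["[ZTDId]:00000000-0000-0000-0000-000000000001", "[OrderID]:Sales"] },
  { "displayName": "PC-002", "enrollmentProfileName": "Autopilot Profile Kiosk",
    "physicalIds": ["[ZTDId]:00000000-0000-0000-0000-000000000002", "[OrderID]:Sales"] },
  { "displayName": "PC-003", "enrollmentProfileName": null,
    "physicalIds": ["[OrderID]:Sales"] },
  { "displayName": "PC-004", "enrollmentProfileName": "Autopilot Profile Sales",
    "physicalIds": [] }
]
'@
$devices = $devicesJson | ConvertFrom-Json

# Hypothetical helper: evaluates both candidate rules per device and returns
# only the devices where they give different answers.
function Get-RuleDisagreement {
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [Parameter(Mandatory)] [string]   $ProfileName,  # value used with -eq on enrollmentProfileName
        [Parameter(Mandatory)] [string]   $GroupTag      # value used in "[OrderID]:<tag>"
    )
    foreach ($d in $Device) {
        # Mirrors: (device.enrollmentProfileName -eq "<ProfileName>")
        $byProfile = ($null -ne $d.enrollmentProfileName) -and
                     ($d.enrollmentProfileName -eq $ProfileName)
        # Mirrors: (device.devicePhysicalIds -any _ -eq "[OrderID]:<GroupTag>")
        $byTag = @($d.physicalIds) -contains "[OrderID]:$GroupTag"

        if ($byProfile -ne $byTag) {
            [pscustomobject]@{
                Device                = $d.displayName
                EnrollmentProfileName = $d.enrollmentProfileName
                MatchesProfileRule    = $byProfile
                MatchesGroupTagRule   = $byTag
                ProfileNameMissing    = ($null -eq $d.enrollmentProfileName)
            }
        }
    }
}

Get-RuleDisagreement -Device $devices -ProfileName 'Autopilot Profile Sales' -GroupTag 'Sales' |
    Format-Table -AutoSize
```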