Azure AD Dynamic Groups not showing Compliance Flag from Intuned machines by default.


Hello Azure AD team,

 

What is our end goal?
To be able to deploy 3rd party patches to an application via Company Portal to devices that have passed the Autopilot phase.
 
What do we need to achieve this easily?
We need Dynamic Device Group Queries to include the Compliance State flag from Intune in their rules.
The flag is already present there, but it is accessible only with workarounds like Power Automate and other connectors that ask for too many rights for large organizations to approve.
 
Workflow explained
At this moment our organization does the following: we package an application (for example, an update for 7-Zip), packaging the latest version with a detection script attached that detects whether the application is installed or not.
If the application is installed, it downloads the payload and pushes the new version to the end customer via the Company Portal.
 
The problem detailed
The problem we are experiencing is the lack of functionality in Dynamic Group creation via normal Intune/AAD measures.
In order for us to deploy an app with a detection script attached, to act as an update, we need to set the deployment as REQUIRED.
The other major problem is that if we set REQUIRED, any device from the deployed collection will try to push all apps during Autopilot.
This means we have a scenario where 300 applications try to get pushed during the Autopilot OOBE phase, causing the process to fail.
Currently, there is no option to flag a PC that is being Autopiloted, has been Autopiloted, or has been issued an Autopilot reset.
This means we have nothing to base our dynamic query on in order to have a safe solution.
This is the real problem: we cannot deploy it anywhere we cannot filter the device group to exclude Autopilot machines, or otherwise exclude those devices.
 
In this video, https://www.youtube.com/watch?v=fYwrLlfdg9A, at minute 16:00 you can see he started to place the 7-Zip update on all devices.
I have spoken with PMP support and they said it was a mistake, because now it will appear on all Autopilot devices during OOBE.
Furthermore: "This is an ongoing experience for all who utilize some form of automation for application deployments in Intune. There is no 'native' way to dynamically assign policies or applications based on completion of Autopilot, so there is no way to automatically handle when devices get added to groups that the software is targeted to."
 
Currently, in Intune, we have no native way of creating a Dynamic Device Collection based on flags like Completed Autopilot, Autopilot In Progress, or even the Compliance State of a PC.
 
We have Anthony from Microsoft explaining a potential workaround, https://www.youtube.com/watch?v=OLIA5_YW0Pg (minute 9:00), using Power Automate to build a Dynamic Group based on the Compliant flag, but this method relies on setting up Power Automate with a connector to AAD that asks for too many rights (and it's not customizable, so you cannot select only the rights you need), and thus requests like these do not pass the security team from AD.

I feel like this is a major oversight, and one that can be fixed quite easily to give us more options for the dynamic device groups in Intune, without having to resort to so many workarounds.

I understand if implementing a flag for Autopilot might take more time, but implementing dynamic rules for compliance state (an attribute that is already present) should be much easier to do and would give us a workaround.
