I mentioned in my previous blog that I typically use an “All Autopilot Devices” dynamic group to assign an Autopilot profile automatically to most devices, while using two additional groups to let me manually assign devices that I want to deploy differently. Given that there were several questions around that, I thought it would be useful to provide some more details on how to do that. So let’s recap the basic setup:
As for assignments, the last two are obvious:
So that brings us back to the primary Autopilot profile, the User Driven Azure AD Admin profile. It should be assigned to the All Autopilot Devices dynamic group:
But then you need to exclude the other two groups, so click on the “Exclude” tab and specify those:
Now, if you manually add a device to one of those groups, it will then be excluded from this assignment. Great, but what if the device had already been assigned the User Driven Azure AD Admin profile (because it had been in the All Autopilot Devices group for a while)? Intune would notice that the device is no longer assigned to that profile and would then re-assign the profile corresponding to the group that it is in, so it automatically fixes things up (after a short while).
Notice the information bar in the above screenshot (which for some reason has no text in it)? Click on it to go to the documentation page that talks more about this include/exclude logic.