What About Autopilot Dynamic Device Groups


One critical part of any successful Autopilot process is targeting: we need a way of pointing our Autopilot devices to the correct profiles. I always try to keep these down to a single profile for traditional AAD, or even Hybrid if you have no choice, but you may want to dabble in auto-deploy scenarios, which require another profile, and we can't just do one size fits all. So Dynamic Device AAD Groups and Group Tags are the focus of this blog article.

I typically try to have the personas conversation with my customers to understand the use cases and workloads we will be targeting, and from there drive the conversation to a single Autopilot profile to keep things simple. Autopilot itself is pretty simple: we are just delivering a config to the OOBE experience that defines the behavior, and the real heavy lifting is handled by the MDM. So keep it simple and try to get to one profile, but if one can't be done, move on to Group Tags.

Create device groups for Windows Autopilot - Microsoft Intune | Microsoft Docs

Michael Niehaus has some great articles on this if you would like to go deeper into dynamic groups, so there is no need to rehash them here.

https://oofhours.com/2020/04/08/fun-with-windows-autopilot-group-tags/

https://oofhours.com/2020/03/30/group-tags-with-spaces-fun-with-azure-ad-dynamic-groups/

1. In the Microsoft Endpoint Manager Admin Center, choose Groups > New group.

2. In the Group blade:

3. For Group type, choose Security.


4. Type a Group name and Group description.

5. For Membership type, choose Dynamic Device.

6. Choose Dynamic Device

7. Select Add dynamic query

8. Use one of the following:

To capture all devices in Azure AD with a ZTDId, use the query below. This will be a catch-all.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")


To capture only devices with a defined Group Tag, use the query below.

(device.devicePhysicalIds -any _ -eq "[OrderID]:AADJoin")


9. After adding the dynamic query, choose Save.

10. Choose Create
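
The same two groups can be created from a script instead of the portal. The following is an added example, not part of the original walkthrough: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module, assumed to be installed), and the group names and descriptions are placeholders chosen for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Groups
# Added example: scripted equivalent of steps 1-10 above.
# Group names/descriptions below are hypothetical placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$groups = @(
    @{
        Name        = 'Autopilot - All Devices'      # placeholder name
        Description = 'Catch-all: every device with a ZTDId'
        Rule        = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'
    },
    @{
        Name        = 'Autopilot - AADJoin'          # placeholder name
        Description = 'Devices carrying the AADJoin Group Tag'
        Rule        = '(device.devicePhysicalIds -any _ -eq "[OrderID]:AADJoin")'
    }
)

foreach ($g in $groups) {
    # Skip groups that already exist so the script is safe to re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) {
        Write-Host "Exists:  $($g.Name) ($($existing.Id))"
        continue
    }

    $params = @{
        DisplayName                   = $g.Name
        Description                   = $g.Description
        MailEnabled                   = $false
        # Mail nickname is mandatory even for security groups; strip spaces/punctuation.
        MailNickname                  = ($g.Name -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = 'On'   # start evaluating the rule immediately
    }

    $new = New-MgGroup @params
    Write-Host "Created: $($new.DisplayName) ($($new.Id))"
}
```

A device tagged AADJoin also has a ZTDId, so it lands in both groups; keep that overlap in mind when assigning different Autopilot profiles to each.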
