Azure AD group for Autopilot devices except specific group tag

A very short post to share here, based on something I was asked recently. The dynamic membership rule below returns ALL devices that ARE registered for Windows Autopilot, excluding the ones carrying a specific group tag. I’m sharing it because it is not quite as obvious as you may immediately think, and it might save someone 30 minutes of clicking, testing and head scratching.

For example, I want to see all my Autopilot devices, but excluding my VIP users’ devices, which are group tagged as VIP.

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]")) -and -not (device.devicePhysicalIDs -any (_ -eq "[OrderID]:VIP"))

Don’t forget to include all the brackets and quotes. This rule will not be displayed in the rule builder, as the combination of conditions being used is not possible in the UI, so enter it through the rule syntax text box instead.

DON’T FORGET to use the Validate Rules feature to run a quick check against some sample device records that you know do and do not meet your requirements. In the example I validated I used the word “whiteglove” as my group tag; switch it for whatever tag you want to exclude.
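As an added example that is not part of the original post: the PowerShell below mimics how the rule’s -any, -contains and -eq operators evaluate against a device’s devicePhysicalIds, using constructed sample records, and puts the tempting -any (_ -ne …) form beside it to show why that form never excludes anything. It then builds the same rule string and, if you flip the flag, creates the group with Microsoft Graph PowerShell (New-MgGroup). The device names, GUIDs, group display name and mail nickname are placeholders, and the two Test-* functions are local helpers written for this example, not an Azure AD API.

```powershell
# Added example, not code from the original post: evaluate the rule's logic
# locally against constructed device records, then (optionally) create the
# real dynamic group with Microsoft Graph PowerShell.
# Assumptions: device names, GUIDs, group display name and mail nickname are
# placeholders; the two Test-* functions mimic the rule operators locally and
# are not an Azure AD API; string comparisons use PowerShell's default
# (case-insensitive) behaviour, which is an assumption about the service.

$ExcludeTag = 'VIP'   # group tag to exclude (the post's example uses VIP)

# Constructed samples shaped like the multi-valued devicePhysicalIds attribute
# that Autopilot registration writes onto the Azure AD device object.
$SampleDevices = @(
    [pscustomobject]@{ Name = 'PC-STD-01'; PhysicalIds = @('[ZTDId]:11111111-1111-1111-1111-111111111111', '[OrderID]:Standard') }
    [pscustomobject]@{ Name = 'PC-VIP-01'; PhysicalIds = @('[ZTDId]:22222222-2222-2222-2222-222222222222', '[OrderID]:VIP') }
    [pscustomobject]@{ Name = 'PC-NOTAG';  PhysicalIds = @('[ZTDId]:33333333-3333-3333-3333-333333333333') }
    [pscustomobject]@{ Name = 'PC-NOTAP';  PhysicalIds = @() }   # never registered for Autopilot
)

# Mimics: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
#         -and -not (device.devicePhysicalIDs -any (_ -eq "[OrderID]:<tag>"))
function Test-AutopilotNotTagged {
    param([string[]]$PhysicalIds, [string]$Tag)
    # [ZTDId] is followed by the device's Autopilot identifier, so only a
    # substring test (-contains) can match it; the tag entry is an exact string.
    $isAutopilot = @($PhysicalIds | Where-Object { $_ -match [regex]::Escape('[ZTDId]') }).Count -gt 0
    $hasTag      = @($PhysicalIds | Where-Object { $_ -eq "[OrderID]:$Tag" }).Count -gt 0
    return ($isAutopilot -and -not $hasTag)
}

# Mimics the tempting but wrong form:
#   ... -and (device.devicePhysicalIDs -any (_ -ne "[OrderID]:<tag>"))
# -any (_ -ne X) is true as soon as ONE entry differs from X, and the [ZTDId]
# entry always differs, so a tagged device is never excluded.
function Test-AutopilotAnyNe {
    param([string[]]$PhysicalIds, [string]$Tag)
    $isAutopilot = @($PhysicalIds | Where-Object { $_ -match [regex]::Escape('[ZTDId]') }).Count -gt 0
    $anyNotTag   = @($PhysicalIds | Where-Object { $_ -ne "[OrderID]:$Tag" }).Count -gt 0
    return ($isAutopilot -and $anyNotTag)
}

# Evaluate both forms over the samples, one row per device.
$SampleDevices | ForEach-Object {
    [pscustomobject]@{
        Device      = $_.Name
        CorrectRule = Test-AutopilotNotTagged -PhysicalIds $_.PhysicalIds -Tag $ExcludeTag
        AnyNeRule   = Test-AutopilotAnyNe     -PhysicalIds $_.PhysicalIds -Tag $ExcludeTag
    }
} | Format-Table -AutoSize

# The rule string exactly as the portal's rule syntax box expects it.
$Rule = "(device.devicePhysicalIDs -any (_ -contains `"[ZTDId]`")) -and -not (device.devicePhysicalIDs -any (_ -eq `"[OrderID]:$ExcludeTag`"))"

# Set to $true to create the group for real (needs the Microsoft.Graph.Groups
# module and the Group.ReadWrite.All scope); left off so the script runs offline.
$CreateGroup = $false
if ($CreateGroup) {
    Connect-MgGraph -Scopes 'Group.ReadWrite.All'
    New-MgGroup -DisplayName "Autopilot devices excluding tag $ExcludeTag" `
                -MailNickname "autopilot-excl-$($ExcludeTag.ToLower())" `
                -MailEnabled:$false -SecurityEnabled `
                -GroupTypes 'DynamicMembership' `
                -MembershipRule $Rule `
                -MembershipRuleProcessingState 'On'
}
```

Running the local part shows CorrectRule as False only for PC-VIP-01 and PC-NOTAP, while AnyNeRule is True for every Autopilot device, PC-VIP-01 included, because its [ZTDId] entry already satisfies _ -ne "[OrderID]:VIP". The local helpers only mirror the operator logic; the portal’s Validate Rules feature is what checks the rule against real device objects, so use it before assigning anything to the group.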

Hopefully that saves someone a little bit of time.

/Peter

7 thoughts on “Azure AD group for Autopilot devices except specific group tag”

  1. Definitely saved me time, thanks. I have a number of personal devices registered in a customer’s Autopilot which I need to remove before the engagement concludes.


    • Sorry for the delayed response. I’m not aware of tracking within the device record attributes to show completed. Potentially using a valid domain join could work or even amend a group tag during your provisioning.


  2. Pingback: Intune RBAC Roles for Multi-Region IT Departments Explained
