We have too many PCs being deployed without a valid Group Tag or before its Autopilot Enrollment Profile has been assigned. To catch these situations, and make them VERY obvious, I would like to create a default Enrollment Profile and Intune configuration. How does one create a default Intune Autopilot Enrollment Profile and assign an intentionally "broken" configuration to it?
My present attempt was to create a "Default" Autopilot Enrollment profile and assign it to ALL devices, exempting those in the Group Tag based Azure AD Dynamic Groups which explicitly assign the other Enrollment Profiles. This seems to only work once, when the PC does not have an Enrollment Profile assigned. After the PC has an explicitly assigned Enrollment Profile, it keeps that Profile, even though it is no longer a member of a group assigned to a Profile.
For the post-OOBE configuration, I created an Azure AD group based on the "Default" Enrollment Profile being assigned during the OOBE. I am finding this to be unreliable. First, the assigned profile sometimes does not update during the OOBE. It will keep the last Profile, requiring the PC to be reset and re-run through the OOBE to fix it. Second, even once it does update, it takes a while (right now, 7 hours) for the AAD group to update and effect the change to the Intune configuration assignments.
Also, I would not recommend using a single-app kiosk configuration (mine was Edge pointed at your website) for the "broken" state, because those kiosk configurations do not get cleaned up after the configuration is no longer assigned to the PC.
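For reference, here is what the group and assignment structure described in the post looks like when built with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original poster. It assumes the `Microsoft.Graph` module is installed, the caller has `Group.ReadWrite.All` and `DeviceManagementServiceConfig.ReadWrite.All`, an Autopilot profile named "Default" already exists, and the Group Tag names `Finance` and `Kiosk` and the group display names are placeholders; the dynamic membership rules (`[ZTDId]`, `[OrderID]:<tag>`, `enrollmentProfileName`) are the documented Azure AD device attribute rules for Autopilot devices.

```powershell
# Added example, not from the original post. Builds: one dynamic group for all
# Autopilot-registered devices, one per Group Tag (excluded from the Default
# profile), and one for devices that actually enrolled with the Default profile.
# Assumptions: Microsoft.Graph module; Group.ReadWrite.All and
# DeviceManagementServiceConfig.ReadWrite.All; a profile named "Default" exists;
# tag names and group display names are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All"

function New-DynamicDeviceGroup {
    param([string]$DisplayName, [string]$Rule)
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled -GroupTypes @("DynamicMembership") `
        -MembershipRule $Rule -MembershipRuleProcessingState "On"
}

# 1. Every device registered in Autopilot (has a ZTDId): the target of "Default".
$allAutopilot = New-DynamicDeviceGroup "AP-All-Devices" `
    '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

# 2. One group per Group Tag. These carry the real profiles and are excluded from "Default".
$tagGroups = @{}
foreach ($tag in @("Finance", "Kiosk")) {
    $tagGroups[$tag] = New-DynamicDeviceGroup "AP-Tag-$tag" `
        "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$tag`"))"
}

# 3. Devices that went through OOBE with "Default" (post-OOBE targeting of the "broken" config).
$defaultEnrolled = New-DynamicDeviceGroup "AP-Enrolled-Default" `
    '(device.enrollmentProfileName -eq "Default")'

# Look up the existing "Default" Autopilot profile (client-side filter on displayName).
$profiles = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles").value
$apProfile = $profiles | Where-Object { $_.displayName -eq "Default" } | Select-Object -First 1
if (-not $apProfile) { throw "Autopilot profile 'Default' not found" }
$assignUri = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($apProfile.id)/assignments"

# Include all Autopilot devices ...
Invoke-MgGraphRequest -Method POST -Uri $assignUri -Body @{
    target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $allAutopilot.Id }
} | Out-Null

# ... and exclude every Group Tag group, so tagged devices are left to their own profiles.
foreach ($g in $tagGroups.Values) {
    Invoke-MgGraphRequest -Method POST -Uri $assignUri -Body @{
        target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $g.Id }
    } | Out-Null
}

# Check: list Autopilot devices whose profile assignment is not reported as in sync.
# This is where a device that kept a stale profile, or never received one, shows up.
$devices = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities").value
$devices |
    Where-Object { $_.deploymentProfileAssignmentStatus -ne "assignedInSync" } |
    Select-Object serialNumber, groupTag, deploymentProfileAssignmentStatus, deploymentProfileAssignedDateTime |
    Format-Table -AutoSize
```

The exclusion-target assignment is the same thing the portal does when you add an excluded group to an Autopilot profile; nothing here forces a device that already holds a profile to be re-evaluated, which matches the behaviour the post observed. The final query is the quickest way to spot devices stuck in a `pending` or out-of-sync state before they ever reach OOBE, rather than waiting for the dynamic `enrollmentProfileName` group to catch up.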