Discover method for identifying active managed devices

Hi

We currently rolling out AVD to a select number of users and have physical Windows 10 which are modern managed (AADJ only and MMD enrolled) but have run into an issue from using the full Windows 10 RDC app from an MMD/AADJ physical device to access an AVD session host which is also MMD/AADJ joined. The issue is related to PKU2U

So by design PKU2U  Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10) – Windows security | Microsoft Docs

As MMD is a managed service the core baseline security mandates that this setting is disabled on all MMD devices however it’s required to facilitate access to AVD via the RDC app.

In a huge enterprise changing this security setting is risky and challenging and so I want to enable the setting at the moment for the pilot AVD users. To help this I want to scope which devices we want to allow in a AAD group however when running the various PS commands to identify a user and there device, in some cases if a user like an IT admin has performed many deployements via the likes of AutoPilot, there will be one user to many devices.

Is there an option to only identify the most used active device assigned to a user and then build a rule based group or via another method?

Any help on this is appreciated?

Thanks