PS Script to Add or Modify Group Tag of Autopilot Devices in Intune

Let’s check the details of a PowerShell Script to Add or Modify Group Tag of Autopilot Devices in Intune. In this post, I’ll share my experience about how we can add a group tag if you forgot while importing the autopilot device hash into Intune.

We can manually add or modify the group tag for Autopilot devices in the Endpoint Manager Portal. Also, we can use the PowerShell script to perform this same activity. Using the PowerShell script, we can save time and free ourselves to look into some other stuff.

For example, if you have 100+ Autopilot devices and have already imported the hardware hash where you forgot to add the group tag if you follow the manual process, it will take lots of time to complete the task. Instead of adding manually, you can use the PowerShell script, saving lots of your time.

You can use Graph Explorer to create Intune policies. You also have browser extensions such as Graph X-Ray to easily understand the PowerShell commands for each section of the MEM Admin center portal.

• Windows Autopilot Behind The Scenes Secrets – Admin Side – Part 2
• Set Computer Name During Windows Autopilot Hybrid Azure AD Join using Intune
• How to Decide Windows Autopilot Profile Types | Intune Architecture

What is Autopilot Group Tag?

In Microsoft Intune, the Windows Autopilot group tag is a field that can be added to the device during the hash import. Autopilot Group Tag helps to automate the deployment and configurations of Windows 10 devices. Using the Group Tags device can be easily added to the Dynamic AAD groups.

We recently published a post about the Windows AutoPilot Devices Azure AD Dynamic Groups Intune. Let’s first check the manual process to how to update the autopilot group tag.

Manual Step to Add or modify Group Tag for Autopilot Devices in Intune

Follow the steps below to manually add or change the Group Tag for the autopilot device. Where you can easily add the Group Tag, or you can modify the group tag if you mistakenly tagged into some other group in the first place.

• Login to the Endpoint Manager Intune portal https://endpoint.microsoft.com/
• Go to Devices > Windows.

Go to Windows Enrollment > Click on Devices.

Once you click on the Devices, you will be able to see the list of Windows Autopilot Devices is imported into the Microsoft Endpoint Manager Admin Center portal. You can find the device where you want to change or modify the Group Tag by using the device serial number.

• Select the device and click on it.
• Add the Group Tag > Click on Save.

Once you update the Group Tag, wait for some time. It will be corrected, and you can start the Autopilot deployment for the devices. So this is the manual step we followed to update the Group Tag. See below how we can achieve this through the PowerShell script if we have multiple devices.

• How to Use Enterprise State Roaming ESR Feature for Windows Autopilot Deployment
• Windows Autopilot Updates Timelines Microsoft Endpoint Manager MEM

PowerShell Script to Add or Modify Group Tag of Autopilot Devices in Intune

Let’s find out the PowerShell script here. Using PowerShell, we can modify the group tag existing autopilot device in Intune if we have already imported it. Even if we use the same script, we can newly add the group tag if we missed it at the beginning.

In the below script, I used the Graph API Method to connect to the Intune tenant. It would be best if you imported the Graph API module in Powershell. Pass all your information like Tenant ID, Client ID, ClientSecret, etc. For more information, check the Intune Graph Starters Guide Query Samples post.

Before running the PowerShell script to add or modify Autopilot Group Tags, you will need to collect the following details. These are the inputs needed to run the script to run:

• ClientID
• Client Secret
• TenantId

Make sure you created an app and give appropriate permissions to run Graph API automation tasks before proceeding further. Check for the App-based authentication file where you allowed the Azure AD to access the Intune APIs in Microsoft Graph.

• To get the above information, you need to log in to https://portal.azure.com/.
• Click on Azure Active Directory
• Go to App registrations > Owned applications

You can Click the particular App-based authentication (Graph API app that you created using the Microsoft doc link above) where you have given access to use the Microsoft Graph API. From the Overview tab, you will get all information about your tenant, client ID, secret, etc.

• Windows Autopilot WhiteGlove Provisioning Backend Process- Deep Dive – Post 4
• Windows Autopilot In-Depth Processes from Device Side – Part 3

Before running the script, save the system serial number of the devices in one text file and save the text file with the name mentioned in the script Serialnumber.txt. Save the scripts in the folder where you kept the .txt file before running.

As mentioned above, you must import the PowerShell module first and then run the script. These PowerShell modules are required:

• Microsoft.Graph.Intune
• WindowsAutoPilotIntune

Get GroupTag details using Device Serial Number:

$clientId = "--" #Provide the Client ID
$clientSecret = "--" # Provide the ClientSecret
$ourTenantId = "--" #Specify the TenatID

$Resource = "deviceManagement/windowsAutopilotDeviceIdentities"
$Resource = "deviceManagement/managedDevices"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($resource)"
$authority = "https://login.microsoftonline.com/$ourTenantId"
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl $authority -Quiet
Connect-MSGraph -ClientSecret $clientSecret

$SerialNumbers = Get-Content -Path "SerialNumber.txt" #Provide the list of device you want to check the GroupTag
$table = foreach ($Serial in $SerialNumbers)
{
Get-AutopilotDevice -serial $Serial | select serialnumber, GroupTag
}
$table | Out-GridView

Using the PowerShell script, you can get the group details of the Autopilot devices imported into Intune. The output will be shown in the PowerShell Grid view. You can easily copy-paste in excel.

Add or Modify GroupTag Using Serial Number

$clientId = "--" #Provide the Client ID
$clientSecret = "--" # Provide the ClientSecret
$ourTenantId = "--" #Specify the TenatID

$Resource = "deviceManagement/windowsAutopilotDeviceIdentities"
$Resource = "deviceManagement/managedDevices"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($resource)"
$authority = "https://login.microsoftonline.com/$ourTenantId"
Update-MSGraphEnvironment -AppId $clientId -Quiet
Update-MSGraphEnvironment -AuthUrl $authority -Quiet
Connect-MSGraph -ClientSecret $clientSecret

$Grouptag = "--" #Specify the GroupTag Here
$SerialNumbers = Get-Content -Path "SerialNumber.txt" #Provide the list of devices you want to check the GroupTag
foreach ($Serial in $SerialNumbers)
{
Get-AutopilotDevice -serial $Serial | Set-AutopilotDevice -groupTag $Grouptag
}

Using the above PowerShell script, you can modify the group tag for existing Autopilot devices and update the group tag if it does not exist on any devices.

Results of PowerShell

Let’s check the result of the PowerShell that we used to change and update the Windows Autopilot Group Tag. In the below screenshot, I used the first script to get the Autopilot Device Group Tag details, and Group Tag is showing empty.

In the second script, I updated the Group Tag details and ran the script from the PowerShell, and the script was run successfully. Let’s verify the group tag that we passed in the second script if we are getting the same results or not.

You must see in the results group tag is updated what I passed in the second script. You cannot see the result because I removed it from the screenshot, but I’m sure it will work if you use the above script.

I appreciate your patience in reading this post. See you in the next blog.

Author

Debabrata Pati has more than 7+ years of experience in IT. Skilled in MEMCM, Azure, and Powershell. More than five (5) years of experience in MEMCM (SCCM) administration, OSD, and Troubleshooting for the environment with more than 100K client devices.