You can create a dynamic Entra security group that includes all Autopilot devices using a dynamic device membership query: (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")).
By utilizing a single dynamic Entra security group that covers all your devices, you can streamline the distribution of Autopilot profiles, app deployments, and device configurations. However, the question arises: Why should you consider using a group tag for Autopilot devices?
To answer that, let’s first explore what a group tag is and then delve into the scenarios where adding one to your Autopilot device can be useful.
What is a Group tag for an Autopilot device?
A group tag is a property or attribute assigned to a device that lets you categorize devices by that tag. During Autopilot registration or hardware hash import, you can assign a group tag to a device with the Get-WindowsAutoPilotInfo -GroupTag "<group tag>" -Online command.
"A string attribute that can be used to identify a group of devices. Intune's group tag field maps to the OrderID attribute on Entra ID devices." (from the Microsoft documentation, About group tag)
Using a dynamic device membership query, you can create groups of all Autopilot devices that carry a specific group tag (order ID). For instance, you can use a query like this: (device.devicePhysicalIds -any (_ -eq "[OrderID]:cloudinfra-device")). Here, cloudinfra-device is the group tag you want to target; note the -eq operator, which matches the tag exactly rather than as a substring.
AutoPilot Group Tag Use Case
Several challenges and considerations must be addressed when multiple partner companies or organizations share a single Microsoft 365 tenant to manage users, groups, app deployment, app configuration, and device configuration.
For instance, a Microsoft 365 tenant named cloudinfra-m365-tenant is shared among multiple partner organizations, such as partner1, partner2, partner3, and others. These partner companies use the same Intune Admin Center to manage their respective company devices.
All partners, including cloudinfra-m365-tenant, enroll their devices into Intune using Autopilot and place them in a group called Win-Org-All-Autopilot-Devices using the dynamic device membership rule (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")).
This approach allows the Win-Org-All-Autopilot-Devices Entra security group to include Autopilot devices from all partners. As a result, any policies, apps, or configurations deployed to this group will also impact devices from all partner organizations.
To segregate the devices of different partners, you must first decide on the group tag each company will use. For example, the Cloudinfra tenant can use cloudinfra-device, Partner1 can use partner1-device, and so on.
| Organization Name | Group Tag |
|---|---|
| cloudinfra-m365-tenant | cloudinfra-device |
| Partner1 | partner1-device |
| Partner2 | partner2-device |
| Partner3 | partner3-device |
- Create Entra dynamic security groups, one for each partner organization, each with a membership query that matches only that organization's group tag:
| Organization Name | Entra Security Group Name | Dynamic Group Membership Query |
|---|---|---|
| cloudinfra-m365-tenant | cloudinfra-autopilot-devices | (device.devicePhysicalIds -any (_ -eq "[OrderID]:cloudinfra-device")) |
| Partner1 | partner1-autopilot-devices | (device.devicePhysicalIds -any (_ -eq "[OrderID]:partner1-device")) |
| Partner2 | partner2-autopilot-devices | (device.devicePhysicalIds -any (_ -eq "[OrderID]:partner2-device")) |
| Partner3 | partner3-autopilot-devices | (device.devicePhysicalIds -any (_ -eq "[OrderID]:partner3-device")) |
1. Add a Group tag to an Autopilot device Manually
First let’s check how to add a group tag to an Autopilot device manually.
- Sign in to the Intune admin center > Devices > Enrollment.
- Under the Windows tab, click Devices under the Windows Autopilot category.
- Find the device you want to apply a group tag to and click on it.
- Search for the Group tag field, type the name of a group tag, and Save.
- Repeat the process to add a Group tag for the rest of the devices.
If you have created a dynamic Entra security group based on the group tag, it may take some time to refresh the Entra ID dynamic group membership. You can check back later and refresh the Entra group to see if the device has been added to the appropriate dynamic group.
2. Add a Group tag to All Autopilot devices using PowerShell
Using a PowerShell command, you can also add a group tag to an Autopilot device. We'll use the Set-AutopilotDevice cmdlet, which is part of the WindowsAutopilotIntune PowerShell module.
When you install the WindowsAutopilotIntune PowerShell module, it also installs other dependent modules like AzureAD and Microsoft.Graph.Intune. If you already have the AzureAD module installed on your device, you might receive an error message indicating that the module has already been installed.
To overcome the warning and install this module successfully, you can use two switches/parameters with the install command: -Force and -AllowClobber.
You can use the following command to install the WindowsAutopilotIntune PowerShell module:
1. Install the WindowsAutopilotIntune PowerShell module
Install-Module WindowsAutopilotIntune -Force -AllowClobber
The next step is to connect to Microsoft Graph using the following command. If you encounter any issues with this command, refer to the post "Microsoft Intune Powershell Approval Required. The App Requires Your Admin Approval."
2. Connect to Microsoft Graph
Connect-MSGraph -AdminConsent
Now, fetch all autopilot device IDs and save them in a text file. If you don’t want to set a group tag on all your organization’s devices simultaneously, you can modify the text file to include only the devices you want to test.
Once you’re confident that the PowerShell command for applying the group tag works, you can update the text file to include the rest of the device IDs.
3. Fetch all Autopilot device IDs into a txt file
Get-AutopilotDevice | Select -ExpandProperty Id | Out-File C:\temp\AutopilotDeviceIDlist.txt
You can add or update a group tag on all autopilot devices in the AutopilotDeviceIDlist.txt file using the following PowerShell script. If a group tag is already applied to a device, the script will overwrite or update it.
4. Add or update a group tag on all Autopilot devices using PowerShell
# Provide a Group Tag
$Grouptag = Read-Host -Prompt "Please provide a group tag"

# Read the device IDs from the text file into the variable $DeviceIDs
$DeviceIDs = Get-Content "C:\temp\AutopilotDeviceIDlist.txt"

foreach ($deviceID in $DeviceIDs) {
    # Get current device information.
    $currentdevice = Get-AutopilotDevice -id $deviceID
    Write-Host "Working on device $deviceID of $($currentdevice.addressableUserName)"

    # Apply the Group Tag to every device listed in AutopilotDeviceIDlist.txt
    # (the device object fetched above is piped in, so the same ID is used)
    $currentdevice | Set-AutopilotDevice -groupTag $Grouptag
}
5. Get the list of all Autopilot devices with Group tag information
Get-AutopilotDevice | Select ID, serialnumber, Grouptag
6. Export the list of all Autopilot devices with Group tag information to a CSV file.
Get-AutopilotDevice | Select ID, serialnumber, Grouptag | Export-CSV C:\temp\AutopilotDeviceInfo_Grouptag.csv -NoTypeInformation
Powershell Script Output
Once the group tag has been added to all devices using the PowerShell script, you can verify it from the Intune admin center to confirm that it has been successfully applied to the devices.
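After tagging, it is worth checking that every Autopilot device carries one of the agreed partner tags, since an untagged or mistyped tag means the device falls outside every partner dynamic group (the -eq rule matches exactly). The audit below is an added example, not part of the original post: the approved-tag table and the sample device objects are constructed, and for live use you replace $devices with the output of Get-AutopilotDevice after Connect-MSGraph as in the steps above.

```powershell
# Added example (not from the original post): audit Autopilot group tags against the
# per-partner scheme from the tables above. $ApprovedTags and the sample devices are
# constructed; in a live session use: $devices = Get-AutopilotDevice

# Approved tag -> organization (mirrors the post's table; adjust for your tenant)
$ApprovedTags = @{
    'cloudinfra-device' = 'cloudinfra-m365-tenant'
    'partner1-device'   = 'Partner1'
    'partner2-device'   = 'Partner2'
    'partner3-device'   = 'Partner3'
}

function Test-AutopilotGroupTag {
    # Classify each device: OK (tag is approved), Untagged (falls outside every partner
    # dynamic group) or UnknownTag (matches no "[OrderID]:..." -eq rule at all)
    param(
        [Parameter(Mandatory)] [object[]]  $Devices,   # objects with id, serialNumber, groupTag
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    foreach ($d in $Devices) {
        $tag = [string]$d.groupTag
        if ([string]::IsNullOrWhiteSpace($tag)) { $status = 'Untagged' }
        elseif ($Approved.ContainsKey($tag))    { $status = 'OK' }
        else                                    { $status = 'UnknownTag' }
        $org = if ($status -eq 'OK') { $Approved[$tag] } else { '' }
        [pscustomobject]@{
            Id           = $d.id
            SerialNumber = $d.serialNumber
            GroupTag     = $tag
            Organization = $org
            Status       = $status
        }
    }
}

# Constructed sample data (hypothetical IDs and serial numbers)
$devices = @(
    [pscustomobject]@{ id = 'id-0001'; serialNumber = 'SN-A100'; groupTag = 'partner1-device' }
    [pscustomobject]@{ id = 'id-0002'; serialNumber = 'SN-A101'; groupTag = '' }
    [pscustomobject]@{ id = 'id-0003'; serialNumber = 'SN-A102'; groupTag = 'partner1-devices' }  # typo: no rule matches
    [pscustomobject]@{ id = 'id-0004'; serialNumber = 'SN-A103'; groupTag = 'cloudinfra-device' }
)

$report = Test-AutopilotGroupTag -Devices $devices -Approved $ApprovedTags
$report | Format-Table -AutoSize
# Count per status, then list only the devices that need attention (feed these to a CSV export if needed)
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object { $_.Status -ne 'OK' }
```

Devices reported as Untagged or UnknownTag are the ones to fix with the Set-AutopilotDevice steps above before relying on the partner dynamic groups for assignments.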
3. Remove a Group tag from Autopilot devices using PowerShell
If you’ve mistakenly assigned a group tag to a device or a group of devices, don’t worry. You can remove it using the following steps:
Manual Method
- Sign in to the Intune admin center.
- Click Devices > Enrollment > Windows tab > Windows Autopilot > Devices.
- Click on a Device and then Delete the Group tag manually.
Using PowerShell [Remove Group tag of One Device]
You can also use the below PowerShell commands to remove a group tag:
1. Identify the Device ID of a device
Get-AutopilotDevice | Select ID, serialnumber, Grouptag
2. Remove the Group tag of one device using the PowerShell code below
# Provide the value of the Device Identifier (ID) between the quotes
$id = "xxxxx-xxx-x-x-x-x-x-x"

# Set the Grouptag variable to empty
$Grouptag = ""

# Run the command below to set / update the Autopilot device group tag to blank
Get-AutopilotDevice -id $id | Set-AutopilotDevice -groupTag $Grouptag
Using PowerShell [Remove Group tag of All Autopilot Devices]
You might need to remove a group tag from all Autopilot devices. The following PowerShell script clears the group tag information, that is, sets the group tag field to blank, for all Autopilot devices.
1. Fetch all Autopilot device IDs into a txt file
Get-AutopilotDevice | Select -ExpandProperty Id | Out-File C:\temp\AutopilotDeviceIDlist.txt
2. Use the PowerShell script below to remove the Group tag from all Autopilot devices
# Set the Group Tag variable to blank / empty
$Grouptag = ""

# Read the device IDs from the text file into the variable $DeviceIDs
$DeviceIDs = Get-Content "C:\temp\AutopilotDeviceIDlist.txt"

foreach ($deviceID in $DeviceIDs) {
    # Get current device information.
    $currentdevice = Get-AutopilotDevice -id $deviceID
    Write-Host "Clearing the group tag on $deviceID for $($currentdevice.addressableUserName) user"

    # Set the Group Tag to blank on every device listed in AutopilotDeviceIDlist.txt
    # (the device object fetched above is piped in, so the same ID is used)
    $currentdevice | Set-AutopilotDevice -groupTag $Grouptag
}
How to upload the hardware hash via Microsoft Graph without entering Intune administrator credentials?
Two questions:
1) Is there a limit to the number of group tags per Device?
2) Is there any best practice to the total number of Intune group tags an organization may have?
An important question is, how does one limit Partner1 from updating the group tag on Autopilot devices belonging to Partner2 and Partner3? Autopilot devices appear to not utilize scope tags in Intune.