You can create a dynamic Azure AD group that includes all Autopilot devices using the dynamic device membership rule `(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))`.
This way you can automate the deployment of the Autopilot profile, apps, device configuration and so on to every device using just one dynamic Azure AD group. So why would you need a group tag for an Autopilot device? Let's first look at what a group tag is, and then discuss why you would add one to your Autopilot devices.
What is a Group tag for an Autopilot device in Intune
As the name says, it is a property / attribute of a device that can be used to group devices by tag. A group tag can be assigned during Autopilot registration / hardware hash import with `Get-WindowsAutoPilotInfo -GroupTag "<your-tag>" -Online`.
Microsoft describes it as: "A string attribute that can be used to identify a group of devices. Intune's group tag field maps to the OrderID attribute on Azure AD devices."
You can therefore build a group containing all Autopilot devices with a specific group tag / OrderID using a dynamic device membership rule, for example `(device.devicePhysicalIds -any (_ -eq "[OrderID]:cloudinfra-device"))`, where cloudinfra-device is the group tag.
Why you may need to add a Group tag to an Autopilot device
Consider a scenario where a single Microsoft 365 tenant is shared by multiple partner companies / organizations, each managing its own users, groups, app deployment, app configuration, device configuration and so on in that tenant.
For example, a Microsoft 365 tenant named cloudinfra-m365-tenant is also used by partner organizations partner1, partner2, partner3 and so on. These partner companies manage their own devices from the same Microsoft Endpoint Manager admin center.
All partners, including cloudinfra-m365-tenant itself, enroll their devices into Intune using Autopilot, and all of them are targeted through a group called Win-Org-All-Autopilot-Devices with the dynamic membership rule `(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))`.
As a result, the Win-Org-All-Autopilot-Devices Azure AD group contains Autopilot devices from every partner, so any policies, apps or configuration deployed to this group also land on every partner's devices.
To separate the devices belonging to each partner, we need to take the following actions. Bear in mind that membership of the resulting groups is derived solely from the group tag: anyone who can edit the Group tag field of an Autopilot device can move that device into another partner's policy scope, so restrict that permission to the people who genuinely need it.
- Decide which group tag will be used for each company.
- For example, the Cloudinfra tenant can use cloudinfra-device, Partner1 can use partner1-device, and so on.
| Organization Name | Group Tag |
|---|---|
| cloudinfra-m365-tenant | cloudinfra-device |
| Partner1 | partner1-device |
| Partner2 | partner2-device |
| Partner3 | partner3-device |
- Create Azure AD dynamic security groups, one for each partner organization.
| Organization Name | Azure AD group Name | Dynamic Group membership Query |
|---|---|---|
| cloudinfra-m365-tenant | cloudinfra-autopilot-devices | `(device.devicePhysicalIds -any (_ -eq "[OrderID]:cloudinfra-device"))` |
| Partner1 | partner1-autopilot-devices | `(device.devicePhysicalIds -any (_ -eq "[OrderID]:partner1-device"))` |
| Partner2 | partner2-autopilot-devices | `(device.devicePhysicalIds -any (_ -eq "[OrderID]:partner2-device"))` |
| Partner3 | partner3-autopilot-devices | `(device.devicePhysicalIds -any (_ -eq "[OrderID]:partner3-device"))` |
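Creating four groups by hand in the portal is fine, but as the partner list grows it is quicker and less error-prone to script it. The following is an added example and not part of the original post: it creates one dynamic security group per partner from the table above using New-AzureADMSGroup from the AzureAD module (one of the modules the WindowsAutopilotIntune install pulls in). The organization-to-tag hashtable, the group naming pattern and the mail nicknames are assumptions taken from the table; it needs a Connect-AzureAD session with rights to create groups.

```powershell
# Added example (not from the original post): create one dynamic Azure AD security group
# per partner organization, keyed on the Autopilot group tag (OrderID).
# Assumes the AzureAD module and a Connect-AzureAD session; the names below are taken
# from the table above and are assumptions for this example.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Organization -> agreed group tag (values from the table above)
$partnerTags = [ordered]@{
    'cloudinfra-m365-tenant' = 'cloudinfra-device'
    'Partner1'               = 'partner1-device'
    'Partner2'               = 'partner2-device'
    'Partner3'               = 'partner3-device'
}

foreach ($org in $partnerTags.Keys) {
    $tag       = $partnerTags[$org]
    # Naming pattern from the table: partner1-device -> partner1-autopilot-devices
    $groupName = "$($tag -replace '-device$', '')-autopilot-devices"

    # -eq on the full "[OrderID]:<tag>" string, not -contains: if one tag is a prefix
    # of another (partner1 and partner10, say), -contains would match both.
    $rule = "(device.devicePhysicalIds -any (_ -eq ""[OrderID]:$tag""))"

    # Idempotent: do not create a duplicate if the group already exists
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$groupName'"
    if ($existing) {
        Write-Host "Group $groupName already exists, skipping"
        continue
    }

    New-AzureADMSGroup -DisplayName $groupName `
        -Description "Autopilot devices of $org (group tag $tag)" `
        -MailEnabled $false `
        -MailNickname ($groupName -replace '[^a-zA-Z0-9]', '') `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On' | Out-Null

    Write-Host "Created $groupName with rule $rule"
}
```

The membership rule deliberately uses `-eq` against the complete `[OrderID]:<tag>` value. A `-contains` rule does a substring match, so a partner whose tag is a prefix of another partner's tag would silently pick up the other partner's machines, which is exactly the cross-partner leakage these groups are meant to prevent.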
How to add a Group tag to an Autopilot device manually
You can add a group tag to an Autopilot device either with PowerShell or from the Microsoft Endpoint Manager admin center. Let's first see where the group tag lives in the admin center and how to set it on a device.
- Sign in to the Microsoft Endpoint Manager admin center.
- Click Devices, then Enroll devices.
- Click Windows enrollment.
- Under Windows Autopilot Deployment Program, click Devices.
- Find the device you want to tag and click on it.
- Locate the Group tag field, type the tag name and click Save.
- Repeat for the rest of the devices.
After you add a group tag to an Autopilot device, it may take some time for the Azure AD dynamic group membership to refresh. Check back later and refresh the Azure AD group to confirm the device has been added.
How to add a Group tag to all Autopilot devices using PowerShell
You can also add a group tag to an Autopilot device with PowerShell. The cmdlet we will use is `Set-AutopilotDevice`, which is part of the WindowsAutopilotIntune PowerShell module.
Installing the WindowsAutopilotIntune module also pulls in the modules it depends on, such as AzureAD and Microsoft.Graph.Intune. If the AzureAD module is already installed on your machine, Install-Module may complain that the module, or commands with the same names, already exist. To get past that and complete the installation, I use two switches / parameters with the command: `-Force` and `-AllowClobber`.
Use the command below to install the WindowsAutopilotIntune PowerShell module.
STEP 1: Install the WindowsAutopilotIntune PowerShell module
```powershell
Install-Module WindowsAutopilotIntune -Force -AllowClobber
```
Next, connect to Microsoft Graph using the command below. If you run into problems with this command, see the post: Microsoft Intune PowerShell Approval Required. The App Requires Your Admin Approval.
STEP 2: Connect to Microsoft Graph
```powershell
Connect-MSGraph -AdminConsent
```
Now write the IDs of all Autopilot devices to a text file. If you do not want to set a group tag on every device in the organization at once, edit the text file and keep only the IDs you want to test with. Once you are confident the PowerShell command applies the tag correctly, add the remaining device IDs to the file.
STEP 3: Fetch all Autopilot device IDs into a txt file
```powershell
Get-AutopilotDevice | Select-Object -ExpandProperty id | Out-File C:\temp\AutopilotDeviceIDlist.txt
```
Add or update a group tag on all Autopilot devices listed in AutopilotDeviceIDlist.txt with the PowerShell script below. If a device already has a group tag, the script overwrites it.
STEP 4: Add or update a group tag on all Autopilot devices using PowerShell
```powershell
# Provide a group tag
$Grouptag = Read-Host -Prompt "Please provide a group tag"

# Read the device IDs into $DeviceIDs, skipping blank lines
$DeviceIDs = Get-Content "C:\temp\AutopilotDeviceIDlist.txt" | Where-Object { $_ }

foreach ($deviceID in $DeviceIDs) {
    # Get the current device information
    $currentdevice = Get-AutopilotDevice -id $deviceID
    Write-Host "Working on device $deviceID of $($currentdevice.addressableUserName)"

    # Apply the group tag to this device (overwrites any existing tag)
    $currentdevice | Set-AutopilotDevice -groupTag $Grouptag
}
```
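The script above applies a single tag to every ID in a text file. In the multi-partner scenario you usually receive a list of serial numbers from each partner instead, and you need to be sure only approved tags are ever written, because a wrong tag moves the device into another partner's policies. The following added example, not from the original post, generalizes steps 3 and 4: it reads a CSV of SerialNumber,GroupTag rows, rejects any row whose tag is not on an approved list, resolves each serial to its Autopilot device, applies the tag (behind a dry-run switch so you can preview the changes first) and finishes with a check for devices that still carry no tag or an unknown one. The CSV path and columns, the approved tag list and the dry-run variable are assumptions; it expects an existing Connect-MSGraph session.

```powershell
# Added example (not from the original post): tag Autopilot devices per partner from a CSV,
# refusing any tag that is not on the approved list. Assumes the WindowsAutopilotIntune
# module and an existing Connect-MSGraph session. The CSV path/columns, the approved
# list and the dry-run flag are assumptions for this example.
Import-Module WindowsAutopilotIntune

$approvedTags = @('cloudinfra-device', 'partner1-device', 'partner2-device', 'partner3-device')
$csvPath      = 'C:\temp\PartnerDeviceTags.csv'   # assumed input: one SerialNumber,GroupTag row per device
$dryRun       = $true                              # set to $false to actually write the tags

# Resolve serial -> device once instead of querying Graph for every CSV row
$bySerial = @{}
foreach ($d in Get-AutopilotDevice) { $bySerial[$d.serialNumber] = $d }

$report = foreach ($row in Import-Csv $csvPath) {
    $serial = "$($row.SerialNumber)".Trim()
    $tag    = "$($row.GroupTag)".Trim()

    # Refuse anything not on the approved list; a typo here would put the device in no group or the wrong one
    if ($tag -notin $approvedTags) {
        [pscustomobject]@{ SerialNumber = $serial; GroupTag = $tag; Result = 'Rejected: tag not approved' }
        continue
    }
    $device = $bySerial[$serial]
    if (-not $device) {
        [pscustomobject]@{ SerialNumber = $serial; GroupTag = $tag; Result = 'Skipped: serial not registered in Autopilot' }
        continue
    }
    if ($device.groupTag -eq $tag) {
        [pscustomobject]@{ SerialNumber = $serial; GroupTag = $tag; Result = 'Unchanged' }
        continue
    }

    # A different existing tag means the device is about to change partner scope; make that visible
    $action = if ($device.groupTag) { "Changed from '$($device.groupTag)'" } else { 'Tagged' }
    if ($dryRun) {
        $action = "DRY RUN: $action"
    } else {
        Set-AutopilotDevice -id $device.id -groupTag $tag
    }
    [pscustomobject]@{ SerialNumber = $serial; GroupTag = $tag; Result = $action }
}

$report | Format-Table -AutoSize
$report | Export-Csv 'C:\temp\GroupTagChanges.csv' -NoTypeInformation

# Post-check: a device with no tag, or a tag outside the approved list, lands in no
# partner group (or the wrong one) and should be investigated
if (-not $dryRun) {
    Get-AutopilotDevice |
        Where-Object { $_.groupTag -notin $approvedTags } |
        Select-Object id, serialNumber, groupTag
}
```

Run it once with `$dryRun = $true` and review the report; rows marked "Changed from" are devices that would switch partners and deserve a second look before you flip the switch to `$false`. The post-check at the end is worth running on its own from time to time, since a device registered later without a tag will not appear in any partner group until someone notices.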
Get the list of all Autopilot devices with their group tag information:
```powershell
Get-AutopilotDevice | Select-Object id, serialNumber, groupTag
```
Export the list of all Autopilot devices with their group tag information to a CSV file:
```powershell
Get-AutopilotDevice | Select-Object id, serialNumber, groupTag | Export-Csv C:\temp\AutopilotDeviceInfo_Grouptag.csv -NoTypeInformation
```
PowerShell script output
After the group tag has been added to all devices by the PowerShell script, you can verify it in the Microsoft Endpoint Manager admin center.
How to remove a Group tag from an Autopilot device using PowerShell
If you have accidentally added a group tag to a device or a set of devices, you can easily remove it. To do so manually, sign in to the Microsoft Endpoint Manager admin center > Devices > Enroll devices > Windows enrollment > Devices, click the device in the list of Autopilot devices, clear the Group tag field and save.
You can also use the PowerShell commands below to remove a group tag:
STEP 1: Find the device ID for which you want to remove the group tag
```powershell
Get-AutopilotDevice | Select-Object id, serialNumber, groupTag
```
STEP 2: Remove the group tag from the device with the PowerShell command below:
```powershell
# Provide the Autopilot device identifier (ID) between the quotes
$id = "xxxxx-xxx-x-x-x-x-x-x"

# An empty group tag clears the field
$Grouptag = ""

# Set / update the Autopilot device group tag to blank
Get-AutopilotDevice -id $id | Set-AutopilotDevice -groupTag $Grouptag
```
How to remove the Group tag from all Autopilot devices using PowerShell
You may need to remove the group tag from all Autopilot devices. The PowerShell script below clears the group tag field (sets it to blank) on every Autopilot device.
STEP 1: Fetch all Autopilot device IDs into a txt file
```powershell
Get-AutopilotDevice | Select-Object -ExpandProperty id | Out-File C:\temp\AutopilotDeviceIDlist.txt
```
STEP 2: Use the PowerShell script below to remove the group tag from all Autopilot devices
```powershell
# Set the group tag variable to blank / empty
$Grouptag = ""

# Read the device IDs into $DeviceIDs, skipping blank lines
$DeviceIDs = Get-Content "C:\temp\AutopilotDeviceIDlist.txt" | Where-Object { $_ }

foreach ($deviceID in $DeviceIDs) {
    # Get the current device information
    $currentdevice = Get-AutopilotDevice -id $deviceID
    Write-Host "Clearing group tag on $deviceID for user $($currentdevice.addressableUserName)"

    # Set the group tag to blank on every device listed in AutopilotDeviceIDlist.txt
    $currentdevice | Set-AutopilotDevice -groupTag $Grouptag
}
```
Conclusion
In this post we have seen why you might need a group tag on an Autopilot device and how to add or update it, both from the Microsoft Endpoint Manager admin center and with PowerShell. When you have thousands of devices to tag, the PowerShell script is the way to go. If you have an Azure AD dynamic group based on `[OrderID]:<value>`, the tagged devices will be added to that group automatically after a short delay.