Group tags serve as an effective method to categorize your Autopilot profile assignments according to the specific needs of devices. In my experience with small businesses, I often notice the absence of group tags, resulting in a generic Autopilot profile applied to all devices. While this strategy might work for some smaller entities, as they expand or their requirements evolve, they may find it necessary to implement different Autopilot profiles. Group tags act as metadata attached to device objects, allowing us to include or exclude certain devices from a dynamic group.
Changing the group tag for an autopilot device is straightforward if you’re only dealing with a handful of devices. This can be easily done within the Autopilot dashboard:

However, if you have hundreds or thousands of devices to modify, doing so manually isn’t practical. Ideally, all the devices that require changes will share a common characteristic such as make or model. In my case, I was assisting an organization with over 100 devices already registered with Autopilot, although only about half needed to be designated as Kiosk devices. Fortunately, they were all the same model, which led me to explore the Graph API for efficiently modifying the group tag.
The Group tag can be found on a device in two locations within the Graph API – the Entra Object and the Autopilot Object. For the Entra Object, this shows up as the OrderID, which is what you’ll utilize to create your dynamic device groups based on the group tag.

It is important to note that you cannot modify the Group tag via the Entra https://graph.microsoft.com/beta/devices/{deviceid} endpoint, as those values are referenced from the device's Autopilot object. By examining the Autopilot device object with the Autopilot endpoint, https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities, we can observe the use of groupTag as one of the fields:

Unfortunately, it is still impossible to update the groupTag using the https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities endpoint as it does not support PATCH or POST methods. Fortunately, I discovered this endpoint, https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$id/updateDeviceProperties. After testing it on a single device, I confirmed that it allows for updates to Autopilot device properties.
With a method to change the group tag via the Graph API established, it’s time to create our script. In this instance, I aim to modify every Lenovo device of model “12RQ000KUS” to have the group tag set as “Kiosk.” If you’re not sure of your model, you can find it on the Autopilot devices page within Intune:

You can find this script on GitHub. Simply edit the model number and group tag variables, and upon running the script, all Autopilot devices of that model will be updated. You’ll receive success or failure notifications based on device serial numbers, along with a log of the output saved in c:\temp.
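
The approach described above, as an added example (this is not the author's GitHub script): it pages through the Autopilot identities, filters on model, and POSTs the new groupTag to updateDeviceProperties, logging each device's previous tag so the change can be audited or reversed. It assumes the Microsoft.Graph.Authentication module is installed; the log file name and the DeviceManagementServiceConfig.ReadWrite.All scope are choices made for this example.

```powershell
# Added example, not the author's script. Requires Microsoft.Graph.Authentication.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Model    = '12RQ000KUS',                      # model named in the post
    [string]$GroupTag = 'Kiosk',                           # group tag named in the post
    [string]$LogPath  = 'C:\temp\AutopilotGroupTag.log'    # file name is an assumption
)

# Request only the scope needed to read and update Autopilot identities
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Collect every Autopilot identity, following @odata.nextLink across pages
$devices = @()
$uri = $base
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
}

# Filter client-side on model; skip devices that already carry the tag
$targets = $devices | Where-Object { $_.model -eq $Model -and $_.groupTag -ne $GroupTag }

foreach ($d in $targets) {
    $serial = $d.serialNumber
    # -WhatIf lists the devices that would change without calling the API
    if (-not $PSCmdlet.ShouldProcess($serial, "Set groupTag to '$GroupTag'")) { continue }
    try {
        $body = @{ groupTag = $GroupTag } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$base/$($d.id)/updateDeviceProperties" `
            -Body $body -ContentType 'application/json' | Out-Null
        # Record the old tag next to the new one as a rollback reference
        $line = "{0} SUCCESS {1} '{2}' -> '{3}'" -f (Get-Date -Format s), $serial, $d.groupTag, $GroupTag
    }
    catch {
        $line = "{0} FAILED  {1} {2}" -f (Get-Date -Format s), $serial, $_.Exception.Message
    }
    $line | Tee-Object -FilePath $LogPath -Append
}
```

Saved as a .ps1 file, run it with `-WhatIf` first to confirm that only the intended model is matched, since the group tag decides which dynamic group and Autopilot profile each device receives.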

Once you have completed this process, if you need to exclude that group tag from an “all autopilot devices” group, refer to my post here – https://smbtothecloud.com/exclude-devices-with-grouptags-from-the-all-autopilot-devices-dynamic-group/