Recently, I found a few Windows autopilot devices where the group tag was missing or the incorrect region group tag was assigned.e.g., US instead of EUROPE, due to which devices were not getting added to the correct dynamic group as per device region. So, we cannot update a single device group tag as that will take a long time, and let's use some automation to get it done so we can update the missing group tag or override the incorrect group tag assigned to any device.
The following methods are available to update the group tag for new and existing Windows Autopilot devices:
1. Manually updating the group tag name in a csv file for a specific or list of devices and then uploading in Microsoft Intune.
Also, you can update in the Intune portal directly on the below path:
Go to intune.microsoft.com > Devices > Windows > Windows Enrollment > Devices
2. Bulk update Windows Autopilot group tags using PowerShell with the Graph API.
Let's use the quickest method using Windows PowerShell with the Graph API to update group tags for multiple autopilot devices directly in Intune. There are a few prerequisites for this process:
1. Download the list of all existing autopilot hardware hashes uploaded from Intune in.csv format.
Copy the required serial numbers and create a list of device serial numbers in a.txt file.
2. Azure Enterprise app "Microsoft Intune PowerShell" permission to update information in Intune
Go and check the settings in Entra.microsoft.com > Enterprise apps > Microsoft Intune PowerShell > Users and Groups (your user account should be part of it).
.PNG)
3. A script to perform this automation
Download the script from this link: http://tinyurl.com/linksforintune.
GitHub Link for the script: https://github.com/mrintune/Intune/tree/main
Run this script in PowerShell with admin rights:
# Bulk Update Windows Autopilot Group Tag using PowerShell with Graph API
# MR INTUNE Jan 2025
# Check if PackageProvider is installed
if (-not (Get-PackageProvider -Name Nuget -ListAvailable -ErrorAction Ignore)) {
# Install Microsoft.Graph module
Install-PackageProvider -Name Nuget -confirm:$false -force
}
# Check if Microsoft.Graph module is installed
if ( -not (Get-Module -Name Microsoft.Graph -ListAvailable -ErrorAction Ignore)) {
# Install Microsoft.Graph module
Install-Module -Name Microsoft.Graph -confirm:$false -force
}
# Check if WindowsAutoPilotIntune module is installed
if (-not (Get-Module -Name WindowsAutoPilotIntune -ListAvailable -ErrorAction Ignore)) {
# Install WindowsAutoPilotIntune module
Install-Module -Name WindowsAutoPilotIntune -confirm:$false -force
}
# Permissions Assigned to the User for MgGraph Auth "Group.ReadWrite.All, Device.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, GroupMember.ReadWrite.All"
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module -Name Microsoft.Graph -force
Import-Module -Name WindowsAutoPilotIntune -force
Connect-MgGraph
# Enter the serials text filepath location
$FilePathLocation = Read-Host "Enter Serials text file path location"
$serialNumbers = Get-Content -Path $FilePathLocation
# for each serial number, get entra device object id
foreach ($serialNumber in $serialNumbers){
try
{
$id = (Get-AutopilotDevice -serial $serialNumber).id
#Change the NewGroupTag value as per your environment
$NewGrouptag = "US"
Set-AutopilotDevice -id $id -GroupTag $NewGrouptag
Write-Host "Added GroupTag: $($NewGrouptag) to serialNumber: $($serialNumber) "
}
catch
{
$message = $_.Exception.Message
Write-Host "Failed to add GroupTag to SerialNumber $($serialNumber): $message"
}
}
.png)
0 Comments
Leave a comment