Group tags are a great way to break up your autopilot profile assignments based on the device’s needs. Since I work primarily with smaller businesses, I often see that no group tags are in use, and a blanket autopilot profile is assigned to all devices. While this works for some smaller organizations, as they grow or as their needs change, they may need to start using different autopilot profiles. Group tags are simply metadata that is attached to the device object. We can use group tags to include or exclude certain devices from a dynamic group.
Updating the group tag for an autopilot device is simple if you only need to do a few of them. This can be accomplished in the Autopilot dashboard:

However, if you have hundreds (or even thousands) of devices to change, you won’t want to do this manually. In this case, hopefully, all the devices you need to edit have something in common, such as make/model. In my situation, this was an organization that already had 100+ devices registered with Autopilot. However, only about half of them needed to be separated into Kiosk devices. Luckily, they were all the same model. So I started exploring the Graph API and how we can quickly edit the group tag.
You can see the group tag on a device in two places in the Graph API: on the Entra object and on the Autopilot object. On the Entra object, it is displayed as the OrderID, which is also the value used when building dynamic device groups based on the group tag.

You cannot update the group tag using the Entra https://graph.microsoft.com/beta/devices/{deviceid} endpoint because those values are referenced from the device’s Autopilot object. If we look at the Autopilot device object with the Autopilot endpoint, https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities, we can see that it uses groupTag as the field:

However, we still can’t update the groupTag using the https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities endpoint. It does not support the PATCH or POST methods. In doing some searching, I came across this endpoint, https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$id/updateDeviceProperties, and after some testing on a single device, I confirmed it allows us to update the Autopilot device properties.
Now that we have a way to change the group tag through the Graph API, we need to create our script. In this case, I need every Lenovo device with the model of “12RQ000KUS” to have the group tag changed to “Kiosk”. If you don’t know your model, you can find it in the Autopilot devices page in Intune:

This script is available on GitHub. Edit the model number and grouptag variables, and all your autopilot devices with that model will be changed after running the script. You’ll also get success/failure output based on the device serial number, and a log of the output in c:\temp.

When you’re all done, if you need to exclude that group tag from an “all autopilot devices” group, see my post here – https://smbtothecloud.com/exclude-devices-with-grouptags-from-the-all-autopilot-devices-dynamic-group/
