Adding Group Tags to enrolled devices via PowerShell
This is a follow-up to my Windows Autopilot Group Tags blog post.
Side Note:
Keeping the Intune portal (M365 Device Portal) clean should be top of mind for every administrator out there!
Please read:
- Cleaning up inactive Intune and Entra ID devices – Mr T-Bone´s Blog (tbone.se)
- How to manage stale devices in Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn
Let’s continue…
Master the Automator: Updating Missing Autopilot Group Tags via PowerShell
If you’ve been managing a large-scale Windows rollout, you know that Group Tags are the secret sauce of Intune. They drive your Dynamic Groups, which in turn decide which Enrollment Status Page (ESP) a user sees and which apps get pre-installed.
But what happens when a batch of devices is uploaded without a tag? You’re left with “orphaned” devices that won’t trigger the right policies. Manually editing hundreds of entries in the Intune portal is a recipe for a long night.
Here is a streamlined, automated approach to find and fix those missing tags using the Microsoft Graph PowerShell SDK.
The Strategy
We want a script that is surgical. It shouldn’t overwrite existing tags; it should only target devices where the Group Tag field is null or empty.
The Workflow:
- Connect to Microsoft Graph with Device Management permissions.
- Inventory all Autopilot registered devices.
- Filter the list locally to find the “blank” entries.
- Patch the specific device identities with your chosen tag.
The PowerShell Script
PowerShell
<#
.SYNOPSIS
    Updates Windows Autopilot devices that are missing a Group Tag.
.DESCRIPTION
    This script connects to Microsoft Graph, identifies all Autopilot-registered
    devices that currently have no Group Tag assigned, and updates them to a
    specified value. Devices that already carry a tag are left untouched.
#>

# 1. Define your new Group Tag
$NewTag = "Corporate-Standard-2026"

# 2. Ensure the Microsoft Graph Enrollment module is available
#    (Microsoft.Graph.Authentication, which provides Connect-MgGraph, is installed as a dependency)
if (!(Get-Module -ListAvailable Microsoft.Graph.DeviceManagement.Enrollment)) {
    Write-Host "Installing Microsoft Graph Enrollment module..." -ForegroundColor Cyan
    Install-Module Microsoft.Graph.DeviceManagement.Enrollment -Scope CurrentUser -Force
}

# 3. Authenticate to Microsoft Graph
#    Required Permission: DeviceManagementServiceConfig.ReadWrite.All
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

# 4. Fetch all Autopilot Device Identities (-All follows paging, so large tenants are fully enumerated)
Write-Host "Retrieving Autopilot device list (this may take a moment)..." -ForegroundColor White
$AutopilotDevices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# 5. Filter for devices where GroupTag is null, empty, or just whitespace.
#    @() forces an array so .Count is reliable even for zero or one result.
$TargetDevices = @($AutopilotDevices | Where-Object { [string]::IsNullOrWhiteSpace($_.GroupTag) })

if ($TargetDevices.Count -eq 0) {
    Write-Host "No devices found missing a Group Tag. Everything looks good!" -ForegroundColor Green
    return
}

Write-Host "Found $($TargetDevices.Count) devices to update." -ForegroundColor Yellow

# 6. Loop and Update (only the devices selected in step 5 are touched)
foreach ($Device in $TargetDevices) {
    Write-Host "Applying tag '$NewTag' to Serial: $($Device.SerialNumber)..." -ForegroundColor Gray
    try {
        Update-MgDeviceManagementWindowsAutopilotDeviceIdentity `
            -WindowsAutopilotDeviceIdentityId $Device.Id `
            -GroupTag $NewTag
    }
    catch {
        Write-Error "Failed to update device $($Device.SerialNumber): $($_.Exception.Message)"
    }
}

Write-Host "Update process complete!" -ForegroundColor Green
Key Takeaways for Admins
- Permissions Matter: You need more than just “Read” access. Ensure your account has Intune Administrator or Global Admin rights to execute the Update command successfully.
- The “Sync” Lag: After running the script, you won’t see the changes in the Intune portal instantly. It usually takes 5–10 minutes for the Graph changes to propagate to the UI.
- Dynamic Group Updates: If you have an Entra ID Dynamic Group looking for this tag, it will take a bit longer (usually 15–30 minutes) to evaluate the new membership and start pushing software.
Pro-Tip: Verification
Once the script finishes, you can verify the results by running:
PowerShell
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object { $_.GroupTag -eq "Your-New-Tag" }
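As an added example (my own code, not from the original post), here is the same surgical workflow wrapped in a function that supports -WhatIf, writes an audit record of every device it is about to touch before changing anything, and returns a per-device result object instead of only printing. A second function turns the verification one-liner into a polling check that accounts for the propagation lag described above. Both assume Connect-MgGraph has already been run with the DeviceManagementServiceConfig.ReadWrite.All scope from the script; the function names and the $AuditCsv path are my own choices.

```powershell
# Added example, not part of the original post. Assumes the
# Microsoft.Graph.DeviceManagement.Enrollment module is loaded and
# Connect-MgGraph has been run with DeviceManagementServiceConfig.ReadWrite.All.

function Set-MissingAutopilotGroupTag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $NewTag,
        # Hypothetical default path for the change record; adjust to taste.
        [string] $AuditCsv = ".\autopilot-grouptag-audit.csv"
    )

    # Same selection rule as the main script: only blank tags are candidates.
    $devices = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
        Where-Object { [string]::IsNullOrWhiteSpace($_.GroupTag) })

    if ($devices.Count -eq 0) {
        Write-Verbose "No devices without a Group Tag."
        return @()
    }

    # Record what is about to change before any write is made.
    # Export-Csv honours -WhatIf, so a preview run leaves the file alone.
    $devices |
        Select-Object Id, SerialNumber, Manufacturer, Model, GroupTag,
            @{ n = 'NewGroupTag'; e = { $NewTag } },
            @{ n = 'Timestamp';   e = { (Get-Date).ToString('o') } } |
        Export-Csv -Path $AuditCsv -NoTypeInformation -Append

    $results = foreach ($d in $devices) {
        $target = "Serial $($d.SerialNumber) ($($d.Id))"
        if ($PSCmdlet.ShouldProcess($target, "Set GroupTag to '$NewTag'")) {
            try {
                Update-MgDeviceManagementWindowsAutopilotDeviceIdentity `
                    -WindowsAutopilotDeviceIdentityId $d.Id `
                    -GroupTag $NewTag
                [pscustomobject]@{ SerialNumber = $d.SerialNumber; Id = $d.Id; Status = 'Updated'; Error = $null }
            }
            catch {
                [pscustomobject]@{ SerialNumber = $d.SerialNumber; Id = $d.Id; Status = 'Failed'; Error = $_.Exception.Message }
            }
        }
    }
    return $results
}

function Wait-AutopilotGroupTag {
    # Polls until every listed serial shows the expected tag, or the timeout expires.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SerialNumber,
        [Parameter(Mandatory)] [string]   $ExpectedTag,
        [int] $TimeoutMinutes = 15,
        [int] $PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
            Where-Object { $SerialNumber -contains $_.SerialNumber -and $_.GroupTag -ne $ExpectedTag })
        if ($pending.Count -eq 0) { return $true }
        Write-Verbose "$($pending.Count) device(s) not yet showing '$ExpectedTag'; retrying in $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out; still pending: $($pending.SerialNumber -join ', ')"
    return $false
}

# Usage: preview first, then apply, then verify.
# Set-MissingAutopilotGroupTag -NewTag 'Corporate-Standard-2026' -WhatIf
# $r = Set-MissingAutopilotGroupTag -NewTag 'Corporate-Standard-2026' -Verbose
# Wait-AutopilotGroupTag -SerialNumber ($r | Where-Object Status -eq 'Updated').SerialNumber `
#     -ExpectedTag 'Corporate-Standard-2026' -Verbose
```

Running the -WhatIf pass first gives you the list of serials that would change without touching the tenant, and the CSV gives you something to hand to change control or to reverse from if a tag was applied to the wrong batch. The polling check simply repeats the verification query above until the tag is visible through Graph; the Entra ID dynamic group will still need its own evaluation window after that.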
By automating this “cleanup” task, you ensure that no device is left behind during the deployment phase, keeping your environment consistent and your users productive.
As always, hopefully this helps!
Additional Resources:
- Intune grouping, targeting, and filtering: recommendations for best performance – Microsoft Community Hub
- Automating group tags for Windows Autopilot registered devices | just another windows noob ? (niallbrady.com)
- Bulk Update Windows Autopilot entities · GitHub
- Automatically Categorize Intune Devices – PowerStacks
- Intune Autopilot Group Tags Automation With Azure Runbooks (nianit.com)
- Resolved – Unable to assign group tags with the WindowsAutopilotIntune PowerShell script – Microsoft Community Hub
- Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)
- Assign-DeviceScopeTags.ps1 | PowerShell Script to automatically assign Intune Device Scope Tags based on Primary SMTP Address of enrolling user. (carygarvin.github.io)
- Intune Group Tags, Scope Tags – What are they and why do I need them? – Andrew Taylor (andrewstaylor.com)
- Use role-based access control (RBAC) and scope tags for distributed IT – Microsoft Intune | Microsoft Learn
Update:
Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)