Intune Group Tags Dynamic Assignment

Windows Autopilot registered devices is a great way to automate the deployment process without much of technician interaction.

Aside from the device profile you can execute when a registered device is recognized, you can use Group Tags ( See Group Tags Blog post ) to further customized the desktop to the user or role that device will perform

Most Group Tags are assigned at the time of ordering, but they can also be added manually post order by going into your device portal:

• Sign in to the Intune admin center.
• Click on Devices and then click on Enrollment.
• Under the Windows tab, click on Devices under Windows Autopilot category
• Find a device you want to apply a group tag and click on it.
• Search for the Group tag field, type the name of a group tag, and Save.

Group Tag Assignments can also be done dynamically by executing a powershell script. A couple of examples follow:

• IntunePowershell/Autopilot Helper Scripts/bulkGroupTagUpdate.ps1 at main · stevecapacity/IntunePowershell · GitHub
• GitHub – middlewesttech/autopilot-intune: This script automates the process of importing a device into Autopilot, assigning a Group Tag/OrderID, assigning a user to the device, and adding that user to a set MDM User Scope group. It all runs in one PowerShell script.
• Bulk Update Windows Autopilot entities · GitHub
• PS Script To Add Or Modify Group Tag Of Autopilot Devices In Intune HTMD Blog (anoopcnair.com)

How Many Group Tags should I have within my environment?

This is a great question that, frankly there has been no guidance from Microsoft on. I have seen organizations managing thousands of devices with as little as 3 group tags. Other organizations have hundreds of group tags for whatever reason they seemed appropriate.

I think a fantastic explanation of group tags within large organizations was provided by Steve Weiner from Rubix on his multi-part blog posts: Autopilot Group Tags

• Autopilot Group Tags: Part 1 – The Basics
• Autopilot Group Tags: Part 2 – Magic Coffee Co 300 users
• Autopilot Group Tags: Part 3 – Group Tags and Names
• Autopilot Group Tags: Part 4 – Group Tags and Application Deployment – A Balancing Act
• Autopilot Group Tags: Part 5 – Global Operations Inc 75,000 users

After reading this PLUS some of what I have seen, I can provide the following observations/recommendations

• Keep the number of Group Tags LOW
• Keep in mind Modern Device Management is about user access/ user permission and policies. You are not targeting devices like you used to in Config Manager.
• Not a good idea to use Group Tags to name your computers based on location ( Device names are becoming less important than they used to be given the visibility we have in Endpoint Manager to who is using what)

Hopefully this helps!

Additional Resources:

• Intune grouping, targeting, and filtering: recommendations for best performance – Microsoft Community Hub
• Automating group tags for Windows Autopilot registered devices | just another windows noob ? (niallbrady.com)
• Bulk Update Windows Autopilot entities · GitHub
• Automatically Categorize Intune Devices – PowerStacks
• Intune Autopilot Group Tags Automation With Azure Runbooks (nianit.com)
• Resolved – Unable to assign group tags with the WindowsAutopilotIntune PowerShell script – Microsoft Community Hub
• Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)
• Assign-DeviceScopeTags.ps1 | PowerShell Script to automatically assign Intune Device Scope Tags based on Primary SMTP Address of enrolling user. (carygarvin.github.io)
• Intune Group Tags, Scope Tags – What are they and why do I need them? – Andrew Taylor (andrewstaylor.com)
• Use role-based access control (RBAC) and scope tags for distributed IT – Microsoft Intune | Microsoft Learn

Update:

Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)