Windows Autopilot Group Tags
Windows Autopilot group tag refer to an optional field ( groupTag ) in the Microsoft device manager console (actually maps to the Azure AD device property ) that can be use to help automate deployment and configuration of Windows 10 devices when used with Windows Autopilot process. Currently only one group tag is supported by Microsoft.
With Windows Autopilot, Microsoft provides the ability to add group tag to each device to support automation during device enrollment and deployment.
There are four types of Windows Autopilot deployment:
- Self Deploying Mode for kiosks, digital signage, or a shared device
- White Glove enables partners or IT staff to pre-provision a Windows 10 PC so that it’s fully configured and business-ready
- Autopilot for existing devices enables you to easily deploy the latest version of Windows 10 to your existing devices
- User Driven Mode for traditional users.
Typically a group tag is registered at the same time new devices are registered to Windows Autopilot by the OEM or CSP partner.
However enterprises have still a large number of existing devices that they may want to prep for a time they want to refresh (old term: reimage) by utilizing the Modern Device Management workflow (self -deploy) and tools and the Windows 10 reset capability.
Please note that devices must be registered into Windows Autopilot in order to assign group tag. I have written a blog post on this topic: Gathering Existing Devices Windows Autopilot Device IDs
Windows Autopilot device registration can be done within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-value (CSV) file. Capturing the hardware hash for manual registration requires booting the device into Windows 10. Therefore, this process is intended primarily for testing and evaluation scenarios.
https://docs.microsoft.com/en-us/mem/autopilot/add-devices
Prior to version 1911 of Microsoft Intune, the only way to change an existing group tag was to removing the device hash and re-importing the device hash. In the 1911 service release it became possible to change the group tag of Autopilot devices.
Adding / Changing Group Tags to existing Devices.
You can add a group tag to existing devices once they have been registered to the Microsoft console as Windows Autopilot (see blog post ). According to Microsoft documentation, to add group tags to existing devices:
- In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program.
- Select the device you want to edit.
- In the pane on the right of the screen, you can edit:
- Device name.
- Group tag.
- User Friendly Name (if you’ve assigned a user).
You can also use PowerShell scripts to bulk update group tags. There is a great blog post explaining this and pointing to the script can be found here
Multiple Group Tags (kind of)
Currently Microsoft supports a single group tag to be added in the field. However I know a couple of very creative customers that have created a single group tag that contains multiple levels so that when deploying a query against a subset of the tag so that branching of the deployment sequence can executed based on its content. (pretty slick!)
Additional blog posts you may find useful:
- • Create device groups for Windows Autopilot | Microsoft Learn
- • Support Tip: Using group tags to import devices into Intune with Autopilot – Microsoft Community Hub
- Intune Group Tags, Scope Tags – What are they and why do I need them? – Andrew Taylor (andrewstaylor.com)
- PS Script To Add Or Modify Group Tag Of Autopilot Devices In Intune HTMD Blog (anoopcnair.com)
- Fun with Windows Autopilot Group Tags by Michael Niehaus
- Autopilot profile assignment using Intune | Microsoft Docs
- Group Tag Automation Reddit
- Microsoft Intune Docs on Github
- Bulk update Windows Autopilot groupTags by Nicola Suter
- Bulk Updating Autopilot enrolled devices with Graph API and assigning a Group Tag based on Purchase OrderID – Systems Management Squad (sysmansquad.com)
- A great Blog to follow: All about Microsoft Endpoint Manager/
