Windows Autopilot Group Tags

A Windows Autopilot group tag is an optional field (groupTag) in the Microsoft device manager console (it actually maps to an Azure AD device property) that can be used to help automate the deployment and configuration of Windows 10 devices as part of the Windows Autopilot process. Currently, Microsoft supports only one group tag.

With Windows Autopilot, Microsoft provides the ability to add a group tag to each device to support automation during device enrollment and deployment.

There are four types of Windows Autopilot deployment:

Typically a group tag is registered at the same time new devices are registered to Windows Autopilot by the OEM or CSP partner.

However, enterprises still have a large number of existing devices that they may want to prepare for a future refresh (old term: reimage) using the Modern Device Management workflow (self-deploy) and tools and the Windows 10 reset capability.

Please note that devices must be registered in Windows Autopilot before a group tag can be assigned. I have written a blog post on this topic: Gathering Existing Devices Windows Autopilot Device IDs

Windows Autopilot device registration can be done within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-value (CSV) file. Capturing the hardware hash for manual registration requires booting the device into Windows 10. Therefore, this process is intended primarily for testing and evaluation scenarios.


Prior to version 1911 of Microsoft Intune, the only way to change an existing group tag was to remove the device hash and re-import it. In the 1911 service release, it became possible to change the group tag of Autopilot devices.


Adding / Changing Group Tags to existing Devices.

You can add a group tag to existing devices once they have been registered in the Microsoft console as Windows Autopilot devices (see blog post). According to Microsoft documentation, to add group tags to existing devices:

  1. In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program).
  2. Select the device you want to edit.
  3. In the pane on the right of the screen, you can edit:
    • Device name.
    • Group tag.
    • User Friendly Name (if you’ve assigned a user).

You can also use PowerShell scripts to bulk update group tags. A great blog post explaining this and pointing to the script can be found here

Multiple Group Tags (kind of)

Currently, Microsoft supports only a single group tag in the field. However, I know a couple of very creative customers who have created a single group tag that contains multiple levels, so that during deployment a query against a subset of the tag can branch the deployment sequence based on its content. (Pretty slick!)
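
The multi-level tag idea above, as an added PowerShell example (not code from the original post or from Microsoft): it checks the Group Tag column of a registration CSV against a multi-level convention before upload and branches on one level of the tag. The `<Region>-<Department>-<Profile>` layout, the delimiter, the allowed values, the branch names and the sample rows are hypothetical and constructed for illustration; the CSV column names are assumed to follow the Autopilot import layout.

```powershell
# Added example. The <Region>-<Department>-<Profile> layout, the allowed values
# and the branch names are hypothetical; adapt them to your own convention.
$AllowedRegions  = 'EMEA', 'AMER', 'APAC'
$AllowedProfiles = 'Kiosk', 'Shared', 'Standard'

function ConvertFrom-GroupTag {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GroupTag)
    $parts = $GroupTag -split '-'
    if ($parts.Count -ne 3) { throw "expected 3 levels, found $($parts.Count)" }
    $region, $department, $deployProfile = $parts
    # Case-sensitive checks so every tag is spelled exactly one way.
    if ($region -cnotin $AllowedRegions)         { throw "unknown region '$region'" }
    if ($department -cnotmatch '^[A-Za-z0-9]+$') { throw "invalid department '$department'" }
    if ($deployProfile -cnotin $AllowedProfiles) { throw "unknown profile '$deployProfile'" }
    [pscustomobject]@{ Region = $region; Department = $department; Profile = $deployProfile }
}

function Get-DeploymentBranch {
    param([Parameter(Mandatory)]$Tag)
    # Branch on one level of the tag (the "subset"), ignoring the others.
    switch ($Tag.Profile) {
        'Kiosk'    { "kiosk-lockdown/$($Tag.Region)" }
        'Shared'   { "shared-device/$($Tag.Region)" }
        'Standard' { "user-driven/$($Tag.Region)" }
    }
}

# Constructed sample rows; the hash column holds a placeholder, not real hashes.
$rows = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN-0001,,HASH-PLACEHOLDER,EMEA-Sales-Kiosk
SN-0002,,HASH-PLACEHOLDER,AMER-Finance-Standard
SN-0003,,HASH-PLACEHOLDER,EMEA-Kiosk
SN-0004,,HASH-PLACEHOLDER,apac-HR-Shared
'@ | ConvertFrom-Csv

$report = foreach ($row in $rows) {
    $result = [ordered]@{ Serial = $row.'Device Serial Number'; Tag = $row.'Group Tag' }
    try {
        $parsed = ConvertFrom-GroupTag -GroupTag $row.'Group Tag'
        $result.Status = 'OK'
        $result.Detail = Get-DeploymentBranch -Tag $parsed
    } catch {
        $result.Status = 'Rejected'
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}
$report | Format-Table -AutoSize
```

Rows SN-0003 (a missing level) and SN-0004 (wrong casing) are rejected, so a tag that would not match the intended query is caught before the devices are registered.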
