 {"id":520244,"date":"2023-03-21T09:06:00","date_gmt":"2023-03-21T16:06:00","guid":{"rendered":"https:\/\/jorgep.com\/blog\/?p=520244"},"modified":"2026-04-21T09:10:25","modified_gmt":"2026-04-21T16:10:25","slug":"adding-group-tags-to-enrolled-devices-via-powershell","status":"publish","type":"post","link":"https:\/\/jorgep.com\/blog\/adding-group-tags-to-enrolled-devices-via-powershell\/","title":{"rendered":"Adding Group Tags to enrolled devices via PowerShell"},"content":{"rendered":"\n<p>This is a follow-up to my <a href=\"https:\/\/jorgep.com\/blog\/windows-autopilot-group-tags\/\" data-type=\"post\" data-id=\"27001\">Windows Autopilot Group Tags<\/a> blog post.<\/p>\n\n\n<div class=\"wp-block-kadence-column kadence-column520244_8748d1-32\"><div class=\"kt-inside-inner-col\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Side Note: 
<\/p>\n\n\n<div class=\"wp-block-kadence-column kadence-column520244_679d80-ee\"><div class=\"kt-inside-inner-col\">\n<p>Keeping the Intune portal (M365 Device Portal) clean should be top of mind for administrators out there! &#8212;<br>Please read: <\/p>\n<\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.tbone.se\/2024\/02\/09\/cleaning-up-inactive-intune-and-entra-id-devices\/\">Cleaning up inactive Intune and Entra ID devices &#8211; Mr T-Bone\u00b4s Blog (tbone.se)<\/a><\/li>\n\n\n\n<li> <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/devices\/manage-stale-devices\">How to manage stale devices in Microsoft Entra ID &#8211; Microsoft Entra ID | Microsoft Learn<\/a><\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s continue&#8230;<\/p>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Master the Automator: Updating Missing Autopilot Group Tags via PowerShell<\/h2>\n\n\n\n<p>If you\u2019ve been managing a large-scale Windows rollout, you know that <strong>Group Tags<\/strong> are the secret sauce of Intune. 
They drive your Dynamic Groups, which in turn decide which Enrollment Status Page (ESP) a user sees and which apps get pre-installed.<\/p>\n\n\n\n<p>But what happens when a batch of devices is uploaded without a tag? You\u2019re left with &#8220;orphaned&#8221; devices that won&#8217;t trigger the right policies. Manually editing hundreds of entries in the Intune portal is a recipe for a long night.<\/p>\n\n\n\n<p>Here is a streamlined, automated approach to find and fix those missing tags using the <strong>Microsoft Graph PowerShell SDK<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Strategy<\/h3>\n\n\n\n<p>We want a script that is surgical. It shouldn&#8217;t overwrite existing tags; it should only target devices where the Group Tag field is <strong>null or empty<\/strong>.<\/p>\n\n\n\n<p><strong>The Workflow:<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Connect<\/strong> to Microsoft Graph with Device Management permissions.<\/li>\n\n\n\n<li><strong>Inventory<\/strong> all Autopilot registered devices.<\/li>\n\n\n\n<li><strong>Filter<\/strong> the list locally to find the &#8220;blank&#8221; entries.<\/li>\n\n\n\n<li><strong>Patch<\/strong> the specific device identities with your chosen tag.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">The PowerShell Script<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;#\n.SYNOPSIS\n    Updates Windows Autopilot devices that are missing a Group Tag.\n    \n.DESCRIPTION\n    This script connects to Microsoft Graph, identifies all Autopilot-registered \n    devices that currently have no Group Tag assigned, and updates them to a \n    specified value.\n#&gt;\n\n# 1. Define your new Group Tag\n$NewTag = \"Corporate-Standard-2026\"\n\n# 2. 
Ensure the Microsoft Graph Enrollment module is available\nif (!(Get-Module -ListAvailable Microsoft.Graph.DeviceManagement.Enrollment)) {\n    Write-Host \"Installing Microsoft Graph Enrollment module...\" -ForegroundColor Cyan\n    Install-Module Microsoft.Graph.DeviceManagement.Enrollment -Scope CurrentUser -Force\n}\n\n# 3. Authenticate to Microsoft Graph\n# Required Permission: DeviceManagementServiceConfig.ReadWrite.All\nConnect-MgGraph -Scopes \"DeviceManagementServiceConfig.ReadWrite.All\"\n\n# 4. Fetch all Autopilot Device Identities\nWrite-Host \"Retrieving Autopilot device list (this may take a moment)...\" -ForegroundColor White\n$AutopilotDevices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All\n\n# 5. Filter for devices where GroupTag is null, empty, or just whitespace\n$TargetDevices = $AutopilotDevices | Where-Object { &#91;string]::IsNullOrWhiteSpace($_.GroupTag) }\n\nif ($TargetDevices.Count -eq 0) {\n    Write-Host \"No devices found missing a Group Tag. Everything looks good!\" -ForegroundColor Green\n    return\n}\n\nWrite-Host \"Found $($TargetDevices.Count) devices to update.\" -ForegroundColor Yellow\n\n# 6. Loop and Update\nforeach ($Device in $TargetDevices) {\n    Write-Host \"Applying tag '$NewTag' to Serial: $($Device.SerialNumber)...\" -ForegroundColor Gray\n    \n    try {\n        Update-MgDeviceManagementWindowsAutopilotDeviceIdentity `\n            -WindowsAutopilotDeviceIdentityId $Device.Id `\n            -GroupTag $NewTag\n    }\n    catch {\n        Write-Error \"Failed to update device $($Device.SerialNumber): $($_.Exception.Message)\"\n    }\n}\n\nWrite-Host \"Update process complete!\" -ForegroundColor Green\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Key Takeaways for Admins<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Permissions Matter:<\/strong> You need more than just &#8220;Read&#8221; access. 
Ensure your account has <strong>Intune Administrator<\/strong> or <strong>Global Admin<\/strong> rights to execute the <code>Update<\/code> command successfully.<\/li>\n\n\n\n<li><strong>The &#8220;Sync&#8221; Lag:<\/strong> After running the script, you won&#8217;t see the changes in the Intune portal instantly. It usually takes 5\u201310 minutes for the Graph changes to propagate to the UI.<\/li>\n\n\n\n<li><strong>Dynamic Group Updates:<\/strong> If you have an Entra ID Dynamic Group looking for this tag, it will take a bit longer (usually 15\u201330 minutes) to evaluate the new membership and start pushing software.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pro-Tip: Verification<\/h3>\n\n\n\n<p>Once the script finishes, you can verify the results by running:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Where-Object { $_.GroupTag -eq \"Your-New-Tag\" }\n<\/code><\/pre>\n\n\n\n<p>By automating this &#8220;cleanup&#8221; task, you ensure that no device is left behind during the deployment phase, keeping your environment consistent and your users productive.<\/p>\n\n\n\n<p>As always, hopefully this helps!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Additional Resources:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/intune-customer-success\/intune-grouping-targeting-and-filtering-recommendations-for-best\/ba-p\/2983058\">Intune grouping, targeting, and filtering: recommendations for best performance &#8211; Microsoft Community Hub<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.niallbrady.com\/2023\/03\/22\/automating-group-tags-for-windows-autopilot-registered-devices\/\">Automating group tags for Windows Autopilot registered devices | just another windows noob ? 
(niallbrady.com)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/gist.github.com\/nicolonsky\/29568077bcad7135ea7a6182742f4a55\">Bulk Update Windows Autopilot entities \u00b7 GitHub<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/powerstacks.com\/automatically-categorize-intune-devices\/\">Automatically Categorize Intune Devices &#8211; PowerStacks<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.nianit.com\/automating-windows-autopilot-group-tags\/\">Intune Autopilot Group Tags Automation With Azure Runbooks (nianit.com)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/intune-customer-success\/resolved-unable-to-assign-group-tags-with-the\/ba-p\/2233247\">Resolved &#8211; Unable to assign group tags with the WindowsAutopilotIntune PowerShell script &#8211; Microsoft Community Hub<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cloudinfra.net\/add-a-group-tag-to-intune-autopilot-devices-using-powershell\/\">Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/carygarvin.github.io\/Assign-DeviceScopeTags.ps1\/\">Assign-DeviceScopeTags.ps1 | PowerShell Script to automatically assign Intune Device Scope Tags based on Primary SMTP Address of enrolling user. (carygarvin.github.io)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/andrewstaylor.com\/2022\/04\/26\/intune-group-tags-scope-tags-what-are-they-and-why-do-i-need-them\/\">Intune Group Tags, Scope Tags &#8211; What are they and why do I need them? 
&#8211; Andrew Taylor (andrewstaylor.com)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/mem\/intune\/fundamentals\/scope-tags\">Use role-based access control (RBAC) and scope tags for distributed IT &#8211; Microsoft Intune | Microsoft Learn<\/a><\/li>\n<\/ul>\n\n\n\n<p>Update: <\/p>\n\n\n\n<p><a href=\"https:\/\/cloudinfra.net\/add-a-group-tag-to-intune-autopilot-devices-using-powershell\/\">Add A Group Tag To Intune Autopilot Devices Using Powershell (cloudinfra.net)<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>this is a follow-up to my Windows Autopilot Group Tags blog post Side Note: Keeping Intune portal (M365 Device Portal) clean should be top of mind for administrator out there! &#8212;Please read: Let&#8217;s continue&#8230; Master the Automator: Updating Missing Autopilot Group Tags via PowerShell If you\u2019ve been managing a large-scale Windows rollout, you know that&#8230;<\/p>\n","protected":false},"author":2,"featured_media":368607,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","ngg_post_thumbnail":0,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[17],"tags":[539,742,782],"class_list":["post-520244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-journey","tag-intune","tag-moderneuc1","tag-windows-autopilot"],"taxonomy_info":{"category":[{"value":17,"label":"Journey"}],"post_tag":[{"value":539,"label":"Intune"},{"value":742,"label":"ModernEUC"},{"value":782,"label":"Windows 
Autopilot"}]},"featured_image_src_large":["https:\/\/jorgep.com\/blog\/wp-content\/uploads\/GroupTags-Featured.jpg",730,430,false],"author_info":{"display_name":"Jorge Pereira","author_link":"https:\/\/jorgep.com\/blog\/author\/jorge\/"},"comment_info":0,"category_info":[{"term_id":17,"name":"Journey","slug":"journey","term_group":0,"term_taxonomy_id":18,"taxonomy":"category","description":"","parent":0,"count":318,"filter":"raw","cat_ID":17,"category_count":318,"category_description":"","cat_name":"Journey","category_nicename":"journey","category_parent":0}],"tag_info":[{"term_id":539,"name":"Intune","slug":"intune","term_group":0,"term_taxonomy_id":549,"taxonomy":"post_tag","description":"","parent":0,"count":25,"filter":"raw"},{"term_id":742,"name":"ModernEUC","slug":"moderneuc1","term_group":0,"term_taxonomy_id":752,"taxonomy":"post_tag","description":"","parent":0,"count":285,"filter":"raw"},{"term_id":782,"name":"Windows Autopilot","slug":"windows-autopilot","term_group":0,"term_taxonomy_id":792,"taxonomy":"post_tag","description":"","parent":0,"count":23,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/520244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/comments?post=520244"}],"version-history":[{"count":1,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/520244\/revisions"}],"predecessor-version":[{"id":520245,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/posts\/520244\/revisions\/520245"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media\/368607"}],"wp:attachment":[{"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/media?parent
=520244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/categories?post=520244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jorgep.com\/blog\/wp-json\/wp\/v2\/tags?post=520244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}