Retrofitting Windows Autopilot Group Tags

Table of Contents

Now I don’t think I promised that I’d cover off bulk tagging Autopilot devices in a previous post, but you know, I was running low on things to write about. So here we are.

As I like to practice what I preach, I’d left myself the task of updating 1000’s of Autopilot devices with a new Group Tag after a successful Proof-of-Concept implementation of a suitable convention and syntax. Thanks past me.

So what does any good consultant do? ~~Run away?~~ ~~Come up with a janky script that you’ll only ever run once, that contains nested ‘foreach’ loops?~~ Write a perfectly reusable and digestible PowerShell script using Graph API to update existing Autopilot devices…

The Approach
#

Now I needed an easy way to tag specific devices with Group Tags, and then anything that didn’t have a specific Group Tag to get a default one…so we’re working with two distinct use cases here.

Ready, Aim
#

For the first, we’ll start with exporting the Autopilot Devices from the tenant, as this CSV file will contain the Serial Numbers we need further down the line.

Now with the CSV file, we really only need two headings, Serial Number and Group Tag. So open up your favourite editor and bin off every other heading.

Whilst you’re there, be a darling and rename ‘Serial Number’ to ‘SerialNumber’ and ‘Group Tag’ to ‘GroupTag’, like so:

SerialNumber,GroupTag
VMware-56 4d 71 00 31 a9 92 c6-ca 79 52 44 c0 3a 83 22,AJ-LT-U-ADM-IT-UK

Now that you’ve got all the Autopilot devices, go ahead and laboriously update the CSV file with Group Tags and remove any devices that you want tagging with the default one.

Repeat Offenders
#

We need a way to not only set the Group Tag, but fetch the ID of the Autopilot device, and as we’re doing this potentially 100’s of times, and I did say this was a repeatable and reusable script, we should create a PowerShell function or two.

Handshake Time
#

~~Lets steal the PowerShell Authentication Function from the Intune PowerShell Samples GitHub repo to allow us to connect to Graph.~~

Connect to Graph using the latest module and Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'.

If you haven’t authenticated to Graph in your tenant previously, you’ll probably be asked to grant Admin Consent, you want to do this, consent is important.

Autopilot Functions
#

Now we can have a nice authenticated chat to Graph, we need to talk to the Autopilot section, deviceManagement/windowsAutopilotDeviceIdentities in fact.

So let’s get all Autopilot devices, as we’ll need this to:

Get all Autopilot devices without a Group Tag set
Get the Autopilot device Id for the entries in the CSV file we created

Getting Autopilot Devices
#

Function Get-AutopilotDevices() {

    $graphApiVersion = "Beta"
    $Resource = "deviceManagement/windowsAutopilotDeviceIdentities"

    try {
        $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
            (Invoke-MgGraphRequest -Uri $uri -Method Get).Value
    }
    catch {
        Write-Error $Error[0].ErrorDetails.Message
        break
    }
}

Update Autopilot Device Attributes
#

Now we can use the below function to set the Autopilot Group Tag (I ~~should~~ could probably update this to set other device attributes).

Function Set-AutopilotDevice() {

    [CmdletBinding()]
    param(
        $Id,
        $GroupTag
    )

    $graphApiVersion = "Beta"
    $Resource = "deviceManagement/windowsAutopilotDeviceIdentities/$Id/updateDeviceProperties"

    try {
        if (!$id) {
            write-host "No Autopilot device Id specified, specify a valid Autopilot device Id" -f Red
            break
        }

        if (!$GroupTag) {
            $GroupTag = Read-host "No Group Tag specified, specify a Group Tag"
        }

        $Autopilot = New-Object -TypeName psobject
        $Autopilot | Add-Member -MemberType NoteProperty -Name 'groupTag' -Value $GroupTag
        $JSON = $Autopilot | ConvertTo-Json -Depth 3
        $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
        Invoke-MgGraphRequest -Uri $uri -Method Post -Body $JSON -ContentType "application/json"
        write-host "Successfully added '$GroupTag' to device" -ForegroundColor Green
    }
    catch {
        Write-Error $Error[0].ErrorDetails.Message
        break
    }
}

Scary Stuff Lies Ahead
#

So we now have the functions in order to connect, get and set all the things we need. Here comes the fun part, PowerShell logic driven by four cups of coffee.

Script Parameters
#

Before that, some lovely parameters to ensure you can’t really mess things up.

Method: Set to be either ‘CSV’ or ‘Online’, used for loading that beautiful CSV created earlier, or to just grab all the Autopilot devices in the tenant with a blank Group Tag
DefaultGroupTag: The ‘Catch All’ Group Tag for those devices that don’t have one set already

The Logic?
#

Here we have the guts of the script, designed so that you run it through once with the CSV option, then a second time using the Online option. Don’t ask me why I did it this way, four coffees remember.

I was also kind enough to capture any of the devices in the CSV file missing a Group Tag and prompt to enter one in. Very kind.

# Script Start
# Get Devices
if ($Method -eq 'CSV') {
    $CSVPath = Read-host "Please provide the path to the CSV file containing a list of device serial numbers and new Group Tag  e.g. C:\temp\devices.csv"

    if (!(Test-Path "$CSVPath")) {
        Write-Host "Import Path for CSV file doesn't exist" -ForegroundColor Red
        Write-Host "Script can't continue" -ForegroundColor Red
        Write-Host
        break
    }
    else {
        $AutopilotDevices = Import-Csv -Path $CSVPath
    }
}
elseif ($Method -eq 'Online') {
    Write-Host "Getting all Autopilot devices without a Group Tag" -ForegroundColor Cyan
    $AutopilotDevices = Get-AutopilotDevices | Where-Object { ($null -eq $_.groupTag) -or ($_.groupTag) -eq ''  }
}

# Sets Group Tag
foreach ($AutopilotDevice in $AutopilotDevices) {
    $id = $AutopilotDevice.id
    if (!$id) {
        Write-host "No Autopilot Device Id, getting Id from Graph" -ForegroundColor Cyan
        $id = (Get-AutopilotDevices | Where-Object { ($_.serialNumber -eq $AutopilotDevice.serialNumber) }).id
        Write-Host "ID:'$Id' found for device with serial '$($AutopilotDevice.Serialnumber)'" -ForegroundColor Green
    }

    if ($Method -eq 'CSV') {
        $GroupTag = $AutopilotDevice.groupTag
        if (!$GroupTag) {
            Write-host "No Autopilot Device Group Tag found in CSV" -ForegroundColor Cyan
            $GroupTag = Read-Host 'Please enter the group tag for device with serial '$AutopilotDevice.serialNumber' now:'
        }
    }
    elseif ($Method -eq 'Online') {
        $GroupTag = $DefaultGroupTag
    }

    try {
        Set-AutopilotDevice -Id $id -GroupTag $GroupTag
        write-host "Group tag: '$GroupTag' set for device with serial '$($AutopilotDevice.Serialnumber)'" -ForegroundColor Green
    }
    catch {
        write-host "Group tag: '$GroupTag' not set for device with serial '$($AutopilotDevice.Serialnumber)'" -ForegroundColor Red
    }
}

Fire
#

So bring it all together into a mega-script we now have a way to update the Autopilot Group Tags. So let’s give it a go.

P.S. There is no -whatif command, so I’d start with the CSV of a couple of test devices.

Sniper Time
#

Running the script with the CSV option:

.\Set-AutopilotGroupTag.ps1 -Method CSV

We first have to Authenticate, so enter in your username and the find the Azure AD login window:

Now we need to provide the path to the CSV file:

Please provide the path to the CSV file containing a list of device serial numbers and new Group Tag  e.g. C:\temp\devices.csv:

Now the script will run and update all the devices in the CSV file with their corresponding Group Tags:

And if we check in Intune:

Which amazingly, the Group Tag matches the data in the CSV file we created earlier. Too early to call this a win outright, but we’re on the way.

Shotgun Approach
#

We need to now clear up the remaining devices without Group Tags, this one we can’t really test, unless you fancy improving the script.

Similar setup to the CSV run, but this time the arguments look like the below:

.\Set-AutopilotGroupTag.ps1 -Method Online -DefaultGroupTag 'AJ-LT-U-STD-ALL-UK'

We’re already authenticated, so we can skip that bit, and we’re not using the CSV option so it will get straight to the good stuff:

And if we check in Intune:

This Group Tag matches the DefaultGroupTag parameter we set when running the script. I’d call this one a win.

Summary
#

There might be easier ways of doing this, or a little less caffeine fuelled at least, but if you want to bulk set Group Tags to your existing Autopilot devices, this does seem like a half decent approach.

For new devices, I recommend that you work with your supplier/OEM and get them to tag them as part of the on-boarding.

Also, you can run this many times, so if you do want to re-tag devices, you can use the CSV method to do so.

Also also, you should look at this post about using dynamic groups to ring fence your newly tagged devices.