In the 1911 service release of Intune it became possible to change the group tag of Autopilot devices. In the past this was only possible by removing the device hash and re-importing it. This change makes it possible to change the deployment profile by just changing the group tag and resetting the device. In this blog I will demonstrate how this works.
The following flowchart shows how it works. A device hash is uploaded and a Group Tag is added to this device in Intune. The dynamic group is filled by a rule on the Group Tag, and a deployment policy is assigned to this dynamic group. The device is now ready to be deployed with Autopilot. To change the deployment profile, first change the Group Tag and then reset the device. The process will now start all over again.
Create Dynamic Group
1. Go to “Azure Active Directory” and select “Groups”
2. Press “New Group”
3. Enter a Group name, description and select “Dynamic Device”. Press “Add Dynamic query” to create the query to fill the group.
4. Now we need to enter the rule syntax to add all devices with the group tag “Profile 1”.
(device.devicePhysicalIds -any _ -eq "[OrderID]:Profile 1")
Press “OK” to close the syntax edit screen and press “Save” to go back to the new group blade.
5. Press “Create” to create the new group. Wait for the group to be created.
Create Enrollment Profile
6. Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Deployment Profiles”
7. Select “Create profile”
8. Enter a name, select “Convert all targeted devices to Autopilot -> Yes” and press “Next” to continue.
9. For demonstration purposes I will enable White Glove and change the default name template, but neither is required. Press “Next” to continue.
10. Assign the enrollment profile to the created dynamic device group and press “Next”
11. Press “Create” to finish the creation process of the deployment profile.
Upload Hash file
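12. To harvest the device hash you can use the following PowerShell script, which you need to run on the device as administrator.
# Create a working folder for the hash file
md c:\HWID
Set-Location c:\HWID
# Allow the script to run in this PowerShell session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
# Download the script from the PowerShell Gallery and export the hash
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv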
13. After a few seconds the hash will be created as a CSV file in the following folder.
14. Now we need to upload this hash to Intune. Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Devices”
15. Press the “Import” button.
16. Select the HASH file and press “Import”.
17. After the import it may take some minutes for the device to appear. Select the device and enter the Group Tag. Press “Save” to save and “Sync” to sync the settings.
18. Press “Sync” and “Refresh” to update the page.
19. It will take a few minutes for the dynamic group to be updated. The device has now been added to the dynamic group. Because the enrollment profile is assigned to this group, the device will be enrolled with the enrollment profile “Devices Profile 1”
20. The device is now ready to be configured with Autopilot.
Change Deployment Profile
I’ve repeated the steps of creating a dynamic device group (devices profile 2) and enrollment profile (devices Profile 2). Now we are going to change the Group Tag to assign a different enrollment profile named “devices profile 2”.
21. Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Devices”.
22. Select the device and change the Group Tag “Profile 1” to “Profile 2” and press “Save”.
23. Press “Sync”, wait some time and press “Refresh”. The Group Tag will be updated to “Profile 2”.
24. Reset the Virtual Machine by using either the Intune portal or on the machine itself.
25. After the reset the new deployment profile “devices profile 2” will be used instead of “devices profile 1”.
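A device only picks up the other deployment profile when its Group Tag matches the tag in the rule of one of the dynamic groups. The following check is an added example, not part of the original post: it runs offline on constructed sample data, and the function names, serial numbers and hash placeholders are assumptions made up for illustration.

```powershell
# Constructed sample in the Autopilot import CSV layout (hash values are placeholders).
$devices = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
VM-0001,,PLACEHOLDER-HASH-1,Profile 1
VM-0002,,PLACEHOLDER-HASH-2,Profile 2
VM-0003,,PLACEHOLDER-HASH-3,Profile 3
VM-0004,,PLACEHOLDER-HASH-4,
'@ | ConvertFrom-Csv

# Membership rules of the two dynamic groups created in this post.
$groupRules = @{
    'devices profile 1' = '(device.devicePhysicalIds -any _ -eq "[OrderID]:Profile 1")'
    'devices profile 2' = '(device.devicePhysicalIds -any _ -eq "[OrderID]:Profile 2")'
}

# Hypothetical helper: pull the tag out of an [OrderID] membership rule.
function Get-TagFromRule {
    param([string]$Rule)
    if ($Rule -match '"\[OrderID\]:(?<tag>[^"]+)"') { return $Matches['tag'] }
    return $null
}

# Hypothetical helper: report which dynamic group each device's tag maps to.
function Test-GroupTagCoverage {
    param($Devices, [hashtable]$Rules)
    $tagToGroup = @{}
    foreach ($name in $Rules.Keys) {
        $tag = Get-TagFromRule -Rule $Rules[$name]
        if ($tag) { $tagToGroup[$tag] = $name }
    }
    foreach ($d in $Devices) {
        $tag = $d.'Group Tag'
        $group = $null
        if ($tag -and $tagToGroup.ContainsKey($tag)) { $group = $tagToGroup[$tag] }
        [pscustomobject]@{
            Serial   = $d.'Device Serial Number'
            GroupTag = $tag
            Group    = $group
            Status   = if ($group) { 'OK' } elseif ($tag) { 'Tag matches no group rule' } else { 'No Group Tag set' }
        }
    }
}

Test-GroupTagCoverage -Devices $devices -Rules $groupRules | Format-Table -AutoSize
```

Devices reported with a status other than OK will not land in either dynamic group, so correct their Group Tag before resetting them.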
I hope you’ve enjoyed this post. If you’ve got any questions just leave a reply.