Use Group Tag to change Autopilot Deployment Profile

Buy Me a Coffee

In the 1911 service release of Intune it became possible to change the group tag of Autopilot devices. In the past this was only possible by removing the device hash and re-importing the device hash. This change makes it possible to change the deployment profile by just changing the group tag and resetting the device. In this blog I will demonstrate how this works.

In the following flowchart you can see how it works. A Device hash is uploaded and a Group tag is added to this device in Intune. The dynamic group is filled by a rule on Group tag and A Deployment policy is assigned to this dynamic group. The device is now ready to be deployed with Autopilot. To change the deployment profile first change the Group Tag and reset the device. The process will now start all over again.

Create Dynamic Group

 

1. Go to “Azure Active Directory” and select “Groups”

 

2. Press “New Group”

 

3. Enter a Group name, description and select “Dynamic Device”. Press “Add Dynamic query” to create the query to fill the group.

 

4.Now we need to enter the rule syntax to add all devices with the group tag “Profile 1”.

(device.devicePhysicalIds -any _ -eq "[OrderID]:Profile 1")

press “Ok to close the syntax edit screen and press “Save” to go back to the new group blade.

5. Press “Create” to create the new group. Wait for the group to be created.

 

Create Enrollment Profile

 

6. Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Deployment Profiles”

 

7. Select “Create profile”

 

8. Enter a name, select “Convert all targeted devices to Autopilot -> Yes” and press “Next” to continue.

 

9.  For demonstration purposes I will enable White Glove and change the default name template, but this is not necessary to enable. Press “Next” to continue.

 

10. Assign the enrollment profile to the created dynamic device group and press “Next”

 

11. Press “Create” to finish the creation process of the deployment profile.

 

Upload Hash file

 

12.  To harvest the device hash you can use the following Powershell script which you need to run on the device as administrator.

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv

 

13. After a few seconds the hash will be created as a CSV file in the following folder.

"c:\HWID\AutopilotHWID.csv"

 

14. Now we need to upload this hash to Intune. Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Devices”

 

15. Press the “Import” button.

 

16. Select the HASH file and press “Import”.

 

17. The import process may take some minutes for the device to appear. Select the device and enter the TAG. Press “Save” to save and Sync to sync the settings.

 

18. Press “Sync” and “Refresh” to update the page.

 

19. It will take a few minutes for the dynamic group to be updated. The device has now been added to the dynamic group. Because the enrollment profile is assigned to this group, the device will be enrolled with the enrollment profile “Devices Profile 1”

 

20. The device is now ready to be configured with Autopilot.

 

Change Deployment Profile

 

I’ve repeated the steps of creating a dynamic device group (devices profile 2) and enrollment profile (devices Profile 2). Now we are going to change Group Tag to assign a different enrollment profile named “devices profile 2”.

21.  Go to Microsoft Endpoint Manager admin center and go to “Devices” -> “Windows” -> “Windows enrollment” -> “Devices”.

 

22. Select the device and change the Group Tag “Profile 1” to “Profile 2” and press “Save”.

 

23. Press “Sync” wait some time and press “Refresh”. The Group Tag is will be updated to “Profile 2”.

 

24. Reset the Virtual Machine by using either the intune portal or on the machine itself.

 

25. After the reset the new new deployment profile “devices profile 2” will be used instead of “devices profile 1”

 

I hope you’ve enjoyed this post. If you’ve got any questions just leave a reply.

 

9 thoughts on “Use Group Tag to change Autopilot Deployment Profile

  1. Aad Lutgert Post author

    Thanks for your response.

    I would suggest to use at least 1903. This version has many improvements and also support White Glove. But you should be able to use any current supported version version of windows 10 (Pro, Education or Enterprise).

    Check the link page for the Autopilot Requirements and Windows Lifecycle fact sheet

    Reply
  2. SB

    Hi,
    When you change the group tag Group Tag “Profile 1” to “Profile 2” and press “Save”. Does the “Assigned profile”(the option below the group tag in UI) also changes to the “device profile 2” for you immediately or does it only changes when you reset and re-provision the device with Windows Autopilot.

    Reply
    1. Aad Lutgert Post author

      Hi,

      When you change the Group Tag and press “Save” you first need to press “Sync” and “Refresh”. First the Group Tag changes, this will will then change the Dynamic Group and finally the Assignment will change (see flowchart). This process may take about 20 minutes so you have to be patient like with most changes performed in the cloud. You have to wait till this process has finished before you start Autopilot.

      Reply
      1. Tim

        I’m trying to do this with a device that is hybrid ad joined by a hybrid ad profile. I changed the tag and I see the device in the azure ad join group associated with the azure ad join profile but the assigned profile doesn’t change. It is stuck on the hybrid ad join profile. Do I need to delete the intune and azure ad devices for the profile to change?

        Reply
  3. Mike

    Hi Aad is there any way to change the group tags of already enrolled devices using a csv with multiple serial numbers only? We have many enrolled and assigned to a group tag but we need to change hundreds of them. It will be too time consuming to change the group tags 1 by 1. Thank you so much

    Reply
    1. Aad Lutgert Post author

      Hi Mike,

      You can use the windowsautopilotintune module to change the Group Tag with Powershell. With get-autopilotdevice you can list all registered serials and with set-autopilotdevice you can change the group tag of a serial. With Powershell you can import a csv and change the group tag using the get and set-autopilotdevice. You could also use the Graph API to perform such changes, but i would suggest to try the Powershell module first.

      regards, Aad

      Reply
  4. Mike

    Hi Aad im just a little confused and wondering if you can guide me the correct way to do this. My situation is I created dynamic groups for all grade levels. Currently i have already imported Grade 9, Grade 10 etc. As the students move up I would like to move Grade 9 to Grade 10, Grade 10 to Grade 11 etc … I do not want to do it manually for each device. I know you stated the get-autopilotdevice but is a correct way to get this done without a headache as i do not have access to these devices? there are about 4000 devices. Thank you so much. im sorry to bother you.

    Reply
  5. TRR

    Hi @Aad Lutgert

    Normally Intune admins as well as Global admins can able to edit the Group tags for the enrolled device.

    Is there any way to assign a role to particular user to edit the Group tag for the enrolled devices

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *