You already know that Autopilot is a great way to streamline your deployments for new computers. Utilizing the out-of-box experience of Windows 10 or 11, you can ultimately do away with the more cumbersome computer imaging solutions. You do give up some of the customizability and granularity of control that you get with those systems, but the ease of use, both on the back end and the front end, is a decent trade.

Even though it is “easy,” there are still some items to be configured and tested. Probably the most challenging and time-intensive are your applications. But those are not for this article.

One of the lesser-known but extremely beneficial items that can be configured for Autopilot is the Group Tag. This Group Tag can be used to target Autopilot Profiles (and other policies and applications) to certain sets of machines. The “tag” can be used as a parameter for dynamic group membership, and once the tagged devices are collected into a group, that group is used for targeting policies, profiles and applications. It looks like this:

All Autopilot devices >> Group Tag on certain devices >> Tag used as parameter for group membership >> Group used to target policies and applications.

Group Tagging Machines

In the Intune portal, you will find the Group Tag in the list of Autopilot devices found at:

Devices >> Enroll Devices >> Windows Enrollment >> Devices (under the Windows Autopilot Deployment Program heading)

Once you are in the list of devices, you will see the following with the “Group Tag” as the 4th column. Every time you enter a new device hardware hash, you can enter a Group Tag either along with it or afterwards by editing the device. (https://learn.microsoft.com/en-us/mem/autopilot/add-devices)

A group tag can be any text you choose it to be. In this screenshot I chose the word HYBRID. The intention is that all machines I plan to deploy using a Hybrid domain join Autopilot profile will get tagged with that word. But the word could be based on a location, business unit, device type…whatever works for categorizing your machines.

The Important Ingredient – The Dynamic Membership Rule

It is important to note that profiles, policies and applications are not targeted at tags or individual device names. Instead, they are “assigned” to groups. Therefore, you need a group with a dynamic membership rule that captures all devices that have the same Group Tag.

This is well documented here: https://learn.microsoft.com/en-us/mem/autopilot/enrollment-autopilot

The short of it is that if you want a group with all devices that have the Group Tag “Hybrid” like in my screenshot, then here is the membership rule:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:HYBRID"))

The “OrderID” attribute is the Group Tag we have been discussing. They map as one and the same.

One last thought on this. If you partner with a reseller that uploads all your serial numbers and hardware hashes for you, you can give them Group Tags to include. The portal they have on their end includes the ability to add the Group Tag. So, if you were buying 50 laptops and you needed 10 of them tagged with “Accounting” and 20 tagged with “Sales” and so on, simply tell them before they upload. Otherwise, you can always tag them on your end.
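
The following is an added example, not part of the original article: it creates one dynamic group per Group Tag using the membership rule above, then lists Autopilot devices whose tag is empty or unexpected, which is useful when a reseller supplies the tags. It assumes the Microsoft Graph PowerShell SDK is installed; the approved tag list and the "Autopilot-<tag>" group naming are assumptions made for illustration.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK modules
# Microsoft.Graph.Groups and Microsoft.Graph.DeviceManagement.Enrollment.
# The tag list and the "Autopilot-<tag>" naming are illustrative assumptions.
$ApprovedTags = @('HYBRID', 'Accounting', 'Sales')

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementServiceConfig.Read.All'

foreach ($tag in $ApprovedTags) {
    # Reject characters that would break out of the quoted string in the rule.
    if ($tag -notmatch '^[A-Za-z0-9 _-]+$') {
        Write-Warning "Skipping tag '$tag': unexpected characters"
        continue
    }

    $name = "Autopilot-$tag"
    $rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $tag

    $existing = Get-MgGroup -Filter "displayName eq '$name'" `
        -Property 'id,displayName,membershipRule' | Select-Object -First 1
    if ($existing) {
        # Flag drift between the expected rule and what is configured.
        if ($existing.MembershipRule -ne $rule) {
            Write-Warning "$name has a different rule: $($existing.MembershipRule)"
        }
        continue
    }

    New-MgGroup -DisplayName $name `
        -Description "Autopilot devices with Group Tag $tag" `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On' | Out-Null
}

# Devices with an empty or unapproved tag match none of the groups above,
# so they receive none of the profiles or policies assigned to those groups.
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.GroupTag -notin $ApprovedTags } |
    Select-Object SerialNumber, Model, GroupTag
```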