Automatically set Intune Device Categories based on Inventory data

Today I want to show you, how you can automatically set Intune Device Categories based on data already available in Intune / Entra, like Device Name, Device Model, Enrollment Profile Name, Join Type, etc.

I found a few articles that will try to do similar, but most of what I found did not scale well with many devices. My script will only modify devices where the desired category is different from the currently set category. For around 30k devices the initial run through all devices took me around 6-7h, where all subsequent runs are now only taking around 4-5mins.

Azure Automation Account

Let’s start with creating an Azure Automation Account, which will host and run our PowerShell script. I will start in a fresh Resource group:

In our Resource group, we now can create our Automation Account from the Azure Marketplace:

Search for “automation account” and click on “Create”

Give it a name and set the desired Azure Region:

In the Advanced Tab, make sure the system assigned managed identity is enabled:

Once you finished the wizard, you can review your settings and we can start the deployment:

Once finished, we can got to our newly created resource:

Runbook

In our Automation Account we can now go to the Runbooks section:

And create our Runbook:

In the new Runbook, we can add the script. You can find the script sample on my GitHub: https://github.com/mmeierm/Scripts/blob/main/Device%20Categories/DeviceCategory.ps1

Script

You will have to modify the script to match your needs to read the properties that you want to use as a basis for the categories. The script contains samples that reads device names, models, join type:

It also contains samples to read data from Entra ID, like enrollmentProfileName or Autopilot GroupTag:

The sample script itself follows the this logic:
-> Read in all Intune and active EntraID Devices
-> Loop through all Intune Devices
—>Check for Operating System Windows
—->Check virtual
——>Check DeviceName
——>Check Model
—-> Check phyiscal
——>Check DeviceName
——> Check Model
——> Check join Type
——> Search Entra Device
——–> Check enrollmentProfileName
——–> Check GroupTag
—>Check for Operating System MacOS
…

Once you are happy with your choice, you can save and publish the Runbook:

Assign Permissions

Next thing, that we need to do, is assigning the needed Graph API permissions to the managed identity. To get the needed object id, we can go to the Identity Tab in our Automation Account:

Copy the Object ID:

And download the assign permissions script from GitHub: https://github.com/mmeierm/Scripts/blob/main/Device%20Categories/Add-Permission.ps1
And paste the object id and run it:

Device Categories

Last thing that we have to do, is the actual creation of the categories in Intune:

Run the Script

Now, we can finally run our script:

Conclusion

Automatically assign categories, can make the life of Intune Admins easier, as it allows them to easily filter for device groups in the portal:

You can also block your end users from changing the category by them self in the Customization settings: