Automatically set Intune Device Categories based on Inventory data

Today I want to show you how you can automatically set Intune Device Categories based on data already available in Intune / Entra, like Device Name, Device Model, Enrollment Profile Name, Join Type, etc.

I found a few articles that try to do something similar, but most of them did not scale well to many devices. My script only modifies devices where the desired category differs from the currently set category. For around 30k devices the initial run through all devices took me around 6-7h, whereas all subsequent runs now take only around 4-5mins.

Azure Automation Account

Let’s start with creating an Azure Automation Account, which will host and run our PowerShell script. I will start in a fresh Resource group:

In our Resource group, we now can create our Automation Account from the Azure Marketplace:

Search for “automation account” and click on “Create”

Give it a name and set the desired Azure Region:

In the Advanced Tab, make sure the system assigned managed identity is enabled:

Once you have finished the wizard, you can review your settings and start the deployment:

Once finished, we can go to our newly created resource:

Runbook

In our Automation Account we can now go to the Runbooks section:

And create our Runbook:

In the new Runbook, we can add the script. You can find the script sample on my GitHub: https://github.com/mmeierm/Scripts/blob/main/Device%20Categories/DeviceCategory.ps1

Script

You will have to modify the script to match your needs, so that it reads the properties you want to use as the basis for the categories. The script contains samples that read device names, models and join type:

It also contains samples to read data from Entra ID, like enrollmentProfileName or Autopilot GroupTag:

The sample script itself follows this logic:
-> Read in all Intune and active Entra ID devices
-> Loop through all Intune devices
   -> Check for operating system Windows
      -> Check virtual
         -> Check DeviceName
         -> Check Model
      -> Check physical
         -> Check DeviceName
         -> Check Model
         -> Check join type
         -> Search Entra device
            -> Check enrollmentProfileName
            -> Check GroupTag
   -> Check for operating system macOS
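As an added example (not the DeviceCategory.ps1 from the GitHub link above), the following PowerShell sketches the decision logic of that outline together with the compare-before-write step that keeps repeated runs fast, using the same PUT against deviceCategory/$ref that the Graph API expects. The device-name patterns and category names are constructed; it assumes the Microsoft.Graph.Authentication module is imported in the Automation Account and DeviceManagementManagedDevices.ReadWrite.All is granted to the managed identity.

```powershell
# Authenticate as the Automation Account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

function Get-DesiredCategory {
    # Returns the category a device should have, or $null to leave it untouched.
    param([Parameter(Mandatory)] $Device)   # one item from /deviceManagement/managedDevices
    if ($Device.operatingSystem -ne 'Windows') { return $null }
    $virtual = $Device.model -match 'Virtual Machine|VMware|VirtualBox'   # constructed patterns
    if ($virtual) {
        if ($Device.deviceName -like 'AVD-*') { return 'Virtual Desktop' }
        return 'Virtual Test'
    }
    if ($Device.deviceName -like 'KIOSK-*') { return 'Kiosk' }
    if ($Device.joinType -eq 'azureADJoined') { return 'Cloud Native' }
    if ($Device.joinType -eq 'hybridAzureADJoined') { return 'Hybrid Joined' }
    return $null   # no rule matched: do not touch the current category
}

# Map category display names to ids once, so the loop compares names and never re-queries.
$categories = @{}
(Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCategories').value |
    ForEach-Object { $categories[$_.displayName] = $_.id }

# $select keeps the payload small; deviceCategoryDisplayName is what we compare against.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' +
       '?$select=id,deviceName,model,operatingSystem,joinType,deviceCategoryDisplayName&$top=1000'
$changed = 0
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($d in $page.value) {
        $wanted = Get-DesiredCategory -Device $d
        # Skip when no rule applies, the category does not exist in Intune, or it is already set.
        if (-not $wanted -or -not $categories.ContainsKey($wanted) -or
            $d.deviceCategoryDisplayName -eq $wanted) { continue }
        $body = @{ '@odata.id' = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/$($categories[$wanted])" } |
            ConvertTo-Json -Compress
        # The backtick keeps PowerShell from expanding $ref inside the double-quoted URI.
        Invoke-MgGraphRequest -Method PUT -Body $body -ContentType 'application/json' `
            -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$($d.id)')/deviceCategory/`$ref"
        $changed++
    }
    $uri = $page.'@odata.nextLink'   # follow paging until the last page
} while ($uri)
Write-Output "Updated $changed device categories"
```

Because only mismatched devices produce a PUT, a rerun against an already-categorised tenant issues almost no write calls, which is what brings the follow-up runs down to minutes.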

Once you are happy with your choice, you can save and publish the Runbook:

Assign Permissions

The next thing we need to do is assign the needed Graph API permissions to the managed identity. To get the required object ID, go to the Identity tab of the Automation Account:

Copy the Object ID:

Then download the permission-assignment script from GitHub: https://github.com/mmeierm/Scripts/blob/main/Device%20Categories/Add-Permission.ps1
Paste the object ID into it and run it:

Device Categories

The last thing we have to do is create the categories themselves in Intune:

Run the Script

Now, we can finally run our script:

Conclusion

Automatically assigning categories can make the life of Intune admins easier, as it allows them to easily filter for device groups in the portal:

You can also block your end users from changing the category themselves in the Customization settings:


Comments

8 responses to “Automatically set Intune Device Categories based on Inventory data”

  1. Eddy

    Did MS change something in the Graph API? We used to have a logic app for this but it has failed. Manually putting the calls in Graph also does not work anymore. We do not know where to look anymore.

1. Hi, not that I’m aware of, it still works fine for me. What kind of error do you get? A permission error or a “bad request”?

      This function still works fine in my environment

      # Look up the category id by display name, then link it to the managed device
      $CategoryID = ($DeviceCategories | Where-Object -Property displayName -eq $Category).id
      $DevUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/" + $CategoryID
      $id = "@odata.id"
      $JSON = @{ $id = "$DevUri" } | ConvertTo-Json -Compress

      # PUT to the deviceCategory/$ref navigation link sets the category (the backtick escapes $ref)
      $URI = "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$ObjID')/deviceCategory/`$ref"
      Invoke-RestMethod -Uri $URI -Headers $authToken -Method PUT -Body $JSON -ContentType "application/json"

  2. Pedro

Hello, I’ve an error on this step:

    Assign Permissions

    Error: Get-MgServicePrincipal : One or more errors occurred.

1. Hi, I just tried it again on my machine, and the script works for me. Can you check if you are using an up-to-date version of the Microsoft.Graph module? Also please check that the user you are using to log on to Graph has the required permissions to read and write to the Applications (e.g. Application Administrator role).

  3. Craig

    Hello, just going through this and when testing the script as is I get the below:

    Export Device Categories
    Response status code does not indicate success: 401 (Unauthorized).
    Cannot bind argument to parameter ‘InputObject’ because it is null.

    Is this because the script hasn’t been customised yet or? We basically want to assign a device category to a device if it has an associated scope tag or is in one of 5 groups, is that possible?

    Thank you

1. Hi, it sounds to me like the auth is not working as expected. Can you check if the Azure Automation Account has the system managed identity enabled and the required permissions were assigned and granted for that identity (for that step especially the “DeviceManagementManagedDevices.ReadWrite.All” permission is required to read and assign the categories)?
      For the GroupTag detection, you should be able to use the “physicalIds” property of the Entra device. For your group membership, you will need to modify the script to read in all members of the group and compare them with the current device in the loop.

  4. Christoph

    Hello Mike,

I had a little question about device categories auto assign. In our company most devices have a default user enrolment profile (Knox ME). A minority of devices have an enrolment profile for dedicated devices.

    We would like to add a user’s devices to a category in Intune based on the AD group that a user belongs to. Is it possible to use a runbook to add a device category if the user belongs to a specific Azure AD group?
    For example: user A has a smartphone and tablet and is in an Azure AD user group by default, and user B has a tablet and is in an AD user group called “driver”. User A’s devices should be assigned a device category called “default”, and user B’s device should be assigned a device category called “driver” in Intune.

    Thank you in advance.

1. Hi, sure, this sounds possible. You can query user info similar to what I did to assign ScopeTags based on users’ location: https://mikemdm.de/2024/08/11/automatically-assign-intune-scope-tags-based-on-user-location-using-entra-id-groups/. You should be able to do something similar by listing the group memberships of your users and using that information to assign your category.
