I tried to find a way to be able to change the category assigned to an Intune device without having to use the Intune portal. I found a lot of information about it and even working scripts. But these scripts didn’t do exactly what I wanted. So I used some scripts and information about PowerShell and the MS Graph Intune module and merged them into my script. Some results I wanted to accomplish were to change an Intune device category by using the device name and the category name not the device ID or category ID. I also build in some checks. I wrote this post about it and I hope you find it useful.
Requirements
In order to use this script and change a device category you need an Entra ID account with the correct permissions. You can change permissions on default Roles or create a custom role by going to:
Tenant Administration – Roles
The minimum permissions required to add or change a device category is: Managed devices – Update – Yes
And Organization – Read – Yes
The build in Help Desk Operator role has got the required permissions to do this or the Intune Administrator Role. But you can also create a custom role if you want.
The script
In my search to learn about PowerShell and MS Graph and device categories I found a great script created by JANNIK REINHARD. Thanks a lot! This script did just the thing, change a device category and there are a lot more useful Intune scripts created by Jannik!
But the change category script was based on device ID and category ID. I wanted the script to be a bit more fool proof?
So I added some things to it like:
- Find intune device by entering devicename and return device ID.
- Find categories based on name and return category ID.
- Check if device exists if not loop enter devicename.
- Check if category exists if not loop enter category.
- Check if new category isn’t already assigned to the device.
- Check if category is set after script runs.
- Error handling in function: Change-DeviceCategory
- Error handling on Connect-msGraph
- Output changes
You can download my version of the script from my Github repo. Let me show you what the script does after my modifications.
Fist run the script with PowerShell (no admin rights required for this).
The script start checking if the Module MS Graph Intune is installed, if not installed it will be installed (in current user). When the module it is installed you will receive a prompt to sign in with you Entra ID account that is allowed to change device categories in Intune.
After signing in and perhaps after MFA if required, the script continues and will ask for a device name.
Now enter the device name on which you want to change the category. The script will check if the device is found, if not it will return an warning and you have to enter an existing device name.
Once you enter a device name that can be found, the script will continue. The script will also display the available categories to choose from and the currently assign category of the device. It will ask: Do you want to assign a category to the device?
If you enter N, the script will stop. If you do want to assign a category you enter Y and the script will ask you to enter the category to assign.
Now enter the category you want to assign to the device. The script will check if the category is found, if not it will return an warning and you have to enter an existing category.
Once you enter a category that can be found, the script will continue. The script will return a message when the category is actually assigned to the device.
But if your enter a category that is already assigned to the device the script will return a warning.
I also build in some extra Error handling.
When the function is executed to change the category of the device and the Entra ID account signed in at the start of the script hasn’t got the minimum permissions, the script will return an warning and exit the script.
If somethings goes wrong when signing in with the Entra ID account the script also returns a warning and the script exits.
I hope you enjoyed reading this post!
