In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group.  Device groups (previously called machine groups) are used to assign different rules and administrative ownership to devices.  A device can belong to only one group, and the group controls settings such as the auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over the device.

While you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn’t exactly scale well.

Devices managed by Intune give us a couple of options, depending on which version of Windows 10 the device runs.  On Windows 10 version 1709 or later, we can use a Custom OMA-URI configuration profile.  On a version before 1709, we can set the registry value using a script.  Technically, we could go down the script route for version 1709+ too, but using Intune's native toolset is much easier to manage, as you get ongoing visibility of the setting.  With both methods the tag is driven by the device itself, rather than by an administrator in the Defender Security Center, so if we want to change the tag we need to do it using the same method we used to deploy it rather than just updating it in the Defender Security Center.  Because the tag is a value the endpoint reports, anyone with local administrator rights on the device could change it, and with it the device's group membership; treat device-driven tags as an administrative convenience rather than a security boundary.

Custom Intune Policy (Windows 10 1709+)

1. Navigate to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com.

2. Browse to Devices > Windows > Configuration Profiles and click + Create Profile.  You want to choose a Custom type.

3. Give the profile an appropriate name and description.  One profile = one tag, so I like to include the tag itself in the name.

4. Click the Add button on the OMA-URI settings page.  The name and description can be whatever you want.  The important parts are the OMA-URI should be ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group, the Data type should be String, and the Value should be your tag.  When all the info is filled out, choose Save to add the line, then Next.

5. Assign your policy to the appropriate device group, then proceed to Create the policy.

When the device now syncs with Intune, it will apply the custom profile you created, and the device will show with your tag.
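The same profile can be created and assigned from PowerShell through Microsoft Graph, which is handy when you need one profile per tag across many tags. This is an added example, not code from the original post; it uses the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest) and assumes Connect-MgGraph has already been run with the DeviceManagementConfiguration.ReadWrite.All scope. The tag value 'Kiosk' is taken from the post; the group ID is a placeholder you must replace.

```powershell
# Added example (not from the original post): create a Custom OMA-URI profile that sets the MDE
# device tag, then assign it to an Entra ID device group.
# Assumes: Connect-MgGraph already run with DeviceManagementConfiguration.ReadWrite.All.
$tag           = 'Kiosk'
$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the device group

# One profile = one tag, so the tag goes in the display name (as the post recommends).
$profile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = "MDE Device Tag - $tag"
    description   = "Sets the Defender for Endpoint device tag '$tag' via OMA-URI"
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = "MDE tag $tag"
            omaUri        = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group'
            value         = $tag
        }
    )
}

# Create the profile. The hashtable is serialised to JSON by Invoke-MgGraphRequest.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $profile

# Assign the new profile to the device group.
$assignment = @{
    assignments = @(
        @{
            '@odata.type' = '#microsoft.graph.deviceConfigurationAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignment

Write-Output "Created profile '$($created.displayName)' ($($created.id)) and assigned it to group $targetGroupId."
```

Run it once per tag, changing $tag and $targetGroupId each time; because the OMA-URI node holds a single string, a device that receives two such profiles will end up with whichever value Intune applies last, so keep the assignment groups disjoint.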

PowerShell Script (Registry Update) (Windows 10 1703 or older)

If you can’t use the above custom OMA-URI due to your version of Windows, you can use a PowerShell script to update the registry.  The script should look something like the below, where $tag is the string you want your tag to be.
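The script below is an added example rather than the post's own script; it writes the same value that the OMA-URI method sets, under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging, and assumes it runs in the SYSTEM context that the Intune Management Extension uses by default. It is idempotent, verifies the write, and exits non-zero on failure so Intune reports the script as failed rather than silently succeeding.

```powershell
# Added example (not the original post's script): set the MDE device tag in the registry.
# Assumes the script runs as SYSTEM (the Intune Management Extension default), since HKLM is written.
$tag       = 'Kiosk'   # the tag you want; one script = one tag
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$valueName = 'Group'   # REG_SZ value the MDE sensor reads for the device tag

# Create the key if it does not exist yet (the Policies subtree is usually absent on a fresh device).
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Idempotency check: do nothing if the tag is already in place.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq $tag) {
    Write-Output "Tag already set to '$tag'; nothing to do."
    exit 0
}

# Write (or overwrite) the tag as a string value.
New-ItemProperty -Path $keyPath -Name $valueName -Value $tag -PropertyType String -Force | Out-Null

# Verify the write and fail the script if it did not stick, so Intune surfaces the error.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
if ($after -ne $tag) {
    Write-Error "Expected tag '$tag' but found '$after'."
    exit 1
}

Write-Output "Tag set to '$tag' (previous value: '$current')."
exit 0
```

To confirm on a device afterwards, read the same value back with Get-ItemProperty on the key above; the tag appears in the Defender Security Center once the sensor next reports in.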

1. Navigate to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com.

2. Browse to Devices > Windows > PowerShell scripts and click + Add.  

3. Give the script an appropriate name and description.  One script = one tag, so I like to include the tag itself in the name.

4. Upload your script.  If you require signature checking, set Enforce script signature check to Yes; otherwise leave the settings at No.  In particular, leave Run this script using the logged on credentials set to No, because the script writes to HKLM and needs the SYSTEM context the Intune Management Extension uses by default.

5. Assign your script to the appropriate device group, review the settings, then Add the script.

When the device now syncs with Intune, the Intune Management Extension on Windows 10 will execute the PowerShell script.  This adds the registry entry, and the Defender Security Center will reflect this.

Because I have a device group created based on the tag ‘Kiosk’, I can now see my two devices in it:

2 Comments

  1. Dawood Qanbari

    Thanks Ru for this great article. Is it possible to apply multiple tags to a machine? I was only able to apply multiple tags using MDATP portal. I’ve also noticed that if the device is added to multiple device groups based on tag, it will only add the device to one device group. any workarounds?

    • Hey Dawood. Using these methods, you can only apply one tag, as they both update the registry which can only hold one value and doesn’t support anything like comma-separated tags. What you could look into is doing with the API (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags?view=o365-worldwide) but this wouldn’t be driven by the endpoint, it’d be a script or app.

      Regarding multiple device groups: a device can only ever be in one device group. If you have dynamic rules that match a device to more than one group, it’s added to whichever has the highest priority. This is because device groups control the automated remediation level and if a device had two different settings for this, it would mess things up.
