Defender for Endpoint – Device Tagging

Last Updated: 25/03/2025

Device Tagging on Defender for Endpoint is a key method of being able to logically group devices for easier filtering and applying protective functionality to endpoint devices.

We mainly use Device Tags in the following scenarios:

  • Easier filtering and grouping of devices.
  • Scoping Web Content Filtering policies.
  • Creating dynamic rules for device groups, which allows you to set automated remediation levels and assign administrators.

There are a few methods to be aware of for creating Device Tags, some of which have limitations and interesting use cases. For now, I'll focus on device tags for Windows-based devices.

  • Manually by using the Defender for Endpoint portal.
  • Dynamically by using ‘Asset Rule Management’ in Defender XDR.
  • Via the device registry, allowing the use of scripts & GPO.
  • Using custom Intune profiles for OMA-URI settings. (This will add a registry value).

Assigning Tags via the MDE Portal

Assigning tags via the MDE portal is straightforward; however, this manual method is best suited to tagging smaller groups of machines.

Tagging can be done from the device page which can be reached via alerts, device inventory or by using the search box. Once we have navigated to a device, we can drop down the options in the top right and select ‘Manage Tags’.

Defender for Endpoint Options Device Tagging

This will provide us with the option to search or add in tags.

Microsoft Defender for Endpoint Device Tagging

If we want to do this in bulk rather than one by one, we can navigate to the device inventory screen, select our devices and tag them all at once.

Defender for Endpoint bulk device tagging

We can then apply tags to multiple machines accordingly.

Dynamic Assignment by Asset Rule Management

Asset Rule Management allows us to create rules in Defender XDR that will tag devices. Please note that the asset rule management options are in the Defender XDR options and not the Defender for Endpoint options.

Defender XDR Asset Rule Management

We can go ahead and create a rule and specify the conditions that will apply a tag.

Defender XDR Asset Rule Management conditions

The conditions are somewhat limited; you can only specify:

  • Device name
  • Domain
  • OS Platform
  • Internet facing
  • Onboarding Status
  • Device Tags

There is currently no option to link this to an Entra ID device group or similar.

Once we have created our condition, we can then define the tag to apply.

Defender XDR Asset Rule Management apply tag

Tagging via Device Registry

Use the device registry to tag specific groups of devices that are already defined in GPO or via a custom script.

Note: Only one tag is supported via registry, you cannot have multiple tags defined by the registry.

We can use the following registry details:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\

Value name (type REG_SZ): Group

Value data: the name of the tag

Configuring the registry will look like the below:

Defender for Endpoint Device Tagging Registry
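As an added example (not from the original post), the following PowerShell script sets the single registry-based tag described above, picking the tag from the computer's Active Directory OU and verifying the write. The OU-to-tag mapping is constructed for illustration; it assumes the script runs elevated on a domain-joined device that can reach a domain controller.

```powershell
# Added example: write the one supported Defender for Endpoint device tag
# (HKLM ...\DeviceTagging\Group, REG_SZ) based on the computer's AD OU.
# The $OuTagMap entries are constructed placeholders; adjust to your OU layout.

$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$ValueName = 'Group'   # only ONE tag is supported via the registry

# Constructed mapping: distinguished-name fragment -> tag name
$OuTagMap = [ordered]@{
    'OU=Servers,'      = 'Servers'
    'OU=Workstations,' = 'Workstations'
    'OU=Kiosks,'       = 'Kiosks'
}

function Get-DeviceTagFromOu {
    param([string]$DistinguishedName)
    foreach ($fragment in $OuTagMap.Keys) {
        if ($DistinguishedName -like "*$fragment*") { return $OuTagMap[$fragment] }
    }
    return $null
}

# Look up this computer's DN in AD (assumes domain connectivity; no RSAT needed).
$searcher = [ADSISearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
$dn = [string]$searcher.FindOne().Properties['distinguishedname'][0]

$tag = Get-DeviceTagFromOu -DistinguishedName $dn
if (-not $tag) {
    Write-Warning "No tag mapping matches '$dn'; leaving the registry untouched."
    return
}

# Create the key if missing. Set-ItemProperty overwrites any existing tag,
# which is intended: the registry method only ever holds one tag.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name $ValueName -Value $tag -Type String

# Verify the value actually landed before relying on it.
$applied = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($applied -ne $tag) { throw "Tag write failed: expected '$tag', found '$applied'" }
Write-Output "Device tag '$applied' set; it will appear under System Tags after the sensor reports in."
```

Deploy it as a GPO startup script or via Intune; the tag shows under ‘System Tags’ once the device has synced.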

It can sometimes take time for the tag to appear in Defender for Endpoint. Once it does, you will see it listed under ‘System Tags’ in the ‘Manage Machine tags’ section.

Defender for Endpoint System Tags Registry

Custom Profile via Microsoft Intune

Using a custom Intune profile with OMA-URI settings will write the tag information into the registry. It's very similar to the approach above and has the same limitation of only one system tag per device.

To do this, create a new configuration profile for Windows devices in Intune, using the Custom settings template for this configuration.

Microsoft Intune Custom Policy

Under configuration settings, we will need to add an OMA-URI setting and populate this with the registry details we want to add/change.

Microsoft Intune OMA-URI Settings

OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group

Data Type: String

Value: Name of the Tag

Once you have defined the tag, you can assign your configuration profile and deploy. Like the registry method, this method can take some time to propagate. Check the configuration profile status to ensure that it has succeeded and identify any errors that may occur.

Microsoft Intune Configuration Profile Status

Conclusion

Hopefully this guide helps those of you looking to get started with Defender for Endpoint and tagging machines. As mentioned before, you can use device tagging to scope Web Content Filtering policies and to create device groups for automation levels.

Using the registry/Intune option is a good way to tag devices based on machine groups or existing GPO structures, just bear in mind that you can only define one tag this way, so make it count!

Thanks for reading, if you haven’t already, please check out my Cheat Sheet for KQL. Whilst it’s made for Microsoft Sentinel, it can also be used in the advanced threat hunting sections of Defender XDR.
