Most often the device tagging requirements are simple or you do have a set of tags for the devices that are enrolled in Intune and a set of tags for the devices onboarded in Defender for Endpoint. However there can be situations where you need both services to have the same device tagging setup. This totally make sense and these services are inter-connected with each other and I don’t see a problem having the same tag. Also why is this not in place already in the first place? There are few methods you can use but my goal is to create a workflow. Meaning, once the setup is in place, you have to add the device to the Device Group once (dynamically or as assigned) and both Microsoft Endpoint Manager (MEM) and Microsoft Defender for Endpoint (MDE) tags will be applied. You can also consider this as a workaround because of the tag disconnection between the services.
For this method to work the device can have the mode Azure AD Joined or Hybrid Azure AAD Joined.
Device to be enrolled in Endpoint Manager and be onboarded in Microsoft Defender for Endpoint
Table of Content
- Create the Azure AD Device Group
- Create Endpoint Manager CSP
- Create the Endpoint Manager Scope Tags
- Check the Tag in Defender for Endpoint
- Check the Tag in Endpoint Manager
- Create MDE Device Group Based on Device Tags
- What’s Next?
- Final Thoughts
Create the Azure AD Device Group
Create the Azure AD group and add the devices. You can use a dynamic rule to add the devices if you need, or add the devices manually.
I have the group which I created named AZ-DEVICES
Create Endpoint Manager CSP
Create this to add a registry key via a OMA-URI profile and send it to the Windows device that’s onboarded in MDE. This will be the same activity where you can enable using GPOs but if the device joined via Azure AD mode only, the local GPO will not work.
Go to Endpoint Manager > Devices > Configuration Profiles > Create Profile >
Platform: Windows 10 and later
Profile Type: Templates > Custom
And press Next. In the next screen, add the OMA-URI command. My tag will be CLOUD-PC
Name: DeviceTagging
OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
Data type: String
Value: CLOUD-PC
Press Next and add the device group in the next screen
In the next Device sync, this policy will be sent to the Windows device and the registry key will be added
Reg key will be created in the below path
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Value (Reg_SZ): Group
Data: CLOUD-PC
A Limitation Worth Mentioning
The OMA-URI profile can be used to add only one Tag per device. I tried adding another tag and it gave me a policy conflict. Also the Registry only allow to create one entry with the name Group (obviously) in that path.
Create the Endpoint Manager Scope Tags
Go to Endpoint Manager > Tenant administration > Roles > Scope (Tags)
Start by providing the Tag name and assign it to the device group
Assign it to the same group that was created earlier, AZ-DEVICES
Check the Tag in Defender for Endpoint
If you go to http://security.microsoft.com and navigate to Device Inventory you will see below. Look for the Tags section for the device.
Check the Tag in Endpoint Manager
This can be checked from the Intune device’s properties.
Create MDE Device Group Based on Device Tags
MDE based device groups can be used for the MDE related activities inside the Defender Security portal and providing the RBAC to certain admins, enforce certain Web content filtering policies etc. You can create the device group with the below dynamic rule.
And the rule will capture the devices that has the provided tag name
What’s Next?
From this point onwards you can start adding the device in to the Azure AD Device group and it will add the tag(s) respectively.
Final Thoughts
As I mentioned earlier, this is not an elegant setup as the main goal of this activity is to set the same tag from both ends and the device can be found without going through much trouble. Also the 1 tag per device via this method as mentioned above, which can be a problem in some scenarios. I hope Microsoft will come up with a straight forward method to define the same tag between MEM and MDE in one go, but until then, hope this is useful for you to get things done.
EMS Route - Shehan Perera 
One thought on “An Attempt to Configure Defender for Endpoint and Endpoint Manager With the Same Device Tag”