An Attempt to Configure Defender for Endpoint and Endpoint Manager With the Same Device Tag

Most often the device tagging requirements are simple: you have one set of tags for the devices enrolled in Intune and another set for the devices onboarded in Defender for Endpoint. There are situations, however, where you need both services to carry the same device tag. This makes sense, since the two services are interconnected, and I don’t see a problem in having the same tag in both; the real question is why this isn’t in place already. There are a few methods you can use, but my goal is to create a workflow: once the setup is in place, you add the device to the device group once (dynamically or as an assigned member) and both the Microsoft Endpoint Manager (MEM) tag and the Microsoft Defender for Endpoint (MDE) tag are applied. You can also think of this as a workaround for the tag disconnect between the two services.

For this method to work, the device can be either Azure AD Joined or Hybrid Azure AD Joined.

The device must be enrolled in Endpoint Manager and onboarded in Microsoft Defender for Endpoint.

Create the Azure AD Device Group

Create the Azure AD group and add the devices. You can use a dynamic rule to add the devices if you need, or add the devices manually.

The group I created for this walkthrough is named AZ-DEVICES.

Create Endpoint Manager CSP

This profile adds a registry key via an OMA-URI setting and delivers it to the Windows device that is onboarded in MDE. The same registry key can be set with a GPO, but on a device that is Azure AD Joined only (no on-premises domain), GPOs will not apply, so the Intune profile is the way to push it.

Go to Endpoint Manager > Devices > Configuration Profiles > Create Profile >

Platform: Windows 10 and later
Profile Type: Templates > Custom

Press Next. On the next screen, add the OMA-URI setting. My tag will be CLOUD-PC:

Name: DeviceTagging
OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
Data type: String
Value: CLOUD-PC

Press Next and assign the profile to the device group on the next screen.

At the next device sync, this policy is delivered to the Windows device and the registry key is added.

The registry key is created at the path below:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Value (Reg_SZ): Group
Data: CLOUD-PC
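To confirm on the device that the OMA-URI profile actually landed, the PowerShell script below reads the same registry value the profile writes and compares it with the expected tag. This is an added example, not code from the original post; the tag name CLOUD-PC and the registry path are the ones shown above, while the script name, its parameters and the optional -Remediate switch are my own assumptions. The exit codes (0 for compliant, 1 for not compliant) follow the convention Intune detection scripts use, so the same script can be dropped into a detection/remediation pair if you want Intune to report drift.

```powershell
<#
  Check-MdeDeviceTag.ps1 (added example, not part of the original post)
  Verifies that the MDE device tag pushed by the Intune OMA-URI profile is
  present in the registry. Run in an elevated context (or as SYSTEM via Intune).
  -ExpectedTag : tag the OMA-URI profile should have written (assumed CLOUD-PC)
  -Remediate   : hypothetical switch; writes the value if it is missing or wrong
#>
[CmdletBinding()]
param(
    [string]$ExpectedTag = 'CLOUD-PC',
    [switch]$Remediate
)

# Same key and value name the OMA-URI setting
# ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group writes.
$regPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$valueName = 'Group'

function Get-MdeDeviceTag {
    # Returns the current tag string, or $null if the key or value is absent.
    if (-not (Test-Path -Path $regPath)) { return $null }
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$valueName
}

$current = Get-MdeDeviceTag

if ($current -eq $ExpectedTag) {
    Write-Output "Compliant: $valueName = '$current'"
    exit 0
}

# Only a single REG_SZ named Group can exist here, which is why this method
# is limited to one tag per device: a second tag would overwrite this value.
Write-Output "Not compliant: expected '$ExpectedTag', found '$current'"

if ($Remediate) {
    if (-not (Test-Path -Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    New-ItemProperty -Path $regPath -Name $valueName -Value $ExpectedTag `
        -PropertyType String -Force | Out-Null
    Write-Output "Remediated: set $valueName to '$ExpectedTag'"
    exit 0
}

exit 1
```

Run it as `.\Check-MdeDeviceTag.ps1` for a read-only check, or `.\Check-MdeDeviceTag.ps1 -Remediate` to write the value directly. Writing the key by hand is the same action the OMA-URI profile performs, so if the profile is assigned, the next sync will reassert the profile's value; use the remediation path only for devices that the profile cannot reach.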

A Limitation Worth Mentioning
The OMA-URI profile can be used to add only one tag per device. I tried adding a second tag and got a policy conflict. The registry also allows only one value named Group in that path (obviously), so a second tag cannot be stored there.

Create the Endpoint Manager Scope Tags

Go to Endpoint Manager > Tenant administration > Roles > Scope (Tags)

Start by providing the tag name, then assign it to the device group.

Assign it to the same group that was created earlier, AZ-DEVICES

Check the Tag in Defender for Endpoint

If you go to http://security.microsoft.com and navigate to Device Inventory, you will see the device listed as below. Look at the Tags section for the device.

Check the Tag in Endpoint Manager

This can be checked from the Intune device’s properties.

Create MDE Device Group Based on Device Tags

MDE device groups are used for MDE-related activities inside the Defender security portal, such as scoping RBAC for certain admins and enforcing web content filtering policies. You can create the device group with the dynamic rule below.

The rule will capture the devices that have the provided tag name.

What’s Next?

From this point on, you simply add a device to the Azure AD device group and the tag(s) are applied accordingly.

Final Thoughts

As I mentioned earlier, this is not an elegant setup; the main goal of this exercise is to set the same tag from both ends so the device can be found without much trouble. The limit of one tag per device via this method, mentioned above, can be a problem in some scenarios. I hope Microsoft will come up with a straightforward method to define the same tag in MEM and MDE in one go, but until then, I hope this helps you get things done.
