8.0 Defender for Endpoint(MDE): Device Tag

Tags are labels that we put on devices to organize them, filter them, create device groups, apply RBAC, apply security policies, etc. There are multiple ways to set tags on a device. In this post, we will see how to create tags from the Defender portal and from the Intune admin center.

What is the use of tags on a device

  1. Filter devices
  2. Create device groups
  3. Apply policies to certain devices
  4. Apply roles (RBAC)

In this post, we only look at filtering devices and will cover the remaining uses of tags in another post.

Filter devices

The Defender for Endpoint portal shows all the devices when we navigate to Assets -> Devices. Suppose we want to see only certain devices, for example only the Windows 10 devices of the head office. There are default parameters like risk level, exposure level, OS platform, onboarding status, etc. on which we can filter the devices, but there is no such parameter as "head office". In such cases, we need to use a tag. We can put a tag named "head office" on those devices and then filter the devices based on that tag.

Before tag: in the image below the tag field is empty.

After tag: in the image below we have put the tag on the device, and we can filter based on that tag.

After that, the devices are filtered based on the tag and only devices having that tag will be shown.

Create Tags from the Defender portal

We can create the tag from the Defender portal, which is very easy and is reflected on the device quickly, but this approach is not very effective at scale because we have to create the tag manually on each device. This method is useful when we want to tag a small number of devices quickly or temporarily.

Click on the device (win10-intuneman here) -> Manage tags. Type the tag name; it will show "Create new" as below. Click on that and save it.

Go back to that device and see the tag below.

Create a Tag from Intune

In Intune, we can create a custom configuration profile and push the tag to a group of devices in one go. If any new device is added to that group, that device also gets the tag automatically.

Go to the Intune admin center (endpoint.microsoft.com) and navigate to Devices -> Configuration profiles -> Create profile.

Select the correct platform. Choose Templates as the profile type, select Custom, and click Create.

On Basics, supply the required information. On Configuration settings, click Add.

Provide the information below in the new window. The name can be any meaningful name. Value is the actual tag name; here AUGN is the tag name that will be deployed to the devices.

OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group

Select the target group. Here, MDE_VM is the group name, so this tag will be deployed to all the devices in that group.

We can see the tag AUGN has been applied to the device.

We can also push the tag using Group Policy; you can try that yourself.
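As an added example (not code from the original post), the script below sets the same device tag locally that the Intune OMA-URI above delivers, and then reads it back to verify it was written. It assumes the CSP maps to the registry path Microsoft documents for registry-based tagging; confirm that path against the current documentation, and run the script elevated on the device.

```powershell
# Added example, not part of the original post.
# Sets the MDE device tag locally via the registry value that the OMA-URI
# ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group writes.
# Assumption: the CSP maps to the registry path below (documented by Microsoft
# for registry-based tagging); verify before relying on it.

param(
    [Parameter(Mandatory)]
    [ValidateLength(1, 200)]
    [string]$Tag          # e.g. 'AUGN', the tag value used in the post
)

$regPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$valueName = 'Group'

# Record the current value (if any) so the change is visible and reversible.
# Note: on a device that also receives the Intune profile, the profile value
# wins again at the next sync, so set the tag locally only where no profile applies.
$before = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

# REG_SZ holding a single tag string, the same value type the OMA-URI expects.
Set-ItemProperty -Path $regPath -Name $valueName -Value $Tag -Type String

# Read the value back and fail loudly if it did not land.
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($after -ne $Tag) {
    throw "Tag was not written: expected '$Tag', found '$after'"
}

[pscustomobject]@{
    Device   = $env:COMPUTERNAME
    Previous = $before
    Current  = $after
    Note     = 'The tag shows in the Defender portal once the sensor reports it, not instantly.'
}
```

Running the script with a tag such as AUGN and then checking the device in the Defender portal (as in the screenshots above) confirms that the registry route and the Intune route produce the same tag.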

Conclusion

Tags improve the visibility and control of the MDE environment, which includes better security policy management, device group creation based on certain criteria, and applying indicators to certain devices. They are a very useful tool in Defender for Endpoint for many tasks.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.