Most of the time the device tagging requirements are simple, or you have one set of tags for the devices enrolled in Intune and another set of tags for the devices onboarded in Defender for Endpoint. However, there can also be scenarios where you want both services to have the same device tagging setup. This makes complete sense, as these services are inter-connected with each other, and I don't see an issue with having the same tag. Also, why is this not already in place in the first place? There are a few methods you can use, but my objective is to create a workflow. Meaning, once the setup is in place, you only have to add the device to the Device Group once (dynamically or as assigned) and both the Microsoft Endpoint Manager (MEM) and Microsoft Defender for Endpoint (MDE) tags will be applied. You can also consider this a workaround for the tag disconnection between the two services.
For this method to work the device should be Azure AD Joined or Hybrid Azure AD Joined.
The device must be enrolled in Endpoint Manager and onboarded in Microsoft Defender for Endpoint.
Create the Azure AD Device Group
Create the Azure AD group and add the devices. You can use a dynamic rule to add the devices if you want, or add the devices manually.
I have created a group named AZ-DEVICES.
Create the Endpoint Manager CSP
Create this to add a registry key via an OMA-URI profile and send it to the Windows device that's onboarded in MDE. This is the same setting you would otherwise apply through a GPO, but if the device is Azure AD joined only, a local GPO will not work.
Go to Endpoint Manager > Devices > Configuration Profiles > Create Profile >
Platform: Windows 10 and later
Profile Type: Templates > Custom

Press Next. In the next screen, add the OMA-URI setting. My tag will be CLOUD-PC.
Name: DeviceTagging
OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
Data type: String
Value: CLOUD-PC

Press Next and add the device group in the next screen.

In the next device sync, this policy will be sent to the Windows device and the registry key will be added.
The registry key will be created in the path below:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging
Value (REG_SZ): Group
Data: CLOUD-PC
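The following is an added verification script, not part of the original post, to run in an elevated PowerShell session on the device after the Intune sync. It reads the Group value from the path above, compares it to the expected tag, and also confirms that the device has finished MDE onboarding and that the Sense sensor service is running, since the tag only shows up in the portal once the sensor reports it. The $ExpectedTag parameter is an assumption that mirrors the CLOUD-PC value used in this post.

```powershell
# Added verification script (not from the original post). Run elevated on an
# onboarded Windows device after an Intune sync.
param(
    # Assumption: the tag you set in the OMA-URI profile.
    [string]$ExpectedTag = 'CLOUD-PC'
)

# Path written by the WindowsAdvancedThreatProtection DeviceTagging CSP.
$tagKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
# Onboarding status key maintained by the MDE sensor itself.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$result = [ordered]@{
    TagPresent   = $false
    TagValue     = $null
    TagMatches   = $false
    Onboarded    = $false
    SenseRunning = $false
}

# 1. The CSP writes a single REG_SZ value named "Group" (one tag per device).
$group = Get-ItemProperty -Path $tagKey -Name 'Group' -ErrorAction SilentlyContinue
if ($group) {
    $result.TagPresent = $true
    $result.TagValue   = $group.Group
    $result.TagMatches = ($group.Group -eq $ExpectedTag)
}

# 2. OnboardingState = 1 means the device completed MDE onboarding.
$status = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
if ($status) { $result.Onboarded = ($status.OnboardingState -eq 1) }

# 3. "Sense" is the MDE sensor service that reports the tag to the portal.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if ($sense) { $result.SenseRunning = ($sense.Status -eq 'Running') }

[pscustomobject]$result | Format-List

if (-not $result.TagMatches) {
    Write-Warning "Tag is '$($result.TagValue)', expected '$ExpectedTag'. Check the profile assignment and force a sync."
}
if (-not $result.Onboarded -or -not $result.SenseRunning) {
    Write-Warning 'Device is not onboarded or the Sense service is not running; the tag will not appear in Device Inventory.'
}
```

If TagMatches is true but the portal still shows no tag, wait for the next sensor check-in rather than re-applying the profile.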
A Limitation Worth Mentioning
The OMA-URI profile can be used to add only one tag per device. I tried adding another tag and it gave me a policy conflict. Also, the registry only allows one entry with the name Group (obviously) in that path.
Create the Endpoint Manager Scope Tags
Go to Endpoint Manager > Tenant administration > Roles > Scope (Tags)
Start by providing the Tag name and assign it to the device group.

Assign it to the same group that was created earlier, AZ-DEVICES.

Check the Tag in Defender for Endpoint
If you go to https://security.microsoft.com and navigate to Device Inventory you will see the below. Look for the Tags section for the device.


Check the Tag in Endpoint Manager
This can also be checked from the Intune device's properties.

Create an MDE Device Group Based on Device Tags
MDE device groups can be used for MDE related activities within the Defender Security portal, such as granting RBAC to certain admins, enforcing certain web content filtering policies and so on. You can create the device group with the dynamic rule below.

The rule will capture the devices that have the provided tag name.

What's Next?
From this point onwards you can start adding devices to the Azure AD Device group and it will apply the tag(s) accordingly.
Final Thoughts
As I mentioned earlier, this isn't an elegant setup, as the main objective of this process is to set the same tag from both ends so the device can be found without much hassle. Also, the one-tag-per-device limit of this method, as mentioned above, can be a problem in some scenarios. I hope Microsoft will come up with a straightforward way to define the same tag between MEM and MDE in one go, but until then, I hope this is useful for you to get things done.