Forum Discussion

MarcVDH's avatar
MarcVDH
Iron Contributor
Sep 02, 2025

Cannot delete a tag added through an Asset rule

Hello, We had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have delete the Asset rule. (it was turned...
Lucaraheller's avatar
Lucaraheller
Brass Contributor
Oct 21, 2025

Here’s what’s happening and how to fix it.

In Microsoft Defender for Endpoint, rule-based tags are managed entirely through the automation rules (asset rules) engine — not manually. Even after you delete or disable a rule, the tags it created may remain attached to devices until a synchronization or background cleanup occurs. That’s why you still see the tag under Rule-based tags and can’t remove it through PowerShell, the API, or the console.

Here’s how to remove it properly:

  1. Confirm the rule is really gone
    • In the Defender portal, go to Settings → Endpoints → Device tagging → Manage rules.
    • Check that the rule that originally added the tag has been deleted and isn’t simply disabled.
    • If it’s only disabled, re-enable it, remove the tag assignment inside the rule, and then delete the rule again.
  2. Force a re-evaluation
    • Once the rule is deleted, devices update their tagging status only after the endpoint checks in again.
    • You can trigger a sync on each device:
    • MpCmdRun.exe -Sync

or wait for the next scheduled Defender for Endpoint heartbeat (usually every 30–60 minutes for active devices).

  1. If the tag persists after 24 hours
    • Create a temporary rule with the same name and conditions, but no tag assigned.
    • Let it run long enough for affected devices to check in and overwrite the tag data.
    • Then delete the temporary rule. This usually forces Defender to clear the orphaned tag entry.
  2. Manual deletion is not supported
    • The API and PowerShell cmdlets only manipulate manual tags.
    • The “rule-based” tags are read-only at the device level because they come from the backend service logic.

If you confirm the rule no longer exists and the tag still shows after a full day of device check-ins, open a support ticket with Microsoft 365 Defender support and include the device ID and tag name. They can trigger a backend tag refresh to remove orphaned entries.

In short: delete or modify the original rule, wait for device check-in, or recreate a neutral rule to flush the tag. There’s no local or API method to delete a rule-based tag directly.

 

Resources