Forum Discussion
Cannot delete a tag added through an Asset rule
This is still a known limitation in Microsoft Defender for Endpoint. Tags created by Asset rules are stored and managed separately from manual tags, and deleting the asset rule itself does not always remove the associated tag from existing devices. When an asset rule is deleted, the tag remains attached in the database as a stale rule-based tag, but because it no longer has a linked rule, it becomes effectively read-only. That is why you cannot remove it from the console, PowerShell, or API.
Right now, the only reliable way to remove such tags is to recreate the same rule using the same tag name and scope, let it synchronize for a few hours so that the rule re-links to the devices, and then delete the rule again. Once that synchronization completes, the tag is properly removed. This behavior is documented internally, but it has not yet been fully fixed in the product.
Here is the step-by-step workaround that works consistently:
1. Go to Defender portal > Settings > Endpoints > Asset rules.
2. Create a new rule using the exact same tag name as the one you want to remove and target the same devices or groups that still show it.
3. Wait until those devices report back to Defender (usually within one to two synchronization cycles).
4. Delete that recreated rule again. When the rule is removed after being actively linked, the tag disappears from all affected devices.
There is currently no API method or PowerShell parameter that can force-remove a rule-based tag after the original rule has been deleted. Microsoft has acknowledged this as a service issue and is tracking it for a fix in future Defender platform updates.
In short, re-create the rule using the same tag, allow it to resync, and then delete it again. That process cleans up the tag from all endpoints. Please hit like if you like the solution.
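As an added example that is not part of the original post or of Microsoft's own tooling: a PowerShell script that lists the devices still carrying a given tag, so you can confirm which endpoints show the stale rule-based tag before the workaround and check that it is gone after the recreated rule is deleted. It assumes an Entra ID app registration with the Defender for Endpoint application permission Machine.Read.All; the tenant ID, client ID, client secret and tag name are parameters you supply. It only reads, since the post notes the stale tag cannot be removed through the API.

```powershell
# Added example (not from the original post): report devices whose tag list
# still contains $TagName. Assumes an app registration granted the Defender
# for Endpoint application permission Machine.Read.All.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $TagName
)

# Acquire an app-only token for the Defender for Endpoint API.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://api.securitycenter.microsoft.com/.default'
}
$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token    = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody).access_token
$headers  = @{ Authorization = "Bearer $token" }

# Page through the machines list and keep devices whose machineTags contains the tag.
# The filter is done client-side so it does not depend on OData collection filters.
$uri    = 'https://api.securitycenter.microsoft.com/api/machines'
$tagged = @()
while ($uri) {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $tagged += $page.value | Where-Object { $_.machineTags -contains $TagName }
    $uri    = $page.'@odata.nextLink'   # $null when there are no more pages
}

if ($tagged.Count -eq 0) {
    Write-Host "No devices currently carry the tag '$TagName'."
} else {
    Write-Host "$($tagged.Count) device(s) still carry the tag '$TagName':"
    $tagged |
        Select-Object computerDnsName, id, rbacGroupName, lastSeen |
        Sort-Object computerDnsName |
        Format-Table -AutoSize
}
```

Run it once before recreating the rule to capture the affected device list, and again a synchronization cycle or two after deleting the recreated rule; an empty result confirms the cleanup completed.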
Thank you very much for the explanation.
I will try your workaround.