SOLVED

Cannot remove tags

Occasional Contributor

I have a few tags appearing Microsoft Defender Security Center.  I cannot remove them either in the UI or using the Add/Remove tag API.  I don't see them in the registry key either.  These tags appear in grey versus the usual blue color.  I cannot find any information on this problem.  Has anyone ever seen this and know a fix?  I have added a screen shot showing the problem.

6 Replies
I also get this message from the API:

"error":{"code":"InvalidInput","message":"The Tag ExampleTag is a device tag and cannot be removed from the API","target":"dxxxx....

From the machine name I'd guess this is a MacBook Pro.

 

In that case, the tag was probably set using the mdatp command, and would work similarly to the Registry based tags on Windows. You'll probably need to run the mdatp command on the machine to remove it.

best response confirmed by bellinghamlady (Occasional Contributor)
Solution
I'd also suspect that someone has taken the sample Jamf/Intune property lists on the following page a bit too literally.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-prefe...
Those do indeed set a tag named "ExampleTag".
Hello,

On my Defender Portal, I am able to "manage tags" do you have the right permissions? how are you authenticating to Defender API?
Can you find this "manage tags" on a device? and see if you can remove it manually?

https://imgur.com/rxzhg59
Yes, I can see and add/remove most tags. I have just found two tags that have that grey color and I cannot seem to remove. I will pursue the Jamf and mdatp suggestions.
The issue was the "ExampleTag" was deployed via Jamf. Thank you akakak!