How to use tagging effectively (Part 2)

Published Jan 11 2021 09:52 AM 7,076 Views
Microsoft

In Part 1 of this blog series, we learnt about why tags are useful and how to maximise their potential for administration of Microsoft Defender for Endpoint. In the next two parts of this blog serieswe wanted to cover some advanced scenarios for applying tags, starting with…

 

Tagging your Microsoft Defender for Endpoint devices by OU path

Sometimes when working with Microsoft Defender for Endpoint you might want to display your Organizational Unit (OU) structure within Defender for Endpoint to build device groups to get better transparency for reporting.

 

To realize this scenario with Group Policies, we will create one script file in the process:

  • DefenderTagging.ps1

Create this script file and copy it to a location where you have access from a Domain Controller.

Contents of MSDETagging.ps1

 

 

 

 

$DN = (Get-ItemProperty -Path  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" -Name Distinguished-Name)."Distinguished-Name"
$OU = $DN.Substring($DN.IndexOf('OU='))

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging"
$name = "Group"

IF(!(Test-Path $registryPath))
  {
    New-Item -Path $registryPath -Force | Out-Null
    Set-ItemProperty -Path $registryPath -Name $name -Value $OU
  }
 ELSE {
    Set-ItemProperty -Path $registryPath -Name $name -Value $OU
  }

 

 

 

 

 

Depending on how many OUs your environment contains, you might want to fine grain the $OU selection done by this script: configuring too many tags could impact the performance when working in the Microsoft Defender Security Center.

 

Getting our scripts to run: Execution Policy

The Execution Policy restricts the execution of PowerShell Scripts on the system. On newer systems the default setting is “Restricted”. Having this setting configured, the system does not run scripts at all, therefore this setting needs to be changed before we can run the tagging script.

 

Execution Policy is not a real security feature, although some documentation states so. It is rather a feature that keeps you from running scripts unintentionally.

 

To maintain protection from running scripts unintentionally, but to have the ability to run scripts nevertheless, the setting “RemoteSigned” is a good approach:
Only local scripts (scripts within the local domain and signed scripts) can be run, unsigned scripts from the internet will be blocked from running.

 

You can either configure this option manually using the following PowerShell command:

 

 

 

 

Set-ExecutionPolicy RemoteSigned

 

 

 

 

Or since configuring it manually can take quite some effort, you can also configure it via Group Policy.

 

Getting started with the Group Policy

Create a new Group Policy Object which is linked to the root folder in which all your Defender protected devices are located.

 

Then navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

 

miriamwiesner_0-1607335344610.png

 

Configure the Setting “Turn on Script Execution” and choose the option “Allow local scripts and remote signed scripts”, which configures the Execution Policy to “RemoteSigned”.

 

This setting is the foundation that our PowerShell script will be executed on the systems on which you want to configure your custom tagging.

 

miriamwiesner_1-1607335344617.png

 

Configuring the script in your Group Policy

In the Group Policy Object, navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) and open the properties of “Startup”.

miriamwiesner_2-1607335344623.png

 

Once the properties window opens, navigate to the tab PowerShell Scripts, and click on “Add”. The “Edit Script” window will open. Click on “Browse…” which opens a file browser window.

 

miriamwiesner_3-1607335344626.png

 

miriamwiesner_4-1607335344627.png

 

Per default, the location that is opened is already the right location within your Group Policy Object folder.

 

Now copy your DefenderTagging.ps1 script inside this folder and select the script and confirm with “Open”.

 

miriamwiesner_5-1607335344629.png

 

 

miriamwiesner_6-1607335344631.png

 

Confirm with OK and apply the changes to your Group Policy Object. Your tagging Group Policy is now configured.

 

miriamwiesner_7-1607335344633.png

 

Verify that your tagging was successful

The next time that your device applies the Group Policy, the settings will be configured, and you can also find your properly tagged machines in the Microsoft Defender Security Center.

 

Note:
If the Execution Policy needs to be configured first, you might find the new tag after the GPO was applied to your device for the second time. If you want to apply both settings at the same time, you can create two Group Policies and let the one that sets the Execution Policy run before the GP containing the startup script is executed.

 

miriamwiesner_8-1607335344635.png

 

Finding your devices in Defender for Endpoint can take up one day for the devices to sync.

 

miriamwiesner_9-1607335344636.png

 

Find your tagged device’s events via advanced hunting:

To find your tagged device, you can use an advanced hunting query such as the one below. Simply replace "DC=xyra,DC=local" with the distinguished name of your Active Directory domain.

 

DeviceInfo | where RegistryDeviceTag contains "DC=xyra,DC=local"

 

miriamwiesner_10-1607335344637.png

 

 

This concludes Part 2 of the blog series on how to use tagging effectively. Please join us for Part 3 where Steve Newby will guide you through scripting against the Defender for Endpoint API to apply tags based upon advanced hunting queries.

 

We welcome your feedback and questions on this or any of the other parts of this tagging blog and look forward to hearing from you.

 

Miriam Wiesner (@miriamxyra) and Steve Newby (@steve_newby)

Program Managers @ Microsoft Defender for Endpoint Product Group

6 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-1962008%22%20slang%3D%22en-US%22%3EHow%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1962008%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CSPAN%3EIn%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-endpoint%2Fhow-to-use-tagging-effectively-part-1%2Fba-p%2F1964058%22%20target%3D%22_blank%22%3EPart%201%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bof%20this%20blog%20series%2C%20we%20learnt%20about%20why%20tags%20are%20useful%20and%20how%20to%20maximise%20their%20potential%20for%20administration%20of%20Microsoft%20Defender%20for%20Endpoint.%20In%20the%20next%20two%20parts%20of%20this%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-endpoint%2Fbg-p%2FMicrosoftDefenderATPBlog%2Flabel-name%2FTagging%2520effectively%22%20target%3D%22_blank%22%3Eblog%20series%3C%2FA%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewe%20wanted%20to%20cover%20some%20advanced%20scenarios%20for%20applying%20tags%2C%20starting%20with%E2%80%A6%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1181832460%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%20id%3D%22toc-hId--1180818607%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-1305680373%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%20id%3D%22toc-hId-1306694226%22%3ETagging%20your%20Microsoft%20Defender%20for%20Endpoint%20devices%20by%20OU%20path%3C%2FH2%3E%0A%3CP%3ESometimes%20when%20working%20with%20Microsoft%20Defender%20for%20Endpoint%20you%20might%20want%20to%20display%20your%20Organizational%20Unit%20(OU)%20structure%20within%20Defender%20for%20Endpoint%20to%20build%20device%20groups%20to%20get%20better%20transparency%20for%20reporting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20realize%20this%20scenario%20with%20Group%20Policies%2C%20we%20will%20create%20one%20script%20file%20in%20the%20process%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDefenderTagging.ps1%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ECreate%20this%20script%20file%20and%20copy%20it%20to%20a%20location%20where%20you%20have%20access%20from%20a%20Domain%20Controller.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1996241847%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%20id%3D%22toc-hId-1997255700%22%3EContents%20of%20MSDETagging.ps1%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3E%24DN%20%3D%20(Get-ItemProperty%20-Path%26nbsp%3B%20%22HKLM%3A%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CGroup%20Policy%5CState%5CMachine%22%20-Name%20Distinguished-Name).%22Distinguished-Name%22%0A%24OU%20%3D%20%24DN.Substring(%24DN.IndexOf('OU%3D'))%0A%0A%24registryPath%20%3D%20%22HKLM%3A%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%20Advanced%20Threat%20Protection%5CDeviceTagging%22%0A%24name%20%3D%20%22Group%22%0A%0AIF(!(Test-Path%20%24registryPath))%0A%26nbsp%3B%20%7B%0A%26nbsp%3B%26nbsp%3B%26nbsp%3B%20New-Item%20-Path%20%24registryPath%20-Force%20%7C%20Out-Null%0A%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Set-ItemProperty%20-Path%20%24registryPath%20-Name%20%24name%20-Value%20%24OU%0A%26nbsp%3B%20%7D%0A%26nbsp%3BELSE%20%7B%0A%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Set-ItemProperty%20-Path%20%24registryPath%20-Name%20%24name%20-Value%20%24OU%0A%26nbsp%3B%20%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDepending%20on%20how%20many%20OUs%20your%20environment%20contains%2C%20you%20might%20want%20to%20fine%20grain%20the%20%24OU%20selection%20done%20by%20this%20script%3A%20configuring%20too%20many%20tags%20could%20impact%20the%20performance%20when%20working%20in%20the%20Microsoft%20Defender%20Security%20Center.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1985738743%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%20id%3D%22toc-hId-1986752596%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-178284280%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%20id%3D%22toc-hId-179298133%22%3EGetting%20our%20scripts%20to%20run%3A%20Execution%20Policy%3C%2FH2%3E%0A%3CP%3EThe%20Execution%20Policy%20restricts%20the%20execution%20of%20PowerShell%20Scripts%20on%20the%20system.%20On%20newer%20systems%20the%20default%20setting%20is%20%E2%80%9CRestricted%E2%80%9D.%20Having%20this%20setting%20configured%2C%20the%20system%20does%20not%20run%20scripts%20at%20all%2C%20therefore%20this%20setting%20needs%20to%20be%20changed%20before%20we%20can%20run%20the%20tagging%20script.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EExecution%20Policy%20is%20not%20a%20real%20security%20feature%2C%20although%20some%20documentation%20states%20so.%20It%20is%20rather%20a%20feature%20that%20keeps%20you%20from%20running%20scripts%20unintentionally.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20maintain%20protection%20from%20running%20scripts%20unintentionally%2C%20but%20to%20have%20the%20ability%20to%20run%20scripts%20nevertheless%2C%20the%20setting%20%E2%80%9CRemoteSigned%E2%80%9D%20is%20a%20good%20approach%3A%3CBR%20%2F%3EOnly%20local%20scripts%20(scripts%20within%20the%20local%20domain%20and%20signed%20scripts)%20can%20be%20run%2C%20unsigned%20scripts%20from%20the%20internet%20will%20be%20blocked%20from%20running.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20either%20configure%20this%20option%20manually%20using%20the%20following%20PowerShell%20command%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ESet-ExecutionPolicy%20RemoteSigned%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOr%20since%20configuring%20it%20manually%20can%20take%20quite%20some%20effort%2C%20you%20can%20also%20configure%20it%20via%20Group%20Policy.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1629170183%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%20id%3D%22toc-hId--1628156330%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-858342650%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%20id%3D%22toc-hId-859356503%22%3EGetting%20started%20with%20the%20Group%20Policy%3C%2FH2%3E%0A%3CP%3ECreate%20a%20new%20Group%20Policy%20Object%20which%20is%20linked%20to%20the%20root%20folder%20in%20which%20all%20your%20Defender%20protected%20devices%20are%20located.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20navigate%20to%20%3CEM%3EComputer%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Windows%20Components%20%26gt%3B%20Windows%20PowerShell%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_0-1607335344610.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238218iC1E46EBFAC8149CA%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_0-1607335344610.png%22%20alt%3D%22miriamwiesner_0-1607335344610.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EConfigure%20the%20Setting%20%3CEM%3E%E2%80%9CTurn%20on%20Script%20Execution%E2%80%9D%3C%2FEM%3E%20and%20choose%20the%20option%20%3CEM%3E%E2%80%9CAllow%20local%20scripts%20and%20remote%20signed%20scripts%E2%80%9D%3C%2FEM%3E%2C%20which%20configures%20the%20Execution%20Policy%20to%20%3CEM%3E%E2%80%9CRemoteSigned%E2%80%9D%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20setting%20is%20the%20foundation%20that%20our%20PowerShell%20script%20will%20be%20executed%20on%20the%20systems%20on%20which%20you%20want%20to%20configure%20your%20custom%20tagging.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_1-1607335344617.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238219i165F30A654D9AA77%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_1-1607335344617.png%22%20alt%3D%22miriamwiesner_1-1607335344617.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--949111813%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%20id%3D%22toc-hId--948097960%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-1538401020%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%20id%3D%22toc-hId-1539414873%22%3EConfiguring%20the%20script%20in%20your%20Group%20Policy%3C%2FH2%3E%0A%3CP%3EIn%20the%20Group%20Policy%20Object%2C%20navigate%20to%20%3CEM%3EComputer%20Configuration%20%26gt%3B%20Policies%20%26gt%3B%20Windows%20Settings%20%26gt%3B%20Scripts%20(Startup%2FShutdown)%3C%2FEM%3E%20and%20open%20the%20properties%20of%20%E2%80%9C%3CEM%3EStartup%E2%80%9D%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_2-1607335344623.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238217i6F6FC00D4C8E261E%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_2-1607335344623.png%22%20alt%3D%22miriamwiesner_2-1607335344623.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20the%20properties%20window%20opens%2C%20navigate%20to%20the%20tab%20%3CEM%3EPowerShell%20Scripts%2C%3C%2FEM%3E%20and%20click%20on%20%E2%80%9C%3CEM%3EAdd%3C%2FEM%3E%E2%80%9D.%20The%20%E2%80%9CEdit%20Script%E2%80%9D%20window%20will%20open.%20Click%20on%20%E2%80%9C%3CEM%3EBrowse%E2%80%A6%3C%2FEM%3E%E2%80%9D%20which%20opens%20a%20file%20browser%20window.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_3-1607335344626.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238222i1F0AD9341FDF63B2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_3-1607335344626.png%22%20alt%3D%22miriamwiesner_3-1607335344626.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_4-1607335344627.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238220iC65F803CB18319C1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_4-1607335344627.png%22%20alt%3D%22miriamwiesner_4-1607335344627.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPer%20default%2C%20the%20location%20that%20is%20opened%20is%20already%20the%20right%20location%20within%20your%20Group%20Policy%20Object%20folder.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20copy%20your%20DefenderTagging.ps1%20script%20inside%20this%20folder%20and%20select%20the%20script%20and%20confirm%20with%20%E2%80%9COpen%E2%80%9D.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_5-1607335344629.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238221iE0CA259AE18FBE57%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_5-1607335344629.png%22%20alt%3D%22miriamwiesner_5-1607335344629.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_6-1607335344631.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238224iD29323BE5ACFF6C1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_6-1607335344631.png%22%20alt%3D%22miriamwiesner_6-1607335344631.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EConfirm%20with%20OK%20and%20apply%20the%20changes%20to%20your%20Group%20Policy%20Object.%20Your%20tagging%20Group%20Policy%20is%20now%20configured.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_7-1607335344633.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238225i6E83F0DA46FB6216%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_7-1607335344633.png%22%20alt%3D%22miriamwiesner_7-1607335344633.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--269053443%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%20id%3D%22toc-hId--268039590%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--402738167%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%20id%3D%22toc-hId--401724314%22%3EVerify%20that%20your%20tagging%20was%20successful%3C%2FH2%3E%0A%3CP%3EThe%20next%20time%20that%20your%20device%20applies%20the%20Group%20Policy%2C%20the%20settings%20will%20be%20configured%2C%20and%20you%20can%20also%20find%20your%20properly%20tagged%20machines%20in%20the%20Microsoft%20Defender%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%3CBR%20%2F%3EIf%20the%20Execution%20Policy%20needs%20to%20be%20configured%20first%2C%20you%20might%20find%20the%20new%20tag%20after%20the%20GPO%20was%20applied%20to%20your%20device%20for%20the%20second%20time.%20If%20you%20want%20to%20apply%20both%20settings%20at%20the%20same%20time%2C%20you%20can%20create%20two%20Group%20Policies%20and%20let%20the%20one%20that%20sets%20the%20Execution%20Policy%20run%20before%20the%20GP%20containing%20the%20startup%20script%20is%20executed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_8-1607335344635.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238223i9DFE5C5BB82C78A5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_8-1607335344635.png%22%20alt%3D%22miriamwiesner_8-1607335344635.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFinding%20your%20devices%20in%20Defender%20for%20Endpoint%20can%20take%20up%20one%20day%20for%20the%20devices%20to%20sync.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_9-1607335344636.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238227i2942E3BCD9558040%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_9-1607335344636.png%22%20alt%3D%22miriamwiesner_9-1607335344636.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2084774666%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%20id%3D%22toc-hId-2085788519%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-277320203%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%20id%3D%22toc-hId-278334056%22%3EFind%20your%20tagged%20device%E2%80%99s%20events%20via%20advanced%20hunting%3A%3C%2FH2%3E%0A%3CP%3ETo%20find%20your%20tagged%20device%2C%20you%20can%20use%20an%20advanced%20hunting%20query%20such%20as%20the%20one%20below.%20Simply%20replace%20%22DC%3Dxyra%2CDC%3Dlocal%22%20with%20the%20distinguished%20name%20of%20your%20Active%20Directory%20domain.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EDeviceInfo%20%7C%20where%20RegistryDeviceTag%20contains%20%22DC%3Dxyra%2CDC%3Dlocal%22%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22miriamwiesner_10-1607335344637.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238226iDB36D63EF41A5DF5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22miriamwiesner_10-1607335344637.png%22%20alt%3D%22miriamwiesner_10-1607335344637.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThis%20concludes%20Part%202%20of%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-endpoint%2Fbg-p%2FMicrosoftDefenderATPBlog%2Flabel-name%2FTagging%2520effectively%22%20target%3D%22_blank%22%3Eblog%20series%3C%2FA%3E%20on%20how%20to%20use%20tagging%20effectively.%20Please%20join%20us%20for%20Part%203%20where%20Steve%20Newby%20will%20guide%20you%20through%20scripting%20against%20the%20Defender%20for%20Endpoint%20API%20to%20apply%20tags%20based%20upon%20advanced%20hunting%20queries.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CP%3EWe%20welcome%20your%20feedback%20and%20questions%20on%20this%20or%20any%20of%20the%20other%20parts%20of%20this%20tagging%20blog%20and%20look%20forward%20to%20hearing%20from%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMiriam%20Wiesner%20(%40miriamxyra)%20and%20Steve%20Newby%20(%40steve_newby)%3C%2FP%3E%0A%3CP%3EProgram%20Managers%20%40%20Microsoft%20Defender%20for%20Endpoint%20Product%20Group%3C%2FP%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1962008%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Tagging2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F244445i34151D7929B4A17B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Tagging2.png%22%20alt%3D%22Tagging2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ETips%20and%20tricks%20from%20Steve%20Newby%20and%20Miriam%20Wiesner%20on%20how%20to%20get%20the%20best%20out%20of%20tagging%20in%20Microsoft%20Defender%20for%20Endpoint.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1962008%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ETagging%20effectively%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2065250%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2065250%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Miriam%2C%20is%20possible%20create%20a%20TAG%20automatically%20when%20a%20machine%20%22Active%22%20or%20%22Inactive%22%3F%3CBR%20%2F%3EExample%3A%20Onboarding%20the%20new%20Machine%20is%20set%26nbsp%3Ba%20TAG%20automatically%20%22Active%22%20or%20machine%20is%20classified%20as%20%22Inactive%22%26nbsp%3Bis%20set%26nbsp%3Ba%20TAG%20automatically%20%22Inactive%22.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2070178%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2070178%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F637519%22%20target%3D%22_blank%22%3E%40EltonSancho%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20device%20is%20automatically%20tagged%20as%20inactive%20according%20to%20specific%20conditions%20described%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Ffix-unhealthy-sensors%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%26nbsp%3B%20Do%20you%20have%20another%20use%20case%20for%20marking%20a%20device%20as%20inactive%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2082056%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2082056%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20Useful%20information%20for%20many%20Customers.%20Thanks%20for%20the%20info.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093053%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093053%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F380693%22%20target%3D%22_blank%22%3E%40miriamwiesner%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ecan%20i%20suggest%20this%20method%20to%20simplify%20the%20tagging%3F%3C%2FP%3E%0A%3CP%3Egroup%20policy%20preference%20%22Registry%22%2C%20this%20is%20an%20example%20to%20tag%20the%20Domain%20Controllers%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_0-1611561983617.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F249065i2832CB1A4BF531CD%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_0-1611561983617.png%22%20alt%3D%22msftdario_0-1611561983617.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditormsftdario_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditormsftdario_4%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditormsftdario_5%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_0-1611562637029.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F249073iCDC1034D745F037E%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_0-1611562637029.png%22%20alt%3D%22msftdario_0-1611562637029.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditormsftdario_3%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_1-1611562094913.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F249067i8019F3368A892C42%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_1-1611562094913.png%22%20alt%3D%22msftdario_1-1611562094913.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethis%20will%20be%20so%20much%20easy%20than%20deploy%2C%20manage%20and%20maintain%20the%20powershell%20script%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThought%3F%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EDario%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20class%3D%22ms-editor-squiggler%22%20style%3D%22color%3A%20initial%3B%20font%3A%20initial%3B%20font-feature-settings%3A%20initial%3B%20font-kerning%3A%20initial%3B%20font-optical-sizing%3A%20initial%3B%20font-variation-settings%3A%20initial%3B%20forced-color-adjust%3A%20initial%3B%20text-orientation%3A%20initial%3B%20text-rendering%3A%20initial%3B%20-webkit-font-smoothing%3A%20initial%3B%20-webkit-locale%3A%20initial%3B%20-webkit-text-orientation%3A%20initial%3B%20-webkit-writing-mode%3A%20initial%3B%20writing-mode%3A%20initial%3B%20zoom%3A%20initial%3B%20place-content%3A%20initial%3B%20place-items%3A%20initial%3B%20place-self%3A%20initial%3B%20alignment-baseline%3A%20initial%3B%20animation%3A%20initial%3B%20appearance%3A%20initial%3B%20aspect-ratio%3A%20initial%3B%20backdrop-filter%3A%20initial%3B%20backface-visibility%3A%20initial%3B%20background%3A%20initial%3B%20background-blend-mode%3A%20initial%3B%20baseline-shift%3A%20initial%3B%20block-size%3A%20initial%3B%20border-block%3A%20initial%3B%20border%3A%20initial%3B%20border-radius%3A%20initial%3B%20border-collapse%3A%20initial%3B%20border-inline%3A%20initial%3B%20inset%3A%20initial%3B%20box-shadow%3A%20initial%3B%20box-sizing%3A%20initial%3B%20break-after%3A%20initial%3B%20break-before%3A%20initial%3B%20break-inside%3A%20initial%3B%20buffered-rendering%3A%20initial%3B%20caption-side%3A%20initial%3B%20caret-color%3A%20initial%3B%20clear%3A%20initial%3B%20clip%3A%20initial%3B%20clip-path%3A%20initial%3B%20clip-rule%3A%20initial%3B%20color-interpolation%3A%20initial%3B%20color-interpolation-filters%3A%20initial%3B%20color-rendering%3A%20initial%3B%20color-scheme%3A%20initial%3B%20columns%3A%20initial%3B%20column-fill%3A%20initial%3B%20gap%3A%20initial%3B%20column-rule%3A%20initial%3B%20column-span%3A%20initial%3B%20contain%3A%20initial%3B%20contain-intrinsic-size%3A%20initial%3B%20content%3A%20initial%3B%20content-visibility%3A%20initial%3B%20counter-increment%3A%20initial%3B%20counter-reset%3A%20initial%3B%20counter-set%3A%20initial%3B%20cursor%3A%20initial%3B%20cx%3A%20initial%3B%20cy%3A%20initial%3B%20d%3A%20initial%3B%20display%3A%20block%3B%20dominant-baseline%3A%20initial%3B%20empty-cells%3A%20initial%3B%20fill%3A%20initial%3B%20fill-opacity%3A%20initial%3B%20fill-rule%3A%20initial%3B%20filter%3A%20initial%3B%20flex%3A%20initial%3B%20flex-flow%3A%20initial%3B%20float%3A%20initial%3B%20flood-color%3A%20initial%3B%20flood-opacity%3A%20initial%3B%20grid%3A%20initial%3B%20grid-area%3A%20initial%3B%20height%3A%20initial%3B%20hyphens%3A%20initial%3B%20image-orientation%3A%20initial%3B%20image-rendering%3A%20initial%3B%20inline-size%3A%20initial%3B%20inset-block%3A%20initial%3B%20inset-inline%3A%20initial%3B%20isolation%3A%20initial%3B%20letter-spacing%3A%20initial%3B%20lighting-color%3A%20initial%3B%20line-break%3A%20initial%3B%20list-style%3A%20initial%3B%20margin-block%3A%20initial%3B%20margin%3A%20initial%3B%20margin-inline%3A%20initial%3B%20marker%3A%20initial%3B%20mask%3A%20initial%3B%20mask-type%3A%20initial%3B%20max-block-size%3A%20initial%3B%20max-height%3A%20initial%3B%20max-inline-size%3A%20initial%3B%20max-width%3A%20initial%3B%20min-block-size%3A%20initial%3B%20min-height%3A%20initial%3B%20min-inline-size%3A%20initial%3B%20min-width%3A%20initial%3B%20mix-blend-mode%3A%20initial%3B%20object-fit%3A%20initial%3B%20object-position%3A%20initial%3B%20offset%3A%20initial%3B%20opacity%3A%20initial%3B%20order%3A%20initial%3B%20origin-trial-test-property%3A%20initial%3B%20orphans%3A%20initial%3B%20outline%3A%20initial%3B%20outline-offset%3A%20initial%3B%20overflow-anchor%3A%20initial%3B%20overflow-wrap%3A%20initial%3B%20overflow%3A%20initial%3B%20overscroll-behavior-block%3A%20initial%3B%20overscroll-behavior-inline%3A%20initial%3B%20overscroll-behavior%3A%20initial%3B%20padding-block%3A%20initial%3B%20padding%3A%20initial%3B%20padding-inline%3A%20initial%3B%20page%3A%20initial%3B%20page-orientation%3A%20initial%3B%20paint-order%3A%20initial%3B%20perspective%3A%20initial%3B%20perspective-origin%3A%20initial%3B%20pointer-events%3A%20initial%3B%20position%3A%20initial%3B%20quotes%3A%20initial%3B%20r%3A%20initial%3B%20resize%3A%20initial%3B%20ruby-position%3A%20initial%3B%20rx%3A%20initial%3B%20ry%3A%20initial%3B%20scroll-behavior%3A%20initial%3B%20scroll-margin-block%3A%20initial%3B%20scroll-margin%3A%20initial%3B%20scroll-margin-inline%3A%20initial%3B%20scroll-padding-block%3A%20initial%3B%20scroll-padding%3A%20initial%3B%20scroll-padding-inline%3A%20initial%3B%20scroll-snap-align%3A%20initial%3B%20scroll-snap-stop%3A%20initial%3B%20scroll-snap-type%3A%20initial%3B%20shape-image-threshold%3A%20initial%3B%20shape-margin%3A%20initial%3B%20shape-outside%3A%20initial%3B%20shape-rendering%3A%20initial%3B%20size%3A%20initial%3B%20speak%3A%20initial%3B%20stop-color%3A%20initial%3B%20stop-opacity%3A%20initial%3B%20stroke%3A%20initial%3B%20stroke-dasharray%3A%20initial%3B%20stroke-dashoffset%3A%20initial%3B%20stroke-linecap%3A%20initial%3B%20stroke-linejoin%3A%20initial%3B%20stroke-miterlimit%3A%20initial%3B%20stroke-opacity%3A%20initial%3B%20stroke-width%3A%20initial%3B%20tab-size%3A%20initial%3B%20table-layout%3A%20initial%3B%20text-align%3A%20initial%3B%20text-align-last%3A%20initial%3B%20text-anchor%3A%20initial%3B%20text-combine-upright%3A%20initial%3B%20text-decoration%3A%20initial%3B%20text-decoration-skip-ink%3A%20initial%3B%20text-indent%3A%20initial%3B%20text-overflow%3A%20initial%3B%20text-shadow%3A%20initial%3B%20text-size-adjust%3A%20initial%3B%20text-transform%3A%20initial%3B%20text-underline-offset%3A%20initial%3B%20text-underline-position%3A%20initial%3B%20touch-action%3A%20initial%3B%20transform%3A%20initial%3B%20transform-box%3A%20initial%3B%20transform-origin%3A%20initial%3B%20transform-style%3A%20initial%3B%20transition%3A%20initial%3B%20user-select%3A%20initial%3B%20vector-effect%3A%20initial%3B%20vertical-align%3A%20initial%3B%20visibility%3A%20initial%3B%20-webkit-app-region%3A%20initial%3B%20border-spacing%3A%20initial%3B%20-webkit-border-image%3A%20initial%3B%20-webkit-box-align%3A%20initial%3B%20-webkit-box-decoration-break%3A%20initial%3B%20-webkit-box-direction%3A%20initial%3B%20-webkit-box-flex%3A%20initial%3B%20-webkit-box-ordinal-group%3A%20initial%3B%20-webkit-box-orient%3A%20initial%3B%20-webkit-box-pack%3A%20initial%3B%20-webkit-box-reflect%3A%20initial%3B%20-webkit-highlight%3A%20initial%3B%20-webkit-hyphenate-character%3A%20initial%3B%20-webkit-line-break%3A%20initial%3B%20-webkit-line-clamp%3A%20initial%3B%20-webkit-mask-box-image%3A%20initial%3B%20-webkit-mask%3A%20initial%3B%20-webkit-mask-composite%3A%20initial%3B%20-webkit-perspective-origin-x%3A%20initial%3B%20-webkit-perspective-origin-y%3A%20initial%3B%20-webkit-print-color-adjust%3A%20initial%3B%20-webkit-rtl-ordering%3A%20initial%3B%20-webkit-ruby-position%3A%20initial%3B%20-webkit-tap-highlight-color%3A%20initial%3B%20-webkit-text-combine%3A%20initial%3B%20-webkit-text-decorations-in-effect%3A%20initial%3B%20-webkit-text-emphasis%3A%20initial%3B%20-webkit-text-emphasis-position%3A%20initial%3B%20-webkit-text-fill-color%3A%20initial%3B%20-webkit-text-security%3A%20initial%3B%20-webkit-text-stroke%3A%20initial%3B%20-webkit-transform-origin-x%3A%20initial%3B%20-webkit-transform-origin-y%3A%20initial%3B%20-webkit-transform-origin-z%3A%20initial%3B%20-webkit-user-drag%3A%20initial%3B%20-webkit-user-modify%3A%20initial%3B%20white-space%3A%20initial%3B%20widows%3A%20initial%3B%20width%3A%20initial%3B%20will-change%3A%20initial%3B%20word-break%3A%20initial%3B%20word-spacing%3A%20initial%3B%20x%3A%20initial%3B%20y%3A%20initial%3B%20z-index%3A%20initial%3B%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%20class%3D%22ms-editor-squiggler%22%20style%3D%22color%3A%20initial%3B%20font%3A%20initial%3B%20font-feature-settings%3A%20initial%3B%20font-kerning%3A%20initial%3B%20font-optical-sizing%3A%20initial%3B%20font-variation-settings%3A%20initial%3B%20forced-color-adjust%3A%20initial%3B%20text-orientation%3A%20initial%3B%20text-rendering%3A%20initial%3B%20-webkit-font-smoothing%3A%20initial%3B%20-webkit-locale%3A%20initial%3B%20-webkit-text-orientation%3A%20initial%3B%20-webkit-writing-mode%3A%20initial%3B%20writing-mode%3A%20initial%3B%20zoom%3A%20initial%3B%20place-content%3A%20initial%3B%20place-items%3A%20initial%3B%20place-self%3A%20initial%3B%20alignment-baseline%3A%20initial%3B%20animation%3A%20initial%3B%20appearance%3A%20initial%3B%20aspect-ratio%3A%20initial%3B%20backdrop-filter%3A%20initial%3B%20backface-visibility%3A%20initial%3B%20background%3A%20initial%3B%20background-blend-mode%3A%20initial%3B%20baseline-shift%3A%20initial%3B%20block-size%3A%20initial%3B%20border-block%3A%20initial%3B%20border%3A%20initial%3B%20border-radius%3A%20initial%3B%20border-collapse%3A%20initial%3B%20border-inline%3A%20initial%3B%20inset%3A%20initial%3B%20box-shadow%3A%20initial%3B%20box-sizing%3A%20initial%3B%20break-after%3A%20initial%3B%20break-before%3A%20initial%3B%20break-inside%3A%20initial%3B%20buffered-rendering%3A%20initial%3B%20caption-side%3A%20initial%3B%20caret-color%3A%20initial%3B%20clear%3A%20initial%3B%20clip%3A%20initial%3B%20clip-path%3A%20initial%3B%20clip-rule%3A%20initial%3B%20color-interpolation%3A%20initial%3B%20color-interpolation-filters%3A%20initial%3B%20color-rendering%3A%20initial%3B%20color-scheme%3A%20initial%3B%20columns%3A%20initial%3B%20column-fill%3A%20initial%3B%20gap%3A%20initial%3B%20column-rule%3A%20initial%3B%20column-span%3A%20initial%3B%20contain%3A%20initial%3B%20contain-intrinsic-size%3A%20initial%3B%20content%3A%20initial%3B%20content-visibility%3A%20initial%3B%20counter-increment%3A%20initial%3B%20counter-reset%3A%20initial%3B%20counter-set%3A%20initial%3B%20cursor%3A%20initial%3B%20cx%3A%20initial%3B%20cy%3A%20initial%3B%20d%3A%20initial%3B%20display%3A%20block%3B%20dominant-baseline%3A%20initial%3B%20empty-cells%3A%20initial%3B%20fill%3A%20initial%3B%20fill-opacity%3A%20initial%3B%20fill-rule%3A%20initial%3B%20filter%3A%20initial%3B%20flex%3A%20initial%3B%20flex-flow%3A%20initial%3B%20float%3A%20initial%3B%20flood-color%3A%20initial%3B%20flood-opacity%3A%20initial%3B%20grid%3A%20initial%3B%20grid-area%3A%20initial%3B%20height%3A%20initial%3B%20hyphens%3A%20initial%3B%20image-orientation%3A%20initial%3B%20image-rendering%3A%20initial%3B%20inline-size%3A%20initial%3B%20inset-block%3A%20initial%3B%20inset-inline%3A%20initial%3B%20isolation%3A%20initial%3B%20letter-spacing%3A%20initial%3B%20lighting-color%3A%20initial%3B%20line-break%3A%20initial%3B%20list-style%3A%20initial%3B%20margin-block%3A%20initial%3B%20margin%3A%20initial%3B%20margin-inline%3A%20initial%3B%20marker%3A%20initial%3B%20mask%3A%20initial%3B%20mask-type%3A%20initial%3B%20max-block-size%3A%20initial%3B%20max-height%3A%20initial%3B%20max-inline-size%3A%20initial%3B%20max-width%3A%20initial%3B%20min-block-size%3A%20initial%3B%20min-height%3A%20initial%3B%20min-inline-size%3A%20initial%3B%20min-width%3A%20initial%3B%20mix-blend-mode%3A%20initial%3B%20object-fit%3A%20initial%3B%20object-position%3A%20initial%3B%20offset%3A%20initial%3B%20opacity%3A%20initial%3B%20order%3A%20initial%3B%20origin-trial-test-property%3A%20initial%3B%20orphans%3A%20initial%3B%20outline%3A%20initial%3B%20outline-offset%3A%20initial%3B%20overflow-anchor%3A%20initial%3B%20overflow-wrap%3A%20initial%3B%20overflow%3A%20initial%3B%20overscroll-behavior-block%3A%20initial%3B%20overscroll-behavior-inline%3A%20initial%3B%20overscroll-behavior%3A%20initial%3B%20padding-block%3A%20initial%3B%20padding%3A%20initial%3B%20padding-inline%3A%20initial%3B%20page%3A%20initial%3B%20page-orientation%3A%20initial%3B%20paint-order%3A%20initial%3B%20perspective%3A%20initial%3B%20perspective-origin%3A%20initial%3B%20pointer-events%3A%20initial%3B%20position%3A%20initial%3B%20quotes%3A%20initial%3B%20r%3A%20initial%3B%20resize%3A%20initial%3B%20ruby-position%3A%20initial%3B%20rx%3A%20initial%3B%20ry%3A%20initial%3B%20scroll-behavior%3A%20initial%3B%20scroll-margin-block%3A%20initial%3B%20scroll-margin%3A%20initial%3B%20scroll-margin-inline%3A%20initial%3B%20scroll-padding-block%3A%20initial%3B%20scroll-padding%3A%20initial%3B%20scroll-padding-inline%3A%20initial%3B%20scroll-snap-align%3A%20initial%3B%20scroll-snap-stop%3A%20initial%3B%20scroll-snap-type%3A%20initial%3B%20shape-image-threshold%3A%20initial%3B%20shape-margin%3A%20initial%3B%20shape-outside%3A%20initial%3B%20shape-rendering%3A%20initial%3B%20size%3A%20initial%3B%20speak%3A%20initial%3B%20stop-color%3A%20initial%3B%20stop-opacity%3A%20initial%3B%20stroke%3A%20initial%3B%20stroke-dasharray%3A%20initial%3B%20stroke-dashoffset%3A%20initial%3B%20stroke-linecap%3A%20initial%3B%20stroke-linejoin%3A%20initial%3B%20stroke-miterlimit%3A%20initial%3B%20stroke-opacity%3A%20initial%3B%20stroke-width%3A%20initial%3B%20tab-size%3A%20initial%3B%20table-layout%3A%20initial%3B%20text-align%3A%20initial%3B%20text-align-last%3A%20initial%3B%20text-anchor%3A%20initial%3B%20text-combine-upright%3A%20initial%3B%20text-decoration%3A%20initial%3B%20text-decoration-skip-ink%3A%20initial%3B%20text-indent%3A%20initial%3B%20text-overflow%3A%20initial%3B%20text-shadow%3A%20initial%3B%20text-size-adjust%3A%20initial%3B%20text-transform%3A%20initial%3B%20text-underline-offset%3A%20initial%3B%20text-underline-position%3A%20initial%3B%20touch-action%3A%20initial%3B%20transform%3A%20initial%3B%20transform-box%3A%20initial%3B%20transform-origin%3A%20initial%3B%20transform-style%3A%20initial%3B%20transition%3A%20initial%3B%20user-select%3A%20initial%3B%20vector-effect%3A%20initial%3B%20vertical-align%3A%20initial%3B%20visibility%3A%20initial%3B%20-webkit-app-region%3A%20initial%3B%20border-spacing%3A%20initial%3B%20-webkit-border-image%3A%20initial%3B%20-webkit-box-align%3A%20initial%3B%20-webkit-box-decoration-break%3A%20initial%3B%20-webkit-box-direction%3A%20initial%3B%20-webkit-box-flex%3A%20initial%3B%20-webkit-box-ordinal-group%3A%20initial%3B%20-webkit-box-orient%3A%20initial%3B%20-webkit-box-pack%3A%20initial%3B%20-webkit-box-reflect%3A%20initial%3B%20-webkit-highlight%3A%20initial%3B%20-webkit-hyphenate-character%3A%20initial%3B%20-webkit-line-break%3A%20initial%3B%20-webkit-line-clamp%3A%20initial%3B%20-webkit-mask-box-image%3A%20initial%3B%20-webkit-mask%3A%20initial%3B%20-webkit-mask-composite%3A%20initial%3B%20-webkit-perspective-origin-x%3A%20initial%3B%20-webkit-perspective-origin-y%3A%20initial%3B%20-webkit-print-color-adjust%3A%20initial%3B%20-webkit-rtl-ordering%3A%20initial%3B%20-webkit-ruby-position%3A%20initial%3B%20-webkit-tap-highlight-color%3A%20initial%3B%20-webkit-text-combine%3A%20initial%3B%20-webkit-text-decorations-in-effect%3A%20initial%3B%20-webkit-text-emphasis%3A%20initial%3B%20-webkit-text-emphasis-position%3A%20initial%3B%20-webkit-text-fill-color%3A%20initial%3B%20-webkit-text-security%3A%20initial%3B%20-webkit-text-stroke%3A%20initial%3B%20-webkit-transform-origin-x%3A%20initial%3B%20-webkit-transform-origin-y%3A%20initial%3B%20-webkit-transform-origin-z%3A%20initial%3B%20-webkit-user-drag%3A%20initial%3B%20-webkit-user-modify%3A%20initial%3B%20white-space%3A%20initial%3B%20widows%3A%20initial%3B%20width%3A%20initial%3B%20will-change%3A%20initial%3B%20word-break%3A%20initial%3B%20word-spacing%3A%20initial%3B%20x%3A%20initial%3B%20y%3A%20initial%3B%20z-index%3A%20initial%3B%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093521%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20use%20tagging%20effectively%20(Part%202)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093521%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F494701%22%20target%3D%22_blank%22%3E%40msftdario%3C%2FA%3E%26nbsp%3B%2C%20I%20would%20think%20the%20same%2C%26nbsp%3B%20GPO%20preference%20could%20be%20the%20preferred%20way%20to%20deliver%20the%20reg%20key%20change%20to%20domain%20devices%20.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Jan 11 2021 09:52 AM
Updated by: