Machine tagging in Defender


Hi all,

I have tagged a number of now inactive devices and added them to a machine group. But whilst I tagged 24 devices, 31 are showing up in my device group. I have tagged the 24 devices InactiveReimaged and the machine group is also InactiveReimaged. I chose to add devices to the group by using the Tag Equals InactiveReimaged option. 

I did tag and untag a couple of devices before setting up the group, as a test, but only the 24 devices are, or should be, tagged.

Any ideas on why more devices are showing up, and more importantly, how I can fix this?

4 Replies
Did you see any duplicate entries in the 31? Did you ever try onboarding/offboarding the same devices more than one time? Inactive entries remain in Device inventory until they reach the retention period.
Tags can be managed manually or through the API.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags...

Yes, there are duplicates as some devices are used for testing and so are reimaged frequently. I know about adding and removing tags manually, as this is what I have done.

My question is why are seemingly untagged devices being added to a machine group that is explicitly for devices with tags.

Are the untagged devices still somehow tagged?

I am not sure what rule you have configured for the device group. If any untagged devices or newly onboarded devices match the rules configured in the device group, then they will be added to the machine group.

The only rule I have set for the machine group is to add those devices with the tag to the group. The tag is the same as the machine group name. There should be 24 devices in the group, but there are 31. When I check device inventory, only 24 devices have a tag.

I have noticed that the extra devices were previously tagged (before the group was created). I am wondering why these devices, which are not tagged, should be in the group.
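
One way to see which records account for a gap like the 24 tagged versus 31 grouped devices discussed in this thread, as an added example that is not part of the original posts. It assumes the device inventory has been exported as JSON records carrying the `id`, `computerDnsName`, `machineTags` and `rbacGroupName` fields of the Defender for Endpoint machine API; the sample records are constructed.

```python
from collections import defaultdict

TAG = GROUP = "InactiveReimaged"  # the thread uses the same name for tag and group

# Constructed sample records (not real devices), shaped like machine API entries.
SAMPLE = [
    {"id": "aaa1", "computerDnsName": "test-pc-01",
     "machineTags": ["InactiveReimaged"], "rbacGroupName": "InactiveReimaged"},
    # Same hostname recorded again (for example after a reimage), no tag.
    {"id": "aaa2", "computerDnsName": "TEST-PC-01",
     "machineTags": [], "rbacGroupName": "InactiveReimaged"},
    {"id": "bbb1", "computerDnsName": "lab-pc-07",
     "machineTags": ["InactiveReimaged"], "rbacGroupName": "InactiveReimaged"},
    {"id": "ccc1", "computerDnsName": "office-pc-12",
     "machineTags": [], "rbacGroupName": "Workstations"},
]


def reconcile(machines, tag=TAG, group=GROUP):
    """Compare the devices carrying `tag` with the devices reported in `group`."""
    tagged, grouped, by_host = set(), set(), defaultdict(list)
    for m in machines:
        if tag in (m.get("machineTags") or []):
            tagged.add(m["id"])
        if m.get("rbacGroupName") == group:
            grouped.add(m["id"])
        # Hostnames are compared case-insensitively to catch repeated records.
        host = (m.get("computerDnsName") or "").lower()
        by_host[host].append(m["id"])
    return {
        "tagged": len(tagged),
        "in_group": len(grouped),
        "in_group_without_tag": sorted(grouped - tagged),
        "tagged_not_in_group": sorted(tagged - grouped),
        "duplicate_hosts": {h: ids for h, ids in by_host.items()
                            if h and len(ids) > 1},
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE).items():
        print(f"{key}: {value}")
```

The `in_group_without_tag` list gives the device IDs to inspect individually, and `duplicate_hosts` shows whether they share a hostname with a tagged record.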