Blog Post

Microsoft Defender for Endpoint Blog
8 MIN READ

How to use tagging effectively (Part 1)

Steve Newby's avatar
Steve Newby
Icon for Microsoft rankMicrosoft
Jan 05, 2021

Why Use Tagging?

One important feature which often isn’t utilised correctly is the use of tags within Microsoft Defender for Endpoint.  This is a functionality that was introduced to allow you to apply a granular level of control over how you manage your devices.  In this blog we wanted to cover not only the primary uses for the tagging functionality, but also to explain some tips and tricks around how to effectively use this within your organisation.  We have split this into three parts to cover the basics but also some advanced scenarios for how to use tagging in your environment, so make sure to stay tuned to the blog for the full series.

 

Role Based Access Control - RBAC

The primary use for tagging is to allow you to create machine groups that can then be used for applying RBAC permissions.  Really the purpose of this is to enable a level of control such that different users can log into the portal and see only the machines that they are responsible for.  For example, in a large organisation spanning multiple geos rather than each geo having their own instance of Microsoft Defender for Endpoint, you would have a single instance where access is controlled through the use of roles and machine groups.  Having a single instance means that threat hunting and automation has full visibility of all devices across the entire organisation which is critical when a threat is hitting multiple endpoints.

 

The diagram below shows how you would break this down, and how you could further utilise this information to feed data into a SIEM where your SOC analysts can track threats across multiple areas of the infrastructure.

 

 

Later in this blog we will talk about the different ways you can apply tags to managed devices, but in order to utilise these tags you first need to create a machine group in Microsoft Defender Security Center portal and then apply specific security groups containing the user accounts of the devices you wish you manage. This is simple to do and the setting up of these machine groups is something you would typically do early on in the setup of the tenant, before you actually start doing any onboarding. This means that each time a machine is onboarded it goes straight into the appropriate group and only the correct people have visibility straight away.

Filtering

One of the great benefits of tagging is using them in machine views to present different views of machine lists.  Below are some examples of why you would use tags in filtering include:

  • Lab Machines – There is really no reason to have a separate tenant just for testing when the endpoints that report into Microsoft Defender for Endpoint can exist anywhere without any ties to a specific Azure AD or domain.  In this scenario, you might want to identify the specific lab machines with a tag:

 

By using this tag to create a machine group you can then exclude these machines from your threat reports or from threat and vulnerability management.

 

  • Decommissioned machines – Something we hear a lot from customers is that they have machines that they have decommissioned which they no longer want to see in their console; however, there is a very good reason why we don’t allow machines to be deleted. Just suppose there is a threat detected on the environment that originated some time back on a machine that had been decommissioned, if you deleted this from the tenant then you would have no way of understanding the source and techniques used in the breach. To address this, a machine record will remain in the tenant until the data retention period of the tenant expires.

 

We do understand though that you may not want to see these machines in the device list or have them show in the threat reports or threat and vulnerability management and so through the use of tags, and also machine groups, it is possible to effectively make these machines invisible.

 

The first stage of this would be to apply a tag against the machines, in the example below we have two machines tagged as “Decommissioned”.  Once you have set this tag you can then use the filters to exclude these tagged devices from the Device Inventory view:

 

Using this method is a quick and simple way to filter on your device inventory but you cannot use tag-based filtering in your reports or in threat and vulnerability management.  For this, you need to use machine groups so the next phase would be to create a machine group based on this tag, as described in the RBAC section above, at which point you can then exclude these groups from the threat and vulnerability management assessment:

It should be noted though that inactive machines are automatically excluded from threat and vulnerability management after 30 days anyway.

 

The use of machine groups in this scenario does open up another option which would then give you the desired result of removing a machine from the tenant whilst still maintaining the record for historical threat analysis; effectively hiding it.

 

To achieve this, create a user group with no members and then assign it to the Machine Group:

 

As there are no users assigned to this group, then any users who log into the portal (with the exception of Global Admin or Security Admin) will automatically have their view of any machines with the Decommissioned tag removed from all views, including threat and vulnerability management and reporting. Plus, simply adding the Decommissioned tag to a machine will effectively “delete” the machine from the portal.

 

 

Methods of Tag allocation

To utilise tags for RBAC and filtering you first need to make sure that the relevant machines have the tags applied and there are a number of methods to achieve this.

Registry tagging

This is via direct editing of the registry.  By setting the tag value in the DeviceTagging key (HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging) you are assigning a value to the machine that is picked up by Microsoft Defender for Endpoint telemetry.

 

There are a couple of points to be aware of when you are using the registry to tag a machine:

  1. The tag is fixed and cannot be changed through the portal, it can only be changed by modifying the registry.
  2. Only one tag can be specified in the registry.

In the image above, you can see the relevant key as displayed in Regedit; however, if you are modifying the registry to assign tags to production machines it is unlikely that it is Regedit you will use to set this value.  Instead, you are likely to use a script.  Obviously when using a script, you can add a lot of variables to determine what the tag value should be, meaning you could have a single script for all tag values you want to create or have multiple scripts that you then use another method with to define the logic.

What we have seen with several large organisations is utilising the onboarding script and adding a “REG ADD” command to the script and then using different onboarding scripts for different groups of machines. The value that would need to be added is:

 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v Group /t REG_SZ /d TAGNAME /f

 

You could use this script and have it as part of a GPO where you target it against an OU or use it in System Center Configuration Manager and target the script at different Collections.

However, if you wanted to keep the tagging separate from the onboarding then you may instead want to utilise a Powershell script which again you could apply via System Center Configuration Manager or another management tool.

To either have a specific script, or to add to another script, the lines you would need are:

 

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" -Name DeviceTagging -force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" -Name "Group" -Value "TAGNAME" -PropertyType "String"

 

Setting the tag via Intune

When using Intune, it is possible to utilise a custom policy to set the machine tag value in the registry via the WindowsAdvancedThreatProtection CSP (https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsadvancedthreatprotection-csp)

This diagram shows the provider:

When setting the values in Intune you configure a custom profile and then define the URI to set the device tag.

These are the steps for configuring this:

  1. Create Custom profile:

 

  1. Give the profile a name and then add the URI value (./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group), set a data type of “String” and then define the tag you want:

 

  1. Now you assign the profile.  By assigning it to a specific group in Azure AD it means that you can base your tagging, and therefore RBAC and filtering on existing device groups you may already have in Azure AD:

 

  1. You can add Applicability Rules if you want, to target it at specific Windows versions/editions, but this shouldn’t really be necessary in the case of Machine Tagging. So then it is simply a case of reviewing the profile and applying it:

 

 

Manual tagging

One of the easiest ways to tag a device is to simply add a tag value through the machine page in the portal.  Through this method you can add multiple tags or remove existing tags (although not if they have been defined in the registry).

Clicking onto the device page presents you with an option to “Manage Tags” where you can add and remove as required:

 

 

Tagging via API

While manual tagging is great and allows you to specify multiple tags against a device to assist with RBAC and filtering, however what if you have 100’s or 1000’s of devices that you want to assign the same tag value to? In this scenario, you can use the API to mass-assign tags, we will be covering this advanced use case in Part 3 of our blog.

Setting the tag on macOS

Obviously, you may not just be managing Windows endpoints in your environment. Microsoft Defender for Endpoint also supports tagging macOS machines. To apply tags on this platform, you can utilise the manual method or the API method. However, if you want to automate this process, then you can push out the settings as part of a Configuration Profile (a .plist file).

When you are creating the .plist file, you would need to add the following entry in order to configure the tag:

 

            <dict>

                 <key>tags</key>

                    <array>

                        <dict>

                            <key>key</key>

                            <string>GROUP</string>

                            <key>value</key>

                            <string>ExampleTag</string>

                        </dict>

                   </array>

            </dict>

 

You can find details of how to do that here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies#step-3-configure-microsoft-defender-atp-settings

 

This concludes Part 1 of our blog series on how to use tagging effectively.  Please join us for Part 2 where Miriam Wiesner will guide you through applying tags based upon the Organisational Unit placement of the device within Active Directory.

 

We welcome your feedback and questions on this or any of the other parts of this tagging blog and look forward to hearing from you.

 

Steve Newby (@steve_newby) and Miriam Wiesner (@miriamxyra)

Program Managers @ Microsoft Defender for Endpoint Product Group

 

 

 

Updated Jan 06, 2021
Version 9.0
  • BrechtMo's avatar
    BrechtMo
    Copper Contributor

    Nice writeup, thanks.

    We tried to assign tags to create a hiearchical structure, e.g.:

    Dept

    Dept.Subdept

    Dept.Subdept.SubSubDept

     

    but we can't filter in the device list on those tags. All devices are visible after you apply the filter.

    The dot character seems to be the issue, similar issue with "*".

  • AndrePKI's avatar
    AndrePKI
    Iron Contributor

    Steve Newby: You consistently use "machine groups" but in the portal and documentation it is "Device groups"
    Registry tagging is sooooo nice, except that it is not supported on newer OS versions anymore (Server 1803, 2019, 2022). Can we have that back, please?
    We cannot get a good distinction with the other filter options.

    Intune is not an option for servers 😞
    Manual tagging gives a chicken-egg issue: you can't tag machines you can't see because they are not in the device group you have access to before these are tagged...

  • hippyjm's avatar
    hippyjm
    Copper Contributor

    When using the intue method, how long shoudl the tag take to appear in 365 defender. 

    i can see that the OMA-URI has created a reg key value stating test03 but has not appeared in the defender portal. its been a day. 
    I have managed to get tagging working using a kql query in power automate, but wanting to use the intune method so we can target groups a bit easier. 

  • AndrePKI's avatar
    AndrePKI
    Iron Contributor

    hippyjm This information is sent from the machine to the cloud service once a day and after a reboot.

  • hippyjm's avatar
    hippyjm
    Copper Contributor

    AndrePKI thanks. I was just being a bit impatient. Its a good baseline to start with so once the device is built it can be tagged as desktop or laptop or office x.

    thanks for the guide

  • davidpmartin's avatar
    davidpmartin
    Copper Contributor

    When tagging with registry key method, the tag on device page seems to be a device groups and when I try to create "Device Group" based on the new tag created by registry key the new device group is empty.

    How can we create device groups based on registry tagging?

    Thanks