Without consistent tags your Web Content Filter policies stay messy and your RBAC scopes stay wide. In this guide I show you how the Defender for Endpoint Scope Tag travels from Autopilot through Intune into Defender for Endpoint. I use short steps and share what works for me in real projects.
Table of Contents
- Prerequisites
- Set the Autopilot Group Tag
- Create a dynamic Azure AD group
- Add an Intune Scope Tag (optional)
- Push the tag to the device
- Make an MDE device group
- Troubleshooting
- FAQ (2025)
Prerequisites
- Microsoft Intune with admin rights
- Defender for Endpoint Plan 1, Plan 2 or Defender for Business
- Windows 10 or 11, onboarded to the MDE sensor
- (Optional) Azure AD P1 for dynamic groups
Set the Autopilot Group Tag
- I open Intune ▸ Devices ▸ Windows ▸ Windows enrollment ▸ Devices.
- I click the device to open its properties.
- I type the tag name into the Group Tag field, for example `scloud`, and save.
💡 Persistence: The tag survives a wipe as long as I keep the device entry in the Autopilot list.
Create a dynamic Azure AD group
Gather every tagged device in one bucket. Create a Security Group with Dynamic Device membership and paste this rule:
(device.devicePhysicalIds -any (_ -eq "[OrderID]:scloud"))
Replace `scloud` with your own tag. New devices join the group on their own after Autopilot registration; membership evaluation can take a few minutes.
Add an Intune Scope Tag (optional)
Scope Tags can limit what Help Desk roles, other predefined roles or custom roles are allowed to see and manage.
- Go to Intune ▸ Tenant administration ▸ Roles ▸ Scope tags ▸ + Create.
- Name the tag exactly like your Group Tag.
- Under Assignments pick the dynamic group from Step 2.
Every device in that group now carries the same Scope Tag.
After the assignment it can take a "cloud minute" (several minutes in practice) until the Scope Tag actually shows up on the devices.
Push the tag to the device
Method A Classic: Intune Custom OMA URI
- Open Intune ▸ Devices ▸ Windows ▸ Configuration profiles ▸ + Create profile.
- Platform: Windows 10 and later, Profile type: Templates ▸ Custom.
- Add one setting with the values below (only one tag per device via this setting, 200 characters max).
- Assign the profile to the dynamic group from Step 2.

Setting | Value |
---|---|
Name | Group-Tag for Defender |
Description | Group-Tag for Defender |
OMA-URI | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group |
Data type | String |
Value | scloud |
The tag appears on the device card in the Microsoft Defender portal after the next sync. Note that a tag written this way is managed by the policy: it cannot be removed in the Defender portal, only by changing or removing the profile.
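The dynamic group from Step 2 and the Custom profile from Method A can also be created with the Microsoft Graph PowerShell SDK. The script below is an added example and not the author's code: it builds the membership rule from the tag name, creates the `windows10CustomConfiguration` profile with the single `omaSettingString` from the table above, and assigns it to the group. The tag `scloud`, the group name and the profile name are assumptions; adjust them to your tenant.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph SDK
# and an account with Group.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement

$Tag       = 'scloud'                       # your Autopilot Group Tag (assumption)
$GroupName = "Autopilot-GroupTag-$Tag"      # assumed group name
$MaxTagLen = 200                            # MDE limit for DeviceTagging/Group

if ($Tag.Length -gt $MaxTagLen) { throw "Tag '$Tag' exceeds $MaxTagLen characters." }

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# 1) Dynamic device group with the same rule as in the guide, built from $Tag.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $rule  = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$Tag`"))"
    $group = New-MgGroup -DisplayName $GroupName `
        -Description "Autopilot devices with Group Tag $Tag" `
        -MailEnabled:$false -MailNickname ($GroupName -replace '[^a-zA-Z0-9]', '') `
        -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

# 2) Custom profile (Method A) with exactly one OMA-URI string setting.
$configBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = "Group-Tag for Defender ($Tag)"
    description   = 'Sets the Defender for Endpoint device tag (one tag per device)'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Group Tag for Defender'
            omaUri        = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group'
            value         = $Tag
        }
    )
}
$config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $configBody

# 3) Assign the profile to the dynamic group so every tagged device receives it.
$assignmentBody = @{
    target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $group.Id
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $config.Id -BodyParameter $assignmentBody | Out-Null

"Group '$($group.DisplayName)' ($($group.Id)) -> profile '$($config.DisplayName)' ($($config.Id))"
```

The length check at the top mirrors the 200-character limit of the OMA-URI setting, and the membership rule is built from the same `$Tag` variable as the profile value, so the group and the Defender tag cannot drift apart when you later rename the tag.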
Method B Modern: Device Tagging rule
In the Defender portal open Settings ▸ Endpoints ▸ Device tagging and select Add tag rule. Target the Azure AD group from Step 2, set the tag and save. No Intune profile is needed, and a device can receive more than one tag this way.
Make an MDE device group
- Open Settings ▸ Endpoints ▸ Device groups ▸ + Add device group.
- Enter a name and description.
- Under the device rules, set Tag equals `scloud`.
- Attach policies such as a Web Content Filter to this group.
License note: Device groups work in Plan 1 and Defender for Business starting April 2024.
Troubleshooting
Issue | Fix |
---|---|
Tag does not show up | Sync the device in Intune, then check mdmDiagnostics.html under C:\ProgramData\Microsoft\MDMDiagnostics and the registry value Group under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging. If the value is there but the portal shows nothing, verify the device is onboarded to MDE. |
Need more than one tag | Switch to Device Tagging rules or Intune Filters; the OMA-URI setting holds a single tag. |
Dynamic group stays empty | Check the query spelling and the exact tag value. Tags are case sensitive, and new members appear only after the next membership evaluation. |
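To take the guesswork out of the first troubleshooting row, here is an added check script (not the author's code) to run as administrator on the Windows device. It reads the tag the policy wrote to the documented MDE registry location, checks that the Sense service is running and the device is onboarded, and optionally kicks off an Intune sync via the enrollment scheduled task. The expected tag `scloud` is an assumption; the registry paths are the ones Microsoft documents for MDE.

```powershell
# Added example (not from the original post). Run elevated on the target device.
param(
    [string]$ExpectedTag = 'scloud',   # tag from the Intune profile (assumption)
    [switch]$TriggerSync               # start the Intune "PushLaunch" task afterwards
)

# Documented MDE registry locations: the policy-written tag and the sensor status.
$tagKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$tagOnDevice = (Get-ItemProperty -Path $tagKey    -Name Group           -ErrorAction SilentlyContinue).Group
$onboarded   = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$sense       = Get-Service -Name Sense -ErrorAction SilentlyContinue

$findings = [System.Collections.Generic.List[string]]::new()

if (-not $sense)                           { $findings.Add('MDE sensor (Sense service) is not installed on this build.') }
elseif ($sense.Status -ne 'Running')       { $findings.Add("Sense service is $($sense.Status); the tag cannot be reported until it runs.") }

if ($onboarded -ne 1)                      { $findings.Add('Device is not onboarded to Defender for Endpoint (OnboardingState <> 1).') }

if ([string]::IsNullOrEmpty($tagOnDevice)) { $findings.Add('No tag in the registry: the Custom profile has not applied yet. Sync the device and check mdmDiagnostics.') }
elseif ($tagOnDevice -cne $ExpectedTag)    { $findings.Add("Tag on device is '$tagOnDevice', expected '$ExpectedTag' (compared case-sensitively).") }

[pscustomobject]@{
    SenseService    = if ($sense) { $sense.Status } else { 'missing' }
    OnboardingState = $onboarded
    TagOnDevice     = $tagOnDevice
    ExpectedTag     = $ExpectedTag
    Healthy         = ($findings.Count -eq 0)
    Findings        = $findings -join ' | '
} | Format-List

if ($TriggerSync) {
    # The Intune MDM enrollment registers a "PushLaunch" task; starting it forces a sync
    # without waiting for the next scheduled check-in.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -eq 'PushLaunch' -and $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if ($task) { Start-ScheduledTask -InputObject $task; 'Intune sync triggered.' }
    else       { 'No Intune enrollment task found; is the device MDM-enrolled?' }
}
```

Run it as `.\Check-MdeTag.ps1 -ExpectedTag scloud -TriggerSync` (assumed file name). A device that reports the correct tag but `OnboardingState` other than 1 explains the common case where Intune shows the profile as "Succeeded" while the Defender portal still shows no tag.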
FAQ (2025)
Can I change the tag later?
Yes. Update the Autopilot entry, the profile or the tagging rule. The old tag may stick until the next device sync, and a tag written by the OMA-URI profile can only be changed or removed through that profile, not in the Defender portal.
Does this work on macOS or iOS?
No. The OMA URI setting is Windows only. Tag other platforms directly in the Defender portal or with a Device Tagging rule.
Do I need Azure AD P1?
You need it only for dynamic groups. Static groups work without it.