Skip to content
Defender Scope Tag Intune
Home » Defender for Endpoint Scope tag via Intune

Defender for Endpoint Scope tag via Intune

In Defender for Endpoint and for Business you cannot use groups or group tags from Intune / Autopilot for views and, for example, the web filter. You have to create your own for this.
In this article I will show you how you can use the Autopilot Group tag via Intune in Defender.

With the Defender for Business you can assign the scope tags and use them for views, but unfortunately you cannot create MDE groups.

Table of Contents

Assign Autopilot Group tag

If your devices don't already have a group tag, you can assign one to them in Intune:
Intune > devices > Windows > Windows enrollment > devices

Autopilot Group tag

This group tag persists even if you reset a device. You just can't delete it from the Autopilot list.

Dynamic autopilot group

In order to have all devices with a specific group tag in one group, we create a dynamic group that queries exactly this group tag.

The query is: (device.devicePhysicalIds -any (_ -eq "[OrderID]:scloud"))
(Replace "scloud" with your group tag.)

Dynamic Security Group
Security Group Query

Setup Intune Scope Tag

This step is not absolutely necessary, but if you want to see the tags consistently everywhere, I recommend it.
With the Intune Scope tags, you also have the option of setting permissions for individual device groups and policies. For example, you can only give a supporter permissions for a certain department. He will not see all other devices and policies.

Scope tags are created under:
Intune > Tenant administration > roles > scope tags > + Create

We now give this the same name as before. In my case "scloud".
We also assign the created dynamic group. Our devices with the corresponding autopilot group tag are automatically given the scope tag.

Create Intune Scope Tag
Assign Intune Scope Tag

After assignment, it takes a little while for the scope tag to be assigned. But once it is, you'll see this on the device object:

Scope tag on Intune Device

Policy for distributing the tag to the devices

In Intune we now create a custom policy with an OMA-URI. This then assigns the tag to the device locally, from where it can in turn be used in Defender for Endpoint / Business.
Attention: You can only define one tag per device.

Intune > devices > Windows > Configuration profiles > + Create profiles (Windows 10, Templates, Custom)

Enter a meaningful name here and add the following OMA-URI. At the "Value" you insert your group tag.

Intune, Custom OMA-URI profile
Intune, Profile name
Intune, Custom OMA URI

You now assign the policy to the previously created dynamic group.

Intune, profile assignment
NameGroup tag
DescriptionGroup tag for Defender
ORA Uri./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
Data typeString

With a little patience, the tag will appear in the Security Center's device overview:

MDE tags

Create MDE group based on tag

Now that we finally have the tag in Defender, we can create a group for it.
This group can then be used for web filter policies, for example.
This step is not possible with the Defender for Business (Microsoft 365 Business Premium) license.

MDE > Settings > endpoints > Device groups > + Add device group

Create MDE Group
MDE Group query

🏁 And that's it, now you have the tag from Autopilot to Intune to the Security Center / MDE.

1 thought on “Defender for Endpoint Scope-Tag via Intune”

  1. Pingback: Defender for Endpoint - Web Filters | scloud

Leave a Reply

Your email address will not be published. Required fields are marked *

de_CH DE
de_CH DE
en_US EN
Exit mobile version