In Defender for Endpoint and for Business you cannot use groups or group tags from Intune / Autopilot for views and, for example, the web filter. You have to create your own for this.
In this article I will show you how you can use the Autopilot Group tag via Intune in Defender.
With the Defender for Business you can assign the scope tags and use them for views, but unfortunately you cannot create MDE groups.
Table of Contents
- Assign Autopilot Group tag
- Dynamic autopilot group
- Setup Intune Scope Tag
- Policy for distributing the tag to the devices
- Create MDE group based on tag
Assign Autopilot Group tag
If your devices don't already have a group tag, you can assign one to them in Intune:
Intune > devices > Windows > Windows enrollment > devices
This group tag persists even if you reset a device. You just can't delete it from the Autopilot list.
Dynamic autopilot group
In order to have all devices with a specific group tag in one group, we create a dynamic group that queries exactly this group tag.
The query is: (device.devicePhysicalIds -any (_ -eq "[OrderID]:scloud"))
(Replace "scloud" with your group tag.)
Setup Intune Scope Tag
This step is not absolutely necessary, but if you want to see the tags consistently everywhere, I recommend it.
With the Intune Scope tags, you also have the option of setting permissions for individual device groups and policies. For example, you can only give a supporter permissions for a certain department. He will not see all other devices and policies.
Scope tags are created under:
Intune > Tenant administration > roles > scope tags > + Create
We now give this the same name as before. In my case "scloud".
We also assign the created dynamic group. Our devices with the corresponding autopilot group tag are automatically given the scope tag.
After assignment, it takes a little while for the scope tag to be assigned. But once it is, you'll see this on the device object:
Policy for distributing the tag to the devices
In Intune we now create a custom policy with an OMA-URI. This then assigns the tag to the device locally, from where it can in turn be used in Defender for Endpoint / Business.
Attention: You can only define one tag per device.
Intune > devices > Windows > Configuration profiles > + Create profiles (Windows 10, Templates, Custom)
Enter a meaningful name here and add the following OMA-URI. At the "Value" you insert your group tag.
You now assign the policy to the previously created dynamic group.
| Name | Group tag |
| Description | Group tag for Defender |
| ORA Uri | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group |
| Data type | String |
| Value | scloud |
With a little patience, the tag will appear in the Security Center's device overview:
Create MDE group based on tag
Now that we finally have the tag in Defender, we can create a group for it.
This group can then be used for web filter policies, for example.
This step is not possible with the Defender for Business (Microsoft 365 Business Premium) license.
MDE > Settings > endpoints > Device groups > + Add device group
🏁 And that's it, now you have the tag from Autopilot to Intune to the Security Center / MDE.
EN
Pingback: Defender for Endpoint - Web Filters | scloud