Device tags by setting a registry key value (Part2) using GPO
Updated: Jul 8, 2022
Hi There! in my previous blog Part1 I explained how we could tag devices in MDE using Manual and API, in this blog I will be taking you through how to tag devices using GPO.
GPO tagging is applicable only on the following
Windows 11 Windows 10, version 1709 or later Windows Server, version 1803 or later Windows Server 2016 Windows Server 2012 R2 Windows Server 2008 R2 SP1 Windows 8.1 Windows 7 SP1
And the maximum number of characters that can be set in a tag is 200
Using GPO it is easy to target the machines in specific OU if you segregate the machines as per the location or department.
How to Create a GPO for tagging
Step 1: From the Group Policy Management, Navigate to Group Policy Object Right-Click and select New to create the GPO
Step 2: Provide a name for the new GPO and tap on OK to create the GPO
Step 3: Once a new GPO got created Right-Click on the GPO and select Edit to edit the settings
Step 4: Navigate to Preferences in Computer configuration, from there expand Windows Settings and Right-Click on Registry and select new, and tap on Registry Item to add the registry value
Step 5: In the General, Tab select Create in action tab which will create a new registry key, if you need to add a new value select Add instead of Create.
Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\ Value Name: Group Value Type: REG_SZ Value Data: Name of the tag you want to set (Endpoint)
*Note The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report. If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
Step 6: Tag the policy to the OU which you want the tags to be deployed in my case I had tagged the GPO to device OU, Right-Click on the OU you want to tag, and select Link an Existing GPO
Step 7: Select the GPO and Tap ok to link the GPO
This will tag the GPO to the device under the OU and the machines will get the GPO settings ( you have to wait for replication according to your AD structure ) once the GPO settings are applied on the Device this will create a value under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
You can see the device tag is updated in the security center Link
You can see device clientpc-i have the TAG endpoint added
But personally, I had faced challenges while removing the tag sometimes it's not working as expected or it take longer time to get removed.