Device tags by setting a registry key value (Part2) using GPO

Hi There! in my previous blog Part1 I explained how we could tag devices in MDE using Manual and API, in this blog I will be taking you through how to tag devices using GPO.

GPO tagging is applicable only on the following

Windows 11
Windows 10, version 1709 or later
Windows Server, version 1803 or later
Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2 SP1
Windows 8.1
Windows 7 SP1

And the maximum number of characters that can be set in a tag is 200

Using GPO it is easy to target the machines in specific OU if you segregate the machines as per the location or department.

How to Create a GPO for tagging

Step 1: From the Group Policy Management, Navigate to Group Policy Object Right-Click and select New to create the GPO

Step 2: Provide a name for the new GPO and tap on OK to create the GPO

Step 3: Once a new GPO got created Right-Click on the GPO and select Edit to edit the settings

Step 4: Navigate to Preferences in Computer configuration, from there expand Windows Settings and Right-Click on Registry and select new, and tap on Registry Item to add the registry value

Step 5: In the General, Tab select Create in action tab which will create a new registry key, if you need to add a new value select Add instead of Create.

Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Value Name: Group
Value Type: REG_SZ
Value Data: Name of the tag you want to set (Endpoint)

*Note
The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report.

If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.

Step 6: Tag the policy to the OU which you want the tags to be deployed in my case I had tagged the GPO to device OU, Right-Click on the OU you want to tag, and select Link an Existing GPO

Step 7: Select the GPO and Tap ok to link the GPO

This will tag the GPO to the device under the OU and the machines will get the GPO settings ( you have to wait for replication according to your AD structure ) once the GPO settings are applied on the Device this will create a value under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\

You can see the device tag is updated in the security center Link

You can see device clientpc-i have the TAG endpoint added

But personally, I had faced challenges while removing the tag sometimes it's not working as expected or it take longer time to get removed. 

Reference

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058