Manage Defender for Endpoint device tags through Azure Automaton DSC

Another day I was playing around again with the Azure Desired State Configuration feature, and I wanted to test out Defender for Endpoint device tagging through Desired State. I wanted to tag my servers based on the Active Directory tier level.

Here is my example OU structure

In this case, I have three different tiers – 0, 1 and 2. If the server is under the correct OU, it will be tagged based on the OU path.

You can crab my DSC configuration from here – AzureAutomation/TagMDEServerTierLevel.ps1 at main ยท Kaidja/AzureAutomation (

Currently, you can configure only one tag through the registry. It takes some time before the tag shows up in the Defender for Endpoint portal.

PS! Please test and verify the code before using it.

Our notes about #printnightmare zero-day and Kaseya
Audit Active Directory Certificate Services using Azure Sentinel
Need more information?
Need more information?
  • This field is for validation purposes and should be left unchanged.