Mastering Microsoft Defender for Endpoint Device Group Ranking
When managing a large organization’s endpoints in Microsoft Defender for Endpoint (MDE), defining clear and logical device group rules is key for efficient threat monitoring and response.
This post explores how device group ranking works — using a fresh scenario involving a company with multiple branch locations and diverse operating systems.
If you’re preparing for the MS-102 or MD-102 certification, this example will help you clearly understand how devices are automatically categorized during onboarding.
Scenario: Northwind Traders and Defender Device Groups
Northwind Traders is a global company using Microsoft Defender for Endpoint to manage security across Windows, macOS, and server devices.
They’ve defined the following device groups to automatically organize devices when they are onboarded:
| Group Name | Rank | Membership Rule |
|---|---|---|
| Group-A | 1 | Device name contains “NYC” |
| Group-B | 2 | Operating system is Windows 11 |
| Group-C | 3 | Operating system is Windows Server 2022 |
| Ungrouped Machines (default) | Last | No criteria – fallback group |
The rank determines priority: Rank 1 is evaluated first, Rank 2 next, and so on, so a lower rank number means higher priority.
A device is added to the first group whose membership rule it matches, and it belongs to exactly one group.
Devices Being Onboarded
The following computers are about to be added to Microsoft Defender for Endpoint:
| Device Name | Operating System |
|---|---|
| HR-NYC-01 | Windows 11 |
| FIN-TOR-02 | Windows Server 2022 |
| ENG-NYC-03 | Windows Server 2022 |
| MKT-TOR-04 | macOS Ventura |
Your goal: determine which device group each will belong to once Defender onboarding is complete.
Step 1: Evaluate Each Device
1. HR-NYC-01
- Name contains “NYC” → ✅ Matches Group-A
- Also runs Windows 11 → ✅ Matches Group-B
🧠 Which wins?
Since Group-A has Rank 1 and Group-B has Rank 2, the device is assigned to the higher-ranked (lower number) group.
📘 Final Group: Group-A
2. FIN-TOR-02
- OS = Windows Server 2022 → ✅ Matches Group-C
- Name doesn’t include “NYC” → ❌ No match for Group-A
- OS ≠ Windows 11 → ❌ No match for Group-B
📘 Final Group: Group-C
3. ENG-NYC-03
- OS = Windows Server 2022 → ✅ Matches Group-C
- Name contains “NYC” → ✅ Matches Group-A
🧠 Again, Group-A has the higher priority (Rank 1), so it wins even though the device also matches Group-C.
📘 Final Group: Group-A
4. MKT-TOR-04
- OS = macOS Ventura → ❌ No match for any rule
- Name does not include “NYC” → ❌ No match
📘 Final Group: Ungrouped Machines (Default)
Step 2: Review Final Assignments
| Device Name | Operating System | Assigned Group |
|---|---|---|
| HR-NYC-01 | Windows 11 | Group-A |
| FIN-TOR-02 | Windows Server 2022 | Group-C |
| ENG-NYC-03 | Windows Server 2022 | Group-A |
| MKT-TOR-04 | macOS Ventura | Ungrouped Machines |
Step 3: Understanding Why Ranking Matters
When multiple group conditions are true for a single device, Defender for Endpoint evaluates from top to bottom — based on Rank order.
As soon as a match is found, that device is placed in that group, and no further evaluation occurs.
This ensures consistent grouping behavior: a device never ends up in two groups at once, so the role-based access permissions and the automated investigation and remediation level attached to its group apply without ambiguity.
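The evaluation in Steps 1 to 3, as an added Python example (not code from Microsoft or from the original post): it models the three Northwind rules plus the default fallback, applies first-match in rank order, reports which lower-ranked groups were shadowed for each device, and shows what changes when Group-C is moved to rank 1. The case-insensitive name match, the unique-rank check and the `with_rank` helper are this example's own assumptions, not documented Defender behaviour.

```python
"""Model Defender for Endpoint device-group assignment: rank order, first match wins.

Added illustration; the rules and devices are the Northwind Traders scenario from the post.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

DEFAULT_GROUP = "Ungrouped Machines (default)"  # fallback with no rule, always last


@dataclass(frozen=True)
class Device:
    name: str
    os: str


@dataclass(frozen=True)
class DeviceGroup:
    name: str
    rank: int                       # 1 = evaluated first
    rule: Callable[[Device], bool]  # membership rule


# Assumption for this example: the "contains" name match is case-insensitive.
GROUPS: List[DeviceGroup] = [
    DeviceGroup("Group-A", 1, lambda d: "NYC" in d.name.upper()),
    DeviceGroup("Group-B", 2, lambda d: d.os == "Windows 11"),
    DeviceGroup("Group-C", 3, lambda d: d.os == "Windows Server 2022"),
]

# Constructed input: the four devices being onboarded in the scenario.
DEVICES: List[Device] = [
    Device("HR-NYC-01", "Windows 11"),
    Device("FIN-TOR-02", "Windows Server 2022"),
    Device("ENG-NYC-03", "Windows Server 2022"),
    Device("MKT-TOR-04", "macOS Ventura"),
]


def ordered(groups: List[DeviceGroup]) -> List[DeviceGroup]:
    """Groups in evaluation order; duplicate ranks would make the order ambiguous."""
    ranks = [g.rank for g in groups]
    if len(set(ranks)) != len(ranks):
        raise ValueError(f"duplicate ranks: {sorted(ranks)}")
    return sorted(groups, key=lambda g: g.rank)


def matching_groups(device: Device, groups: List[DeviceGroup]) -> List[str]:
    """Every group whose rule the device satisfies, in rank order (the first one wins)."""
    return [g.name for g in ordered(groups) if g.rule(device)]


def assign_group(device: Device, groups: List[DeviceGroup]) -> str:
    """First match wins: stop at the highest-ranked group whose rule is true."""
    for group in ordered(groups):
        if group.rule(device):
            return group.name
    return DEFAULT_GROUP


def assign_all(devices: List[Device], groups: List[DeviceGroup]) -> Dict[str, str]:
    """Map each device name to the group it will land in."""
    return {d.name: assign_group(d, groups) for d in devices}


def with_rank(groups: List[DeviceGroup], group_name: str, new_rank: int) -> List[DeviceGroup]:
    """Hypothetical helper: move one group to a new position and renumber ranks 1..n,
    the way reordering groups in the portal does."""
    current = ordered(groups)
    target = next((g for g in current if g.name == group_name), None)
    if target is None:
        raise ValueError(f"unknown group: {group_name}")
    rest = [g for g in current if g.name != group_name]
    rest.insert(new_rank - 1, target)
    return [DeviceGroup(g.name, i, g.rule) for i, g in enumerate(rest, start=1)]


if __name__ == "__main__":
    for device in DEVICES:
        hits = matching_groups(device, GROUPS)
        shadowed = f"  (also matched: {', '.join(hits[1:])})" if len(hits) > 1 else ""
        print(f"{device.name:<11} {device.os:<20} -> {assign_group(device, GROUPS)}{shadowed}")
    # Promote Group-C to rank 1: the NYC server now lands in Group-C, HR-NYC-01 stays in Group-A.
    print(assign_all(DEVICES, with_rank(GROUPS, "Group-C", 1)))
```

Once the devices are actually onboarded, confirm the real placement in the portal's device inventory or with an advanced hunting query over the DeviceInfo table, whose MachineGroup column records the group each device was placed in.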
Step 4: Where to Configure Device Groups
You can create and manage device groups in the Microsoft Defender portal (security.microsoft.com):
Settings → Endpoints → Permissions → Device groups
From here, you can:
- Add membership rules based on device name, domain, tag, or operating system.
- Reorder groups to change their rank; the Ungrouped group always stays last.
- Assign Microsoft Entra user groups to each device group so that only the responsible security team can see and act on those devices (role-based access control), and set the group's automated investigation and remediation level.
- Match on device tags in membership rules; tags can be set in the portal, through the DeviceTagging registry value on the endpoint, or pushed by an Intune configuration policy.
Remember to apply the changes after editing: already-onboarded devices are re-evaluated against the new rules, not only devices onboarded afterwards.
Practical Use Case
Let’s say Northwind Traders has different security operations teams by region:
- The New York SOC handles all devices whose names contain “NYC.”
- The Infrastructure team monitors all Windows Server 2022 systems.
- The Security compliance team oversees devices that don’t meet other criteria.
With ranked grouping:
- Regional devices take priority (e.g., NYC machines).
- OS-based groups catch remaining servers.
- Unclassified devices fall into the default group.
This structure keeps each team's device list and incident queue scoped to what it owns, because the permissions granted on a device group determine which devices and alerts that team can see.
Key Concepts Recap
| Feature | Description |
|---|---|
| Rank | Determines the order of rule evaluation (1 = highest priority). |
| Membership Rules | Define criteria for grouping (OS, name, tag, domain). |
| First Match Wins | The first group that meets the condition assigns the device. |
| Default Group | Devices that match no rule appear under “Ungrouped Machines.” |
| Device Tags | Tags set in the portal, through the DeviceTagging registry value, or by an Intune policy can be used as membership criteria. |
Exam Tip
For Microsoft 365 exams like MS-102 or MD-102, always remember:
- Device group assignment follows rank priority.
- The first matching condition is the one applied.
- Ungrouped Machines act as a fallback group.
If two or more groups could apply, the lower rank number wins — a common trick question on the exam.
Summary
In our Northwind Traders example:
- HR-NYC-01 → Group-A (name rule wins)
- FIN-TOR-02 → Group-C (server rule wins)
- ENG-NYC-03 → Group-A (name rule wins)
- MKT-TOR-04 → Ungrouped Machines (no match)
Understanding ranking logic ensures your devices are correctly grouped for security monitoring, role-based access, and incident management within Microsoft Defender for Endpoint.

