Microsoft recently added a new preview feature “Filters” to Intune that enables you as an Intune Admin to have better control over policy assignments. This post runs you through a quick overview of the new feature.
Intune new feature in Preview – “Filters”
The new “Filters” functionality enables you as an Intune Admin to fine-tune your policy assignments (apps, compliance policies, and configuration profiles).
For example, you can use filters to target devices with a specific OS version or a specific manufacturer, target only personal devices or only organization-owned devices, and more.
This “Filters” functionality applies to all the platforms that MEM Intune supports, as listed below:
- Android device administrator
- Android Enterprise
- iOS/iPadOS
- macOS
- Windows 10 and newer
How the new feature works is already documented here.
Note that not all the policy settings in MEM Intune have support for this new feature yet!
For example, you cannot use the filtering functionality for Windows 10 Update Ring policies or PowerShell script deployments as of now.
Check the MS documentation to learn more about features that don’t support using filters (yet!).
Enable the new “Filters” feature for your tenant
The new “Filters” feature is not enabled for the tenant by default. An Intune Administrator needs to enable the new feature for the tenant.
If you are an Intune Administrator, you need to
- log in to MEM Admin Center,
- navigate to Tenant Administration > Filters (preview)
- click on the Try out the filters (preview) feature! notification that is displayed
- A flyout pane will appear from the right side of the browser window. Toggle the Filters (preview) feature to Enabled (ON) state and click on Apply.
- The new “Filters” feature will now be enabled for the tenant.
Create your “Filters” for Policy Assignments
Once you have the “Filters” feature enabled for the tenant, you can create your own filters as per your requirements and then use them for your policy assignments.
To create a new Filter
- Navigate to Tenant Administration > Filters (preview) and click on Create.
- Give a meaningful name for the filter you are creating.
- Select the platform for which the filter is being created and click on Next.
- Next, you get the section to build the rules for the filter. You can use the UI-based Rule builder or use the Rule syntax to manually enter your custom rule expression for the filter. This is similar to how you create expressions for Azure AD dynamic groups.
Above, you can see me creating a filter for a particular device make/model Asus ROG Strix as an example. Similarly, if you have Surface Pro X in your environment which is ARM based and runs Windows 10 on ARM edition, you can easily create a filter for the make/model for policy assignment exclusion/inclusion.
- Complete the wizard to create the filter with the rule as per requirement.
You can find all the filters created from Tenant Administration > Filters (Preview).
Use of “Filters” for Policy Assignment
As an example, below you can see me using the “Filters” feature to exclude Asus ROG devices from the MSI app assignment, which is assigned to All devices.
Once you have selected the filter and filter mode for the Assignment, it will reflect the name of the filter and whether the devices in the filter will be included or excluded.
Once the assignment is done, devices are evaluated against the filter to check if the policy is applicable. The results of the filter evaluations are logged and reported in the Microsoft Endpoint Manager Admin center.
Check this MS documentation to learn about how filter evaluation is reported in MEM Admin Center.
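To see which devices an assignment would skip before you apply a filter, the sketch below dry-runs a rule against an inventory list and applies the Include/Exclude mode described above. It is an added example, not Microsoft's evaluation engine or code from the original post. Assumptions: the sample rule text, device names and property values are constructed; only flat rules with -eq, -ne, -startsWith and -contains are handled; string comparison is treated as case-insensitive.

```python
import re

# One clause of the rule syntax: (device.<property> -<operator> "<value>")
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-(\w+)\s+"([^"]*)"\s*\)')
OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "startswith": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
}

def clause_matches(clause, device):
    m = CLAUSE.fullmatch(clause.strip())
    if not m or m.group(2).lower() not in OPS:
        raise ValueError(f"unsupported clause: {clause!r}")
    prop, op, want = m.groups()
    have = str(device.get(prop, ""))  # a missing property compares as empty
    # Assumption: string comparison is case-insensitive.
    return OPS[op.lower()](have.lower(), want.lower())

def rule_matches(rule, device):
    # Assumption: "and" binds tighter than "or"; nested groups are not handled.
    groups = re.split(r"(?<=\))\s+or\s+(?=\()", rule.strip())
    return any(
        all(clause_matches(c, device)
            for c in re.split(r"(?<=\))\s+and\s+(?=\()", g))
        for g in groups
    )

def policy_applies(rule, mode, device):
    """Include: policy applies on Match. Exclude: applies on No match."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    matched = rule_matches(rule, device)
    return matched if mode == "include" else not matched

# Constructed sample rule and inventory (values are illustrative only).
RULE = ('(device.manufacturer -eq "ASUSTeK COMPUTER INC.") and '
        '(device.model -startsWith "ROG Strix")')
DEVICES = [
    {"name": "LAB-01", "manufacturer": "ASUSTeK COMPUTER INC.", "model": "ROG Strix G15"},
    {"name": "LAB-02", "manufacturer": "Microsoft Corporation", "model": "Surface Pro X"},
    {"name": "LAB-03", "manufacturer": "ASUSTeK COMPUTER INC.", "model": "ZenBook 14"},
]

def left_out(rule, mode, devices):
    """Names of devices the assignment would NOT reach."""
    return [d["name"] for d in devices if not policy_applies(rule, mode, d)]
```

Running `left_out` against an export of your real inventory shows which devices would fall outside a compliance or configuration policy once the filter is attached.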
Check Filter Evaluation Result for Config Policies
In the MEM Admin center, you can see the Filter evaluation report for config policies for a device by
- navigating to Devices > All Devices > select a device > Filter evaluation (preview)
Here you can see all the filters that were evaluated for this device. When you click on the Filter evaluated link for a particular filter displayed here, you will get the below information.
- Evaluation results – Match or No match
- Filter mode used – Include or Exclude
- Filter name, description, platform, and rules
- The properties that were evaluated for the device for this filter.
- Date and time of the filter evaluation.
Similarly you can also see the filter evaluation report for application deployments. Check here.
“Filters” Conflict Resolution
The use of filters in assignments can cause overlaps. An overlap occurs when a device is in multiple targeted assignments that have different filters or filter modes. Overlapping is not recommended, as it can cause conflicts.
The below image sourced from MS documentation shows the conflict resolution matrix
Wrap Up
This new functionality opens up a lot of possibilities for Intune Admins to have better control over policy assignments.