Introduction
In May, Microsoft introduced Filters in Endpoint Manager. Many would go with a device-centric approach instead of a user-centric approach, as one would normally do in Configuration Manager.
So how can filters help us?
Filters let you assign policies and apps to users and then control which device types, OS versions, hardware models and much more they apply to.
Why would I use such an approach? Because it will be much easier for your organisation to shift hardware, as the policies now follow the user and not the device. There is no need to create tons of dynamic Azure AD groups to target the correct policies, an approach that has proven to be slow in larger environments. There are many other reasons, but I will stop here as the post is about how to use filters actively in your environment.
At the bottom of this post, I share the filters that I use. I will add more to this post as I discover more use cases and needs for filter rules.
Feedback goes into this link:
https://forms.office.com/r/ibB4tf6CAz
Are you afraid to use preview features in a production environment?
Don’t be, Microsoft has you fully supported:
Public preview overview in Microsoft Intune – Azure | Microsoft Docs
Requirements
- Microsoft Endpoint Manager
Filters work on the following platforms:
To see which policy and app types are supported, go to this link:
Platforms and policy types supported by filters in Microsoft Intune – Azure | Microsoft Docs
Enable Filters (Preview)
Sign in to Endpoint Manager as an Intune Administrator.
Press Tenant administration
Choose Filters (preview)
Click the red text
Turn on Filters (preview) and press OK.
3 ways to create a filter
Sign into Endpoint Manager
Tenant administration -> Filters (preview)
Devices -> Filters (preview)
Apps -> Filters (preview)
Let’s create a filter
Sign into Endpoint Manager
Press create
Give it a filter name
Give it a description
And finally choose the platform for the filter to apply. (It is important to choose the correct platform, because it will only be available to use on the chosen platform when we assign it in a minute.)
For this filter to work, we will specify the osVersion property with the StartsWith operator and the value 10.0.18363
Click Create
Use filter on assignment
Sign into Endpoint Manager
Choose one of your configuration profiles
Edit
Edit Filter
Choose whether you want to include or exclude the filter applied.
Note! You can only choose 1 filter.
Press select
Press Review + save
Now keep an eye on your devices and see how the filter works
This means the filter matches the device OS level and will therefore apply as it is in “Include” mode.
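The include and exclude behaviour described above can be checked offline against a device inventory before a filter is assigned. The following is an added example, not part of the original post and not Intune's own evaluator: a simplified Python model of the rule syntax used on this page. The device names and inventory values are constructed, and case-insensitive matching and flat `and`/`or` rules without nesting are assumptions.

```python
import re

# One clause: (device.<property> -<operator> "value" or ["a", "b"]); straight quotes only.
CLAUSE = re.compile(r'\(device\.(\w+)\s+-(\w+)\s+(\[.*?\]|".*?")\)')
OPS = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "startswith": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
    "in": lambda have, want: have in want,  # want is a list here
}

# Constructed sample inventory, not real devices.
DEVICES = [
    {"name": "PC-01", "osVersion": "10.0.18363.1556",
     "manufacturer": "Lenovo", "model": "ThinkPad T14"},
    {"name": "PC-02", "osVersion": "10.0.19042.985",
     "manufacturer": "Hewlett-Packard", "model": "EliteBook 840"},
    {"name": "PC-03", "osVersion": "10.0.19043.1052",
     "manufacturer": "Microsoft", "model": "Cloud PC Enterprise 2vCPU"},
]

def parse_value(raw):
    """Quoted string -> str, bracketed list -> list; lower-cased (assumption)."""
    items = [s.lower() for s in re.findall(r'"(.*?)"', raw)]
    return items if raw.startswith("[") else items[0]

def matches(rule, device):
    """True if the device satisfies a flat rule of clauses joined by and / or."""
    def clause(m):
        have = str(device.get(m.group(1), "")).lower()
        return "T" if OPS[m.group(2).lower()](have, parse_value(m.group(3))) else "F"
    flat = CLAUSE.sub(clause, rule.strip())
    # Anything left over (curly quotes, typos, nesting) is rejected, not ignored.
    if not re.fullmatch(r"[TF]( (and|or) [TF])*", flat):
        raise ValueError(f"could not parse rule: {flat!r}")
    return any(all(t == "T" for t in part.split(" and ")) for part in flat.split(" or "))

def targeted(rule, mode):
    """Names of devices that get the assignment; mode is 'include' or 'exclude'."""
    hits = [matches(rule, d) for d in DEVICES]
    return [d["name"] for d, hit in zip(DEVICES, hits) if hit == (mode == "include")]

if __name__ == "__main__":
    rule = '(device.osVersion -startsWith "10.0.18363")'
    print("include:", targeted(rule, "include"))
    print("exclude:", targeted(rule, "exclude"))
```

A rule pasted with typographic quotes raises `ValueError` in this model instead of silently matching nothing, which is the failure to look for when a copied rule does not behave as expected.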
Filters that I use in my environment
Device properties and what they are:
Supported filter device properties and operators in Microsoft Intune – Azure | Microsoft Docs
Windows 10
| Query | Purpose |
|---|---|
| (device.osVersion -startsWith "10.0.17763") | Filter on all your 1809 Windows versions |
| (device.osVersion -startsWith "10.0.18363") | Filter on all your 1909 Windows versions |
| (device.osVersion -startsWith "10.0.19041") | Filter on all your 20H1 Windows versions |
| (device.osVersion -startsWith "10.0.19042") | Filter on all your 20H2 Windows versions |
| (device.osVersion -startsWith "10.0.19043") | Filter on all your 21H1 Windows versions |
| (device.operatingSystemSKU -ne "Holographic") and (device.operatingSystemSKU -eq "Enterprise") | You have HoloLens in your environment, users log on to them, and you do not want the assignment to apply to that platform. See all the SKUs in the link above |
| (device.manufacturer -eq "Lenovo") | You only need to include or exclude device manufacturer Lenovo |
| (device.manufacturer -eq "Microsoft") | You only need to include or exclude device manufacturer Microsoft |
| (device.manufacturer -in ["HP", "Hewlett-Packard"]) | You only need to include or exclude device manufacturer HP |
| (device.manufacturer -eq "Dell") | You only need to include or exclude device manufacturer Dell |
| (device.model -in ["Latitude 5540", "Latitude 5550"]) | Specific models to include or exclude |
| (device.enrollmentProfileName -startsWith "AutoPilot") | If you need policies to apply to devices enrolled with a specific Autopilot profile name |
| (device.model -contains "Cloud PC") | Filter on all Windows 365 devices |
iOS/iPadOS
| Query | Purpose |
|---|---|
| (device.deviceOwnership -eq "Personal") | Include or exclude only personal devices |
| (device.deviceOwnership -eq "Corporate") | Include or exclude only corporate devices |
| (device.deviceOwnership -eq "Unknown") | Include or exclude only Unknown devices |
| (device.enrollmentProfileName -eq "iPad shared devices") | If you need policies to apply to devices enrolled with a specific profile name |
I currently do not have any Macs where I need filters, and the same goes for Android devices.
If you have conflicting assignments for the same policy, see:
Filter reports and troubleshooting in Microsoft Intune – Azure | Microsoft Docs
Summary
Hope this post helped clarify what filters can be used for and how to use a user-centric approach in your organization.
Happy testing!
Sources:
Create filters in Microsoft Intune – Azure | Microsoft Docs
Supported filter device properties and operators in Microsoft Intune – Azure | Microsoft Docs
Platforms and policy types supported by filters in Microsoft Intune – Azure | Microsoft Docs
Filter reports and troubleshooting in Microsoft Intune – Azure | Microsoft Docs
Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/