Filters were introduced to Intune around mid 2021 and for some reason have mainly escaped me up to this point. I like many have used Dynamic groups as the default approach when needing to narrow down the assignment of compliance policies, configuration profiles and applications. Filters however bring a number of welcome improvements to the table we will go through in this blog.
Filters introduce a way of applying advanced targeting and in some scenarios performance benefits to help you replace the use of dynamic group assignment. When it comes to defining and applying Filters you typically need to make the right architectural decisions for your own Intune deployments but filters add a new layer of targeting definitely worth considering. The natural way of structuring your users and devices hasn’t changed by creating Azure Active Directory ‘Groups’. By creating these you are defining a hierarchy and structure that reflects your organisation which may be through specific teams of people such as the ‘Sales team‘ or device types ‘Windows 11 devices‘. These are still relevant and provide the baseline for assignment to your applications, policies and profiles. For each of these groups where Microsoft have added the option for filters, you now have the ability to narrow the assignment scope that best fits your needs.
We do need to mention ‘Virtual Groups‘ as these include ‘All users‘ and ‘All devices‘ and by default they don’t have any management overhead meaning there is no need to first create or make changes for these. Its worth noting that every time you create a new group (one that has never been used before in an Intune assignment) they go through a first-time setup process together with a membership sync. This first sync will always take longer than subsequent (incremental) syncs. The upside to these virtual groups is that they are stable and highly optimized for assignment. The use of these may be few and far between so most admins will break down all users and all devices into sub groups. As a result the groups you create need to be synchronized from Azure AD and evaluated for assignment. And therein lies the major benefit for me, the performance of assignment. I have seen technical community requests for information when it comes to dynamic group assignment for example. The underlying issue is it sometimes takes longer than expected especially on larger group assignments to verify the members that apply to the dynamic groups which can then delay an app or policy being deployed or even delay an enrolment.
How to Filters work
As mentioned filters give you the ability to narrow the assignment scope and add granularity to Intune policies, profiles and applications applied to:
- Android device administrator
- Android Enterprise
- Windows 10/11
Example scenarios might be:
- To add a filter which targets devices with a specific OS version or even manufacturer.
- Deploy an application policy to an Android device to all users and exclude Samsung devices
- Deploy a compliance policy to all devices and exclude devices registered with a specific device category.
Other key benefits of Filters for me include the flexible and the reusable way they can be applied. I also prefer the ability to create and maintain Filters seperately outside of the main Groups admin page making them easier to manage compared to dynamic groups. You can find Filters by navigating on the Microsoft Endpoint Management portal multiple ways. These being:
Home > Tenant administration > Filters
Home > Devices > Filters
Home > Apps > Filters
On the Filters pane click ‘Create‘ then supply the:
Description of the filter:
On the next screen this is where you can use the available rule builder to create the granular assignment rules. Rules can be made up of ‘Device properties’. The properties currently available include:
deviceName / manufacturer / model / DeviceCategory / deviceOwnership / enrolmentProfileName or operatingSystemSKU as shown below.
Properties are assigned using the operator options which are:
Equals / NotEquals / In / NotIn / StartsWith / NotStartsWith / Contains or NotContains
You build up your multiple rules by clicking the ‘+ Add Expression‘ link on the page if this is neccessary for your assignments. A scenario might be two rules containing
osVersion is (device.osVersion -startsWith “10.0.18362”) and (device.model -startsWith “Surface Book”).
Where appropriate you can also create complex as well as simple rules where common operators such as And /Or
and the format is similar Azure AD dynamic groups: ([entity].[property name] [operation] [value]).
The beauty of Filters admin page also means you can preview which devices you are targeting by selecting the ‘Preview devices‘ option on the page. This is handy specifically where you are targeting specific devices and want to check it includes the likely machines.
When finished proceed to the review and create page and click ‘Create‘. You now have a filter you can use and reuse to narrow your assignments of profiles, policies and apps.
Your next step is make use of this Filter and as we already mentioned this is now reusable for any scenario this filter may apply to. If you have multiple deployments where say you only want to target Windows 10 rather than windows 11 devices you can make use of this multiple times.
Remember: It is advisable to make use of the virtual groups especially where you have many devices to deploy to. This is where you can benefit from the performance gains and Filters in this case are better than dynamic groups although dynamic groups at this stage do have more properties available to use so performance is only one factor to consider in your decisions particulaly where you have a smaller estate of devices.
With Filters, you can filter devices that are either in or out of that assignment based on the device properties defined. Filtering is high performance, low latency applicability evaluation at device check-in without any need to pre-compute. The process followed is:
- You create a reusable Filter for any platform based on some device properties. In the example above we used the filter to Windows 10 devices.
- You assign a policy or app to the group. In the assignment, you add the filter in include or exclude mode. For example, you “include” Windows 10 devices, or you “exclude” Windows 11 devices from the policy.
- The filter is evaluated when the device either enrolls or next checks in with the Intune service, or at any other time a policy evaluates.
- You see the filter results based on the evaluation. For example, the app or policy applies, or they don’t apply.
Filters add a new flexible and reusable way of assigning policies, profiles and apps to user or device groups. In many cases they can be used to replace dynamic group assignment. Where possible make use of virtual groups (‘All Users’ or ‘All Devices’) and add filters to narrow down the assignment. Both of these virtual groups as well as Filters are Intune constructs meaning the ongoing syncronisation between Azure AD and Intune is not needed. The applicablibilty of Filters allows devices to be evalauted for assignment dynamically during check-in or enrollment which may avoid sync bottlenecks and prevent a backlog of device assignments affecting your deployments.
Thanks for reading and please reach out with any questions and Ill try to answer with the best of my knowledge or help with your knowledge building.
Thanks, this has helped me. Well explained.