In this post we will explore Intune filters and use them in a use case.
Table of Contents
Intune Filters
So what are Intune filters. We can use them to filter devices based on specific rules and narrow the assignment scope of a policy or deployment. Take a look at the image below explaining the way they work.
Filters are available for:
- Devices enrolled in Intune, which are managed devices.
- Apps that are managed by Intune, which are managed apps (Android, iOS/iPadOS).
The platforms that are eligible for filter usage are shown below:
- Android device administrator
- Android Enterprise
- Android (AOSP)
- iOS/iPadOS
- macOS
- Windows 10/11
Filter creation
Now that we know what is a filter, let’s create one.
To do that first navigate to Intune portal and the Tenant Administration blade. There click Filters.
Click Create and select either Managed devices or Managed apps. In this example we will choose Managed devices.
Give a name and a description to the filter and select the platform to which it is going to be applied. Here we want to include or exclude Windows devices so we are going to select Windows 10 and later.
At the next step we have to configure the rule, that will be used to include or exclude devices.
As you can see we can use specific device properties and operators to populate the filter rule (such as deviceName and many more). More details can be found here. Let’s create a rule
In our example we want to exclude devices, whose name starts with “Test-“. Based on this criteria the rule is configured as shown below.
Clicking the preview button will show the devices that meet the filter criteria.
Finally review the configurations and create the filter.
Useful Filters
1) All Corporate Windows Devices = (device.accountEnabled -eq true) and (device.deviceManagementAppId -eq “0000000a-0000-0000-c000-000000000000”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”)
2) Corporate Windows 10 Devices = (device.accountEnabled -eq true) and (device.deviceManagementAppId -eq “0000000a-0000-0000-c000-000000000000”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.deviceOSVersion -startsWith “10.0.19”)
3) Corporate Windows 11 Devices = (device.accountEnabled -eq true) and (device.deviceManagementAppId -eq “0000000a-0000-0000-c000-000000000000”) and (device.deviceOwnership -eq “Company”) and (device.deviceOSType -eq “Windows”) and (device.deviceOSVersion -startsWith “10.0.22”)
Use case
To better understand how filters operate, let’s see the below use case.
In this use case we deploy an application (check how to prepare an application for deployment here) to a specific device group and we want to exclude specific test devices in order to conduct some tests. Of course for this kind of actions, we could exclude a group containing the test devices, but for demonstrating purposes let’s use filters.
As we can see no filters are applied to this application. To edit the Assignments and select a filter click Edit.
Here we can either Include the filtered devices in the assignment or exclude them. Select “Exclude filtered devices in assignment” and choose the desired filter (in our case the “Exclude Test Devices” filter).
Always double check the assignment at the final step and save the change.
Now the devices of the filter are going to be excluded from the deployment.
References and documentation: