Microsoft is currently in the process of rolling out a preview of filtering for apps, policies and profiles in Microsoft Endpoint Manager.
With this new functionality you will be able to define extra applicability conditions for apps, compliance policies and configuration profiles. Not every workload is supported (yet), though. For example, at this point in time you cannot use filtering with a Settings Catalog configuration profile, nor with Windows 10 Update rings and Windows 10 Feature updates. If you want to know which workloads and features support filtering, check out this documentation article first.
With filtering you can assign an app or policy to a user or device group, while filtering specific devices in and out of the assignment. Filters can be configured to either include or exclude devices from the assignment, so you do not have to spend time selecting those devices in Intune or waiting for dynamic device group membership to be calculated.
Before you can use the filtering functionality, you have to enable the preview functionality first. This can be done from the Tenant Administration settings in the Microsoft Endpoint Manager Admin Center. You need to click on the hyperlink for “Try out the filters (preview) feature!” for the option to enable filters to appear.
Once enabled you can centrally create filters by clicking on the + Create button under Filters (preview). After providing a name for the filter (mandatory), a description (optional) and the platform (iOS/iPadOS, Windows 10, Android device administrator, macOS or Android Enterprise) you can define the ruleset.
This ruleset is similar to the ruleset available when creating Azure AD dynamic device groups. In the figure below, (1) displays the options for creating a dynamic device group and (2) shows the options for creating a filter.
Depending on the platform chosen, different properties are available to use while creating the filter rule. For Windows 10 the following properties are available:
Which properties are supported for which platform is detailed in the following article: Device properties, operators, and rule editing when creating filters in Microsoft Endpoint Manager
Below is an example of what a filter could look like. In this case we create a filter where the Operating System SKU is either Professional or ServerRdsh. ServerRdsh is the SKU for Windows Enterprise for Virtual Desktops, for which Microsoft is currently rolling out support in Microsoft Endpoint Manager.
Once one or more filters are created, the filter can be used while creating assignments on supported workloads.
After the filter has been added you can see this reflected in the assignments for the workload you configured. The Assignment will reflect the name of the filter and whether the devices in the filter will be included or excluded.
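To make the include and exclude behaviour concrete, the following added example (not code from Microsoft or from the original article) evaluates the Professional/ServerRdsh rule against a constructed device inventory and shows which devices end up targeted in each mode. It assumes the property name `device.operatingSystemSKU`, a simplified rule grammar with only `-eq`/`-ne` clauses, and that `and` binds tighter than `or`; the device names are made up.

```python
import re

# Simplified grammar (assumption): (device.<property> -eq|-ne "<value>") joined by and/or.
TOKEN = re.compile(r'\s*(?:\(\s*device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"\s*\)|(and|or))\s*')

def parse_rule(rule):
    """Return OR-groups of AND-ed (property, operator, value) clauses."""
    groups, pos, expect_clause = [[]], 0, True
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m or bool(m.group(4)) == expect_clause:
            raise ValueError(f"cannot parse rule at offset {pos}")
        if m.group(4) == "or":
            groups.append([])          # 'and' binds tighter than 'or' (assumption)
        elif m.group(4) is None:
            groups[-1].append(m.group(1, 2, 3))
        expect_clause = not expect_clause
        pos = m.end()
    if expect_clause:
        raise ValueError("rule is empty or ends with a connector")
    return groups

def matches(rule, device):
    """True when the device satisfies the rule; a missing property never equals a value."""
    return any(all((device.get(prop) == value) == (op == "eq") for prop, op, value in group)
               for group in parse_rule(rule))

def receives_assignment(device, in_assigned_group, rule, mode):
    """'include': only matching devices are targeted; 'exclude': matching devices are dropped."""
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    if not in_assigned_group:
        return False                   # a filter never adds devices outside the group
    return matches(rule, device) == (mode == "include")

# The rule described above; the property name is an assumption.
RULE = ('(device.operatingSystemSKU -eq "Professional") or '
        '(device.operatingSystemSKU -eq "ServerRdsh")')

# Constructed inventory, all devices assumed to be in the assigned group.
DEVICES = [
    {"deviceName": "LAB-PRO-01", "operatingSystemSKU": "Professional"},
    {"deviceName": "LAB-ENT-01", "operatingSystemSKU": "Enterprise"},
    {"deviceName": "LAB-AVD-01", "operatingSystemSKU": "ServerRdsh"},
]

def targeted(mode, rule=RULE, devices=DEVICES):
    return [d["deviceName"] for d in devices if receives_assignment(d, True, rule, mode)]

if __name__ == "__main__":
    for mode in ("include", "exclude"):
        print(mode, targeted(mode))
```

Running the same rule in both modes before assigning a compliance policy is a quick way to confirm that no device silently falls out of scope.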
This new functionality opens up a lot of possible scenarios. I could use a filter, for example, to exclude Virtual Machines from my default Compliance Policy, or to filter out Windows 10 Professional from my Start Menu customization, allowing me to reduce the issues I receive and the challenges I face for any exceptions in my environment.
In my article titled “Designing and building your Microsoft Endpoint Manager/Intune environment for Operations”, I outlined why I prefer to use one Azure AD user group to rule them all. With these filter capabilities I can find a solution for some of the scenarios which weren’t that easy to implement because of my design choices.
From today I will start experimenting with the functionality in my demo tenant and explore its capabilities. I already know for sure though that filtering will become part of my standard Modern Workplace implementation solution.