Use Filters in Intune to target All Devices except Personal
Intune now has the capability to Filter policy, app, and profile assignments. While you could previously also do this with dynamic Azure AD Groups, Filters process significantly faster and can be more reliable. They become incredibly useful if you want to use the All Devices or All Users default groups too.
One simple idea for using filters is for Endpoint Analytics configuration targetting. When you enable Endpoint Analytics, it will default to collecting data from all cloud-managed devices (the All Devices group). We can use a Filter so that this only targets Corporate devices (or, excludes Personal devices), because as an organization maybe we don’t want to collect personal devices data.
Go to endpoint.microsoft.com> Tenant administration > Filters (preview):
Click the purple banner that says Try out the filters (preview) feature! and turn on the preview feature:
With the feature enabled, click + Create to begin creating the Filter.
Enter a memorable name and select a platform. For our test I’m entering Filter Personal Windows devices:
Now we get to the rules portion. You can find a list of the supported rules and associated properties here. We’ll use the deviceOwnership property with the value of Personal. All of these are dropdowns, which makes making the filter remarkably easy:
We selected NotEquals because we don’t want Personal devices to be targeted by our policy. Then we just need to Create the filter:
And then we’ll see the Filter is created:
To assign the Filter, we need to go to any profile or app or policy. In our test for Endpoint Analytics, we’ll go to Devices > Configuration profiles > Intune data collection policy:
If you don’t see that profile or haven’t enabled Endpoint Analytics, we have a blog post on how easy it is here: Deploy Endpoint Analytics in 30 seconds.
In the policy, we’ll click Properties > Edit Assignments:
And here we’ll select the option to Edit filter:
Which prompts a flyout with our Filter options. This can be a bit tricky to read/logic out. We are targetting All Devices, but we want to only include devices that aren’t personal. So we’ll select Include filtered devices in assignment and select our policy that identifies devices that aren’t personal. It probably would have been clearer to create a filter that only includes devices that are marked corporate. Lesson learned! 😁
Once we have selected the Include option and our filter, we can click Save the Filter and see if it worked as expected:
As expected, in the Device Status for the policy we only see Corporate devices:
If we do want to edit the filter so it’s more clear (and not using a double negative), we can easily go back to the Filter and edit the Rules to say deviceownership Equals Corporate:
So that’s how Filters work! Very simple, and majorly useful. It really brings forward the usefulness of the All Devices or All Users groups, especially for Autopilot/enrollment scenarios where one second the device identities are being created in Intune and then immediately after we want policy/app assignments to be targeted.
Happy filtering! ⚗️