Intune Filters: Complete Assignment and Configuration Guide - CyberSystem Blog

Filters in Microsoft Intune allow you to dynamically target apps, policies, and profiles based on device or app properties. Filters provide granular control over assignments, enabling you to include or exclude devices based on specific criteria without creating additional groups.

Understanding Filters

Filters in Intune narrow the assignment scope of policies and apps based on rules you create. Filters dynamically evaluate device or app properties at check-in time, determining whether a policy or app should apply without requiring precomputed group membership.

Key Benefits

Dynamic Targeting: Target based on device properties
Flexible Assignment: Include or exclude devices
Reusable: Use same filter in multiple assignments
High Performance: Evaluated at device check-in
Granular Control: Fine-tune policy assignments

For an overview, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

How Filters Work

Filter Evaluation

Filter Creation: Admin creates filter with rules
Policy Assignment: Filter added to policy assignment
Device Check-in: Filter evaluated when device checks in
Application: Policy applies if filter matches

Filter Modes

Include: Devices matching filter receive policy
Exclude: Devices matching filter don't receive policy

Creating Filters

Step 1: Access Filters

Sign in to the Microsoft Intune admin center
Navigate to Tenant administration > Assignment filters > Create
- Or: Devices > Organize devices > Assignment filters
- Or: Apps > Organize devices > Assignment filters

Step 2: Select Filter Type

Managed devices: For enrolled devices
Managed apps: For app protection policies

Step 3: Configure Basics

Filter name: Descriptive name
Description: Optional description
Platform: Select platform
- Managed devices: Android, iOS, macOS, Windows
- Managed apps: Android, iOS, Windows
Select Next

Step 4: Create Rules

Rule Builder:

Property: Select property (e.g., device.osVersion)
Operator: Select operator (equals, contains, etc.)
Value: Enter value
Add expression: Add to rule
And/Or: Add additional conditions

Rule Syntax:

Manually enter expressions
Use rule syntax editor
Example: (device.osVersion -eq "10.0.18362") and (device.manufacturer -eq "Microsoft")

Step 5: Preview Devices

Select Preview devices
Review devices matching filter
Search and filter preview list
Verify filter criteria

Step 6: Review and Create

Review filter configuration
Select Create

For step-by-step guidance, see Create a filter.

Using Filters

Assigning Filters to Policies

Navigate to policy (e.g., Compliance policy)
Select Properties > Assignments > Edit
Assign policy to group
Select Edit filter
Choose option:
- Do not apply a filter
- Include filtered devices in assignment
- Exclude filtered devices in assignment
Select filter > Select
Review + save > Save

For details, see Use a filter.

Filter Restrictions

General Restrictions

Maximum Filters: Up to 200 filters per tenant
Character Limit: Each filter limited to 3,072 characters
Managed Devices: Devices must be enrolled
Managed Apps: Apply to app protection and app configuration policies only

Supported Workloads

Filters support various workloads:

Apps
Compliance policies
Configuration profiles
Enrollment restrictions
And more

For complete list, see Supported workloads when creating filters.

Filter Examples

Example 1: Windows OS Version

Scenario: Deploy policy only to Windows 11 devices

Filter:

device.osVersion -startsWith "10.0.22"

Example 2: Device Manufacturer

Scenario: Exclude specific manufacturer

Filter:

device.manufacturer -ne "Samsung"

Example 3: Corporate Devices Only

Scenario: Include only corporate-owned devices

Filter:

device.enrollmentProfileName -ne ""

Example 4: Multiple Conditions

Scenario: Windows 11 corporate devices

Filter:

(device.osVersion -startsWith "10.0.22") and (device.enrollmentProfileName -ne "")

Filter Reports

Filter Evaluation Report

View filter evaluation for devices:

Navigate to Devices > All Devices
Select device > Filter evaluation
Review:
- Filters evaluated
- Evaluation time
- Match/No match results
- Filter mode (Include/Exclude)
- Filter rules and properties

For details, see Filter evaluation report for devices.

Best Practices

1. Use Descriptive Names

Name filters clearly
Include purpose in name
Document filter usage
Maintain naming consistency

2. Test Filters

Preview devices before creating
Test with pilot groups
Verify filter behavior
Monitor filter evaluation

3. Keep Filters Simple

Avoid overly complex rules
Use clear conditions
Test filter performance
Optimize as needed

4. Document Filters

Document filter purpose
Record filter usage
Maintain filter inventory
Update documentation

5. Review Regularly

Review filter assignments
Check filter effectiveness
Remove unused filters
Optimize filter rules

Troubleshooting

Common Issues

Filter Not Applying
- Verify filter assignment
- Check device properties
- Review filter rules
- Test filter evaluation
Unexpected Results
- Preview devices
- Review filter rules
- Check property values
- Verify operator usage
Performance Issues
- Simplify filter rules
- Reduce filter complexity
- Review filter usage
- Optimize conditions

Additional Resources

Conclusion

Filters provide powerful capabilities for dynamically targeting apps and policies in Intune. By following these best practices:

✅ Use descriptive filter names
✅ Test filters thoroughly
✅ Keep filters simple
✅ Document filter usage
✅ Review filters regularly

You can achieve granular control over policy assignments while maintaining performance and avoiding the need for numerous additional groups.

Remember: Filters are evaluated at device check-in time, providing dynamic targeting without precomputed group membership. Always preview devices and test filters before deploying to production.