Using Filters to selectively target Intune Apps and Configs

Hi all, a post on how you can use Device Filters to target specific configurations within Intune to include or exclude Windows 11 devices only. This may be useful when you’re configuring personalisation settings or application deployments and want to either include or exclude specific device properties.

What are filters?

Microsoft released Filters for Intune in May of this year, Filters can be used to ensure that specific configurations, policies and applications are applied to specific attributes of the device itself, for example, you may have an application that should only be deployed to a specific hardware model, with filters this can be achieved. The following attributes can be used to either include or exclude devices from an assignment within Intune:

  • Device Name
  • Manufacturer
  • Model
  • Device Category
  • OS Version
  • IsRooted
  • Device Ownership
  • Enrolment Profile Name
  • Operating System SKU

Filters are only applicable to various assignment types within Intune, I’d recommend reviewing this list of applicable targets.

How to enable Filters?

Filters are currently in preview within Intune and need to be explicitly enabled, to do this, log into the MEMAC portal, navigate to Tenant Administration, then Filters (Preview), click the purple banner and then activate the Filters capability:

Enabling filters within Intune

Creating the Windows 11 Filter

With the Filters capability enabled, within the same section of Intune, click Create, then add an appropriate Name, Description and applicable Platform, like so:

Creating the Windows 11 filter

Now choose a Property of OSVersion, Operator of StartsWith and a Value of 10.0.2, which is unique to Windows 11 devices only, like so:

Tip: If you know the entire syntax of the filter, you can edit the rule syntax editor and just paste in the code, for the above example that would be (device.osVersion -startsWith “10.0.2”).

With the filter now created, it’s time to assign the filter to a particular configuration profile, don’t forget that filters can be used in other sections of Intune, check out this link for applicable targets.

Assigning the Windows 11 Filter

There are two options when assigning filters to configurations, include and exclude, include will apply to all of the devices within the assignment where the filter has matched as true and exclude will remove devices from the assignment scope. To include or exclude a filter, go to a configuration profile (where supported) and Assignments, you will have an option to Edit filter on each assignment:

A new window will appear, giving you the option to Include filters devices in assignment or Exclude filtered devices in assignment and then select your new Windows 11 filter, in this example, I want to make sure that this configuration profile applies to my Windows 11 devices within my IN-AP-DEVICE-ALL AAD group:

That’s it, devices within the assigned group that matches my Windows 11 filter will receive the configuration profile, ensure that you test!

Trust but Verify

Once the filter has been assigned to a deployment, you can view the filter status on a device record itself, in a section called Filter Evaluation (preview) to determine if the filter that has been created is a match or not.

Windows 10 device

Here is a Windows 10 device, as you can see the configuration profile status is showing as a ‘No match’ for the filter in question:

As a consequence, the configuration profile has not been assigned with a status of Not applicable:

Windows 11 device

As above, but with a difference of the filter showing as a match and as a consequence, the configuration profile has been assigned.


Happy Intuning.