Windows 10, 11 and Intune Filters

In a previous post I wrote about a way to create an Azure AD dynamic device group to identify Windows 11 devices.

But what if you don’t want to add an additional group or groups, or do a bit of rework with your Intune configuration, or have Intune profiles and policies targeted at groups that only contain users?

Fortunately a recent Intune feature (currently in preview) may be able to help here.

Filters are a way to deploy Intune profiles and policies to user and/or device groups that may contain (for example) both Windows 10 and Windows 11 devices, while having the deployment apply only to the Windows 10 devices.

For this scenario, I’ve created the following two filters:

Windows 10

For the Windows 10 filter, I have used the following Rule Syntax:

(device.manufacturer -eq "Microsoft Corporation") and (device.osVersion -contains "10.0.19041") or (device.osVersion -contains "10.0.19042") or (device.osVersion -contains "10.0.19043") or (device.osVersion -contains "10.0.19044")

Updated – Do not use (device.manufacturer -eq “Microsoft Corporation”) as this restricts the rule to Microsoft Manufactured devices/VMs – More information in this post

In a nutshell, the rule will apply to Windows 10 versions 20H1, 20H2, 21H1 and 21H2. You will need to modify this when newer versions become available, and remove older versions as they go out of support.

Windows 11

For Windows 11, I have followed a similar Rule Syntax:

(device.manufacturer -eq "Microsoft Corporation") and (device.osVersion -contains "10.0.22000") or (device.osVersion -contains "10.0.22449")

Updated – Do not use (device.manufacturer -eq “Microsoft Corporation”) as this restricts the rule to Microsoft Manufactured devices/VMs – More information in this post

This will cover Windows 11 version 21H2 and the current Dev Channel build of 10.0.22449. Like the Windows 10 filter, you will need to modify this when newer Windows 11 versions become available and remove the unsupported versions. Don’t forget to add the Insider build numbers if you also want Intune profiles and policies to apply to Insider builds.

I will now modify the assignment of the Configuration Profile Win 10 – Device Restrictions – Start, which uses the Azure AD Dynamic Group that contains both Windows 10 and Windows 11 devices. By selecting Include filtered devices in assignment and selecting the Windows 10 Devices filter, the profile will be assigned to all of the devices in this Azure AD group, but will only apply to the Windows 10 devices.

The following shows two Virtual Machines in my Lab where this configuration profile has been assigned. MVP-LAB-001 running Windows 10 and MVP-LAB-002 running Windows 11.

On MVP-LAB-001

You can see that the Configuration Profile Win 10 – Device Restrictions – Start has been applied and is showing as Succeeded.

By reviewing the Filter Evaluation on the device, you can see that the rules have been evaluated against the device and the result is a Match so the profile is applied to the device.

On MVP-LAB-002, the same process will also happen.

The Intune Configuration Profile Win 10 – Device Restrictions – Start is assigned to the device, but the profile shows as Not Applicable.

Looking at the filter evaluation, the rules have been evaluated against the device and do not pass, so the result of No match is returned and the profile will show as Not Applicable to the device.

The final result of a Configuration Profile for a Windows 10 Device being assigned to a group that contains both Windows 10 and Windows 11 Devices results in a correct assignment thanks to Filters.
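The Match / No match outcome described above can be previewed offline before an assignment is changed, which also surfaces devices that fall through both filters as build lists age. The following PowerShell is an added example, not code from the original post and not Intune's own evaluation logic; it uses the build strings from the two rules without the manufacturer clause, and the function name, the two SAMPLE devices and all osVersion values are constructed for illustration.

```powershell
# Build strings taken from the two filter rules on this page (manufacturer clause omitted).
$Filters = [ordered]@{
    'Windows 10' = @('10.0.19041', '10.0.19042', '10.0.19043', '10.0.19044')
    'Windows 11' = @('10.0.22000', '10.0.22449')
}

# Constructed sample inventory; the osVersion values are illustrative, not taken from the lab.
$Devices = @(
    [pscustomobject]@{ DeviceName = 'MVP-LAB-001';   OsVersion = '10.0.19043.1202' }
    [pscustomobject]@{ DeviceName = 'MVP-LAB-002';   OsVersion = '10.0.22000.194' }
    [pscustomobject]@{ DeviceName = 'SAMPLE-OLD-01'; OsVersion = '10.0.18363.1556' }
    [pscustomobject]@{ DeviceName = 'SAMPLE-DEV-01'; OsVersion = '10.0.22454.1000' }
)

# Hypothetical helper. The filter operator -contains on osVersion is a substring test;
# PowerShell's -contains tests collection membership, so String.Contains() is used instead.
function Test-FilterMatch {
    param(
        [Parameter(Mandatory)] [string]   $OsVersion,
        [Parameter(Mandatory)] [string[]] $Builds
    )
    foreach ($build in $Builds) {
        if ($OsVersion.Contains($build)) { return $true }
    }
    return $false
}

# Evaluate every device against every filter and record which filter(s) it matches.
$Report = foreach ($device in $Devices) {
    $matched = @($Filters.Keys | Where-Object {
        Test-FilterMatch -OsVersion $device.OsVersion -Builds $Filters[$_]
    })
    [pscustomobject]@{
        DeviceName = $device.DeviceName
        OsVersion  = $device.OsVersion
        Filter     = if ($matched.Count) { $matched -join ', ' } else { 'No match' }
    }
}
$Report | Format-Table -AutoSize

# Devices matching neither filter receive nothing from assignments that include these filters.
$Uncovered = @($Report | Where-Object Filter -eq 'No match')
if ($Uncovered.Count) {
    Write-Warning "$($Uncovered.Count) device(s) match neither filter; review the build lists."
}
```

The two SAMPLE devices report No match, which is the gap that opens when a new or out-of-support build is not yet reflected in either rule.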

Microsoft have a troubleshooting page on Docs that is also very useful.

Two key points to note from the Docs page.

I really like the idea of Filters and look forward to Microsoft both expanding on the feature as well as it going GA very soon.

P.
