Windows 11 Azure AD Groups and Filters – An update

The more I think about managing Windows 11 in Azure AD and Intune, the more I want to refine some of the configurations I have done.

The recent Windows 11 Dev Channel build had me thinking about the Azure AD and Intune Filter blog posts and the configurations done there.

Now if you are not doing any Windows Insidering at your company (first thing I’d ask is why not, but that’s a conversation for another time), then the configurations for Windows 11 in those blog posts should be perfectly fine until the next release of Windows 11 in 2022, when the build number will change (remember, Feature Updates are moving to a once-a-year cycle with Windows 11).

But I do use the Windows Insider for Business program, and do have devices on the Dev channel, so updating the Azure AD Dynamic Group and the Intune Filter on what can be a weekly basis is not something I really want to do.

So what have I changed?


With the Azure AD group, I have simply changed the operator in the Rule Syntax for deviceOSVersion from -contains with a full build number to -startsWith with the first part of the Windows 11 build number, 10.0.22.

This means that any future builds for Windows 11 with a build number starting with 10.0.22, including future Dev Channel insider builds will be covered by this query (unless of course the 10.0.22 value changes in future builds).

I can confirm that this query works by using the Validate Rules (Preview) feature, adding a Windows 10 and a Windows 11 device and validating.

Windows 10

Windows 11


For filters, I found that this involved a little bit more trial and error, but ultimately I was able to get it working using a similar rule syntax. 

NOTE – In my previous blog on filters, I had the filter rule (device.manufacturer -eq "Microsoft Corporation") but found that when using this with a filter rule that used the operator -startsWith, the filter would always return the result Not match.

Update – Do not use (device.manufacturer -eq "Microsoft Corporation") as this restricts the rule to Microsoft-manufactured devices/VMs – I discovered this the hard way when using Intune Filters in production and my HP devices all ended up returning a Not Matched result.

So I now just use the single filter rule (device.osVersion -startsWith "10.0.22").

The Filter evaluation shows this Evaluation result as a Match on the Windows 11 device.

This means I can now have a bit of certainty that my Azure AD group and Intune Filters will work on Windows 11 devices while the build number starts with 10.0.22, and not have to make any major changes for a while – unlike the weekly changes before this change.
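As an added example (not from the original post, which does everything in the portal), the same two rules can be created with the Microsoft Graph PowerShell SDK, followed by a quick local check of which build strings the prefix covers. The display names, mail nickname and sample build strings are hypothetical, and the filter call assumes the Graph beta assignmentFilters endpoint.

```powershell
# Added example: assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in account may create groups and Intune filters.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'

$prefix = '10.0.22'   # first part of the Windows 11 build number, from the post

# Azure AD dynamic device group using -startsWith instead of a full build number
$groupParams = @{
    DisplayName                   = 'Windows 11 Devices (example)'   # hypothetical name
    MailNickname                  = 'win11-devices-example'          # hypothetical
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = "(device.deviceOSVersion -startsWith `"$prefix`")"
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @groupParams

# Intune filter with the single rule only; no device.manufacturer clause,
# so devices from other manufacturers are not excluded
$filterBody = @{
    displayName = 'Windows 11 (example)'                             # hypothetical name
    description = 'OS version prefix match, no manufacturer clause'
    platform    = 'windows10AndLater'
    rule        = "(device.osVersion -startsWith `"$prefix`")"
} | ConvertTo-Json

$filter = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' `
    -Body $filterBody -ContentType 'application/json'

# Local approximation of the prefix match over constructed build strings
# (plain string comparison, not the service's own evaluator)
$sampleVersions = '10.0.19044.1288', '10.0.22000.194', '10.0.22463.1000'
foreach ($version in $sampleVersions) {
    '{0,-18} startsWith {1}: {2}' -f $version, $prefix, $version.StartsWith($prefix)
}
```

The portal checks described above (Validate Rules for the group, the filter evaluation report for the filter) remain the authoritative test once the objects exist.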

