This is a well-hidden gem in Microsoft Endpoint Manager (MEM): filters. I’m not too sure that all of you know what they are. Maybe you have seen them when setting the assignments for a profile.
Or when going to Tenant Administration.
But what are filters?
Filters in Microsoft Endpoint Manager
Filters in MEM are a way to assign profiles, applications and much more using the built-in “All users”/“All devices” groups or a larger target group, and then filtering out based on specific conditions. You create the filters and set their conditions.
You can apply filters on
Filters basically single out users or devices from a larger group of devices, just like a filter does. You can reuse the same filter on different assignment groups and get a different result for your policy.
The benefit of using filters instead of several dynamic groups is that filters are evaluated instantly, which makes applying things with them a lot faster than waiting for a dynamic group to process which members it should have.
One example could be that you want to be able to single out only Windows 11 computers to apply a specific policy just to them.
Creating a filter
To use a filter, you must first define its conditions by going to the MEM admin center (https://endpoint.microsoft.com) and navigating to Tenant administration > Filters.
To create a new filter, press “+ Create” and give your filter a name and select what platform to target. In this example, we will create a filter which will filter out Windows 365 Cloud PCs running Windows 11.
In the next step, you will need to create the conditions for your rule. Since I want to create a filter to single out Windows 365 Cloud PCs running Windows 11, I will add conditions for this by stating that osVersion should start with 10.0.22 (which is the easiest way to identify Windows 11), and that the manufacturer equals Microsoft Corporation, and that model name starts with Cloud PC.
You can also write your own syntax instead of using the built-in values.
The easiest way to find the information for your filters is to go to Devices > Windows > Windows devices and search for a device which meets the requirements for your filter. Click the device and select Hardware in the menu; that will show you the information you need.
Once you have configured your rule, you can click “Preview devices” at the bottom of the filter configuration to validate that your filter is doing what you wanted.
For this filter, I want to be able to select the Cloud PCs running Windows 11, and as you can see here, the preview was able to find them.
When you are happy with your filter configuration, click next followed by create.
Using a filter
You can use filters in a lot of different places in MEM. To see where filters are currently supported, have a look at Microsoft Docs. New applications of filters are added constantly.
As of now, I want to deploy an app only to my Cloud PCs running Windows 11. I want to make this application available for all my users, but only if they are using a Cloud PC running Windows 11.
The first thing I do is add the built-in “All users” group to the “Available for enrolled devices” segment under Assignments for the application.
Next, I click on the blue text “None” under Filter mode. To use your filter, you first need to select how you want the filter to behave. You have 3 options.
- Do not apply a filter
- Include filtered devices in assignment
- Exclude filtered devices in assignment
In this case, I want to include my Cloud PCs running Windows 11, so I select the include option. Next step is to select the newly created filter called “Cloud PC Windows 11”. Once I have selected the filter, I press “Select” at the bottom of the screen.
You will now notice that the filter has been applied to our assignment.
Now only my Cloud PCs running Windows 11 will be able to install the application.
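An added example, not from the original post: a small local Python approximation of how the rule from “Creating a filter” and the three filter modes select devices, run over constructed inventory rows. The parser handles only and-joined -eq/-startsWith clauses with exact string matching (assumptions of this sketch), and the last row shows that a Windows 11 Cloud PC reporting osVersion 10.0.26100 is not selected by the 10.0.22 prefix.

```python
import re

# The three conditions from "Creating a filter", written in rule syntax.
RULE = ('(device.osVersion -startsWith "10.0.22") and '
        '(device.manufacturer -eq "Microsoft Corporation") and '
        '(device.model -startsWith "Cloud PC")')

# Only the two operators this rule uses (local stand-ins, exact string match).
OPS = {"-startsWith": str.startswith, "-eq": str.__eq__}
CLAUSE = re.compile(r'\(device\.(\w+)\s+(-\w+)\s+"([^"]*)"\)')

def parse_rule(rule):
    """Split an and-joined rule into (property, operator, value) clauses."""
    clauses = CLAUSE.findall(rule)
    leftover = re.sub(r"\band\b", "", CLAUSE.sub("", rule)).strip()
    if not clauses or leftover or any(op not in OPS for _, op, _ in clauses):
        raise ValueError(f"unsupported rule: {rule!r}")
    return clauses

def matches(device, rule=RULE):
    """True when every clause holds for the device's properties."""
    return all(OPS[op](device.get(prop, ""), arg)
               for prop, op, arg in parse_rule(rule))

def assignment_applies(device, mode, rule=RULE):
    """Model the three filter modes: 'none', 'include', 'exclude'."""
    if mode == "none":
        return True
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    return matches(device, rule) == (mode == "include")

# Constructed inventory rows (not real devices), shaped like the Hardware page.
MS, CPC = "Microsoft Corporation", "Cloud PC Enterprise 2vCPU/8GB/128GB"
DEVICES = [
    {"name": "CPC-W11-A", "osVersion": "10.0.22621.2428", "manufacturer": MS, "model": CPC},
    {"name": "CPC-W10-B", "osVersion": "10.0.19045.3570", "manufacturer": MS, "model": CPC},
    {"name": "SURFACE-C", "osVersion": "10.0.22631.2715", "manufacturer": MS, "model": "Surface Laptop 4"},
    {"name": "CPC-W11-D", "osVersion": "10.0.26100.1742", "manufacturer": MS, "model": CPC},
]

def preview(devices, mode="include", rule=RULE):
    """Names of the devices the assignment would reach, like 'Preview devices'."""
    return [d["name"] for d in devices if assignment_applies(d, mode, rule)]

if __name__ == "__main__":
    print("include:", preview(DEVICES))             # only CPC-W11-A
    print("exclude:", preview(DEVICES, "exclude"))  # everything else, incl. CPC-W11-D
```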
Summary
Filters are a great addition to MEM and to doing assignments, since you can target a wider group and select just a few devices from that group. You could also make sure that certain things only get applied to a user’s device if it fulfills your requirements. One such scenario could be that you wish to enforce installation on a user’s device if the ownership is set to “Corporate” but make it available if ownership is set to “Personal”. There are a lot of different scenarios where this could be super handy!
The best thing, however, is that applying things using the built-in “All devices” and “All users” groups is usually a lot faster, and you don’t end up in a scenario where the user or device was not added to the group for a mandatory application. You can then filter out only specific devices from that larger group.