Welcome back to the Endpoint Sphere series! Today, we dive into one of the most powerful but often misunderstood features inside Microsoft Intune — Filters. If you’ve ever struggled with targeting policies to “only laptops,” “only Windows 11 devices,” “only corporate devices,” “only devices with 8GB RAM,” or “only devices enrolled in Autopilot,” then this post is for you.
.png)
Introduction: Why Filters Matter Today
The modern endpoint ecosystem is incredibly diverse. An organization may simultaneously manage:
- Windows 10 laptops
- Windows 11 desktops
- Autopilot hybrid devices
- Virtual machines
- Dedicated frontline devices
- Azure Virtual Desktop (AVD) workloads
- Test and production device rings
And each of these groups often needs different Intune policies.
Traditional targeting based on:
- Azure AD groups
- Dynamic device rules
…works well, but is not enough when you need extremely granular, real‑time control.
This is where Intune Filters shine.
- Filters allow you to target:
- A subset of devices inside a group
- With no delay
- Based on real-time device properties
- Without requiring multiple groups or complex dynamic queries
Think of Filters as:
“A surgical tool that gives you precision policy targeting you never had before.”
What Exactly Are Intune Filters?
Filters are logical expressions that evaluate device attributes to include or exclude devices at assignment time.
An example filter:
(device.deviceOwnership -eq "Corporate") and (device.deviceModel -contains "Dell")
This filter would ensure a policy applies only to corporate-owned Dell devices, regardless of group membership.
Filters work across:
- Configuration Profiles
- Compliance Policies
- App Assignments
- Security Baselines
- Proactive Remediations
- Endpoint Security profiles
Filters are evaluated instantly
- No replication delay like Azure Dynamic Groups.
Why Filters Are Better Than Azure AD Dynamic Groups
Imagine this scenario:
You want one Compliance Policy for only laptops, and another one for only desktops.
Traditional way:
- Create two Azure AD dynamic device groups
- Write complex rule for laptops vs desktops
- Wait for Azure AD processing
- Assign policies to groups
Filter way:
- Keep one group (e.g., All Windows Devices)
- Create filter: (device.deviceModel -contains "Laptop")
- Assign laptop policies with this filter
- Done in less than 2 minutes.
Real‑World Use Cases (That Intune Admins Love)
1. Apply policies only to Laptops
Many organizations want stricter security on laptops (BitLocker, VPN enforcement, Wi-Fi policies).
Filter example:
(device.devicePhysicalMemoryInMB -gt 4000) and (device.deviceCategory -eq "Laptop")
2. Apply Wallpaper / Desktop Policy only to Windows 11
Useful for migration projects.
Filter:
(device.operatingSystem -eq "Windows") and (device.osVersion -startsWith "10.0.226")
3. Exclude Azure Virtual Desktop (AVD) from BitLocker or Wi‑Fi
(device.deviceManufacturer -eq "Microsoft Corporation") and (device.model -contains "Virtual")
4. Apply Autopilot policies only to new devices
(device.enrollmentProfileName -eq "Autopilot-Deployment")
5. Apply Conditional Apps only to Corporate devices
(device.deviceOwnership -eq "Corporate")
6. Target test-ring devices
Instead of creating separate groups:
(device.azureADDeviceId -eq "<DeviceID>")
7. Separate Desktop vs Laptop policies
(device.deviceModel -contains "Laptop") or (device.chassisType -eq "Desktop")
How Filters Work with Assignments (Allow vs Exclude)
Filters can work in two modes:
- Filter to Include
Policy applies only to devices matching filter.
Example:
Apply a firewall policy only to Windows 11 devices.
- Filter to Exclude
Policy applies to all assigned devices except those filtered out.
Example:
Exclude Azure Virtual Desktop devices from a Compliance Policy.
Best Practice: Filters + Azure AD Groups = Perfect Combination
Microsoft’s recommended approach:
- Create broad Azure AD groups
- All Windows Devices
- All Personal Devices
- All Corporate Devices
- Use Filters to carve out specific device types
- Only Windows 11
- Only Autopilot
- Only laptops
- Only VMs
- Only specific OEM models
This reduces:
- Group complexity
- Policy duplication
- Assignment errors
- Troubleshooting time
Creating a Filter (Step-by-Step)
Step 1: Go to Intune Admin Center
Devices → Filters → Create
Step 2: Select Platform
Windows 10/11
Step 3: Build Filter Rule
Use the rule builder or the advanced syntax.
Examples appear below.
Step 4: Save & Assign
During assignment:
Select Filter for devices
Choose Include or Exclude
Select the filter
The Most Useful Filter Rules (Copy & Paste)
Corporate devices only:
(device.deviceOwnership -eq "Corporate")
Only laptops:
(device.chassisType -eq "9") or (device.chassisType -eq "10")
Only desktops:
(device.chassisType -eq "3")
Windows 11 only:
(device.osVersion -startsWith "10.0.226")
Azure Virtual Desktop:
(device.deviceManufacturer -eq "Microsoft Corporation") and (device.model -contains "Virtual")
Autopilot devices:
(device.enrollmentProfileName -contains "Autopilot")
Troubleshooting Filters — What Every Admin Should Know
1. Device not showing in filter preview?
- Sync device
- Check enrollment profile
- Check Intune portal attributes
2. Filters not applying to policy?
- Filters only work for Device‑based assignments
(Not User-based assignments in some cases)
3. Attributes not appearing in device properties?
- Ensure device is fully enrolled
- MDM enrollment complete
- Intune connector synced
4. Autopilot not identified?
- Sometimes the "enrollmentProfileName" attribute updates late
Wait or sync manually.
Which Licenses Are Required for Filters?
Good news:
- Filters require no special add‑on licenses.
- They are included with any Intune‑eligible plan:
Supported Licensing:
- Microsoft Intune (Standalone)
- Microsoft 365 E3 / E5
- Microsoft 365 Business Premium
- Enterprise Mobility + Security (EMS) E3 / E5
As long as the device is managed by Intune, you can use Filters.
Filters vs Dynamic Groups vs Device Categories
| Feature | |||
| Filters | Dynamic Groups | Device Categories | |
| Real-time targeting | ✔ | ❌ | ❌ |
| Based on device attributes | ✔ | ✔ | ❌ |
| Good for policy assignments | ✔ | ✔ | limited |
| Works with Autopilot | ✔ | ❌ | ✔ |
| Easy to maintain | ✔ | ❌ | ✔ |
Winner: Filters
(But using Filters + Groups together = best practice)
Conclusion: Filters Are a Must‑Use Feature for Intune Admins
Filters are one of the most powerful capabilities in Intune but still underused by many administrators.
They give you the ability to:
- Target policies with surgical precision
- Reduce the number of Azure AD groups
- Speed up deployments
- Simplify Intune architecture
- Improve compliance accuracy
- Stabilize Autopilot rollout
If you manage Windows devices in any serious capacity, Filters should be part of your daily Intune strategy.