By: Anders Ahl – Principal Product Manager | Microsoft Endpoint Manager – Intune
Since the introduction of filters in Intune, customers have been using them for all types of creative selection criteria. This includes some very impressive combinations of properties to get exactly the target collection they were looking for, without having to wait for one or several dynamic groups to be evaluated and updated. One of the many benefits of filters is that they are instantly evaluated but even if the creation of the filter itself is simple, the evaluation of it might not render the outcome you were expecting unless you understand the rules of Boolean algebra.
Consider a scenario where you want to use the new and exciting filters feature in Intune to make sure your hardware is either one of two models and the assigned Windows Autopilot profile is either one of two profiles.
A quick refresher on how Boolean Algebra works:
x | y | x AND y | x OR y |
0 | 0 | 0 | 0 |
0 | 1 | 0 | 1 |
1 | 0 | 0 | 1 |
1 | 1 | 1 | 1 |
Used in an Intune filter, the way to think of the resulting “1” and “0” is that if an expression evaluates to “1” the device will be included in your selection and if it evaluates to “0” it will not.
After going through the supported device properties article, use the rule builder to enter the hardware models (separated by an OR operator) and the Autopilot profile names, also separated by an OR operator. The two logical groups of your filter are ANDed together.
Create filter in Microsoft Endpoint Manager admin center
The Rule syntax generated for you by the rule builder is:
(device.model -startsWith "Precision 3541") or (device.model -startsWith "Latitude") and (device.enrollmentProfileName -eq "Autopilot Prod Profile") or (device.enrollmentProfileName -eq "Autopilot Lab Profile")
which looks exactly what we were hoping for. If we add a few line breaks to make it easier to read, we get:
(device.model -startsWith "Precision 3541")
OR
(device.model -startsWith "Latitude")
AND
(device.enrollmentProfileName -eq "Autopilot Prod Profile")
OR
(device.enrollmentProfileName -eq "Autopilot Lab Profile")
Let’s try the filter on a couple of devices to see if it performs as expected.
Our first device is a Dell Precision 3541 with "Autopilot Prod Profile" assigned and it would qualify for the following chain of Boolean operations: 1 OR 0 AND 1 OR 0.
If we break this down one operator at a time and color code each output/input for visibility (the blue output from the first operation is used as input in the second operation) we would get:
The result is ”1” which is desired, and the filter would work as expected and include this device.
A second example (to make sure we really exercise your newly awakened Boolean skills) is a Dell Precision 3541 with "Autopilot Lab Profile" assigned, giving us 1 OR 0 AND 0 OR 1.
Yet again we get a “1” as a result which would satisfy the purpose of the filter and we see many customers happily starting to use the filter for their targeting.
As you may suspect, there’s more to this filter than the fact that it looks like it’s working. Let’s use a device that we don’t expect to satisfy the filter, in this case a Surface Laptop 4 with the "Autopilot Lab Profile" assigned, giving us 0 OR 0 AND 0 OR 1.
Woah! Did we just get a ”1” result from this evaluation? How could that happen? We clearly didn’t have a device that satisfied any of the two types we were looking for.
Feel free to pause here and see if you can figure out what went wrong. For the rest of you, it’s as easy as being a logical pitfall because we didn’t think about PEMDAS.
As we have operators to consider, all with the same weight/priority, they are evaluated left to right. To change the order of evaluation we need to use parentheses to clarify that this is really two OR groups that should be ANDed together.
Looking back at the “easier to read query” above we need to turn it into:
Even if this can look a bit daunting at first, it’s as easy as adding a few parentheses (marked in yellow below) to the rule syntax:
((device.model -startsWith "Precision 3541")
OR
(device.model -startsWith "Latitude"))
AND
((device.enrollmentProfileName -eq "Autopilot Prod Profile")
OR
(device.enrollmentProfileName -eq "Autopilot Lab Profile"))
As you do this, the syntax checker will happily accept your change but unfortunately the rule builder can no longer display the query and you must continue perfecting your query in the rule syntax text box.
Editing the rule syntax removes the option to use the rule builder.
If we look at the logical evaluation of our new statement, we get (0 OR 0) AND (0 OR 1).
Ah! Much better! We now have a filter that not only works for successfully matched rules, but it also works for the cases that don’t satisfy the rules.
I hope this guidance helps, and happy filtering! If you have any questions, feel free to respond to this post or reach out on Twitter @Intunesuppteam.
Updated Dec 01, 2023
Version 4.0Intune_Support_Team
Microsoft
Joined October 11, 2018
Intune Customer Success
Follow this blog board to get notified when there's new activity