Forum Discussion
Policy applied although it shouldn't
Your filter actually looks correct to me. Since it suddenly started happening and also affects another tenant, this feels more like a Windows Server 2025/RDP session behavior change than a filter issue.
As a workaround, I’d probably try excluding those servers through a separate Entra group instead of relying on the device filter for now, just to see if the behavior changes. That would help confirm whether the issue is really filter related or something specific to Server 2025 sessions.
I found out that the policy was duplicated somehow and one of them had fewer restrictions. Weird.
- DerekMorgan2, May 11, 2026, Brass Contributor
Hi heinzelrumpel,
Glad you tracked it down. Duplicate policies with the same control are easy to miss because the sign-in log shows the control firing without telling you which policy won unless you open the full list. Quick check next time symptoms contradict a configured filter: in the Entra admin center, go to Identity → Monitoring & health → Sign-in logs, open the sign-in event, and click the Conditional Access tab. Each applied policy shows as its own row with the result (Success, Not applied, Report-only). When two rows enforce the same control, the duplicate is your target.
One side note on the filter syntax itself: positive operators (-eq, -contains) don't match null device attributes, so an Exclude expression built on them silently fails for any device that doesn't have an Entra device object. Microsoft's persistent browser sample uses Include mode with -ne for that reason. Useful if a Server 2025 host ever ends up in scope without being registered, since Server 2025 isn't on the supported hybrid join OS list yet.
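The Conditional Access tab check described in the reply above can also be scripted over sign-in records; the following is an added example, not part of the original post. It assumes records shaped like the Microsoft Graph `signIn` resource (`appliedConditionalAccessPolicies` with `result`, `enforcedGrantControls`, `enforcedSessionControls`); the sample record and policy names are constructed.

```python
import json
from collections import defaultdict

# Results where a policy actually acted on the sign-in (report-only and
# notApplied rows are visible in the log but enforce nothing).
ENFORCING = {"success", "failure"}

# Constructed sample shaped like the Graph signIn resource; all names and ids are made up.
SAMPLE_SIGNIN = json.loads("""
{"id": "constructed-signin-0001",
 "appliedConditionalAccessPolicies": [
  {"id": "pol-a", "displayName": "Require MFA", "result": "notApplied",
   "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": []},
  {"id": "pol-b", "displayName": "Require MFA (copy)", "result": "success",
   "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": []},
  {"id": "pol-c", "displayName": "MFA pilot", "result": "reportOnlySuccess",
   "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": []},
  {"id": "pol-d", "displayName": "Block legacy auth", "result": "notApplied",
   "enforcedGrantControls": ["Block"], "enforcedSessionControls": []}
 ]}
""")

def rows_by_control(signin):
    """Map each grant/session control to the policy rows that list it."""
    rows = defaultdict(list)
    for pol in signin.get("appliedConditionalAccessPolicies") or []:
        controls = (pol.get("enforcedGrantControls") or []) + \
                   (pol.get("enforcedSessionControls") or [])
        for control in controls:
            rows[control.lower()].append((pol["displayName"], pol["result"]))
    return rows

def find_overlaps(signin):
    """Controls listed by several policy rows where at least one row enforced."""
    overlaps = {}
    for control, rows in rows_by_control(signin).items():
        enforced = [name for name, result in rows if result in ENFORCING]
        if len(rows) > 1 and enforced:
            overlaps[control] = {
                "enforced_by": enforced,
                "other_rows": [r for r in rows if r[1] not in ENFORCING],
            }
    return overlaps

if __name__ == "__main__":
    for control, hit in find_overlaps(SAMPLE_SIGNIN).items():
        print(f"{control}: enforced by {hit['enforced_by']}; also on {hit['other_rows']}")
```

A control that is enforced by one row while another row with the same control shows `notApplied` is the pattern from this thread: the filtered policy was skipped and its copy applied.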
- heinzelrumpel, May 11, 2026, Brass Contributor
Our servers are not in Intune. The problem persists today. Please see my last post. Maybe you can find something I am missing.