Forum Discussion
Policy applied although it shouldn't
Hi,
I would check two things here.
First, open the affected sign-in event in Entra ID and review the Conditional Access tab. Make sure there is not another policy applying the same session control. Duplicate or overlapping CA policies are very easy to miss.
Second, be careful with device filters in this scenario. Conditional Access device filters are evaluated based on the device attributes available in Microsoft Entra ID. If the session does not provide the expected registered device attributes, or if the device is not evaluated as expected, the exclusion may not match.
Microsoft documents this behavior here:
For RDP / Windows Server sessions, I would not rely only on operatingSystem -contains "Server" as the exclusion logic. If this server/VDI scenario must be excluded, I would test a separate exclusion using a specific Entra group or named location first, then validate the result in the sign-in logs.
So my approach would be:
- Check for duplicate/overlapping CA policies.
- Confirm the device details shown in the sign-in log.
- Validate whether the filter is actually matching.
- Use a dedicated exclusion group or named location if the device attributes are not reliable for that session.
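The first three checks in the list above can be run against an exported sign-in record. The following is an added example, not part of the original reply: it assumes a JSON record shaped like the Microsoft Graph `signIn` resource (`appliedConditionalAccessPolicies`, `deviceDetail`), and the sample record, policy names and session-control value are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Microsoft Graph signIn record.
# Policy names, ids and the control string are placeholders, not real data.
SAMPLE_SIGN_IN = json.loads("""
{
  "id": "00000000-0000-0000-0000-000000000001",
  "deviceDetail": {"deviceId": "", "displayName": "",
                   "operatingSystem": "Windows", "trustType": ""},
  "appliedConditionalAccessPolicies": [
    {"displayName": "CA01 - Sign-in frequency (filter excludes servers)",
     "result": "success", "enforcedSessionControls": ["SignInFrequency"]},
    {"displayName": "CA07 - Legacy session policy",
     "result": "success", "enforcedSessionControls": ["SignInFrequency"]},
    {"displayName": "CA03 - Require MFA for admins",
     "result": "notApplied", "enforcedSessionControls": []}
  ]
}
""")

# Results that mean the policy was actually enforced on this sign-in.
ENFORCED = {"success", "failure"}

def overlapping_session_controls(sign_in):
    """Map each session control to the enforced policies that applied it,
    keeping only controls applied by more than one policy."""
    by_control = defaultdict(list)
    for policy in sign_in.get("appliedConditionalAccessPolicies", []):
        if policy.get("result") not in ENFORCED:
            continue
        for control in policy.get("enforcedSessionControls") or []:
            by_control[control].append(policy["displayName"])
    return {c: names for c, names in by_control.items() if len(names) > 1}

def device_filter_findings(sign_in):
    """Flag device details in the log that make a device-filter exclusion unreliable."""
    device = sign_in.get("deviceDetail") or {}
    findings = []
    if not device.get("deviceId"):
        # Assumption: an empty deviceId means no registered device was identified.
        findings.append("no deviceId recorded for this sign-in")
    if "server" not in (device.get("operatingSystem") or "").lower():
        findings.append("operatingSystem recorded in the log does not contain 'Server'")
    return findings

if __name__ == "__main__":
    print(overlapping_session_controls(SAMPLE_SIGN_IN))
    print(device_filter_findings(SAMPLE_SIGN_IN))
```
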