Forum Discussion
Policy applied although it shouldn't
Hi,
All of a sudden, Intune changes its behavior. I have a policy in place that sets persistent browser session. On the device filter tab I excluded devices with this syntax:
device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company"
Starting last week I have to re-authenticate on a remote desktop running Windows Server 2025 every 8 hours. That's what the policy requires. In Entra I see in the logs for my user that this conditional access policy applied. I then extended the filter to this:
device.trustType -eq "ServerAD" -or device.deviceOwnership -eq "Company" -or device.operatingSystem -contains "Server"
But it did not make a difference.
Any idea what is going on? This is not specific to my tenant. On a different tenant it behaves the same way.
6 Replies
- heinzelrumpel (Brass Contributor)
Although I deleted the duplicated policy, the result today is the same.
I am coming from a Windows Server 2025 virtual desktop and the policy result says Windows10. The IP mentioned above is inserted as an excluded IP in that policy. Actually, I don't know what I am missing. It all looks correct to me.
Your filter actually looks correct to me. Since it suddenly started happening and also affects another tenant, this feels more like a Windows Server 2025/RDP session behavior change than a filter issue.
As a workaround, I’d probably try excluding those servers through a separate Entra group instead of relying on the device filter for now, just to see if the behavior changes. That would help confirm whether the issue is really filter related or something specific to Server 2025 sessions.
- heinzelrumpel (Brass Contributor)
I found out that the policy was duplicated somehow and one of them had fewer restrictions. Weird.
- DerekMorgan2 (Brass Contributor)
Hi heinzelrumpel,
Glad you tracked it down. Duplicate policies with the same control are easy to miss because the sign-in log shows the control firing without telling you which policy won unless you open the full list. Quick check next time symptoms contradict a configured filter: in the Entra admin center, go to Identity → Monitoring & health → Sign-in logs, open the sign-in event, and click the Conditional Access tab. Each applied policy shows as its own row with the result (Success, Not applied, Report-only). When two rows enforce the same control, the duplicate is your target.
One side note on the filter syntax itself: positive operators (-eq, -contains) don't match null device attributes, so an Exclude expression built on them silently fails for any device that doesn't have an Entra device object. Microsoft's persistent browser sample uses Include mode with -ne for that reason. Useful if a Server 2025 host ever ends up in scope without being registered, since Server 2025 isn't on the supported hybrid join OS list yet.
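As an added example for the check described above (PowerShell with the Microsoft Graph SDK; this is not code from the thread or from Microsoft), the script below first lists every Conditional Access policy that sets a persistent browser or sign-in frequency session control together with its state and device filter, so two policies carrying the same control sit side by side, and then flattens the Conditional Access tab of a user's most recent sign-ins into one row per policy, including the OS and trust type the evaluation actually saw. It assumes the Microsoft.Graph modules are installed and that the signed-in account can be granted Policy.Read.All, AuditLog.Read.All and Directory.Read.All; the UPN at the bottom is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
# Added example, not from the original post. Assumes delegated read scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

function Get-SessionControlPolicies {
    # Every CA policy that enforces persistent browser and/or sign-in frequency,
    # with its device filter, so duplicates enforcing the same control stand out.
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.SessionControls.PersistentBrowser.IsEnabled -or
        $_.SessionControls.SignInFrequency.IsEnabled
    } | ForEach-Object {
        $sif = $_.SessionControls.SignInFrequency
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            State             = $_.State   # enabled / disabled / enabledForReportingButNotEnforced
            PersistentBrowser = $_.SessionControls.PersistentBrowser.Mode   # always / never
            SignInFrequency   = if ($sif.IsEnabled) { "$($sif.Value) $($sif.Type)" } else { $null }
            DeviceFilterMode  = $_.Conditions.Devices.DeviceFilter.Mode     # include / exclude / empty
            DeviceFilterRule  = $_.Conditions.Devices.DeviceFilter.Rule
            Id                = $_.Id
        }
    }
}

function Get-AppliedCaPolicies {
    # Same data as the Conditional Access tab of a sign-in event, one row per
    # (sign-in, policy), so a second policy firing the same control is visible.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Top = 5
    )
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top
    foreach ($s in $signIns) {
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            [pscustomobject]@{
                Time      = $s.CreatedDateTime
                App       = $s.AppDisplayName
                IP        = $s.IPAddress
                DeviceOS  = $s.DeviceDetail.OperatingSystem   # what the filter was evaluated against
                TrustType = $s.DeviceDetail.TrustType         # empty means no Entra device object
                Policy    = $p.DisplayName
                Result    = $p.Result                         # success / notApplied / reportOnly* ...
                Session   = ($p.EnforcedSessionControls -join ',')
            }
        }
    }
}

# Usage: policies grouped by the control they enforce, then the policies that
# actually fired on the last sign-ins of the affected user (placeholder UPN).
Get-SessionControlPolicies | Sort-Object PersistentBrowser, SignInFrequency | Format-Table -AutoSize
Get-AppliedCaPolicies -UserPrincipalName 'user@contoso.example' |
    Where-Object Result -eq 'success' | Format-Table -AutoSize
```

Two policies appearing in the first table with the same PersistentBrowser or SignInFrequency value but a different DeviceFilterRule, or one with no filter at all, is the duplicate situation described in this thread; the second table then shows which of them returned success for the session in question. An empty TrustType on a row is the unregistered-device case, where an Exclude filter built on positive operators does not keep the device out of scope.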
- heinzelrumpel (Brass Contributor)
Hi, the policy is applied even on Win11 devices that are hybrid joined.