Event banner
Event details
43 Comments
- Heather_Poulsen
Community Manager
- Will device type be added (ie laptop, desktop, vm)?
- Is there a way to reverse engineer and find what apps/policies/profiles are deployed to a group?
- You can accomplish this with PowerShell and the Graph module. There are scripts out there if you search for them, search for get-intunedevicecompliancepolicy. The one I found searched for ALL Apps, Compliance Policies, Configuration Profiles, and Admin Templates in ALL AAD groups. It does NOT find things like Baselines and Update Policies, but maybe that functionality has since been added. I modified the script I found into several other scripts targeting a single AAD group or single configuration object type.
- Please post links, thank you!
Pallavi_JoshiMicrosoft
Hi, sure here is the link to Filters document - https://learn.microsoft.com/mem/intune/fundamentals/filters and this article talks about Grouping and Targeting recommendations - https://techcommunity.microsoft.com/t5/intune-customer-success/intune-grouping-targeting-and-filtering-recommendations-for-best/ba-p/2983058
- Is there a way to prevent a local IT administrator who only manages a subset of the devices enrolled in Intune (based on scope tag) to add all devices/users available in AAD to a security group used in Intune? Similar to how limiting collections work in ConfigMgr.
- When can we have filter or dynamic rule to identify existing Hybrid AD Join PC (so we can exclude or include them for some assignment). We register all device for Autopilot so using Deployment Profile as the filter does not work because our Hybrid AD join device also has a deployment profile assigned. What is the workaround to have a dynamic group of just Hybrid AD Join device?
- Scott DuffeyYou can build a dynamic device group based on AAD Join type (TrustType). Check out the AAD doc on this here: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices Join type is also on our filters backlog.
- THANK YOU. The TrustType attribute for dynamic rule probably just gets added recently? We did not see that before but THANK YOU, I will give that a try
- I think they mentioned that a $null value was coming soon? And also something for Join type? I have been experimenting with this to accomplish a similar need " (device.enrollmentProfileName -eq " ") and (device.deviceOwnership -eq "Corporate")"
- Can you you have a group/filter of devices with a particular app installed?
- Scott DuffeyCurrently no. Not using filters. The list of filter properties is here: https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties That said, most customers asking for this can typically use other Intune features to meet requirements here, such as requirements rules for win32 apps on Windows.
- We would need that. Either by add/remove pgm or by exe
- Heather_Poulsen
We’ll continue to answer questions here in the chat for the rest of the half hour and we’ll check back throughout the week. For bonus content, make sure to check out our Technical Takeoff Demo Channel!
- When can we use filters when assigning Autopilot profiles?
- Scott DuffeyToday AP profiles are only assignable to groups of devices. Fine-grain filtering is usually already done in the AAD device group definition using things like AutoPilot group tags. For that reason, this workload isn't on any near-term roadmap but please do give us the feedback on that! We are always revising the roadmap based on customer feedback.
- You can use GroupTags for this. This is the best way. You can create dynamic groups based on GroupTags.
- I'm not convinced these groups update quickly enough. We have many machines that don't initially pick up the right AP profile, despite us using GroupTags and a dynamic group. Filters should help with this, no?
- What do you recommend for an isolation process to test a new Policy or Profile?
