Today, I am excited to announce the general availability of filters in Microsoft Endpoint Manager. In this blog post, I will highlight recently enabled enhancements as well as some of the feedback we heard since the public preview so you can learn about the most valuable scenarios directly from other customers.
To recap, filters can be used with apps, policies, and other Endpoint Manager workloads to achieve new granular targeting scenarios at lightning speed. Filters give IT admins more flexibility when managing a broad group of users, devices, and scenarios. Filters also help IT admins protect data within apps, simplify app deployments, and accelerate first-time device setup. Learning to use filters is easy; it has the same rule authoring interface as Azure Active Directory dynamic device groups and the new filters capability in Conditional Access.
When we first announced the public preview, the primary scenarios for using filters were:
- Applying Windows device restriction policy to just corporate (not personal) devices for users in a specific department such as Marketing.
- Deploying an iOS app to only iPads (not iPhones) for users in a single group, such as Finance.
- Defining a company-wide compliance policy for all Android mobile devices but excluding Android-based meeting room devices which require different compliance settings.
Since then, we have added support for even more scenarios, including:
- Deploying settings catalog profiles to only a subset of Windows or Mac devices (e.g., only applying to corporate devices or devices stamped with an "engineering" device category.)
- Managing Device Firmware Configuration Interface (DFCI) settings for specific Windows Autopilot devices, using naming conventions or operating system versions.
- Applying Enrollment Restrictions to users so they block enrollment of Windows 10 Home Edition devices or allow iPads to be enrolled via Apple's automated device enrollment.
- Customizing the Windows setup experience for users with the Enrollment Status Page, targeting a different experience for Windows 11 devices while keeping the existing page for Windows 10.
- Controlling the deployment of Windows update settings to ensure that update ring settings only apply to a user on corporate devices, not personal.
- Deploying script packages to a subset of Windows devices for proactive remediation, reducing support calls and improving security.
One of the best things about providing customers with a preview of our developing product capabilities is hearing feedback and using that feedback to guide our development plans. I wanted to share some highlights from the feedback so customers new to using filters in Endpoint Manager can discover where they might find the most value. Here's what some of our customers said:
- "We are using [this] to apply config to single-use devices without user affinity. We had previously looked to use a dynamic group but as membership updates could take several minutes, it left the device in a dangerous unconfigured state. The filters get around this issue."
- "For our use case, it helps with assigning to 'All Users' and only targeting corporate or BYOD. This also gives us the flexibility to scope available apps to personal/BYOD devices, which wasn't possible with device groups by using a user group and filtering for BYOD only."
- "HoloLens, Surface Hub, etc. are recognized by Intune as Windows devices. Device group management was essential to distinguish between these and regular Windows PCs in terms of policies and apps. However, if I use the filter function, I can deploy policies and apps according to the device type without specific device group management. This is a great feature that reduces administrative overhead."
We genuinely try to act on customer feedback to improve products. For example, we recently added a device preview capability that allows IT admins to preview the entire set of devices that will be included in a filter's scope. This greatly simplifies the IT admin's experience, reducing the time they need to spend on authoring rules, and assuring them that the targeting changes they plan to make will be risk-free in a production environment. Based on customer feedback, we added more filter objects and properties and are now allowing up to 200 filter objects per tenant that can then be re-used across as many assignments as needed.
Today is one milestone on our longer journey. We will continue to improve filters by supporting a larger set of workloads, including endpoint security and baselines, app configuration policies and web links, and further extending the list of filter properties and rules.
Thank you for the feedback to date, and please let us know how we can continue to improve filters.
Learn more about Microsoft Endpoint Manager:
- Return to the Microsoft Endpoint Manager blog home page.
- Join the conversation on Twitter at @MSIntune and LinkedIn.