First look at filters in Microsoft Endpoint Manager

Two weeks ago Microsoft announced a new feature in Endpoint Manager. Filters give IT admins the capability to create filters and apply them to policies and apps to determine which kinds of devices should receive that policy or app. You can read more about the announcement here https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/use-microsoft-endpoint-manager-filters-to-target-apps-and/ba-p/2333342 or watch the video from Scott Duffy below.

When I heard about this new feature I was really excited, because it solves a few different things that many admins have been struggling with for quite some time now. With Microsoft's push for "modern management" over the last couple of years, the user-centric approach really took off, whereas in the past it was all about the device for admins.

Admins in many organizations are still stuck with device collections as their main target for different deployments when using ConfigMgr. Though there are organizations that use user collections in ConfigMgr, it is far from common and comes with its own challenges.

When organizations start using Microsoft Intune it makes more sense to go for user assignments for many different reasons, not least that in the long run it is much easier and less work for an admin.

The problem in the past has been that when working with Intune we have to rely on Azure AD groups instead of collections in ConfigMgr. We could target applications and configurations to an AAD group that contains users, but if a user has both a personal and a corporate device, or logs on to a different computer once in a while, and that specific app or configuration was not intended for that machine, that is when you run into problems.

The solution for that was to create dynamic device groups in Azure AD and assign things to that group. But dynamic groups have shown themselves not to be very reliable in how fast they update. Maybe you are provisioning a new computer with Autopilot and Intune, and based on the enrollment profile that device should get added to group X and receive the assigned apps or configurations; the evaluation of that group sometimes took 5 minutes, 10 minutes, 2 hours? There is no official way of invoking an evaluation of an Azure AD group, and workarounds like creating runbooks in Azure to add a device to a specific group are no longer needed. A common misconception that pops up in different forums is that scope tags were a way to tag devices and essentially do what filters do, but that is not the case, and I have talked about that in a previous article here: https://timmyit.com/2019/07/22/demystifying-scope-tags-in-intune-part-1/

This brings me back to why I am so excited about this filter feature. It gives IT admins the capability we have been waiting for: target users for our assignments and then put filters on what kind of devices they should apply to. This removes the problem of waiting for an Azure AD group to update, since the evaluation of the assignment is now done directly on the device, and it should improve the time it takes for a policy or application to apply.

Examples

Here are a few example filters that I have been playing around with in my lab environment so far:

Name                               Rule
---------------------------------  ----------------------------------------------
AndroidEnterprise-Personal-Device  (device.deviceOwnership -eq "Personal")
W10-Autopilot-AAD-Devices          (device.enrollmentProfileName -eq "APAAD")
W10-Autopilot-HAADJ-Devices        (device.enrollmentProfileName -eq "APHAADJ")
W10-Lenovo-Devices                 (device.manufacturer -eq "Lenovo")
W10-Personal-Device                (device.deviceOwnership -eq "Personal")
iOS-ADE-Default                    (device.enrollmentProfileName -eq "Default")
iOS-Corporate-Device               (device.deviceOwnership -eq "Corporate")
iOS-Personal-Device                (device.deviceOwnership -eq "Personal")

You can mix and match the different rules to fit your needs. There are a few things on my wish list for the future, but that is probably something for another time.

Filters and Graph API

Last but not least, I can't look at a new feature in Intune without digging into the Microsoft Graph to see how we can automate things with the Intune PowerShell SDK.

GET all filters

From the portal you can easily see all your filters that you have created.

Let's do the same with Graph Explorer. Here's an example from the Graph Explorer where I'm just using the GET method with the following URL:

https://graph.microsoft.com/beta/deviceManagement/assignmentFilters

And if we are using the Intune PowerShell SDK it looks something like this:

# GET - List all filters (requires the Intune PowerShell SDK, Microsoft.Graph.Intune)
Connect-MSGraph -ForceInteractive

$tenant = "viacompany.onmicrosoft.com"   # tenant name, kept for reference; the request only needs the URL
$Resource = "deviceManagement/assignmentFilters"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"

# The response is an OData collection; the filters themselves are in .value
$Filters = Invoke-MSGraphRequest -HttpMethod GET -Url $uri
$Filters.value

Create a new filter

If we want to create a new filter using the Graph Explorer we need to change the method to POST and add the payload in the request body, where it needs to be in JSON format. Then we click "Run query" and we get a result back, "Created - 201", which is a successful response.

If we want to do the same with the Intune PowerShell SDK we can do it with the following script:

#POST - Create filter
Connect-MSGraph -ForceInteractive

$Resource = "deviceManagement/assignmentFilters"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"

$displayName = "Name Laptop"
$description = "This filter was created with the Intune Powershell SDK"
$platform = "Windows10AndLater"
# The rule contains double quotes, so they are escaped with \" to keep the JSON below valid
$rule = '(device.deviceName -startsWith \"LAPTOP-\")'

# Request body; roleScopeTags "0" is the built-in default scope tag
$JSON = @"
{
"displayName":"$($displayName)","description":"$($description)","platform":"$($platform)","rule":"$($rule)","roleScopeTags":["0"]
}
"@

Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content $JSON

Export filters

If we want to export all of our filters to a .json file we can do that by simply reusing our GET method, converting the result to JSON and saving it to a location.

#Export
Connect-MSGraph -ForceInteractive

$tenant = "viacompany.onmicrosoft.com"   # tenant name, kept for reference; the request only needs the URL
$Resource = "deviceManagement/assignmentFilters"
$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"

# -Depth is needed: the default depth of 2 truncates nested properties such as roleScopeTags
Invoke-MSGraphRequest -HttpMethod GET -Url $uri | ConvertTo-Json -Depth 10 | Out-File -FilePath C:\temp\Filter.json
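The natural counterpart to the export is an import, for example when rebuilding a lab tenant or copying filters between tenants. The following script is an added example and not part of the original post or the SDK; it reads the file produced by the export script above and creates each filter that does not already exist by displayName, so it is safe to run more than once. It assumes the Intune PowerShell SDK (Microsoft.Graph.Intune) is installed, that the export was written with enough depth, and that the filter objects carry the properties used in the create example (displayName, description, platform, rule, roleScopeTags).

```powershell
# Added example (not from the original post): re-import assignment filters
# from C:\temp\Filter.json, skipping any whose displayName already exists.
Connect-MSGraph -ForceInteractive

$graphApiVersion = "Beta"
$uri = "https://graph.microsoft.com/$graphApiVersion/deviceManagement/assignmentFilters"

# Fetch the filters that already exist in the tenant, keyed by displayName
$existing = (Invoke-MSGraphRequest -HttpMethod GET -Url $uri).value
$byName = @{}
foreach ($f in $existing) { $byName[$f.displayName] = $f }

# The export wrapped the whole GET response, so the filters live under .value
# (assumed layout; adjust if your export differs)
$import = Get-Content -Path C:\temp\Filter.json -Raw | ConvertFrom-Json
$created = 0
$skipped = 0

foreach ($filter in $import.value) {
    if ($byName.ContainsKey($filter.displayName)) {
        Write-Host "Skipping '$($filter.displayName)' (already exists)"
        $skipped++
        continue
    }
    # Send only the writable properties; server-generated ones such as id and
    # timestamps from the export are left out of the POST body
    $body = [ordered]@{
        displayName   = $filter.displayName
        description   = $filter.description
        platform      = $filter.platform
        rule          = $filter.rule
        roleScopeTags = @($filter.roleScopeTags)
    }
    # Fall back to the built-in default scope tag "0" if the export had none
    if (-not $body.roleScopeTags) { $body.roleScopeTags = @("0") }
    # ConvertTo-Json escapes the double quotes inside the rule for us
    $json = $body | ConvertTo-Json -Depth 5
    $result = Invoke-MSGraphRequest -HttpMethod POST -Url $uri -Content $json
    Write-Host "Created '$($result.displayName)' with id $($result.id)"
    $created++
}
Write-Host "Done: $created created, $skipped skipped"
```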

Final thoughts

I'm really excited about this feature. This is something we as IT admins working with Intune and Endpoint Manager have been waiting for for a long time. I'm also excited to see how organizations will start using this and how the community can share their experiences with it. Happy testing!

Don't forget to follow me on Twitter @timmyitdotcom

3 comments

  1. Thank you, very useful feature!
    Question: which Graph application permissions does it require to work? When scrolling down the API permissions list in the AAD management console, I didn't find a suitable one.
    Without it, my https Graph GET call returns 401/Unauthorized