Intune assignment filters let you refine policy and app assignments without creating dozens of separate Entra ID groups. Instead of making a group for every combination of OS version, manufacturer, or model, you assign to a broad group and use filters to target the exact devices you want. This guide covers creating filters, the filter syntax, and real-world examples.
How filters work
Filters are applied at assignment time. When Intune evaluates whether a policy applies to a device, it checks:
- Is the device (or user) in the assigned group? If no, policy does not apply.
- Does the device pass the filter rule? If no, policy does not apply.
- Both conditions met - policy applies.
Filters evaluate device properties from the Intune device record - not from the device itself, so they apply quickly without waiting for a check-in.
Create a filter
- Give the filter a descriptive name (e.g. Filter - Windows 11 Only)
- Select Platform: Windows 10 and later
- Write your filter rule using the rule editor
- Use Preview to test against your real devices before saving
Filter rule syntax
Filter rules use a simple property-operator-value syntax. Multiple conditions can be joined with and / or.
Useful filter examples
Target Windows 11 devices only
(osVersion -startswith "10.0.22")
Target a specific manufacturer
(manufacturer -eq "Dell Inc.")
Exclude virtual machines
(manufacturer -ne "VMware, Inc.") and (manufacturer -ne "Microsoft Corporation") and (model -ne "Virtual Machine")
Target devices by naming convention
(deviceName -startswith "KIOSK-")
Target specific Windows 10 build or later
(osVersion -ge "10.0.19045.0")
Include vs Exclude mode
When applying a filter to a group assignment, you choose:
- Include filtered devices in assignment - policy applies only to devices that match the filter
- Exclude filtered devices from assignment - policy applies to all devices in the group except those matching the filter
Use Exclude mode to deploy a policy to everyone except specific device types - for example, assign a strict security policy to All Devices but exclude kiosk devices using a filter.
Evaluate filters on a device
To see what filter values apply to a specific device:
This shows the current property values for that device and lets you test whether a specific filter would match it - useful for verifying a filter before assigning it to production policies.
Frequently Asked Questions
Assignment filters let you refine who or what a policy, app, or configuration profile applies to within a group assignment. Instead of creating separate groups for every policy variation, you assign to All Devices then filter by device properties like OS version, manufacturer, or device name pattern.
Filters support: OS version (osVersion), device name (deviceName), manufacturer (manufacturer), model (model), device category (deviceCategory), OS (operatingSystem), and enrollment profile name (enrollmentProfileName). You can combine multiple properties using AND/OR operators.
No. Filters work on top of group assignments - you still assign to a group, then apply a filter to include or exclude devices within that group. Think of filters as a dynamic refinement layer on top of static group membership.
Yes. Filters work with configuration profiles, compliance policies, app assignments, Endpoint Security policies, and Update rings. They do not currently support Enrollment restrictions or some legacy policy types.