In this post, you will how to create Windows 11 filter Rule in Intune. Let’s quickly look into possibilities of building Intune filter rule for Windows 11 PCs. You can also create different Azure AD dynamic device groups for Windows 10 and Windows. You can easily exclude Windows 11 PCs from deployments using the Intune filter rules.
The Intune filter rule based on Windows 11 PCs would help deploy relevant policies and apps. There could be many scenarios where you will have to exclude Windows 11 devices from some policies/applications. I prefer the filter rules method over to the Azure AD group segregation.
You can have a closer look at the preview version of Intune assignment filters and how to enable tenants. The filter rules are not supported with all the workflows with Intune while writing this post. However, I think you would filter out the main workflows like applications and policies, etc.
Windows 11 Filter Rule in Intune
Let’s create the Windows 11 filter rule in Intune or MEM admin center portal. The process of filter rule creation is similar to other workflows in Intune. The main difference comes when you build the logic for the Windows 11 filter rule.
NOTE! – I think Microsoft will soon change its platform option to include Windows 11 or rename it to Windows. I don’t know whether Microsoft is going to introduce Windows 11 as a new platform or not. We will wait and see.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Tenant administration > Filters.
- Click on + Create button to start the process.
- Enter the NAME of the Filter -> “Windows 365 Cloud PC” is the name I provided.
- Enter the description of the cloud PC filter policy as an optional setting.
- Select Windows 10 (weired – I know but this is what it’s for now) as platform from the drop-down list.
- Click on Next button to continue.
NOTE! – You don’t see a Filter node in the Tenant administration blade? Well, you might not have enabled the filter rule feature. You have to enable this feature before using it because it’s in public preview now.
Build Logic for Windows 11 Filter Rule
On the next page of the Intune filter rule for Windows 11 PCs, you can build the logic for identifying the Windows 11 devices from Intune. You will need to rely on the currently exposed drop-down list of device properties to build the logic. You will need to select the following property and value to create a Windows 11 filter rule using Intune (a.k.a MEM).
You can try the following details to create the Windows 11 filter rule using OS version details. I think all the Windows 11 versions will start with 10.0.2. Also, you can try to add additional validations like Operating System SKU if there is a requirement to do so.
- Property – osVersion
- Operator – StartsWith
- Value – 10.0.2
NOTE! – I don’t know whether there will be other types of Windows 11 Devices in your production tenants. For example Surface Studio, Devices in meeting rooms, Hololens? You will have to be careful whether these devices will be part of your filter rules or not.
(device.osVersion -startsWith "10.0.2")
You can also copy the above-mentioned filter logic query to filter Windows 11 PCs from wider deployments. You can click on the Next button to continue and select the Intune Scope tags if required. You can complete the filter rule creation process by clicking on the Next and Create buttons.
How to Use Windows 11 Filter Rule
Let’s look at the real-time use of the assignment filter rule during the assignment process flow. You can take the following scenario as an example to exclude Windows 11 devices.
- I have opened a setting catalog policy to change the timezone.
- The policy is deployed to all devices.
- I would like to exclude Windows 11 devices from this policy.
- Click on Edit option from assignments section.
- Click on Edit Filter option from Included Groups section.
You can now select either Include or Exclude Windows 11 devices from this policy. As mentioned before, I wanted to EXCLUDE Windows 11 devices from this policy.
- Click on Exclude filtered devices in assignment from Filters blade.
- Select the Windows 11 Devices filter rule from the below list of rules.
- Click on Select & Review + Save button to complete assignment of filter rule.
Ensure that filter and filter modes are correctly assigned to exclude Windows 11 devices from this settings catalog policy.
There is a lot of troubleshooting options available for filter rules. I have documented one of them -> Intune Filter Evaluation Report Options for Troubleshooting.
Ideally, the Time Zone policy should NOT get installed on Windows 11 PCs because we have excluded it using the filter rules. The same can be confirmed from Mode = Exclude & Evaluation Result = Match from the Evaluation Result column.
- The filter rule is checking whether the OS version of Windows PC starts with 10.0.2 or not.
- If the OS version start with Windows 11, then the Time zone policy won’t get deployed to those devices.
You can also check more details from the filter details and Properties used for evaluation.
- You can check the filter details
- Rule Syntax -> (device.osVersion -startsWith “10.0.2”)
- Platform -> Windows 10.
- Last modified – date & time.
- Propoerties used for evaluation is OSVersion = 10.0.22000.132.
You can also check the same results from the settings catalog policy (Device configuration profile – Settings Catalog) results.
- Open the Device configuration profile – Settings Catalog – policy.
- Click on View Reports button from Device Status section of settings catalog policy.
About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.