Let’s learn to create assignment filters for Azure Virtual Desktop (a.k.a AVD – previously known as WVD). This is MEM Intune way of delivering the user policies only to single session Azure VMs using filters. Scott Duffey, Microsoft PM, sent me a note on Twitter about the use of assignment filters.
“Don’t forget – If you want to do user targeting of Intune policies but only have it apply when they are on Azure Virtual Desktops, you can use Filters for that.”Scott Duffey
We have a post where we use Intune filters to target apps policies only to Windows 10 Multi-session VMs. If you are looking for more details like How to Use Filters for App Policy and Profile Deployments, here is the post you can go through Use Filters For Assigning Apps Policies And Profiles In Intune Portal | Endpoint Manager.
I see filters similar to Configuration Manager dynamic collections rather than fully rely on Azure Active Directory for assignment logic. For some scenarios, it’s better not to use Azure AD Dynamic device groups.
NOTE! – The SLA for Azure AD dynamic group update is 24 hours! So, is it better to rely on filters?
Create Assignment Filters for Azure Virtual Desktop Single Session
We can use the MEM Intune filter within Microsoft Endpoint Manager (a.k.a MEM) to cater to Azure Virtual Desktop Single Session Windows 10.
NOTE! – Since Intune filters are in public preview, you need to Enable Filters Public Preview option from Tenant administration > Filters (preview) > Try out the filters (preview) feature.
- Sign in to the Microsoft Endpoint Manager admin center with appropriate access rights.
- Go to Tenant administration node.
- Click on Filters and then click on Create.
You can more details about Intune role-based access controls from the following article – https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control.
Now, you can head into Microsoft Endpoint Manager Intune Filter creation work flow. Let’s have a look how to create Intune filters using the following workflow.
- From the Basics page in the filter workflow:
- Enter the MEM Intune Filter name: Windows 10 Single Session.
- Enter the Description: Azure VM Single session persistent VMs based on the display name.
- Select the platform – Windows 10.
Click on the NEXT button to continue to the next page, where we define rules of Intune filters to find out Azure Virtual Desktop (AVD/WVD) single session Windows 10 VM based on the display name.
Create Filter Rules – Azure Virtual Desktop Single Session Windows 10
Let’s create the filter rules; you can use the rule builder or rule syntax text box to create or edit the filtering rule. Let’s go into the configuration of rules for Windows 10 single session VMs.
NOTE! – You need to carefully select the filter rules. As you know, WVD Windows 10 single session SKU is similar to the Windows 10 laptop/desktop/Hyper-V devices. We don’t have any “special SKU” for this type of Windows 10.
I plan to use hostname (MEM world. It’s called devicename) to find out the filtering rule using filter rule builder. Hover over the properties column so that you get an option to select Azure Virtual Desktop VMs based on naming standards AVD (a.k.a WVD) VMs.
- First, You have to select deviceName property from the Property drop-down as shown in the following screenshot.
From the operator column, you can select the option names “StartWith” to select the hostname/devicename of Azure Virtual Desktop (a.k.a AVD/WVD) session hosts.
The device name of my Azure Virtual Desktop Windows 10 single session VM starts with “namaste”.
- In the value column, you can enter the device name “Namaste” as shown in the below screenshot.
- Click on NEXT button to continue.
Select the scope tags for Virtual Desktop management if you have different admins handling virtual desktop-related policies in Microsoft Endpoint Manager (MEM) Intune.
Intune Filter Syntax
The following is the filter query to helps to filter the assignments based on the device name. This would be useful if you are deploying the policy to all the users, and you want to get the policy deployed only to the users who use Azure Virtual Desktop single session VMs.
(device.deviceName -startsWith "Namaste")
Click on Create button to complete the process of MEM Intune filter creation.
Use Filter in Intune Assignments
Scenario – When you are deploying a policy to all the users, you want to get the policy deployed only to the users who use Azure Virtual Desktop single session VMs.
How can we achieve the above-mentioned scenario with Intune filter rule in the assignment workplace?
You can refer to our previous blog post to select the assignment filters from the Intune assignment workflow. Refer to Use Filters For Assigning Apps Policies And Profiles In Intune Portal | Endpoint Manager.
- Click on Edit Filter hyper-link.
Select the options to apply a filter to include certain devices ( in this AVD/WVD session hosts) from this assignment.
- You can see the filter that you created above section when you click on Include filtered devices in the assignment option.
- Click on the Windows 10 Single Session filter.
- Click on the select button to continue.
Make sure filter mode is Include, and you have selected the correct filter to identify single session Windows 10 Azure Virtual Desktop VMs based on the device name.
Click on Review + Save button to save the configuration/assignment.
Now, let’s look into the results of the scenario explained above. You can check the reports from a particular configuration profile (administrative template) – Device Status tab. This administrative template policy is deployed to all the users.
- Not Applicable means these are physical devices excluded because we are deploying this policy to users ONLY when they use WVD/AVD single session AVD VMs.
- Succeeded means these are Azure Virtual Desktop VMs. The policy is deployed ONLY when the user is going into Windows 10 single session VM.
- Use filters (preview) when assigning your apps, policies, and profiles in Microsoft Endpoint Manager
- How to Locate Device with Intune | Endpoint Manager