Let’s learn to create assignment filters for Azure Virtual Desktop (a.k.a AVD—previously known as WVD). MEM Intune uses filters to deliver user policies only to single-session Azure VMs. Scott Duffey, Microsoft PM, sent me a Twitter note about using assignment filters.
“Don’t forget – If you want to do user targeting of Intune policies but only have it apply when they are on Azure Virtual Desktops, you can use Filters for that.”
Scott Duffey
We have a post where we use Intune filters to target app policies only to Windows 10 Multi-session VMs. If you want more details, like How to Use Filters for App Policy and Profile Deployments, here is the post you can go through: Use Filters For Assigning Apps Policies And Profiles In Intune Portal | Endpoint Manager.
I see filters similar to Configuration Manager dynamic collections rather than fully relying on Azure Active Directory for assignment logic. For some scenarios, it’s better not to use Azure AD Dynamic device groups.
NOTE! – The SLA for Azure AD dynamic group update is 24 hours! So, is it better to rely on filters?
Create Assignment Filters for Azure Virtual Desktop Single Session
We can use the MEM Intune filter within Microsoft Endpoint Manager (a.k.a MEM) to cater to Azure Virtual Desktop Single Session Windows 10.
NOTE! – Since Intune filters are in public preview, you need to enable the Filters Public Preview option from Tenant administration > Filters (preview) > Try out the filters (preview) feature.
- Sign in to the Microsoft Endpoint Manager admin center with appropriate access rights.
- Go to the Tenant administration node.
- Click on Filters and then click on Create.
You can find more details about Intune role-based access controls in the following article: https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control.
Now, you can head into the Microsoft Endpoint Manager Intune Filter creation workflow. Let’s look at how to create Intune filters using the following workflow.
- From the Basics page in the filter workflow:
- Enter the MEM Intune Filter name: Windows 10 Single Session.
- Enter the description of Azure VM Single-session persistent VMs based on the display name.
- Select the platform – Windows 10.
Click on the NEXT button to continue to the next page, where we define the rules of Intune filters to find Azure Virtual Desktop (AVD/WVD) single session Windows 10 VM based on the display name.
Create Filter Rules – Azure Virtual Desktop Single Session Windows 10
Let’s create the filter rules; you can use the rule builder or rule syntax text box to create or edit the filtering rule. Let’s go into the configuration of rules for Windows 10 single-session VMs.
NOTE: You need to carefully select the filter rules. As you know, WVD Windows 10 single session SKU is similar to the Windows 10 laptop/desktop/Hyper-V devices. We don’t have any “special SKU” for this type of Windows 10.
I plan to use the hostname (in the MEM world, it's called deviceName) to build the filtering rule with the filter rule builder. Hover over the Property column to get the option that lets you select Azure Virtual Desktop (a.k.a WVD) VMs based on their naming standard.
- First, select the deviceName property from the Property drop-down, as shown in the following screenshot.
You can select the "StartsWith" option from the Operator column to match the hostname/deviceName of Azure Virtual Desktop (a.k.a AVD/WVD) session hosts.
The device name of my Azure Virtual Desktop Windows 10 single session VM starts with “namaste”.
- In the value column, you can enter the device name “Namaste,” as shown in the screenshot below.
- Click on the NEXT button to continue.
If you have different admins handling virtual desktop-related policies in Microsoft Endpoint Manager (MEM) Intune, select the scope tags for virtual desktop management.
Intune Filter Syntax
The following is the filter query to help filter the assignments based on the device name. This would be useful if you are deploying the policy to all users and want to deploy it only to those who use Azure Virtual Desktop single-session VMs.
(device.deviceName -startsWith "Namaste")
Click on the Create button to complete the MEM Intune filter creation process.
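A pre-assignment check for the rule above, added here as an example (not part of the original post and not a Microsoft tool): it replays the deviceName prefix rule over a device list and flags matches that are not VMs, because any enrolled Windows 10 device whose name starts with the prefix satisfies the filter. The inventory rows, column names, function names, the "Virtual Machine" model string and the case-insensitive comparison are assumptions.

```powershell
# Constructed sample inventory (not from a real tenant); column names are assumptions.
$inventory = @'
DeviceName,Model,PrimaryUser
NAMASTE-0,Virtual Machine,user1@contoso.example
namaste-1,Virtual Machine,user2@contoso.example
NamasteLaptop7,Latitude 7420,user3@contoso.example
DESKTOP-A1B2C3,Virtual Machine,user4@contoso.example
LAPTOP-Q9X8,Surface Laptop 4,user1@contoso.example
'@ | ConvertFrom-Csv

function Test-DeviceNamePrefix {
    # Mirrors (device.deviceName -startsWith "<Prefix>").
    # Assumption: the comparison ignores case ("namaste" hosts, "Namaste" rule value).
    param([Parameter(Mandatory)][string]$DeviceName, [Parameter(Mandatory)][string]$Prefix)
    return $DeviceName.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-FilterPreview {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][string]$Prefix,
        [string]$ExpectedModel = 'Virtual Machine'  # assumption: model reported by session hosts
    )
    foreach ($d in $Devices) {
        $nameHit = Test-DeviceNamePrefix -DeviceName $d.DeviceName -Prefix $Prefix
        $isVm    = $d.Model -eq $ExpectedModel
        if ($nameHit -and $isVm) {
            $outcome = 'Included: session host'
        } elseif ($nameHit) {
            $outcome = 'Included: REVIEW, name matches but not a VM'
        } elseif ($isVm) {
            $outcome = 'Excluded: VM outside the naming standard'
        } else {
            $outcome = 'Excluded'
        }
        [pscustomobject]@{ DeviceName = $d.DeviceName; Model = $d.Model; Outcome = $outcome }
    }
}

Get-FilterPreview -Devices $inventory -Prefix 'Namaste' | Format-Table -AutoSize
```

In the constructed data, NamasteLaptop7 is flagged for review: it is a physical laptop that would receive the user-targeted policy because its name happens to share the prefix.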
Use Filter in Intune Assignments
Scenario: When you deploy a policy to all users, you want to deploy it only to the users who use Azure Virtual Desktop single session VMs.
How can we achieve the above scenario with the Intune filter rule in the assignment workflow?
To select the assignment filters from the Intune assignment workflow, refer to our previous blog post, Use Filters For Assigning Apps Policies And Profiles In Intune Portal | Endpoint Manager.
- Click on the Edit Filter hyperlink.
Select the option to apply a filter that includes certain devices (in this case, AVD/WVD session hosts) in this assignment.
- You can see the filter you created above when you click on the Include filtered devices in the assignment option.
- Click on the Windows 10 Single Session filter.
- Click on the select button to continue.
Make sure the filter mode is set to Include and that you have selected the correct filter to identify single-session Windows 10 Azure Virtual Desktop VMs based on the device name.
Click on the Review + Save button to save the configuration/assignment.
Results
Now, let’s look into the results of the scenario explained above. You can check the reports from a particular configuration profile (administrative template): the device Status tab. This administrative template policy is deployed to all users.
- Not Applicable means these physical devices are excluded because we are deploying this policy to users ONLY when they use AVD/WVD single-session VMs.
- Succeeded means these are Azure Virtual Desktop VMs. The policy is deployed ONLY when the user enters a Windows 10 single-session VM.
Resources
- Use filters (preview) when assigning your apps, policies, and profiles in Microsoft Endpoint Manager https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters
- How to Locate Device with Intune | Endpoint Manager
Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.