Applicability Rule: Gone but still there

With the introduction of assignment filters, the value of applicability rules has diminished. With applicability rules you could define on which OS versions a configuration profile should apply. Unfortunately, the ability to configure or delete applicability rules from the console has also been removed for some configuration profile types. It is to be expected that this will happen piece by piece for further types as well. In this blog post I want to show you how you can easily remove all applicability rules and switch to filters as soon as possible.

Find the needle in the haystack

Due to the above-mentioned change, certain profile types no longer offer the option to configure applicability rules in the console. That makes it really hard to find the root cause when a configuration profile assignment is reported as not applicable.

If you look at such a profile via Graph you can see that there is an applicability rule attached to it. This can lead to confusion and long troubleshooting to find the root cause why a profile does not work on a device.

With assignment filters you can do everything an applicability rule does, plus much more, including more complex conditions. In one of my blog posts I explained how to work with assignment filters.
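To see which profiles still carry a rule before changing anything, the read-only audit below lists every applicability rule per profile. It is an added example, not the script from this post. It assumes the Graph beta `deviceConfiguration` resource exposes the rule in the three `deviceManagementApplicabilityRule*` properties; the helper names and the sample profiles are made up for illustration.

```powershell
# Added example: read-only audit, changes nothing in the tenant.
# Assumption: Graph beta deviceConfiguration carries the rule in these properties.
$RuleProperties = @(
    'deviceManagementApplicabilityRuleOsEdition',
    'deviceManagementApplicabilityRuleOsVersion',
    'deviceManagementApplicabilityRuleDeviceMode'
)

function Get-ApplicabilityRuleFinding {
    # Hypothetical helper: emits one row per rule found on the supplied profiles.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Configuration)
    foreach ($p in $Configuration) {
        foreach ($name in $RuleProperties) {
            $rule = $p[$name]
            if ($null -eq $rule) { continue }   # no rule of this kind on the profile
            [pscustomobject]@{
                ProfileId   = $p['id']
                DisplayName = $p['displayName']
                RuleKind    = $name -replace '^deviceManagementApplicabilityRule', ''
                RuleType    = $rule['ruleType']   # include or exclude
                Detail      = ($rule | ConvertTo-Json -Compress)
            }
        }
    }
}

function Get-AllDeviceConfiguration {
    # Hypothetical helper for the live query. Requires a prior
    # Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page['value']                      # emit this page of profiles
        $uri = $page['@odata.nextLink']     # $null on the last page
    }
}

# Constructed sample profiles so the report logic can be tried offline.
$sample = @(
    @{ id = '00000000-0000-0000-0000-000000000001'; displayName = 'Constructed: Win10 restrictions'
       deviceManagementApplicabilityRuleOsVersion = @{
           ruleType = 'include'; minOSVersion = '10.0.19041'; maxOSVersion = '10.0.19044' } },
    @{ id = '00000000-0000-0000-0000-000000000002'; displayName = 'Constructed: no rule' }
)
Get-ApplicabilityRuleFinding -Configuration $sample | Format-Table -AutoSize

# Against the tenant:
# Get-ApplicabilityRuleFinding -Configuration (Get-AllDeviceConfiguration) | Export-Csv rules.csv -NoTypeInformation
```

Keeping the exported report gives you a record of which rule each profile had, which helps when you rebuild the same condition as an assignment filter.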

Remove all applicability rules

To make it easier to switch from applicability rules to assignment filters, or to delete an applicability rule that you can’t delete via the UI, I wrote a script. It goes through all configuration profiles and removes the applicability rule from every profile that still has one attached. In the output you can see which profiles were adjusted, and you can then check whether you still need each one or whether you want to attach a filter to its assignment.

What you have to do:

  • Download the script from my GitHub repository
  • Check if you want to delete all or only specific ones. The script is written to delete all, but if you want only specific ones you can add the following line:
....
Get-MgDeviceManagementDeviceConfiguration | ForEach-Object {
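   # Skip every profile except the named one. Inside ForEach-Object use return:
   # continue would end the whole pipeline instead of moving on to the next profile.
   if ($_.DisplayName -ne "name of the profile") { return }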
....

Conclusion

I hope I could help you with this blog post to shorten the troubleshooting time for profiles that are not applied for some reason, or could help you to get away from applicability rules and switch to the much more powerful filters. If you have the need to automatically create and apply a filter to all existing assignments, let me know and I will be happy to add this to the script.

Stay healthy, Cheers
Jannik

Update 02.08.2022

You can also download my script from the PowerShell Gallery:

Install-Script -Name Remove-ApplicabilityRule