Applicability Rule: Gone but still there

With the introduction of assignment filters, the value of applicability rules has diminished. With applicability rules you could define on which OS versions a configuration profile should work. Unfortunately, the ability to configure or delete applicability rules from the console has also been removed for some configuration profile types. It is to be expected that the same will happen piece by piece for further types. In this blog post I want to show you how you can easily remove all applicability rules and switch to filters as soon as possible.

Find the needle in the haystack

Due to the above-mentioned change, certain profile types may no longer offer the option to configure applicability rules via the console. This makes it really hard to find the root cause when the assignment of a configuration profile reports as not applicable.

If you look at such a profile via Graph, you can see that there is an applicability rule attached to it. This can lead to confusion and lengthy troubleshooting to find out why a profile does not work on a device. For background on the device configuration objects involved, see the official Microsoft Learn documentation.

Why does this matter in day-to-day operations? When a profile silently fails to apply, the admin center rarely tells you that an applicability rule is the culprit. You see a device that is targeted but never reports the setting, and the assignment looks perfectly healthy. Without checking the underlying object through Graph, you can spend hours validating group membership, sync status and Autopilot enrollment before you even consider the applicability rule as the cause.

Assignment filters can do everything an applicability rule can, and they support much more complex conditions. In one of my blog posts I explained how to work with assignment filters.

Remove all applicability rules

To make it easier to switch from applicability rules to assignment filters, or to delete an applicability rule that you can’t delete via the UI, I wrote a script. It goes through all configuration profiles and removes the applicability rule from every profile that still has one attached. In the output you can see which profiles were adjusted, and you can then check whether you still need each one or whether you want to attach a filter to its assignment.

What you have to do:

  • Download the script from my GitHub repository
  • Check if you want to delete all or only specific ones. The script is written to delete all, but if you want only specific ones you can add the following line:
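....
Get-MgDeviceManagementDeviceConfiguration | ForEach-Object {
   # Skip every profile except the named one. Inside ForEach-Object, use return
   # to move on to the next item; continue would stop the whole pipeline.
   if ($_.DisplayName -ne "name of the profile") { return }
....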

A practical tip before you run this against a production tenant: start in a test or pilot environment, or at the very least scope the run to a single profile using the line above. Removing an applicability rule changes how a profile evaluates targeting, so you want to confirm the expected behaviour on a known device first. It is also a good idea to export your current profiles beforehand, so you have a record of which rules existed in case you need to recreate the same logic as a filter.

A common pitfall is assuming that deleting the applicability rule automatically replaces it with an equivalent filter. It does not. The script only removes the rule; you still need to create an assignment filter that mirrors the OS version logic you relied on and attach it to the relevant assignments. Plan that mapping first, otherwise a profile that previously targeted only Windows 11 may suddenly apply to every supported version.
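
As an added example (not part of the author's script): a read-only inventory of the applicability rules still attached to profiles, which gives you the record recommended above and the input for planning the filter mapping. It assumes the Microsoft.Graph.Authentication module and the applicability-rule property names of the Graph beta deviceConfiguration resource; the function names, sample data and CSV file name are made up for illustration.

```powershell
# Added example: read-only, nothing in the tenant is modified.
# Applicability-rule properties of the Graph beta deviceConfiguration resource.
$RuleProperties = 'deviceManagementApplicabilityRuleOsEdition',
                  'deviceManagementApplicabilityRuleOsVersion',
                  'deviceManagementApplicabilityRuleDeviceMode'

function Get-AllDeviceConfiguration {
    # Pages through every configuration profile (hypothetical helper name).
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
}

function Select-ApplicabilityRule {
    # Emits one row per applicability rule found on the profiles piped in.
    param([Parameter(ValueFromPipeline)] $Configuration)
    process {
        foreach ($name in $RuleProperties) {
            $rule = $Configuration.$name
            if ($null -eq $rule) { continue }   # valid here: foreach statement, not ForEach-Object
            [pscustomobject]@{
                ProfileId   = $Configuration.id
                DisplayName = $Configuration.displayName
                RuleKind    = $name
                Rule        = $rule | ConvertTo-Json -Compress
            }
        }
    }
}

# Constructed sample data (not from a real tenant) so the logic can be tried offline.
$sample = @'
[ { "id": "00000000-0000-0000-0000-000000000001", "displayName": "Sample profile A",
    "deviceManagementApplicabilityRuleOsVersion":
      { "minOSVersion": "10.0.22000", "maxOSVersion": null, "name": null, "ruleType": "include" } },
  { "id": "00000000-0000-0000-0000-000000000002", "displayName": "Sample profile B",
    "deviceManagementApplicabilityRuleOsVersion": null } ]
'@ | ConvertFrom-Json
$sample | Select-ApplicabilityRule | Format-List   # lists only "Sample profile A"

# Against a tenant: export the rules before removing them (file name is an assumption).
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
# Get-AllDeviceConfiguration | Select-ApplicabilityRule |
#     Export-Csv -Path .\applicability-rules-backup.csv -NoTypeInformation
```

The Rule column keeps each rule as JSON, so the OS version or edition logic can be copied into the matching assignment filter later.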

Conclusion

I hope I could help you with this blog post to shorten the troubleshooting time for profiles that are not applied for some reason, or could help you to get away from applicability rules and switch to the much more powerful filters. If you have the need to automatically create and apply a filter to all existing assignments, let me know and I will be happy to add this to the script.

Stay healthy, Cheers
Jannik

Update 02.08.2022

You can also download my script from the PowerShell Gallery:

Install-Script -Name Remove-ApplicabilityRule