In one of my posts I have explained how you can create and apply assignment filters. It is a very powerful feature to refine the assignment of a group. For example, you can assign a config profile to all devices and apply a filter to deploy the config profile only on Windows 11 devices within the group. To make it easier for you to start with filters I wrote a script which creates a default set of filters.
How to deploy a default set on filter
The script creates the following filters:
- Ownership filter for Personal and Corporate devices
- Enrollment profile: Reads all enrollment profiles and creates a filter for each of them
- Operating System, SKU: Filters are created for the following SKUs: Education, Enterprise, IoTEnterprise, Professional, Holographic
- Operating System Version: Filters are created for Windows 8.1, 10 and 11
- Device category: Filters are created for each device category in your tenant
If you don’t need a category, you can comment out this line in the script.
- Download the script from my GitHub repository or copy the code
<#
Version: 1.0
Author: Jannik Reinhard (jannikreinhard.com)
Script: Deploy-DefaultFilter
Description:
Default set on intune filteer
Release notes:
Version 1.0: Init
#>
function Get-GraphAuthentication{
try {
Import-Module Microsoft.Graph.DeviceManagement
} catch {
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.DeviceManagement
}
try {
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"
} catch {
Write-Error "Failed to connect to MgGraph"
}
Select-MgProfile -Name "beta"
}
function Add-IntuneFilter{
param (
[parameter(Mandatory=$true)]$Name,
[parameter(Mandatory=$true)]$Platform,
[parameter(Mandatory=$true)]$Description,
[parameter(Mandatory=$true)]$Rule
)
Get-MgDeviceManagementAssignmentFilter -Search $Name | ForEach-Object {
Remove-MgDeviceManagementAssignmentFilter -DeviceAndAppManagementAssignmentFilterId $_.Id
}
$params = @{
DisplayName = $filterPreFix + $Name
Description = $Description
Platform = $Platform
Rule = $Rule
RoleScopeTags = @()
}
New-MgDeviceManagementAssignmentFilter -BodyParameter $params
}
#########################################################################################################
############################################ Start ######################################################
#########################################################################################################
$global:filterPreFix = "MDM"
Get-GraphAuthentication
###### Windows 10 ######
# Ownership
Add-IntuneFilter -Name "AllPersonalDevices" -Platform "Windows10AndLater" -Description "All personal W10 and later devices" -Rule '(device.deviceOwnership -eq "Personal")'
Add-IntuneFilter -Name "AllCorporateDevices" -Platform "Windows10AndLater" -Description "All corporate W10 and later devices" -Rule '(device.deviceOwnership -eq "Corporate")'
# Enrollment Profile
Get-MgDeviceManagementWindowAutopilotDeploymentProfile | ForEach-Object {
Add-IntuneFilter -Name ("Enrollment"+($($_.DisplayName).Trim())) -Platform "Windows10AndLater" -Description ("All devcies with enrollment profile"+($($_.DisplayName).Trim())) -Rule ('(device.enrollmentProfileName -eq "'+$($_.DisplayName)+'")' )
}
# Operating System SKU
$sku = @("Education", "Enterprise", "IoTEnterprise", "Professional", "Holographic")
$sku | ForEach-Object {
Add-IntuneFilter -Name "AllSku$_" -Platform "Windows10AndLater" -Description "All devices with SKU $_" -Rule ('(device.operatingSystemSKU -eq "'+$_+'")')
}
# Operating System Version
Add-IntuneFilter -Name "AllWindows11" -Platform "Windows10AndLater" -Description "All Windows 11 devices" -Rule '(device.osVersion -startsWith "10.0.22")'
Add-IntuneFilter -Name "AllWindows10" -Platform "Windows10AndLater" -Description "All Windows 10 devices" -Rule '(device.osVersion -startsWith "10.0.1")'
Add-IntuneFilter -Name "AllWindows8.1" -Platform "Windows10AndLater" -Description "All Windows 8.1 devices" -Rule '(device.osVersion -startsWith "6.3")'
# Device Category
Get-MgDeviceManagementDeviceCategory | ForEach-Object {
Add-IntuneFilter -Name ("Category"+($($_.DisplayName).Trim())) -Description ("All device with category "+($($_.DisplayName).Trim())) -Platform "Windows10AndLater" -Rule ('(device.deviceCategory -eq "'+$($_.DisplayName)+'")' )
}
# Model
Add-IntuneFilter -Name "AllCloudPCs" -Platform "Windows10AndLater" -Description "All Microsoft365 devices" -Rule '(device.model -contains "CloudPC") or (device.model -contains "Cloud PC")'
- Execute the script
- Open the Intune admin center
- Navigate to Tenant admin > Filters
- Check your filters
Conclusion
I hope this script helped you to get started with assignment filters. The script creates a default set with which you can fulfill many requirements. Of course, this will not meet all requirements, but it is really easy to create new filters or extend existing ones.
Stay healthy, Cheers
Jannik
Update 02.08.2022
You can also download my script from the PowerShell Gallery:
Install-Script -Name Deploy-DefaultFilter
What PowerShell module or modules does this script require?
Only the Microsoft.Graph.DeviceManagement is required
Thanks! I just ended up installing the Microsoft.Graph package as I realized I didn’t have any of it installed.
Had some issues with the script and I’m not sure if it was just how my system was configured but the scopes in the connect statement were not working. What worked for me was:
Connect-MgGraph -Scopes “DeviceManagementConfiguration.Read.All”,”DeviceManagementConfiguration.ReadWrite.All”,”DeviceManagementManagedDevices.Read.All”,”DeviceManagementManagedDevices.ReadWrite.All”