In one of my posts I explained how you can create and apply assignment filters. They are a very powerful feature to refine the assignment to a group. For example, you can assign a config profile to all devices and apply a filter so that the config profile is applied only to the Windows 11 devices within the group. To make it easier for you to start with filters, I wrote a script which creates a default set of filters.

How to deploy a default set of filters
The script creates the following filters:
- Ownership filter for Personal and Corporate devices
- Enrollment profile: Read out all enrollment profiles and create a filter for each of them
- Operating System, SKU: Filters are created for the following SKUs: Education, Enterprise, IoTEnterprise, Professional, Holographic
- Operating System Version: Filters are created for Windows 8.1, 10 and 11
- Device category: Filters are created for each device category in your tenant
If you don’t need a category, you can comment out the corresponding line in the script
- Download the script from my GitHub repository or copy the code
<#
Version: 1.0
Author: Jannik Reinhard (jannikreinhard.com)
Script: Deploy-DefaultFilter
Description:
Default set of Intune filters
Release notes:
Version 1.0: Init
#>
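function Get-GraphAuthentication{
    try {
        # -ErrorAction Stop turns a missing module into a terminating error so the catch block runs
        Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
    } catch {
        Install-Module Microsoft.Graph -Scope CurrentUser
        Import-Module Microsoft.Graph.DeviceManagement
    }
    try {
        # Filters are created and deleted (DeviceManagementConfiguration.ReadWrite.All);
        # Autopilot profiles and device categories are only read
        Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","DeviceManagementServiceConfig.Read.All","DeviceManagementManagedDevices.Read.All" -ErrorAction Stop
    } catch {
        # Stop here instead of continuing without a Graph session
        throw "Failed to connect to MgGraph: $_"
    }
    # Select-MgProfile is part of version 1 of the Microsoft Graph PowerShell SDK
    Select-MgProfile -Name "beta"
}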
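function Add-IntuneFilter{
    param (
        [parameter(Mandatory=$true)]$Name,
        [parameter(Mandatory=$true)]$Platform,
        [parameter(Mandatory=$true)]$Description,
        [parameter(Mandatory=$true)]$Rule
    )
    # Display name of the filter, including the prefix set in the Start section
    $displayName = $filterPreFix + $Name
    # Remove only a filter with exactly this display name, so that re-running the
    # script replaces its own filters and leaves all other filters untouched
    Get-MgDeviceManagementAssignmentFilter -All | Where-Object { $_.DisplayName -eq $displayName } | ForEach-Object {
        Remove-MgDeviceManagementAssignmentFilter -DeviceAndAppManagementAssignmentFilterId $_.Id
    }
    $params = @{
        DisplayName = $displayName
        Description = $Description
        Platform = $Platform
        Rule = $Rule
        RoleScopeTags = @()
    }
    New-MgDeviceManagementAssignmentFilter -BodyParameter $params
}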
#########################################################################################################
############################################ Start ######################################################
#########################################################################################################
$global:filterPreFix = "MDM"
Get-GraphAuthentication
###### Windows 10 ######
# Ownership
Add-IntuneFilter -Name "AllPersonalDevices" -Platform "Windows10AndLater" -Description "All personal W10 and later devices" -Rule '(device.deviceOwnership -eq "Personal")'
Add-IntuneFilter -Name "AllCorporateDevices" -Platform "Windows10AndLater" -Description "All corporate W10 and later devices" -Rule '(device.deviceOwnership -eq "Corporate")'
# Enrollment Profile
Get-MgDeviceManagementWindowAutopilotDeploymentProfile | ForEach-Object {
    Add-IntuneFilter -Name ("Enrollment"+($($_.DisplayName).Trim())) -Platform "Windows10AndLater" -Description ("All devices with enrollment profile "+($($_.DisplayName).Trim())) -Rule ('(device.enrollmentProfileName -eq "'+$($_.DisplayName)+'")' )
}
# Operating System SKU
$sku = @("Education", "Enterprise", "IoTEnterprise", "Professional", "Holographic")
$sku | ForEach-Object {
    Add-IntuneFilter -Name "AllSku$_" -Platform "Windows10AndLater" -Description "All devices with SKU $_" -Rule ('(device.operatingSystemSKU -eq "'+$_+'")')
}
# Operating System Version
Add-IntuneFilter -Name "AllWindows11" -Platform "Windows10AndLater" -Description "All Windows 11 devices" -Rule '(device.osVersion -startsWith "10.0.22")'
Add-IntuneFilter -Name "AllWindows10" -Platform "Windows10AndLater" -Description "All Windows 10 devices" -Rule '(device.osVersion -startsWith "10.0.1")'
Add-IntuneFilter -Name "AllWindows8.1" -Platform "Windows10AndLater" -Description "All Windows 8.1 devices" -Rule '(device.osVersion -startsWith "6.3")'
# Device Category
Get-MgDeviceManagementDeviceCategory | ForEach-Object {
    Add-IntuneFilter -Name ("Category"+($($_.DisplayName).Trim())) -Description ("All devices with category "+($($_.DisplayName).Trim())) -Platform "Windows10AndLater" -Rule ('(device.deviceCategory -eq "'+$($_.DisplayName)+'")' )
}
# Model
Add-IntuneFilter -Name "AllCloudPCs" -Platform "Windows10AndLater" -Description "All Microsoft365 devices" -Rule '(device.model -contains "CloudPC") or (device.model -contains "Cloud PC")'
- Execute the script
- Open the MEM Portal
- Navigate to Tenant admin > Filters
- Check your filters
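
The last step can also be done from PowerShell. The following is an added example, not part of Deploy-DefaultFilter: it checks that the current Graph session holds the scopes the script's cmdlets rely on (the scope names are the ones that appear in the script and in the reader comment below), warns about broader Intune scopes than needed, and lists every filter carrying the script's prefix so the rules can be reviewed before anything is assigned to them. Test-GraphScope is a hypothetical helper name, and the example assumes the same SDK version and beta profile as the script.

```powershell
# Added example, not part of Deploy-DefaultFilter. Run it in a session that has
# already executed Connect-MgGraph (and Select-MgProfile -Name "beta").
$prefix = 'MDM'   # same value as $global:filterPreFix in the script

# Scope names as they appear on this page, with what the script uses them for
$required = @(
    'DeviceManagementConfiguration.ReadWrite.All',   # create and delete filters
    'DeviceManagementServiceConfig.Read.All',        # read Autopilot profiles
    'DeviceManagementManagedDevices.Read.All'        # read device categories
)

# Hypothetical helper: compares required scopes with the granted ones
function Test-GraphScope {
    param([string[]]$Required, [string[]]$Granted)
    # A granted ReadWrite scope also satisfies the matching Read requirement
    $missing = @($Required | Where-Object {
        ($_ -notin $Granted) -and (($_ -replace '\.Read\.', '.ReadWrite.') -notin $Granted)
    })
    # Intune scopes present in the session that the script does not need
    $extra = @($Granted | Where-Object { $_ -like 'DeviceManagement*' -and $_ -notin $Required })
    [pscustomobject]@{ Missing = $missing; Extra = $extra }
}

$context = Get-MgContext
if (-not $context) { throw 'No Graph session. Run Connect-MgGraph first.' }

$result = Test-GraphScope -Required $required -Granted $context.Scopes
if ($result.Missing) { throw "Missing scopes: $($result.Missing -join ', ')" }
if ($result.Extra)   { Write-Warning "Broader Intune scopes than needed: $($result.Extra -join ', ')" }

# Review what exists under the prefix before assigning anything to it
Get-MgDeviceManagementAssignmentFilter -All |
    Where-Object { $_.DisplayName -like "$prefix*" } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Platform, Rule -AutoSize -Wrap
```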

Conclusion
I hope this script helps you get started with assignment filters. It creates a default set with which you can fulfill many requirements. Of course this will not meet all requirements, but it is really easy to create new filters or extend existing ones.
Stay healthy, Cheers
Jannik
Update 02.08.2022
You can also download my script from the PowerShell Gallery:
Install-Script -Name Deploy-DefaultFilter
What PowerShell module or modules does this script require?
Only the Microsoft.Graph.DeviceManagement is required
Thanks! I just ended up installing the Microsoft.Graph package as I realized I didn’t have any of it installed.
Had some issues with the script and I’m not sure if it was just how my system was configured but the scopes in the connect statement were not working. What worked for me was:
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","DeviceManagementConfiguration.ReadWrite.All","DeviceManagementManagedDevices.Read.All","DeviceManagementManagedDevices.ReadWrite.All"