Skip to main content
MEM v ENNBEE - Battles with Modern Device Management

Dynamic Groups vs Device Filters

· loading ·
Intune Administration Groups Filters
Author
Nick Benton
Principal Cloud Endpoint Consultant and Intune Blogger
Table of Contents

Now if you’ve ever spoken to me about Microsoft Intune and using Dynamic Groups for management of users and devices, I probably would have talked your ears off about the attribute usage, which attributes are suitable, and that moving away from assigned groups to dynamic is the only way forward for Modern Device Management.

What if I told you, that there’s something on par with these holy grail groups, and maybe, just maybe, even better.

My Beloved Dynamic Groups
#

Before we jump into Device Filters, let us talk about Dynamic Groups a little…

Firstly, I would highly recommend the use of these groups, especially for grouping devices, whether this be based on enrolment type, ownership, operating system type or version…and if you’ve got something or someone managing your user attributes, that you use them for user groups.

The Limitations
#

This sadly, is how quickly these groups update; Microsoft probably realised that people were using these groups in relation to device management, and also realised that the enumeration of the groups was using precious Compute infrastructure, for free, smh.

So Microsoft reduced how often these groups fully updated to once every 24 hours.

Now this is no good when we want to target settings and restrictions, or even just application deployment to these dynamically populated groups, we end up with delaying installations, configuration settings or even connectivity. Not a fan.

Bring on the Filters
#

So where Microsoft take away with one hand, they give with the other, and this is the new world of Device Filters.

At a high level, what makes filters so much better for use in Microsoft Intune comes down a couple of things:

  • The filter evaluation is done when the device enrols and/or checks in with the Intune service; this means the speed of evaluation is significantly faster than dynamic groups.
  • Filters are entirely reusable meaning we can now create one filter and use it for many areas within Microsoft Intune.

Filter Evaluation

Before a policy is applied to a device, filters dynamically evaluate applicability:

  1. You create a filter for any platform based on some device properties.

  2. You assign a policy or app to the group. In the assignment, you add the filter in either include or exclude mode. For example, you “include” personal devices, or you “exclude” personal devices from the policy.

  3. The filter is evaluated when the device enrols or at any other time a policy evaluates.

  4. You see the filter results based on the evaluation. For example, the app or policies applies, or it doesn’t apply.

Inconsistent Assignments
#

So we’ve talked about the limitations with Dynamic Groups, but we do need to talk about the limitations with Device Filters… Not all areas of Microsoft Intune support the use of Filters (as of today, though this will hopefully change), meaning that you can’t provide a consistent application method of assignments.

For example, Autopilot profiles don’t support filters, and nor do Endpoint Security Profiles, nor PowerShell scripts, nor MAM policies.

Device Filters

However, a lot of crucial areas do, including Compliance, Configuration and Windows Update for Business profiles.

Dynamic Groups

Groups looking good here.

Fewer Properties
#

Device Filters have fewer attribute properties to work with compared with Dynamic Groups, so any advanced filtering like with Autopilot Group Tags will still need to be done using Dynamic Groups.

Device Filters

Device Filters

Dynamic Groups

Dynamic Groups

Win for the Groups.

Fewer Operators
#

Device Filters do not support advanced logic with the operators such as ‘Match’, so turbo advanced filtering such as in Intelligent Phased Windows Update for Business Deployments need to be handled with groups still.

Device Filters

Device Filters

Dynamic Groups

Dynamic Groups

Another win there, 3-0 to the Groups.

Summary
#

Even with these Device Filter limitations (and the 3-0 loss), the benefits of reusability and speed in which they are processed still shine through over Dynamic Groups in many areas of Microsoft Intune, and I strongly recommend moving to using the ‘All Devices’ and ‘All Users’ in-built assignments in conjunction with Device Filters, just to make your life that little bit easier when managing devices.

You’ve come this far, so why not give creating them a shot and create a filter or two?

Related

Bulk Adding Device Notes to Enrolled Devices
· loading
Intune Administration PowerShell
Ever had to add notes to Intune Managed Devices in bulk? Me either, well not until a few weeks ago when I needed an easy way to update the notes field on 100’s of devices.
Configuring Available User Languages on Windows Devices
· loading
Intune Windows 10 and later Windows Autopilot Accessibility PowerShell
Have you ever wondered how to ensure that a number of languages are available for selection to end users on shared Windows 10 devices? The thought hadn’t crossed my mind, but then again, you encounter new use cases and requirements on a weekly basis.
Customising the Android Enterprise Enrolment QR Code
· loading
Intune Android Enrolment
We have already looked at allowing Android Enterprise enrolment using Mobile Data in a previous post, now it’s time to look at some of the other provisioning values that can be used to create a custom enrolment QR Code.