Microsoft recently introduced Filters in Microsoft Endpoint Manager which allow more granular targeting of application and policies to specific devices. In this blog post, we will see how we can deploy a Microsoft store app to group of devices using Azure AD group and MEM Filters.
We will deploy Microsoft Whiteboard to all Windows 10 Devices which Device Category is ‘Training Devices’. For this example, we already approved Microsoft Whiteboard application in Microsoft Store for Business (MSfB) and it’s synced with Microsoft Endpoint Manager.
Microsoft Whiteboard application published in MEM
1. Create AD Group for Windows 10 Devices
The next step is to create a dynamic AAD group for all Windows 10 devices. If you already have a group for Windows 10 devices then you can skip this step.
From Azure Active Directory > Group, create a dynamic group. Use the below query expression to include all Windows 10 devices.
Azure AD Group – Dynamic Rule
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")
2. Create Filter for Training Devices
In Microsoft Endpoint Manager admin center, Select Devices | Filters (preview) and click on Create.
Enter Filter Name, Description and Platform and then clock on Next. Add the expression to include devices which Device Category is ‘Training Devices’. Click on Next.
Review the details and then click on Create.
You can now see newly created filter in Devices | Filters (preview)
3. Deploy Microsoft Whiteboard on Devices using AAD group & MEM Filters
Now we have both AAD group and MEM Filter in place for granular deployment of application on Windows 10 devices which device category is ‘Training Devices’.
To deploy the application, Go to Apps, click on Microsoft Whiteboard and select Properties. Click on Edit link under Assignments section.
In the Edit application page, click on Add group under Required and select Windows 10 devices group. Click on Select.
Now you can see Windows 10 Devices group added under Required. The Filter option is now available.
Click on the None link below Filter mode.
Select “Include filtered devices in assignment” radio button.
From available filters, select the filter which you want to use and click on Select.
You can now see that Filter mode and Filter is now visible under Required. Filter mode is set to Include and Filter set to ‘Training Devices’.
Click on Review & Save.
Review the details and click on Save to complete deployment setup.
4. Deployment Status & Filters Evaluation
We will now check the deployment on one of our test Windows 10 laptop. The device category has not yet set on this laptop. Before proceed further , let’s understand how the include and exclude filters evaluated. Here is the excerpt from Microsoft documentations.
Microsoft Endpoint Manager Filters – Include and Exclude evaluation rule
To check the application deployment status, Go to Apps > Microsoft Whiteboard > Device install status. The following details are shown.
Status: Not applicable
Status Details: Filters criteria are not met
Filters (Preview): Filters evaluated
Application install status
Click on Filters evaluated link. You can see that Evaluation result is “Not match” hence the application was not offered to the device. You can also see that Device Category property was empty hence Filters criteria was not matched.
We will now set the Device category for this device, force client policy sync and check the Filters evaluation and deployment status again.
To change the Device category, go to Devices > Select Device and select Properties. Update the Device category. We changed this to “Training Devices”.
Device category
Force sync on Windows 10 device to quickly update the policy.
Windows Settings > Accounts > Access Work or School > Select Account and then click on Sync.
Wait for some time for Filters re-evaluation. I have waited for an hour and application got installed after filters evaluation succeeded.
See the Filter evaluation now. The include criteria was matched and application was offered to the device.
Filter evaluation
You can also find the application added in Start menu on Windows 10 device.
Related Posts
- Win32 Apps Deployment with Dependencies
- Upgrade / Replace Win32 Apps with Supersedence Relationship
- Win32 Apps vs LOB Apps
- Win32 App Deployment failed with error code 0x80070643
- Win32 App Deployment Failed with Error 0x87D1041C
- Win32 App Deployment failed with error 0x87D300C9
- Win32 App failed with error code 0x80070653
