You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/fundamentals/filters-reports-troubleshoot.md
+11-2Lines changed: 11 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ keywords:
7
7
author: MandiOhlinger
8
8
ms.author: mandia
9
9
manager: dougeby
10
-
ms.date: 07/13/2022
10
+
ms.date: 10/10/2022
11
11
ms.topic: conceptual
12
12
ms.service: microsoft-intune
13
13
ms.subservice: fundamentals
@@ -70,6 +70,10 @@ In the following example, you can see this information for the **TestDevice**:
70
70
71
71
:::image type="content" source="./media/filters-reports-troubleshoot/filter-properties-single-device.png" alt-text="See the date, time, evaluation results, and other device filter assignment properties in Microsoft Endpoint Manager and Microsoft Intune.":::
72
72
73
+
> [!IMPORTANT]
74
+
>
75
+
> Filter evaluation reports for devices don't show the results of any Azure AD conditional access evaluations. To troubleshoot conditional access issues, use the Azure AD sign-in logs. For more information, go to [Sign-in logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-sign-ins).
76
+
73
77
### Workload filter evaluation reports
74
78
75
79
These reports show filter information for each device that's evaluated in an app or policy assignment. For each device, you can see the device's overall applicability for a workload, and get more detailed information about the filter evaluation.
@@ -97,6 +101,7 @@ In the following example, you can see this information for the **Microsoft Word*
97
101
> - When assigning a policy, you can add devices to the "Excluded groups". These excluded devices aren't shown in the workload device status reports.
98
102
> - In the **Apps** and **Settings Catalog** device status reports, there's a column that shows any filter evaluation. Currently, the filter evaluation information isn't available for all Intune workloads.
99
103
104
+
100
105
## Include vs. Exclude
101
106
102
107
When you create a filter, you choose to include or exclude devices based on some properties, such as `device.model -equals “Surface pro”`, or `device.model -notEquals “Surface pro”`. It can be difficult to understand the evaluation results, especially when including or excluding devices.
@@ -113,7 +118,11 @@ Use the following table to help understand when you include or exclude devices:
113
118
### What you need to know
114
119
115
120
- A **Not evaluated** filter result may show when a policy has a conflicting assignment on the device. For more information, see [Filters and assignment conflict resolution](#filters-and-assignment-conflict-resolution) (in this article).
116
-
- Filters are evaluated at enrollment and device check-in. The evaluation can also run at other times, such as a compliance check.
121
+
- Filters are evaluated at enrollment and device check-in. The evaluation can also run at other times, such as a compliance check. You may experience race conditions in some scenarios, for example consider this sequence of events (with T representing different points in time):
122
+
- T1 - You assign an App to a group of users using a filter based on the "Category" property.
123
+
- T2 - A targeted user enrolls a new device. The device enrolls and checks-in, evaluating the associated category filter. Since there was no category set on the device, filter evaluation is based on a null category string. In the case where a filter was working in "Exclude" mode, the app could be installed having not matched the criteria for exclusion.
124
+
- T3 - The user is then prompted to choose a device category in the Company Portal app but enrollment and check-in has already completed.
125
+
- T4 - On the next device check-in, the category property has been updated in the system and now returns a different filter evaluation result, however the app was already installed and will not be automatically removed.
117
126
- The latest filter evaluation results are stored for 30 days. If the logs are expired, you may see a **We were not able to retrieve any filter evaluation results** message.
Copy file name to clipboardExpand all lines: memdocs/intune/protect/remove-certificates.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -49,6 +49,9 @@ Manual deletion of a certificate is a scenario that applies across platforms and
49
49
50
50
In this scenario, after the certificate is deleted, the next time the device checks in with Intune it's found to be out of compliance as it is missing the expected certificate. Intune then issues a new certificate to restore the device to compliance. No other action is needed to restore the certificate.
51
51
52
+
> [!NOTE]
53
+
> SCEP certificates are [removed but not revoked](../certificate-authority-add-scep-overview#removing-certificates) when using a third-party certification authority.
0 commit comments