You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/fundamentals/filters-reports-troubleshoot.md
+10-1Lines changed: 10 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -70,6 +70,10 @@ In the following example, you can see this information for the **TestDevice**:
70
70
71
71
:::image type="content" source="./media/filters-reports-troubleshoot/filter-properties-single-device.png" alt-text="See the date, time, evaluation results, and other device filter assignment properties in Microsoft Endpoint Manager and Microsoft Intune.":::
72
72
73
+
> [!IMPORTANT]
74
+
>
75
+
> Filter evaluation reports for devices do not show the results of Azure AD Conditional Access evaluation. Use Azure AD sign-in logs for troubleshooting conditional access issues.
76
+
73
77
### Workload filter evaluation reports
74
78
75
79
These reports show filter information for each device that's evaluated in an app or policy assignment. For each device, you can see the device's overall applicability for a workload, and get more detailed information about the filter evaluation.
@@ -97,6 +101,7 @@ In the following example, you can see this information for the **Microsoft Word*
97
101
> - When assigning a policy, you can add devices to the "Excluded groups". These excluded devices aren't shown in the workload device status reports.
98
102
> - In the **Apps** and **Settings Catalog** device status reports, there's a column that shows any filter evaluation. Currently, the filter evaluation information isn't available for all Intune workloads.
99
103
104
+
100
105
## Include vs. Exclude
101
106
102
107
When you create a filter, you choose to include or exclude devices based on some properties, such as `device.model -equals “Surface pro”`, or `device.model -notEquals “Surface pro”`. It can be difficult to understand the evaluation results, especially when including or excluding devices.
@@ -113,7 +118,11 @@ Use the following table to help understand when you include or exclude devices:
113
118
### What you need to know
114
119
115
120
- A **Not evaluated** filter result may show when a policy has a conflicting assignment on the device. For more information, see [Filters and assignment conflict resolution](#filters-and-assignment-conflict-resolution) (in this article).
116
-
- Filters are evaluated at enrollment and device check-in. The evaluation can also run at other times, such as a compliance check.
121
+
- Filters are evaluated at enrollment and device check-in. The evaluation can also run at other times, such as a compliance check. You may experience race conditions in some scenarios, for example consider this sequence of events (with T representing different points in time):
122
+
- T1 - You assign an App to a group of users using a filter based on the "Category" property.
123
+
- T2 - A targeted user enrolls a new device. The device enrolls and checks-in, evaluating the associated category filter. Since there was no category set on the device, filter evaluation is based on a null category string. In the case where a filter was working in "Exclude" mode, the app could be installed having not matched the criteria for exclusion.
124
+
- T3 - The user is then prompted to choose a device category in the Company Portal app but enrollment and check-in has already completed.
125
+
- T4 - On the next device check-in, the category property has been updated in the system and now returns a different filter evaluation result, however the app was already installed and will not be automatically removed.
117
126
- The latest filter evaluation results are stored for 30 days. If the logs are expired, you may see a **We were not able to retrieve any filter evaluation results** message.
0 commit comments