Applicability rules for device configuration profiles

This week a new blog post about a little nice, but quite unknown, feature. Applicability rules for device configuration profiles. The nice thing about applicability rules is that those rules can be used to target devices in a group that meet specific criteria. That enables an administrator to assign a device configuration profile to all users, or all Windows 10 devices, but only actually apply to Windows 10 devices of a specific version or edition. In this post I’ll go through the configuration of applicability rules (including a few important details) and the administrator experience.

Configure applicability rule

Let’s start by looking at applicability rules. Applicability rules can be configured for every device configuration profile type with Windows 10 and later as Platform, with the exception of Administrative Templates as Profile Type. It enables the administrator to only assign the device configuration profile to a specific version or edition of Windows 10.

Before looking at the configuration of applicability rules, it’s good to be familiar with a few important notes about assigning a device configuration profile including applicability rules. When assigning such a device configuration profile, keep the following in mind:

  • When two device configuration profiles are assigned with the exact same settings, and only one of those profiles has an applicability rule configured, then the profile without an applicability rule is applied.
  • When assigning device configuration profiles to groups, the applicability rules act as a filter, and only target the devices that meet the specified criteria.

Now let’s have a look at the actual configuration of applicability rules. The following steps walk through the configuration of applicability rules in device configuration profiles for Windows 10 devices.

  1. Open the Microsoft 365 Device Management portal and navigate to Devices > Windows Configuration profiles to open the Windows – Configuration profiles blade
  2. Select an existing device configuration profile, or create a new device configuration profile and navigate to Applicability Rules to open the Applicability Rules blade
  3. On the Applicability Rules blade, configure a rule click Add to add the rule and click Save
  • The Rule selection enables the administrator to either use Assign profile if – that will include users or groups that meet the specified criteria – or use Don’t assign profile if – that will exclude users or groups that meet the specified criteria –.
  • The Property selection enables the administrator to either use OS edition – that will enable a list to check the Windows 10 editions that must be included – or use OS version – that will enable fields to enter the min and max Windows 10 version numbers that must be included –. Both values (min and max) are required.

Administrator experience

Let’s end this post by shortly mentioning the administrator experience. The experience is not that exiting actually. When an applicability rule is applicable to a device, the device is targeted with the configuration profile. The device will try to assign the configuration profile and simply show the normal Succeeded, Error or Failed status. When an applicability rule is not applicable to a device, the device wil not be targeted with the configuration profile and the configuration profile will get the status of Not applicable.

More information

For more information regarding applicability rules for device configuration profiles, refer to the Applicability rules section of the Create a device profile in Microsoft Intune doc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.