List of platforms, policies, and app types supported by filters in Microsoft Intune
When you create an app, compliance policy, configuration profile, or app configuration policy, you assign the policy to groups (users or devices). When you assign the policy, you can also use filters. For example, you can assign policies to Windows client devices running a specific OS version. For more information, see Use filters when assigning your apps, policies, and profiles.
Filters support some of the different workloads available in Microsoft Intune. This article lists the app types, compliance policies, device configuration profiles, and app configuration policies that support filters. It also lists the workloads that aren't supported.
Before you begin
- This article assume you're familiar with filters. If not, you can learn more at Use filters when assigning your apps, policies, and profiles.
- ✔️: Supports filters.
- ❌: Doesn't support filters
- N/A: Doesn't apply to the platform.
App types
You can use filters for some common app policies on the following platforms. For a list of what's not supported, see not supported (in this article).
Android device administrator
| App type | Supported |
|---|---|
| Store app | ✔️ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| Line-of-business apps | ✔️ |
Android Enterprise
| App type | Supported |
|---|---|
| Store app | N/A |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | N/A |
| Line-of-business apps | N/A |
| Android Enterprise system app | ✔️ |
| Managed Google Play store app | ✔️ |
| Managed Google Play web link | ✔️ |
| Managed Android line-of-business app | ✔️ |
Note
Filters aren't supported on Android Enterprise personally-owned devices with work profile (BYOD) when used in "Available" app assignments. If users are targeted with an "Available" app intent, then the app continues to show as available to install from the Google managed play store. Any include or exclude filtering is ignored.
iOS/iPadOS
| App type | Supported |
|---|---|
| Store app | ✔️ |
| Microsoft 365 apps | N/A |
| Microsoft Edge version 77 and newer | N/A |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| Line-of-business apps | ✔️ |
| iOS/iPadOS volume purchase program (VPP) app | ✔️ |
macOS
| App type | Supported |
|---|---|
| Store app | N/A |
| Microsoft 365 apps | ✔️ |
| Microsoft Edge version 77 and newer | ✔️ |
| Microsoft Defender for Endpoint | ✔️ |
| Web link | ❌ |
| Line-of-business apps | ✔️ |
Windows 10/11
| App type | Supported |
|---|---|
| Store app | ✔️ |
| Microsoft 365 apps | ✔️ |
| Microsoft Edge version 77 and newer | ✔️ |
| Microsoft Defender for Endpoint | N/A |
| Web link | ❌ |
| Line-of-business apps | ✔️ |
| Windows app (Win32) | ✔️ |
| Microsoft Store for Business | ✔️ |
App configuration policies
You can use filters for app configuration policies for managed devices on the following platforms:
- Android Enterprise
- iOS/iPadOS
Compliance policies
You can use filters for all compliance policies on the following platforms:
- Android device administrator
- Android Enterprise
- iOS/iPadOS
- macOS
- Windows 10 and later
Device configuration profiles and Endpoint security
You can use filters for some common device configuration policies on the following platforms. For a list of what's not supported, see not supported (in this article).
Note
Some profile types are only available for specific platforms. For example, the Device features profile type includes settings that are only available for iOS/iPadOS and macOS devices.
For a list of all device configuration profiles, and the platforms they apply to, see Apply features and settings on your devices.
Android device administrator
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✔️ |
| Derived credential | N/A |
| Device restrictions | ✔️ |
| Device restrictions (Windows 10 Team) | N/A |
| Device features | N/A |
| N/A | |
| Email (Samsung KNOX only) | ✔️ |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
| MX profile (Zebra only) | ✔️ |
| PKCS certificate | ✔️ |
| PKCS imported certificate | ✔️ |
| SCEP certificate | ✔️ |
| Settings catalog | N/A |
| Trusted certificate | ✔️ |
| VPN | ✔️ |
| Wi-Fi | ✔️ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security Baselines | N/A |
Android Enterprise
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✔️ |
| Derived credential | ✔️ |
| Device restrictions | ✔️ |
| Device Restrictions (Windows 10 Team) | N/A |
| Device Features | N/A |
| ✔️ | |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ❌ |
| OEMConfig | ✔️ |
| PKCS certificate | ✔️ |
| PKCS imported certificate | ✔️ |
| SCEP certificate | ✔️ |
| Settings catalog | N/A |
| Trusted certificate | ✔️ |
| VPN | ✔️ |
| Wi-Fi | ✔️ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security Baselines | N/A |
iOS/iPadOS
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✔️ |
| Derived credential | ✔️ |
| Device restrictions | ✔️ |
| Device Restrictions (Windows 10 Team) | N/A |
| Device Features | ✔️ |
| ✔️ | |
| Endpoint Protection | N/A |
| Enrollment device platform restrictions | ✔️ |
| PKCS certificate | ✔️ |
| PKCS imported certificate | ✔️ |
| SCEP certificate | ✔️ |
| Settings catalog | N/A |
| Trusted certificate | ✔️ |
| VPN | ✔️ |
| Wi-Fi | ✔️ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | N/A |
| Attack surface reduction | N/A |
| Disk encryption | N/A |
| Endpoint detection and response | N/A |
| Firewall | N/A |
| Security Baselines | N/A |
macOS
| Profile type | Supported |
|---|---|
| Device configuration profile | |
| Custom | ✔️ |
| Derived credential | N/A |
| Device restrictions | ✔️ |
| Device restrictions (Windows 10 Team) | N/A |
| Device features | ✔️ |
| N/A | |
| Endpoint Protection | ✔️ |
| Enrollment device platform restrictions | ✔️ |
| Extensions | ✔️ |
| PKCS certificate | ✔️ |
| PKCS imported certificate | ✔️ |
| Preference file | ✔️ |
| SCEP certificate | ✔️ |
| Settings catalog | ✔️ |
| Trusted certificate | ✔️ |
| VPN | ✔️ |
| Wi-Fi | ✔️ |
| Wired network | ✔️ |
| Endpoint Security profile | |
| Account protection | N/A |
| Antivirus | ❌ |
| Attack surface reduction | N/A |
| Disk encryption | ❌ |
| Endpoint detection and response | N/A |
| Firewall | ❌ |
| Security Baselines | N/A |
Windows 10/11
| Profile type | Supported |
|---|---|
| Update rings for Windows 10/11 | ✔️ |
| Device configuration profile | |
| Administrative Templates | ✔️ |
| Custom | ✔️ |
| Derived credential | N/A |
| Delivery optimization | ✔️ |
| Device restrictions | ✔️ |
| Device Restrictions (Windows 10 Team) | ✔️ |
| Device Features | N/A |
| Device Firmware Configuration Interface (DFCI) on Windows 11 and Windows 10 RS5 (1809)+ on supported UEFI | ✔️ |
| Domain Join | ✔️ |
| Edition upgrade and S mode switch | ✔️ |
| ✔️ | |
| Endpoint analytics proactive remediations scripts | ✔️ |
| Endpoint Protection | ✔️ |
| Enrollment device platform restrictions | ✔️ Support for a subset of filter properties including device osVersion, operatingSystemSKU, and enrollmentProfileName |
| Identity Protection | ✔️ |
| Kiosk | ✔️ |
| Microsoft Defender for Endpoint (Windows 10/11 Desktop) | ✔️ |
| Network boundary | ✔️ |
| PKCS certificate | ✔️ |
| PKCS imported certificate | ✔️ |
| SCEP certificate | ✔️ |
| Secure assessment (Education) | ✔️ |
| Settings catalog | ✔️ |
| Shared multi-user device | ✔️ |
| Trusted certificate | ✔️ |
| VPN | ✔️ |
| Wi-Fi | ✔️ |
| Windows health monitoring | ✔️ |
| Endpoint Security profile | |
| Account protection | ✔️ Local user group membership only |
| Antivirus | ✔️ |
| Attack surface reduction | ✔️ Excludes Web protection (Microsoft Edge Legacy), Application control, App and browser isolation, and Device control |
| Disk encryption | ❌ |
| Endpoint detection and response | ✔️ |
| Firewall | ✔️ |
| Security Baselines | ❌ |
Not supported
The following features don't support using filters:
- Custom compliance policies for Windows 10/11 (preview)
- App protection policies for Android, iOS/iPadOS, and Windows
- End user experiences customization policies
- iOS/iPadOS app provisioning profiles
- Partner device management
- Policies for Office apps
- Policy sets
- PowerShell scripts for Windows
- S mode supplemental policies for Windows 10
- Shell scripts for macOS
- Terms and conditions
- Update policies for iOS/iPadOS
- Feature updates for Windows
- Enrollment notifications
- Android AOSP platform workloads
- Linux platform workloads
Next steps
Feedback
Submit and view feedback for