Intune Filters vs Assignment Groups: Stop Treating Them as Interchangeable

If your Intune estate has grown past a couple of hundred devices, you’ve probably built a forest of dynamic groups that only you understand. You don’t need another group. You need a filter. Here’s where each one earns its keep, and where MSPs keep getting the split wrong.

The mental model

Groups answer who the policy targets. Filters answer which subset of that assignment it actually applies to at evaluation time. A group is resolved at assignment and refreshed on Entra’s schedule. A filter is evaluated per device, per policy, at the point of applicability. That timing difference is the entire reason filters exist — and the reason swapping one for the other silently changes behaviour.

Use groups for ownership of the assignment (department, site, client tenant, pilot ring). Use filters for device traits that change underneath you: OS version, model, enrollment profile, personal vs corporate, join type.

Prerequisites people miss

Filters only work on managed devices and managed apps — the supported workload matrix matters. Not every policy type honours filters, and app assignment filters for MAM are a different object from device assignment filters. Check the reference before assuming your policy can be filtered.
Dynamic device groups require at least one Entra ID P1 licence in the tenant. Business Premium covers you, but confirm before promising dynamic membership to an M365 Standard client.
The “All users” and “All devices” virtual groups bypass normal targeting logic. If a client’s environment feels “haunted”, check whether a legacy assignment is hitting All devices with no filter.

Where to configure

In the Intune admin center, filters live under Tenant administration → Filters. Build the rule, pick the platform, and save — the filter itself has no targets. You apply it at assignment time on any supported policy (Devices → Configuration → your profile → Assignments → Edit filter).

Groups are managed in the same console under Groups, but remember these are Entra ID security groups — any change you make is tenant-wide, not Intune-only.

The rollout pattern that actually works

Ring by group, scope by filter. Three device groups (Pilot, Early, Broad) assigned by user or device attribute. Apply the same policy to all three with different filters (e.g. deviceOwnership -eq "Corporate" plus osVersion -startsWith "10.0.22").
Exclude filters beat exclusion groups. If you’re excluding kiosks from a CA-backed compliance policy, a filter keyed on enrollmentProfileName is faster to audit than a stale exclusion group nobody refreshes.
Name everything for future-you. FLT-Win11-Corp-NotKiosk beats Filter1. Same for groups: prefix by purpose (INT- for Intune-only, SEC- for CA), include platform, include intent.
Test in report-only. Every new filter goes onto one profile assigned to a lab group first. Confirm the Assignment status report matches expectation before widening.

The pitfalls that will bite you

Filter evaluation is not group membership. A filter excluding “personal” devices won’t retroactively remove a policy from a device that was previously “corporate” until the device checks in and the assignment re-evaluates. Plan for the delay during ownership changes.
Negation logic is deceptively literal. -notEquals treats a null property as “not equal”, so filters on sparsely populated properties (custom enrollment profile names, model on older hardware) can match devices you didn’t intend. Test with -eq plus include/exclude to lock it down.
Overlapping filters on the same assignment don’t AND. If you add a filter and also use include/exclude groups, precedence rules apply — exclude always wins, then filters, then includes. Map this out before complaining about “Intune not applying my policy.”

References

Revisiting Copilot image generation analysis

A while back I shared the results of an identical image prompt in a number of AI tools. That article is here:

https://blog.ciaops.com/2026/03/07/image-generation-analysis/

Now that Copilot has access to OpenAI Image 2 model I thought I’d re-run and share the results.

This is the result from the previous test with Copilot chat:

This is the updated response using the identical prompt as before with Copilot Chat again:

This is the same prompt with Copilot Chat again BUT with ‘Create a detailed infographic using the new openAI image 2 model’ added at the beginning of the prompt:

This is the original prompt but used in the dedicated ‘Create Image’ part of Copilot:

Still not perfect if you examine each closely but a significant improvement from the last round.

BitLocker Silent Enablement via Intune: The Deployment Pattern That Actually Sticks

Every MSP ends up doing BitLocker. Very few do it silently on the first attempt. Between TPM quirks, third-party encryption leftovers, and the three different Intune policy surfaces that all claim to configure BitLocker, the difference between “encrypted fleet with recoverable keys” and “2am call from a locked-out CEO” is a handful of settings. Here’s the pattern to deploy in production under Microsoft 365 Business Premium.

Prerequisites people skip

Silent means standard user, no prompts, no elevation — which is a higher bar than “BitLocker on.”

TPM 2.0, ready state, UEFI, Secure Boot on. If the TPM reports “not ready” or is owned by a prior OEM image, silent encryption aborts. Check with Get-Tpm before blaming policy.
Entra joined or Hybrid joined. Workgroup and AD-only devices have no key escrow target and will not silently encrypt.
No third-party encryption agent. McAfee DE, Sophos SafeGuard, legacy Dell Data Protection — all block BitLocker takeover until fully decrypted and uninstalled.
No startup PIN or startup key requirement. Silent mode and pre-boot authentication are mutually exclusive. Pick one.
WinRE present and healthy. BitLocker uses it for recovery.

If any of those are wrong, don’t touch policy yet. Fix the device first.

Where to configure it

Ignore the Settings Catalog for this one. Microsoft is explicit that the Settings Catalog does not expose the TPM startup authentication controls silent enablement depends on (docs).

Use the Endpoint security path:

Intune admin center → Endpoint security → Disk encryption → Create Policy → Platform: Windows → Profile: BitLocker.

The settings that actually matter for silent:

Enable full disk encryption for OS and fixed data drives: Yes
Hide prompt about third-party encryption: Yes
Allow standard users to enable encryption during Autopilot: Yes
Require device to back up recovery information to Azure AD: Yes (gates encryption on successful escrow — this is the setting that saves you)
Recovery password rotation: Enable on Entra and Hybrid-joined devices
OS and fixed drive: XTS-AES 256, TPM-only protector, no PIN

Full setting reference: Disk encryption profile settings.

The rollout pattern

Do not target All Devices. Ever.

Pilot ring (5–10 devices): your own, one per client hardware family. Watch the Endpoint security → Disk encryption report for “Encrypted” status and a recovery key present in Entra. If the key isn’t there, the device isn’t safe, regardless of what Windows says.
Early ring (10–20% by dynamic group): let this soak for a week. Check the encryption report daily. Anything stuck in “Waiting for response” usually means TPM readiness or a WinRE issue — remediate per device, don’t loosen policy.
Broad rollout: remaining corporate devices via a dynamic group filtered on deviceOwnership eq "Company". Never include BYO.
New builds: bake the policy into Autopilot so encryption completes during ESP. Standard-user silent enablement only works if “Allow standard users to enable encryption during Autopilot” is Yes — double-check before you cut a new image.

The help desk also needs the recovery-key retrieval flow documented before you go broad, not after the first lockout.

The pitfalls that bite

Silent and startup PIN are incompatible. If compliance demands pre-boot auth, you’re running standard BitLocker, not silent. Decide once.
Recovery key escrow failures hide in plain sight. Without “Require device to back up recovery information to Azure AD = Yes”, devices encrypt, keys never land in Entra, and you discover it the day a laptop gets stolen. Audit the encryption report monthly — the ground truth is “Recovery key: Yes/No” per device, not policy compliance.
Don’t mix endpoint protection + disk encryption profiles targeting the same devices. Conflicts resolve unpredictably. Pick the Disk encryption profile and delete the legacy Endpoint protection one (policy comparison).

Get those three right and BitLocker becomes a checkbox — exactly what your clients are paying for.

CIAOPS Need to Know Microsoft 365 Webinar – May

laptop-eyes-technology-computer_thumb

Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Copilot Cowork.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

May Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2605 )

The details are:

CIAOPS Need to Know Webinar – May 2026
Friday 29th of May 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Youtube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

CIAOPS AI Dojo 012

What’s the session about?

This month we will be focusing on new Copilot features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

IT administrators and support staff
Business owners
People looking to get more done with Microsoft 365
Anyone looking to automate their daily grind

Save the Date

Date: Friday the 29th of May 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

DSPM: The End of Guessing About Your Sensitive Data

Most Microsoft 365 tenants I walk into are flying blind on data.

The sensitivity labels exist. A couple of DLP policies exist. Someone once turned on Insider Risk Management because a consultant said so. And then nothing. Nobody knows what’s working, what’s exposed, or which sensitive files are sitting wide open in a SharePoint site shared with half the planet.

That’s not a security posture. That’s a guess.

The tool that finally ends the guessing is Microsoft Purview Data Security Posture Management. If you’ve got E5 or the Purview Suite and you’re not showing this to your clients, you’re leaving value on the table.

What is DSPM, really?

DSPM is the dashboard that tells you, in plain English, where your sensitive data is sitting unprotected and which users are handling it carelessly. It pulls signals from the tools you already pay for — DLP, Information Protection, Insider Risk Management, Adaptive Protection — and stitches them into one view.

The clever bit is the correlation. Before DSPM, you’d open five different blades, cross-reference three different reports, and still miss half of it. Now the findings and recommendations land on one page, with a one-click path to spin up the matching policy.

That’s not a report. That’s a to-do list with context.

Step-by-Step: turning DSPM on

Portal only. Stay in the GUI — easier for you, easier to hand off to the next admin.

Open the Purview portal

Sign in to the Microsoft Purview portal as a member of the Data Security Management role group, an Insider Risk Admin, or a Compliance Administrator. Global Admin works too, but please don’t use it if you can help it.

Open the DSPM solution

From the home page, go to Solutions → Data Security Posture Management → Overview.

Turn on analytics

On the Overview page, click Turn on analytics. That one switch also enables DLP analytics and Insider Risk analytics behind the scenes if they aren’t already on. One click, three switches. The full checklist is in the Get started with DSPM article.

Wait

Yes, really. The automated scan across your tenant can take up to three days on anything larger than a handful of users. Walk away. Brew a coffee. Come back on Thursday.

Review the recommendations

Back on the DSPM dashboard, open Recommendations. Each one tells you what was found, why it matters, and offers a one-click path to create the DLP or Insider Risk policy that fixes it. You don’t start from a blank policy screen anymore — you start from your tenant’s real gaps.

Track trends over time

Use the Analytics and Reports tabs in client reviews. A trend line of risky activity going down beats any invoice justification I’ve ever tried to write.

Why this actually changes behaviour

“Are we protected?”

That’s the question every SMB owner asks. Most of us have been answering with vibes. Good vibes, educated vibes, but vibes.

DSPM changes the answer. You can point at a number. You can point at a recommendation you actioned last month and the unprotected file count that dropped because of it. You can show, not tell.

For MSPs, that’s a QBR slide that sells itself. For internal IT, it’s the evidence you need when the CFO asks what the Microsoft Purview licence is actually doing for the business.

And if Copilot is already in the tenant — which, let’s be honest, it increasingly is — then DSPM for AI is your next stop. Same lens, pointed at what people are pasting into Copilot prompts and what’s flowing back out.

Copilot doesn’t slow down. Neither does your data sprawl. Use something that keeps up.

DSPM isn’t there to create more work. It’s there to stop the guessing.

Autopilot + ESP: The Deployment Pattern That Actually Survives Contact With Real Users

If you’re still PXE-booting laptops in the back room in 2026, you owe your techs a better life. Windows Autopilot with a properly configured Enrollment Status Page (ESP) is the MSP deployment pattern that scales — but only if you stop treating ESP as a tick-box and start treating it as the gate that enforces your security posture before the user ever sees a desktop. Here’s the deploy-it-well version.

Prerequisites People Miss

Business Premium gets you the licensing — Entra ID P1, Intune, and Windows 11 Pro/Enterprise entitlements. The bits that actually bite:

Automatic MDM enrollment must be on. Entra admin center → Mobility (MDM and WIP) → Microsoft Intune → MDM user scope = All (or a group). Miss this and the device joins Entra but never enrols into Intune, and the ESP just hangs.
Hardware hash registration path. For anything beyond a one-off, get the reseller to register devices to your tenant at purchase. Manual CSV uploads at OOBE are fine for a test VM; they’re a tax on your L1 team in production.
TPM 2.0 + device attestation are non-negotiable for self-deploying and pre-provisioning scenarios. VMs won’t cut it, and attestation needs outbound HTTPS to vendor-specific endpoints.
Cloud-native over hybrid join. Microsoft’s own guidance is explicit: deploy new devices as Entra-joined. If you’re still standing up the Intune Connector for AD in 2026, have a very good reason written down.

Full list: Windows Autopilot requirements.

Where To Configure

Everything lives in the Microsoft Intune admin center. Two paths you’ll wear out:

Deployment profile — Devices → Windows → Device onboarding → Enrollment → Windows Autopilot → Deployment Profiles → Create profile → Windows PC. User-driven, Entra-joined, Standard user account type, hide EULA and privacy settings, set a device name template, allow pre-provisioned deployment.
ESP profile — Devices → Device onboarding → Enrollment → Windows tab → Enrollment Status Page → Create. Do not edit the default “All users and all devices” profile — create your own and give it a higher priority.

References: Configure Windows Autopilot profiles and Set up the Enrollment Status Page.

The Rollout Pattern That Works

Three rings, same as your update rings. Don’t skip this.

Pilot (IT / internal). Loose ESP — Block device use = No, timeout 90 minutes, log collection on. You want visibility, not gates.
Early adopters. ESP enforced at the device phase only. Block device use = Yes, timeout 60 minutes, custom error message with your service desk number. Turn off the User / Account Setup phase — the overwhelming majority of ESP failures happen there, and device-targeted apps have already installed by that point.
Production. Lock it. Required blocking apps = your EDR (Defender), BitLocker initiation, and one small “canary” Win32 app that proves apps are actually flowing. No more than five blocking apps total.

Assign both profiles to a dynamic device group filtered on (device.devicePhysicalIDs -any _ -contains "[ZTDId]") so Autopilot-registered devices land automatically.

Top Pitfalls

Too many blocking apps. Every blocking app is a potential ESP timeout. Keep it to security essentials; let the rest stream in post-desktop via required assignments.
User-phase ESP left enabled. User-targeted apps plus Known Folder Move plus OneDrive sync at first login is a timeout factory. Disable the account setup phase unless you have a specific, measured reason to keep it.
Dynamic group latency. Group membership can take minutes to evaluate and devices race ahead of policy. Mitigation: move to Autopilot device preparation (enrollment-time grouping) for new greenfield tenants, or accept the ring-one pilot friction as the cost of dynamic groups.

For the broader lifecycle picture, start at Overview of Windows Autopilot.

Deploy it once, deploy it tight, and your zero-touch goes from aspirational to boring — which is exactly what production should be.

Attack Surface Reduction Rules in Microsoft 365 Business Premium: A Practical Deep Dive

If you manage Business Premium tenants for SMB clients, Attack Surface Reduction (ASR) rules are arguably the highest-leverage defensive control you’re not fully exploiting. They ship with Defender for Business (included in Business Premium), they cost nothing extra to enable, and they block the precise behaviours that commodity ransomware and living-off-the-land attacks depend on — Office spawning child processes, Win32 API calls from macros, credential theft from LSASS, and PSExec-style lateral movement. This post assumes you already know what ASR is. The goal here is to help L2/L3 engineers deploy it without breaking line-of-business apps.

Prerequisites the documentation underplays

ASR has hard dependencies that silently downgrade rules to “not configured” if missed. Microsoft Defender Antivirus must be the active AV (not passive, not disabled by a third-party product), real-time protection must be on, and cloud-delivered protection must be on — several rules won’t evaluate without cloud lookups. Verify these under Microsoft Defender portal → Endpoints → Configuration management → Device configuration, and confirm the device shows as “Active” in the device inventory. Tamper Protection must also be enabled tenant-wide; without it, local admins or malware can disable ASR in seconds.

Where to configure in Business Premium

Business Premium gives you two supported paths. The simplified experience lives at security.microsoft.com → Device configuration → Next-generation protection / Firewall, but ASR rules specifically are configured through Intune. In the Microsoft Intune admin center, go to Endpoint security → Attack surface reduction and create an “Attack surface reduction rules” profile targeting Windows 10/11. Avoid mixing this with legacy Endpoint Protection templates or Group Policy — conflicting sources result in the classic “last writer wins” behaviour, and you will spend hours chasing phantom rules. If a device is co-managed or has stale GPOs, check Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational (event IDs 1121, 1122, 5007) to confirm which source applied.

The rollout pattern that works

Do not flip rules straight to Block. The proven pattern is: enable every rule in Audit mode, leave it for two to four weeks, then review the ASR report at security.microsoft.com → Reports → Attack surface reduction rules. Filter by rule and by device, identify the noisy ones, and build per-rule exclusions before switching to Block. Where available, use Warn mode as a staged step — the user gets a toast and can unblock once, which is invaluable for finance teams running macro-heavy spreadsheets. Warn mode is Windows 10 1809+ only; older builds silently treat it as Block.

Start with the “standard protection” set Microsoft recommends: Block credential stealing from LSASS, Block abuse of exploited vulnerable signed drivers, and Block persistence through WMI event subscription. These have the lowest false-positive rate and the highest return. The two rules that most commonly break things are “Block Office applications from creating child processes” (breaks legitimate mail-merge and older add-ins) and “Block executable content from email client and webmail” (breaks zipped installers).

Pitfalls to pre-empt

Exclusions are path-based and case-sensitive on the file name portion — wildcards work on folders, not extensions. Per-rule exclusions (added in later releases) are preferred over global Defender exclusions; use them so you don’t inadvertently hole-punch the whole AV. If a rule appears to do nothing, check whether the device is in EDR block mode and whether Defender is the active AV — ASR is silently disabled under third-party AV. Finally, ASR events do not always surface as alerts; plumb them into your SIEM via the Defender API or Advanced Hunting (DeviceEvents where ActionType startswith "Asr").