Configuration filters

  • Last update on September 27th, 2024

You can include/exclude:

Through these filters, the configurations excluded from the Sync will not be known to Configuration Manager at all. They won't be backed up, and Configuration Manager won't monitor them for changes.

Configuration filters vs. Hide

Configuration filters (in Sync) and Hide (in Reconcile) appear similar but have crucial differences:

  • Hide: configurations that are hidden in Reconcile are backed up, and Configuration Manager will monitor them for changes, but no changes will be made to them.
  • Configuration filters: configurations excluded from the Sync will not be known to Configuration Manager at all. They won't be backed up, and Configuration Manager won't monitor them for changes
 

Understanding Configuration filters

There are two Configuration filters:

Included

Include allows you to specify the only Configuration Types or individual configurations that you want Configuration Manager to Sync.

The include filter is essentially an absolute exclude filter. Everything not specified in the filter will be skipped.

 

This means that if you specify “Conditional access policies” in the include filter, Configuration Manager will ONLY include those configurations in the Sync, and all other configurations will be excluded. If you save this setting and run a Sync, every configuration in your tenant will be skipped except for “Conditional access policies”.

 
 

Excluded

These filters allow you to select either a Configuration Type or an individual configuration for Configuration Manager to exclude from the Sync. This means Configuration Manager will not sync it. All other configurations will be synced.

For example, if you do not want Configuration Manager to sync “Conditional access policies”, you can add an exclude filter for conditional access. During the Sync, Configuration Manager will detect the conditional access policies and skip them. No actions will be performed—Configuration Manager will neither back them up nor write changes to them.

You can use Exclude in the following situations:

  • If there is a specific configuration that is sensitive and you don't want that information going to a third-party tool. By excluding them, Configuration Manager won't have access to those configurations.
  • If a policy is causing the Sync to fail you can exclude that configuration to temporarily bypass the error. This allows the Sync to resume and continue using Configuration Manager while Support addresses the issue with that configuration. 
 
 

Please note that include filters take priority over exclude filters.

 

When use include/exclude filters together

Exclude filters can be used alongside Include filters to exclude individual configurations within the included Configuration Types in a Sync.

For example, if you include the following Configuration Type:

Intune > Apps

in the Sync, only Intune applications will be synced. To exclude a specific application like Google Chrome, you can add an Exclude filter for the individual configuration:

 Intune > Apps > Google Chrome

This setup will Sync all Intune applications except Google Chrome.

Filters set both in “Included resources” and in “Excluded resources.”

Apply Configuration filters to baselines

If configuration filters are applied to the baseline tenants, they also get applied to all downstream tenants under that baseline.

 
  • If you want to exclude a policy from all downstream tenants under a baseline, add that exclusion to the baseline, and all tenants under that baseline will also get that exclusion.
  • If you want to exclude a configuration from one specific downstream tenant, add it to that one tenant only.

Apply Configuration filters

Include/exclude a Configuration Type

Click on “+ ADD”

Click “Add button” or “+ ADD” to select configurations.

From the pop-up that appears, select the Configuration Type that you wish to include/exclude from the drop-down menu. You can select multiple items by checking the related checkboxes.

Select the Configuration Type from the dropdown menu.

If you include/exclude a Configuration Type, all the individual configurations under that Configuration Type will be included/excluded. If you want to include/exclude only specific configurations, proceed as follows:

Include/Exclude an individual configuration

To include/exclude only one or more individual configurations under a Configuration Type, first add the Configuration Type. 

Select the Configuration Type.

Then, click on “Add configuration” and type the name of the configuration.

Type the name of the configuration.