Issue
Wildcards used as criteria in Device Group filters do not seem to apply to the correct endpoints.
Environment
Microsoft Defender for Endpoint
Device Groups
Resolution
When using a single wildcard (*) for a condition value, the endpoints must have a value in that field. Example:
Condition | Operator | Value |
Tag | contains | * |
For an endpoint to match this example Device Group criteria, the endpoint must have a tag of any value. Endpoints with no tags do not meet the criteria and are not filtered into the corresponding Device Group.
To filter endpoints with no tags into this Device Group, another set of criteria must be used.
Cause
Endpoints with null values for a given field will not meet any wildcard criteria for that same field. This is expected wildcard logic.
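To see which endpoints the wildcard condition skips, the following Advanced Hunting query lists onboarded devices with no tag of any kind. It is an added example, not part of the original article. It assumes the Device Group "Tag" condition corresponds to the three tag columns of the DeviceInfo table and that an empty tag column appears as null, an empty string or the text "[]".

```kusto
// Added example: devices whose most recent DeviceInfo record carries no tag,
// i.e. the endpoints a "Tag contains *" Device Group condition does not match.
// Assumption: empty tag columns show up as null, "" or "[]"; tostring() makes
// the comparison work whether the column is typed string or dynamic.
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId          // latest record per device
| where OnboardingStatus == "Onboarded"
| extend RegistryTag = tostring(RegistryDeviceTag),
         ManualTags  = tostring(DeviceManualTags),
         DynamicTags = tostring(DeviceDynamicTags)
| where isempty(RegistryTag)
    and (isempty(ManualTags)  or ManualTags  == "[]")
    and (isempty(DynamicTags) or DynamicTags == "[]")
// MachineGroup shows which Device Group each untagged endpoint actually landed in
| project DeviceId, DeviceName, MachineGroup, LastSeen = Timestamp
| order by MachineGroup asc, DeviceName asc
```

Any device returned here has a null Tag field and needs either a tag assigned or a separate, non-wildcard criterion to be placed in the intended Device Group.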