Dynamic Collection filter issue

I can't get the following to work:

Trying to create a dynamic collection that shows me clients that belong to a specific AD group, don't have BitLocker enabled on their local disk and also no PIN as a key protector.

Easy enough, I thought, I'll add those filters and voila.

The problem I then encountered was that the a client with the following device wouldn't leave the group, even tho the disk didn't match multiple filters.

This is possibly because of a second disk. Usually an SD card or USB drive. Obviously, these are not encrypted and surely have no protectors.

I want the filters only to look at disk drives of the media type 'Fixed hard disk media', so I've added that as well. Sadly, this still doesn't work. How do I apply the 2 Local Disk filters only to the 1 Disk Drive filter?