
Ion Zubia
Copper Contributor
Mar 07, 2018
Solved

How to exclude specific machines from Intune compliance policy?

Hi,

I need a few virtual machines to be excluded from the Intune compliance policy. I thought that the following setup would be sufficient to accomplish this and be able to access corporate data without the need to make these virtual machines compliant (they all have fixed IPs):

Unfortunately this isn't working and I'm wondering how I could exclude these machines from enrolment.

Thank you,

Ion


  • Hi Ion,

    It's not really clear to me what you'd like to achieve from the description. Your screenshot shows the Conditional Access policy, but you are talking about the Compliance policy. Do you want to exclude devices from CA or from the Compliance policy itself? If you want to exclude them from the Compliance policy you need to be aware of how the Compliance policy is assigned. If the Compliance policy is assigned to users, then you can use the exclude feature only with user groups. If it is assigned to a device group, the exclude can only contain device groups. You can't mix user and device groups when using include/exclude; this is the current implementation and by design.

    Regarding your CA policy, you need to specify IP ranges. To specify a single IP address you need to use 192.168.1.1/32; the /32 at the end is important to specify a single IP address.

    Hope this helps.

    best,

    Oliver
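
One way to catch the missing-/32 mistake before it reaches the portal, as an added example that is not part of this thread and not Microsoft's own tooling: a small Python check over a list of named-location entries. It widens a bare address to a single-host prefix (/32 for IPv4, /128 for IPv6), refuses entries whose host bits are set instead of guessing what was meant, flags RFC 1918 / RFC 4193 ranges (Conditional Access evaluates the public egress address that Azure AD sees, which is why public IPs are what belong in the list) and removes duplicates that only appear after normalising. The sample entries are constructed; only 192.168.1.1 comes from the reply above.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Constructed sample entries, as someone might type them into a named
# location. Only 192.168.1.1 is taken from the reply; the rest are made up.
SAMPLE_ENTRIES = [
    "192.168.1.1",      # bare address: needs /32 to mean exactly one host
    "192.168.1.1/32",   # same host written correctly (a duplicate once normalised)
    "203.0.113.0/24",   # a whole subnet (RFC 5737 documentation range)
    "203.0.113.7/24",   # host bits set: one host or the whole subnet?
    "2001:db8::10",     # bare IPv6 address: needs /128
    "not-an-ip",        # typo
]

# RFC 1918 (IPv4) and RFC 4193 (IPv6) ranges never appear as a client's
# public egress address, so a named location containing them cannot match.
_INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _is_internal(net: Network) -> bool:
    # subnet_of() only compares networks of the same IP version.
    return any(
        net.version == r.version and net.subnet_of(r) for r in _INTERNAL_RANGES
    )


def normalize_ip_range(entry: str) -> Tuple[Optional[str], List[str]]:
    """Return (canonical CIDR or None, warnings) for one named-location entry.

    A bare address becomes a single-host prefix (/32 or /128). An entry whose
    host bits are set is rejected as ambiguous rather than silently widened.
    """
    warnings: List[str] = []
    text = entry.strip()
    if "/" not in text:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None, [f"{entry!r}: not a valid IP address or CIDR range"]
        net = ipaddress.ip_network(str(addr))  # yields /32 or /128
        warnings.append(
            f"{entry!r}: bare address, written as {net} so it matches one host"
        )
    else:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            # Either malformed, or host bits set beyond the prefix length.
            try:
                whole = ipaddress.ip_network(text, strict=False)
            except ValueError:
                return None, [f"{entry!r}: not a valid IP address or CIDR range"]
            one_host = ipaddress.ip_network(text.split("/", 1)[0])
            return None, [
                f"{entry!r}: host bits set; did you mean {one_host} "
                f"(one host) or {whole} (the whole subnet)?"
            ]
    if _is_internal(net):
        warnings.append(
            f"{net}: internal range; CA evaluates the public egress address, "
            "so this will never match"
        )
    return str(net), warnings


def check_named_location(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Normalise a whole list: (unique accepted CIDRs in order, all warnings)."""
    accepted: List[str] = []
    problems: List[str] = []
    for entry in entries:
        cidr, warnings = normalize_ip_range(entry)
        problems.extend(warnings)
        if cidr is None:
            continue
        if cidr in accepted:
            problems.append(f"{entry!r}: duplicate of {cidr} after normalising")
            continue
        accepted.append(cidr)
    return accepted, problems


if __name__ == "__main__":
    ok, issues = check_named_location(SAMPLE_ENTRIES)
    print("accepted:", ok)
    for line in issues:
        print("warning:", line)
```

Run it against the list you intend to paste into the named location; anything reported under "warning" is worth resolving first, since the portal will not tell you that a private range can never match or that two entries collapse to the same host.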

    • Ion Zubia
      Copper Contributor

      Hi Oliver,

      Sorry if it wasn't very clear, but it is as you describe.

      I'm trying to exclude these machines from the compliance policy itself, but this policy applies to user groups. I was aware that the issue was here, but I was hoping there was a way to say "with the exception of these machines regardless of the user", which I think would be a very useful and sensible option to have.

      I want users to be able to access corporate data as long as they are using a device under Intune's umbrella, therefore I'm applying the group policy to the users. These virtual machines are hosts to sessions that some of our users connect to and work from with the use of thin clients.

      I understand it won't be possible to achieve this in this scenario?

      Thank you,

      Ion

      • Hi Ion,

        I totally understand and agree that this would be great to have: user assignment and exclusion of devices. This would solve this problem and many more, I think. I don't see any other solution than using device groups in total for the compliance policy. Gather your devices via a dynamic group and assign the compliance policy. But there is another side effect if you assign users compliance policies and devices compliance policies. When a user is now the target of a policy and his device also, the overall status of the compliance policy is not calculated as a logical AND, it's a logical OR. Let me give an example:

        user A -> user policy A

        user A uses device A and has device policy B

        then it might be like this:

        user policy A is evaluated as compliant and device policy B is evaluated as non-compliant. Now because of the logical OR the user will get IsCompliant=True

        So mixing is not a great idea. At the moment we need to decide to go for user assignments or device assignments imho. This leads to various restrictions.

        Best way imho is to exclude them from the Conditional Access policy...

        best,

        Oliver

  • RuudGijsbers
    Iron Contributor

    Hello Ion,

    Can you create a device group with the virtual machines and exclude the group from the Compliance Policy, and see if that works as expected?

    Best regards,

    Ruud Gijsbers

    • Ion Zubia
      Copper Contributor

      Hi Ruud,

      Thank you for your reply.

      It looks like it might not be possible to exclude them (see Oliver's reply above). At the moment the way I'm trying to exclude these machines is by using their public IPs, which I understand should have the same effect (I've used them to exclude them from other policies in the past successfully).

      Kind regards,

      Ion
