Ion Zubia
Mar 07, 2018, Copper Contributor
How to exclude specific machines from Intune compliance policy?
Hi,
I need a few virtual machines to be excluded from the Intune compliance policy, I thought that the following setup would be sufficient to accomplish this and be able to access corporate dat...
Mar 08, 2018
Hi Ion,
I totally understand and agree that this would be great to have: user assignment and exclusion of devices. This would solve this problem and many more, I think. I don't see any other solution than using device groups in total for the compliance policy. Gather your devices via a dynamic group and assign the compliance policy. But there is another side effect if you assign users compliance policies and devices compliance policies. When a user is now the target of a policy and his device also, the overall status of the compliance policy is not calculated as a logical AND, it's a logical OR. Let me give an example:
user A -> user policy A
user A uses device A and has device policy B
then it might be like this:
user policy A is evaluated as compliant and device policy B is evaluated as non-compliant. Now, because of the logical OR, the user will get IsCompliant=True.
So mixing is not a great idea. At the moment we need to decide to go for user assignments or device assignments, imho. This leads to various restrictions.
Best way imho is to exclude them from the Conditional Access policy...
best,
Oliver
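As an added illustration of the device-group-only approach Oliver describes above (this is not code from the thread or from Microsoft), the following PowerShell uses the Microsoft Graph PowerShell SDK to create two dynamic device groups, one collecting all MDM-managed Windows devices and one collecting the session-host VMs, and then assigns the compliance policy to the first group while excluding the second. The group names, the "VDI-" device-name prefix and the policy display name are assumptions for the example; the tail of the script lists devices that are not yet reported compliant so the practitioner can watch the policy take effect.

```powershell
# Added example, not from the original thread: compliance policy targeted at device
# groups only, with the session-host VMs carved out by an exclusion group.
# Requires the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest).
# Assumptions: group display names, the "VDI-" naming prefix for the session hosts,
# and the compliance policy display name are all placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All'

function New-DynamicDeviceGroup {
    # Creates a security group whose membership is computed from a device rule.
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    $body = @{
        displayName                   = $DisplayName
        mailEnabled                   = $false
        mailNickname                  = ($DisplayName -replace '[^A-Za-z0-9]', '')
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = 'On'
    }
    Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/groups' -Body $body
}

# 1. Every Intune-enrolled (MDM-managed) Windows device: the include group.
$allMdmWindows = New-DynamicDeviceGroup -DisplayName 'Intune MDM Windows devices' `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.managementType -eq "MDM")'

# 2. The session-host VMs, picked out by an assumed naming convention: the exclude group.
$sessionHosts = New-DynamicDeviceGroup -DisplayName 'Session host VMs (compliance exempt)' `
    -MembershipRule '(device.displayName -startsWith "VDI-")'

# 3. Locate the compliance policy by its (assumed) display name.
$policyName = 'Windows 10 baseline compliance'
$allPolicies = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$policy = $allPolicies.value | Where-Object { $_.displayName -eq $policyName } | Select-Object -First 1
if (-not $policy) { throw "Compliance policy '$policyName' not found" }

# 4. Assign: include the MDM Windows device group, exclude the session-host group.
#    Both targets are device groups, so no user assignment is mixed in.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = $allMdmWindows.id } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                       groupId       = $sessionHosts.id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body $assignBody

# 5. Verify: list devices that are not (yet) reported compliant, with their last sync time.
$devices = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=deviceName,complianceState,lastSyncDateTime'
$devices.value |
    Where-Object { $_.complianceState -ne 'compliant' } |
    Select-Object deviceName, complianceState, lastSyncDateTime |
    Format-Table -AutoSize
```

Dynamic group membership is recalculated asynchronously, and a device only evaluates a newly assigned policy on its next check-in, so the verification query in step 5 is expected to show new devices as non-compliant or unknown for a while after enrollment; re-run it rather than assuming the assignment failed. The exclusion group only has an effect for devices that actually exist as objects in Azure AD, which is why the session hosts need to be registered or joined before the rule can match them.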
Ion Zubia
Mar 08, 2018, Copper Contributor
Hi Oliver,
Sorry if it wasn't very clear, but it is as you describe.
I'm trying to exclude these machines from the compliance policy itself, but this policy applies to user groups. I was aware that the issue was here, but I was hoping there was a way to say "with the exception of these machines, regardless of the user", which I think would be a very useful and sensible option to have.
I want users to be able to access corporate data as long as they are using a device under Intune's umbrella, therefore I'm applying the group policy to the users. These virtual machines host sessions that some of our users connect to and work from with the use of thin clients.
I understand it won't be possible to achieve this in this scenario?
Thank you,
Ion
Ion Zubia
Mar 08, 2018, Copper Contributor
Hi Oliver,
It looks like I'm going to have to re-think how to approach this and adapt our desired outcome to using device groups to apply the policies then.
My thanks for your assistance on this matter.
Kind regards,
Ion
Mar 08, 2018
Hi Ion,
Sure, no problem. Another effect to mention when using device assignment is that it might take a long time to apply. Imagine the situation: using Windows 10 and OOBE + AAD join + Intune auto-enrollment. Then the device is not instantly available and needs to be registered first by the enrollment process. This needs some time. Then the dynamic group needs some time to pick up the device, and then the device must sync to get the new policy to evaluate. So it might be (depending on the scenario) that you face delays which might be a problem. For example, when you have a conditional access policy which requires compliant devices, then the device needs some time to get compliant, and as long as it is non-compliant it can't access corporate data protected by conditional access.
best,
Oliver
Ion Zubia
Mar 08, 2018, Copper Contributor
Hi Oliver,
It just occurred to me; since we have absolutely no connection between our on-premises infrastructure and our Azure and 365 users and devices (thus not using Hybrid Azure AD), I believe this path isn't going to work either.
I can create a group (or groups) and add all of our company-owned devices there to then force compliance upon them. However, I see no policies within conditional access that will allow me to deny access to company data to any device outside of that hypothetical group.
Regards,
Ion