Subrahmanya_Hebbar
Copper Contributor
Jul 26, 2021

Intune Device configuration Device Restrictions Policy

In our environment we have one requirement. We have a policy which will block all the user controls (USB, time zone change), and we have a requirement to exclude a few users to allow time zone change.

In the above requirement, how can we exclude one for Time Zone? We can't add the user to the first policy, where the user will get access to USB and also Time Zone.

If we try to create one more policy to allow only Time Zone, there is no option in the policy to allow; only Block or Not configured.

4 Replies

  • Justin Graham
    Copper Contributor
    Create 2 policies
    Create a dynamic group based on enrollment profile
    Create an 'exception' group for your less restricted people

    Policy A
    Dynamic Group - Include
    Exception Group - Exclude

    Policy B
    Exception Group - Include

    Policy B will need to get all of the policy settings as Policy A minus the exclusions.

    Correct on your last point. You cannot 'layer' policies in Intune like GPOs.

    There is another, more complex option where you set a 'baseline' policy that has your settings that will never change and then create multiple policies for each individual setting. This is terrible to try and manage as you get more and more outliers. I simply started with a policy named iOS - Configuration Policy - Baseline. In your case above, I would then create a new policy called iOS Configuration Policy - Allow USB_TimeZone and do the include / exclude as described above.
  • Mr_Helaas
    Steel Contributor
    You can create multiple policies. I did the same at one of my customers. They wanted to block USB storage devices but be able to make exceptions.

    I created a device restriction policy with all settings except block USB storage devices, and a second device restriction policy with only block USB storage devices.

    Assign the 2 profiles to the same group, so both will be applied, and add an exclude group to the policy with the deviation. So the users in that group will not receive the policy, and they can change the time zone or use USB, for example.

    I hope that this helps you,

    Kind regards,

    Rene

  • BraulioCulcay
    Copper Contributor
    Subrahmanya,
    Are you saying that you want to block all USB and also force one specific time zone on all devices?
    • Subrahmanya_Hebbar
      Copper Contributor

      BraulioCulcay No, we have already blocked USB for all and one specific time zone, but we need to allow only a few users to change Time Zone without allowing USB.
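
The include/exclude pattern from the first reply, scripted against Microsoft Graph as an added example (not code from any poster in this thread). It assumes both device restriction profiles already exist, that Policy B is a copy of Policy A without the time zone block, and that the two groups are of the same type (user or device); all four IDs are placeholders.

```powershell
# Added example. The four IDs are placeholders; replace them with values from your tenant.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policyA        = '<POLICY-A-ID>'        # baseline: USB and time zone change blocked
$policyB        = '<POLICY-B-ID>'        # same settings, time zone change not blocked
$broadGroup     = '<BROAD-GROUP-ID>'     # everyone who gets the baseline
$exceptionGroup = '<EXCEPTION-GROUP-ID>' # users allowed to change the time zone
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

function New-AssignmentTarget {
    param([string]$GroupId, [switch]$Exclude)
    $type = '#microsoft.graph.groupAssignmentTarget'
    if ($Exclude) { $type = '#microsoft.graph.exclusionGroupAssignmentTarget' }
    @{ target = @{ '@odata.type' = $type; groupId = $GroupId } }
}

function Set-PolicyAssignment {
    param([string]$PolicyId, [hashtable[]]$Assignments)
    # The assign action replaces the profile's entire assignment list,
    # so every include and exclude must be sent in the same call.
    $body = @{ assignments = $Assignments } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri "$base/$PolicyId/assign" `
        -Body $body -ContentType 'application/json'
}

# Policy A: include the broad group, exclude the exception group.
Set-PolicyAssignment -PolicyId $policyA -Assignments @(
    (New-AssignmentTarget -GroupId $broadGroup),
    (New-AssignmentTarget -GroupId $exceptionGroup -Exclude)
)

# Policy B: include only the exception group, so its members still get the USB block.
Set-PolicyAssignment -PolicyId $policyB -Assignments @(
    (New-AssignmentTarget -GroupId $exceptionGroup)
)

# Read the assignments back to confirm that each profile has the expected targets.
foreach ($id in $policyA, $policyB) {
    $result = Invoke-MgGraphRequest -Method GET -Uri "$base/$id/assignments"
    foreach ($a in $result.value) {
        '{0}  {1}  {2}' -f $id, $a.target.'@odata.type', $a.target.groupId
    }
}
```

Because the exception group is excluded from Policy A and included in Policy B, its members never fall back to an unrestricted state: removing a user from the exception group returns them to the baseline on the next check-in.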
