Forum Discussion
How can I create an exception for a security recommendation for a specific device?
There are some security recommendations that I want to apply to some devices and create an exception for other devices. Is that possible? If so, how do I do that?
3 Replies
- WillR (Copper Contributor)
cssns and Tim Beer, thanks for your replies.
What happens if I make an exception for a security recommendation and then later new CVEs are released that are related to that security recommendation I created an exception for? For example, if I have the security recommendation "Update Microsoft .Net" and I create an exception for that but then a few days later a new CVE is released that affects devices in my environment, what does Defender do to ensure I review the security recommendation based on the newest CVE information?
- cssns (Brass Contributor)
If you are particular about endpoint security policies, then the only option for an exception is to have a separate Azure/Intune device group created for the exclusion devices, because policy assignment can only be enforced on device groups, either as 'Include' or 'Exclude'.
- Tim Beer (Copper Contributor)
Not sure if this helps at all, but you should be able to do most exceptions with device groups, i.e.:
Let's say I go to Endpoints - Recommendations.
Here it finds 4 servers it recommends doing an update.
If I go to the Exceptions options I can add a device group and exclude.
Even though it's a device group that could be used for multiple devices, there is nothing stopping you creating a device group with just, say, 1 machine. So create a device group here in Settings - Endpoints - Device Groups and then in Filter by Device Group above just add your device group to the exception.