Forum Discussion
AWulle
Jun 25, 2024 Copper Contributor
Unsanctioned to all, exclude to some
Dear reader,
I have configured the asset rules and device tagging.
I need to deploy certain apps as unsanctioned to all W11 devices and exclude the same apps for certain devices that have a device tag I configured for exclusion.
The problem I am having is that the devices that need to be excluded, with the device tag "Exclude", are also part of the device tag "W11".
I could exclude them from the W11 device tagging, but that would mean they would be excluded from all other policies that are targeted to the W11 tag, which is not desirable.
I was hoping for a solution like how you would deploy in Intune, with include and exclude groups, but it doesn't look like the Defender platform supports this.
I have been testing with exclude entities, but this does not give the result I am looking for.
Can someone help me?
Maybe you had the same issue and found some smart way around this? 🙂
Thank you in advance!
- BHug032763 Copper Contributor
Try using scoping https://learn.microsoft.com/en-us/defender-cloud-apps/scoped-deployment
- MatejKlemencic Brass Contributor
Hi AWulle,
I faced the same issue. Unfortunately, the only way to exclude certain devices is by using a Device Group, and the challenge here is that a single device can only belong to one Device Group at a time (either the WIN11 Device Group or the Exclude Group in your case). What other policies are currently applied to your WIN11 Device Group? Could you apply those same policies to the Exclusion Group as well? That's what we did when we had a similar exclusion scenario.
- ArtSofM365 Copper Contributor
That is indeed very unnatural and convoluted.
The single device group membership is also a strange concept, unique to MCAS compared to other M365 products.
Moreover, you do not easily see what exceptions a SaaS app has applied.
Then there is that include/exclude concept, tags, etc.
Some alignment with other M365 products (Intune, AAD, …) would be welcome.
- AWulle Copper Contributor
Hi Matej,
Thank you for your response. Web content filtering is another policy where I am encountering challenges due to the need to create exceptions for specific departments or device groups.
I'm glad I didn't overlook anything, as this is indeed how Defender works. Personally, I find it to be a shortcoming.