Unsanctioned to all, exclude to some
Hi AWulle,
I faced the same issue. Unfortunately, the only way to exclude certain devices is by using a Device Group, and the challenge here is that a single device can only belong to one Device Group at a time (either the WIN11 Device Group or the Exclude Group in your case). What other policies are currently applied to your WIN11 Device Group? Could you apply those same policies to the Exclusion Group as well? That's what we did when we had a similar exclusion scenario.
- ArtSofM365, Sep 03, 2024, Copper Contributor
That is indeed very unnatural and convoluted.
The single device group membership is also a strange concept unique to MCAS compared to other M365 products.
Moreover, you do not easily see what exceptions a SaaS app has applied.
Then there is that include/exclude concept, tags, etc.
Some alignment with other M365 products - Intune, AAD … would be welcome.
- AWulle, Jul 01, 2024, Copper Contributor
Hi Matej,
Thank you for your response. Web content filtering is another policy where I am encountering challenges due to the need to create exceptions for specific departments or device groups.
I'm glad I didn't overlook anything, as this is indeed how Defender works. Personally, I find it to be a shortcoming.