Device Configuration Profile Exclusion Group Not Working

New Contributor

There is a device configuration profile that is set up to push two local security policies to machines through Azure/Intune:
Interactive Logon Message Text For Users Attempting To Log On

Interactive Logon Message Title For Users Attempting To Log On

It was set to push to all devices when it was set up, and it has worked flawlessly at that. However, I needed to disable that for some kiosks. If I try to add them through an exclusion filter, nothing shows up as an option. I'm assuming this is because it is a policy applying to the "all devices" category and not a group. So, I instead added the dynamic security group of devices into the excluded groups (instead of the filter). We do also have an on-prem AD, but none of the GPOs are configured for this policy through that.

I don't know why this isn't working, but it isn't. I figured maybe Intune was just taking a long time to update, but it's been a few days and it's still applying the policy. Underneath that configuration profile it has since added 3 of the devices from that group to the non-applicable status for the policy, but it is still applying the policy to them as well, and won't add the other devices in that group as non-applicable. I even manually deleted the policy through GPEdit on the devices, and it reapplied the policy, despite it saying it is not applicable.

5 Replies


All devices is a virtual device group. So you can use an azure device group as an exclusions.

are those devices with the non applicable status already rebooted? 

did you set the config via Intune or gpo? Are the kiosk device ad joined/azure joined or standalone?

Kind regards,


@Mr_Helaas They are AAD joined devices, and should not be getting any policies from the on-prem AD. The only thing the on-prem AD is really managing are systems that can't be AAD joined, and the initial hosting and creation of user accounts. Then they are synced to AAD where they are actually used (no idea why it was set up this way, one of the things I'm trying to fix).

I wrote a script for all of the kiosks to run on logon, and while I was setting them up I repeatedly rebooted them while in the exclusion group, with no real luck.

The config is setup through Intune. I only mention the on-prem just in case there could be some strange interference, but it isn't managing anything on the devices. I also tend to use the on-prem terminology for things being done in Intune, simply because I'm so much more used to that terminology. So I'm very sorry for any possible confusion there.

Another bit of oddity, is that one of the three devices actually getting the non-applicable status keeps changing. What I mean is, two of them have remained in the non-applicable status for that device config profile. The third has changed between a few different devices in that same group, never remaining the same device for more than a few hours. I don't understand why all of them aren't showing in the config as non-applicable. I've also run an Intune sync on all of the devices, on multiple occasions thinking that would help. It didn't.

Is the exclusion not working or the policy settings remain configured? Both are 2 different things. Once a device is no longer targeted, Intune will stop targeting the device for that specific policy. Which means if it was applied earlier, the setting will remain configured. To revert the setting you will need to create another policy with the settings that you want to be removed and target the existing devices meant to be excluded.

If the policy revert to original state depends on the csp what has been used.

Check Microsoft doc:
Thanks for the share. Although in my experience this is a hit or miss and the behavior is not consistent.