Forum Discussion
How to exclude specific machines from Intune compliance policy?
- Mar 08, 2018
Hi Ion,
I totally understand and agree that this would be great to have. User assignment and exclusion of devices. This would solve this problem and many more I think. I don't see any other solution than using device groups in total for compliance policy. Gather your devices via a dynamic group and assign the compliance policy. But there is another side effect if you assign users compliance policies and devices compliance policies. When a user is now the target of a policy and his device also, the overall status of compliance policy is not calculated as a logical AND, it's a logical OR. Let me give an example:
user A -> user policy A
user A uses device A and has device policy B
then it might be like this:
user policy A is evaluated as compliant and device policy B is evaluated as non-compliant. Now because of the logical OR the user will get IsCompliant=True.
So mixing is not a great idea. At the moment we need to decide to go for user assignments or device assignments imho. This leads to various restrictions.
Best way imho is to exclude them from the Conditional Access policy...
best,
Oliver
Hello Ion,
Can you create a device group with the virtual machines and exclude the group from the Compliance Policy? See if that works like expected?
Best regards,
Ruud Gijsbers
Hi Ruud,
Thank you for your reply.
It looks like it might not be possible to exclude them (see Oliver's reply above). At the moment the way I'm trying to exclude these machines is by using their public IPs, which I understand should have the same effect (I've used them to exclude them from other policies in the past successfully).
Kind regards,
Ion