Intune Device configuration Device Restrictions Policy

Copper Contributor

In Our Environment we have one requirement We have Policy which will block all the user control ( USB,Time Zone Change) and we have requirement to exclude few users to allow time zone change .


In above requirement how we can  exclude one to Time Zone.We cant add user to first policy where user will get access to USB and also Time Zone 


If we try to create one more policy to allow only Time Zone there is no option in policy to allow only block or Not configured.

4 Replies
Are saying that you want to block all USB and also force one specific time zone on all devices?

@BraulioCulcay No We have already blocked USB for all and one specific time zone but we need to allow only few user to change Time Zone without allowing USB.

You can create multiple policies. I did the same at one of my customers. They wanted to block usb Storage device but can make exceptions.

I created a device restriction policy with all settings except block usb storage devices, and a second device restriction policy with only block usb storage devices.

Assign the 2 profiles to the same group, so both will applied and add to the policy with the deviation an exclude group. So the users in that group will not receive the policy and they can change the time zone or use usb for example

I hope that this help you,

Kind regards,


Create 2 policies
Create a dynamic group based on enrollment profile
Create an 'exception' group for your less restricted people

Policy A
Dynamic Group - Include
Exception Group - Exclude

Policy B
Exceotion Group - Include

Policy B will need to get all of the policy settings as Policy A minus the exclusions.

Correct on your last point. You cannot 'layer' policies in Intune like GPO's.

There is another more complex option where you set a 'baseline' policy that has your settings that wil never change and then create multiple policies for each individual setting. This is terrible to try and manage as you get more and more outliers. I simply started with a policy names iOS - Configuration Policy - Baseline. In your case above, i would then create a nre policy called iOS Configuration Policy - Allow USB_TimeZone and do the include / exclude as described above.