@MarketShare, thanks for posting in Q&A. From your description, it seems some devices are not working when we configure Exclude in the policy assignment. For the Include, it seems we configure All devices. For the exclude group, we need to configure a device group. Could you confirm whether the exclude group has only devices as members?
After we set the exclude, please go to the affected device, open Accounts -> Access work or school, find the account, select Info, and choose Sync to see if it can sync successfully. After the sync is completed, wait some time to see if the conflict disappears in the Intune portal.
Meanwhile, you mentioned "Devices are not clearing from previous security baselines." Could you confirm whether you mean the setting is kept on the device side? If yes, this can be because the CSP keeps the setting. In fact, Intune settings are based on the Windows configuration service providers (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, which is also called tattooing.
Hope the above information can help.