Hybrid AD security computer groups in Intune - Exceptions not working

StephanG 811

Hi everyone,

we are using rings to test out settings. These are defined by computer groups in the local AD that is synced with AD Connect.
We came across an issue when applying ASRs on some notebooks show an error.
ASRs can only applied in one policy.

So we have a Test, Ring1, Ring2, All computers group

The NB is in
Test
Ring1
Group

Ring1 Policy has
Ring 1 Group assigned. Test Group excepted.
Assignment overruled by exception you would think but no.

It is statet like this here:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments

Ring1 AND Test Policy are getting assigned and throw an error.

Anyone else having these problems? In the group there are only computers it is not mixed.

BR
Stephan

Crystal-MSFT 44,421 Reputation points Microsoft Vendor

2022-07-18T01:26:28.167+00:00
@StephanG ，From your description, it seems we get error "ASRs can only applied in one policy." when apply policy. If there's any misunderstanding, please let us know.

To clarify the issue, could you collect the following information to us.

For the error, it seems we have multiple ASR policies apply to the same device. Could you let us know if we have multiple ASR policies apply to these group?

Please check the the assignment failure report to see if there's any conflict.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/reports#assignment-failures-report-operational

For the exception, could you let us know if we assign exception on all other ASRs,, but it is not working? Please get the screen shots of the assignments for the ASR policies to know it better.

Please collect the above information and if there's any update, feel free to let us know.

2 answers

StephanG 811 Reputation points

2022-07-18T07:11:57.097+00:00

1 not to the same group
2 yes we have - our test client
3

This shows our testclient which is in Ring0 and Test_ATP.
In the 2nd screenshot you see that Ring0 is included but Test_ATP is excluded - so why does it says "succeeded" while the TEST Baseline which has only the Test_ATP group - is in Error.
Please sign in to rate this answer.
Crystal-MSFT 44,421 Reputation points Microsoft Vendor

2022-07-18T07:59:51.613+00:00

@StephanG , Thanks for the reply. From the pictures you provided, it seems 3 policies are assigned to the test client.

For the policy "Ring 0 xxx Defender ATP Baseline". it has CompGRP_xxxRing0 included and CompGRPxxTest_ATP excluded. For the two groups, they are two device group. And both with the affected notebook in. Based on my research, I find some partially supported scenarios. Could you let us know are they dynamic or static?
https://learn.microsoft.com/en-gb/mem/intune/configuration/device-profile-assign#support-matrix
Sign in to comment
StephanG 811 Reputation points

2022-07-18T08:03:33.343+00:00

Ring1 has CompGRP_Ring1 assigned where this client is not a member.
They are static device groups - synced from our AD (if this makes a difference).

To make sure: A device group gets a device group if there are not users in it? :)
Please sign in to rate this answer.
Crystal-MSFT 44,421 Reputation points Microsoft Vendor

2022-07-18T08:11:07.95+00:00

@StephanG , Thanks for the confirmation. If they are all static device groups, it is supported according the official article. But this still not working. This is strange. Here, we suggest to open case to check in the background to see if there's any finding. Here is a link with the steps to open case:
https://learn.microsoft.com/en-us/mem/get-support

Thanks for your understanding.
Sign in to comment

Share via

Hybrid AD security computer groups in Intune - Exceptions not working

2 answers