Note
The new profile assignment and channel experience is rolling out gradually and might not be available in your tenant right away. If this experience isn’t available in your tenant, see Channel to profile mapping and Switch device update channel for profile assignment and channel management.
Exclude groups allow you to exclude specific users or devices from cloud update management. Use exclusions when devices shouldn't be managed by any cloud update profile, even if the devices or users are included through profile assignment. Exclude groups take the highest priority.
This article explains how exclude groups work, how they differ from profile assignment, and when to use them with cloud update deployment.
Understand exclude groups
Exclude groups are configured at the tenant level and apply to all cloud update profiles. When a device or user is included in an exclude group, cloud update excludes the device from profile management instead of evaluating it for assignment to a profile.
This behavior is different from not including a device or user in profile assignment. If a device or user isn't included in profile assignment, the device isn't onboarded to that profile. However, the device can still be onboarded later if it's added to another assigned group or matches a built-in channel group. If a device or user is included in an exclude group, cloud update doesn't manage the device from any profile until the exclusion no longer applies.
- Exclude groups require Microsoft Entra groups. Review group requirements.
- Exclude groups apply across all profiles, not to a single profile.
- Cloud update evaluates group membership at least once per day.
- Excluded devices appear as excluded in Inventory within 24 hours. To confirm that a device was excluded, review the Cloud Update Status column.
Configure exclude groups
To add or update an exclude group, follow these steps:
- Sign in to the Microsoft 365 Apps admin center with an account that has permission to manage cloud update.
- In the left navigation, expand Cloud Update, and then select Settings.
- On the Settings page, select Exclude groups.
- Select Exclude specific groups of devices and/or users.
- Select + Add group to list.
- In the flyout, add the Microsoft Entra group that contains the users or devices that you want to exclude, and then select Add to list.
- Select Save.
Common scenarios
Exclude devices that must stay outside cloud update management
Use an exclude group when specific devices must remain outside cloud update management, even if those devices are included in profile assignment. This approach is useful for devices that are managed through a separate update process or that must remain on an update channel that cloud update doesn't currently support.
For example, Contoso has 100 non-persistent virtual machines running Monthly Enterprise Channel in a virtual desktop environment. These virtual machines receive updates through a monthly image update process. The Monthly Enterprise Channel built-in group is assigned to the Monthly Enterprise profile, which would otherwise onboard all devices on that channel. To prevent cloud update from managing the virtual machines, the admin adds them to a Microsoft Entra group and then adds that group to the exclude groups list. As a result, cloud update doesn't manage those virtual machines.
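The group-population step in the Contoso scenario can be scripted and audited with the Microsoft Graph PowerShell SDK. The following is an added example, not part of the original article: the group name and the `CONTOSO-VDI-` naming prefix are assumptions, and the group is assumed to be a security group with direct device members that meets the group requirements referenced above. Because an exclude group removes devices from management by every profile, the script also reports members that don't match the expected naming convention.

```powershell
# Added example: the group name and device prefix are assumptions, not values from the article.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

$GroupName  = 'CloudUpdate-Exclude-VDI'   # hypothetical group name
$NamePrefix = 'CONTOSO-VDI-'              # hypothetical VM naming convention

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Find the group, or create it as a security group if it doesn't exist yet.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -All | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
        -MailEnabled:$false -SecurityEnabled `
        -Description 'Devices excluded from cloud update (image-managed VDI)'
}

# Devices that should be excluded, selected by display-name prefix.
$wanted    = @(Get-MgDevice -Filter "startswith(displayName,'$NamePrefix')" -All)
$wantedIds = @($wanted | ForEach-Object Id)

# Current direct members of the group (directory objects).
$current    = @(Get-MgGroupMember -GroupId $group.Id -All)
$currentIds = @($current | ForEach-Object Id)

# Add any matching device that isn't a member yet.
foreach ($device in $wanted) {
    if ($device.Id -notin $currentIds) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
        Write-Output "Added $($device.DisplayName)"
    }
}

# Report members outside the convention: they are excluded from every profile,
# so each one should be reviewed and removed if it isn't meant to be exempt.
foreach ($member in $current) {
    if ($member.Id -notin $wantedIds) {
        $name = $member.AdditionalProperties['displayName']
        Write-Warning "Unexpected member: $name ($($member.Id))"
    }
}
```

After the group is added to the exclude groups list, allow up to 24 hours and then confirm the result in the Cloud Update Status column in Inventory.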