If you want to exclude specific device(s) from Application Group deployment, you need to create a separate Azure AD group for the devices to be excluded and add an exclude type deployment for it. Exclude deployment will exclude the installation of all applications that have been selected to the deployment process.
- Create an application specific Azure AD group for devices that you want to exclude from other deployments of the selected application
- Add device objects to the group
- Navigate to AM portal -> AM for Intune -> Administration -> Deployment processes page
- Find a deployment process where you have added Application Groups maintained group
- Add the new Azure AD group to the deployment process and change its Assignment mode to Exclude
- Click Start deployment now to create the exclude deployment into Intune
An example deployment process for WinSCP:
- IT Global Pilot Devices
- Required installation for pilot devices
- All Users
- Makes the application visible in Company Portal for all end users
- AM - WinSCP Required
- Required deployment for a group that's maintained by Application Groups feature
- AM - Exclude WinSCP
- Devices in this group will be excluded from other deployments in this deployment process