Exclusion policy doesn't work when Allow list policy is applied to client groups in SEPM hybrid deployment.

Article ID: 277327

Products

Endpoint Protection, Endpoint Security Complete

Issue/Introduction

If SEPM is in a hybrid deployment and the enrollment option "Manage Policies from the Cloud" is not enabled in the ICDm/SES cloud console, an allow list policy applied to a group in the cloud account takes precedence over the exclusion policy applied to the same group in the SEPM client groups. As a result, the SEPM exception policy does not function on the clients in that group.

Environment

SEPM in a hybrid environment, with the "Manage Policies from the Cloud" option disabled in the ICDm/SES cloud portal.

Cause

By design, an ICDm allow list policy applied to a hybrid group takes precedence over the exception policy applied from SEPM.

Resolution

Remove any allow list policy applied to the hybrid client groups that are synchronized from SEPM.

After the change syncs between SEPM and the cloud, the clients should detect it and remove the cloud allow list policy, so that the exception policy provided by SEPM is enforced.