11-02-2023 09:01 PM
I'm trying to find information resources that can provide some insight as to how others have overcome the challenge with managing servers and their applied policy, when it comes to necessary exclusions and policy options.
Presently I am using 1 policy = 1 group. Each server is a member of the group with the policy attached. Essentially, I am assigning policies directly to servers by way of the group.
This sort of negates any usefulness of the Groups and is messy and difficult to manage, especially as more and more servers get Secure Endpoint deployed onto them and differing policies and exclusions are required.
In an ideal situation it would suit us to be able to group all of the, e.g., Windows servers and apply them to a parent group where all of the base Windows policy settings are applied. And then any Windows Application servers can be assigned to the Child group where only those application rules are present within the child policy. And then the server obtains a combined resultant set of policy based on the Parent and additional Child settings. Secure Endpoint does NOT work this way and so this is not possible.
I’ve searched the support forum and found some info which describes organising the groups based on geographic location as one idea. Another idea is to just use one group as per the comments. However, this won't overcome our challenge. This must be a secure deployment, and having one group and consequently one OS policy will mean we must apply all of the exclusions to one policy, and therefore systems will obtain a policy which has unnecessary and risky exclusion rules.
Can anyone offer any further insight as to how to tackle this? I have a customer that is a bit unhappy with this product because of these challenges which are not present with the incumbent solution, even though the incumbent is a much-less-capable product in terms of “endpoint protection”, so any information that could help is most appreciated.
11-03-2023 03:43 AM
11-15-2023 05:10 AM
I agree, your idea would make total sense, but.....
We have multiple groups and policies as well and yes, it gets messy. As Ken pointed out, we make copies of policies and modify them to address a specific application's exclusion needs. Our groups look something like this:
Parent - Servers: Base policy
Child 1 - SQL Servers: SQL policy
Child 2 - Active Directory: AD Policy
Child 3 - App Server 1: App1 Policy
Child 4 - App Server 2: App 2 Policy
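
Because each child policy in the layout above is a modified copy of the base policy rather than an inherited one, copies can drift: a base exclusion changes without being propagated, or an application exclusion ends up in a policy that does not need it. The following Python check is an added example, not part of the thread and not using any Secure Endpoint API; it assumes the exclusion lists have been transcribed into sets, and all paths and the `ALLOWED_EXTRAS` mapping are constructed sample data.

```python
# Added example: audits copied policies against the base policy.
# Policy names follow the thread; every exclusion path is constructed.
BASE = "Base policy"

BASE_EXCLUSIONS = {r"C:\Example\Backup\Agent", r"C:\Example\Monitoring\Cache"}

POLICIES = {
    BASE: set(BASE_EXCLUSIONS),
    # Clean copy: base plus its own application exclusion.
    "SQL policy": BASE_EXCLUSIONS | {r"D:\Example\SQL\Data"},
    # Drifted copy: a base exclusion was never propagated to it.
    "AD Policy": {r"C:\Example\Backup\Agent", r"C:\Example\AD\NTDS"},
    # Over-broad copy: carries an exclusion that belongs to SQL servers.
    "App1 Policy": BASE_EXCLUSIONS
    | {r"E:\Example\App1\Spool", r"D:\Example\SQL\Data"},
}

# Hypothetical allow-list: the only extras each copy may add to the base.
ALLOWED_EXTRAS = {
    "SQL policy": {r"D:\Example\SQL\Data"},
    "AD Policy": {r"C:\Example\AD\NTDS"},
    "App1 Policy": {r"E:\Example\App1\Spool"},
}


def audit(policies, base_name, allowed_extras):
    """Return {policy: findings} for copies that drifted from the base
    or that carry exclusions outside their allow-list."""
    base = policies[base_name]
    findings = {}
    for name, exclusions in policies.items():
        if name == base_name:
            continue
        missing = base - exclusions
        unexpected = exclusions - base - allowed_extras.get(name, set())
        if missing or unexpected:
            findings[name] = {
                "missing_base": sorted(missing),
                "unexpected": sorted(unexpected),
            }
    return findings


if __name__ == "__main__":
    for policy, result in audit(POLICIES, BASE, ALLOWED_EXTRAS).items():
        print(policy, result)
```

A policy with no entry in the allow-list is treated as permitted no extras, so a newly copied policy is flagged until its application exclusions are reviewed and listed.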