diff --git a/changes/18849-config-profiles-exclude-labels b/changes/18849-config-profiles-exclude-labels
new file mode 100644
index 0000000000..4c1d41ecfb
--- /dev/null
+++ b/changes/18849-config-profiles-exclude-labels
@@ -0,0 +1,5 @@
+* Added the database migrations to create the new `exclude` column for labels associated with MDM profiles (and declarations).
+* Added the API changes to support the `labels_include_all` and `labels_exclude_any` fields (and accept the deprecated `labels` field as an alias for `labels_include_all`).
+* Added `fleetctl gitops` and `fleetctl apply` support for `labels_include_all` and `labels_exclude_any` to configure a custom setting.
+* Updated the profile reconciliation logic to handle the new "exclude any" labels.
+* Fix bug where macOS declarations were stuck in "to be removed" state indefinitely.
diff --git a/changes/issue-18848-include-all-exclude-any-custom-profile b/changes/issue-18848-include-all-exclude-any-custom-profile
new file mode 100644
index 0000000000..ef065303f3
--- /dev/null
+++ b/changes/issue-18848-include-all-exclude-any-custom-profile
@@ -0,0 +1,2 @@
+- add UI for uploading custom profiles with a target of hosts that include all/exclude
+  any selected labels
diff --git a/cmd/fleetctl/gitops_test.go b/cmd/fleetctl/gitops_test.go
index e8569360ea..d59af1bd5a 100644
--- a/cmd/fleetctl/gitops_test.go
+++ b/cmd/fleetctl/gitops_test.go
@@ -1088,6 +1088,53 @@ func TestTeamSofwareInstallersGitOps(t *testing.T) {
 	}
 }
 
+func TestCustomSettingsGitOps(t *testing.T) {
+	cases := []struct {
+		file    string
+		wantErr string
+	}{
+		{"testdata/gitops/global_macos_windows_custom_settings_valid.yml", ""},
+		{"testdata/gitops/global_macos_custom_settings_valid_deprecated.yml", ""},
+		{"testdata/gitops/global_windows_custom_settings_invalid_label_mix.yml", `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included`},
+		{"testdata/gitops/global_windows_custom_settings_unknown_label.yml", `some or all the labels provided don't exist`},
+		{"testdata/gitops/team_macos_windows_custom_settings_valid.yml", ""},
+		{"testdata/gitops/team_macos_custom_settings_valid_deprecated.yml", ""},
+		{"testdata/gitops/team_macos_windows_custom_settings_invalid_labels_mix.yml", `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`},
+		{"testdata/gitops/team_macos_windows_custom_settings_unknown_label.yml", `some or all the labels provided don't exist`},
+	}
+	for _, c := range cases {
+		t.Run(filepath.Base(c.file), func(t *testing.T) {
+			ds, appCfgPtr, _ := setupFullGitOpsPremiumServer(t)
+			(*appCfgPtr).MDM.EnabledAndConfigured = true
+			(*appCfgPtr).MDM.WindowsEnabledAndConfigured = true
+			labelToIDs := map[string]uint{
+				fleet.BuiltinLabelMacOS14Plus: 1,
+				"A":                           2,
+				"B":                           3,
+				"C":                           4,
+			}
+			ds.LabelIDsByNameFunc = func(ctx context.Context, labels []string) (map[string]uint, error) {
+				// for this test, recognize labels A, B and C (as well as the built-in macos 14+ one)
+				ret := make(map[string]uint)
+				for _, lbl := range labels {
+					id, ok := labelToIDs[lbl]
+					if ok {
+						ret[lbl] = id
+					}
+				}
+				return ret, nil
+			}
+
+			_, err := runAppNoChecks([]string{"gitops", "-f", c.file})
+			if c.wantErr == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, c.wantErr)
+			}
+		})
+	}
+}
+
 func startSoftwareInstallerServer(t *testing.T) {
 	// start the web server that will serve the installer
 	b, err := os.ReadFile(filepath.Join("..", "..", "server", "service", "testdata", "software-installers", "ruby.deb"))
diff --git a/cmd/fleetctl/testdata/gitops/global_macos_custom_settings_valid_deprecated.yml b/cmd/fleetctl/testdata/gitops/global_macos_custom_settings_valid_deprecated.yml
new file mode 100644
index 0000000000..177c1c80cf
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/global_macos_custom_settings_valid_deprecated.yml
@@ -0,0 +1,93 @@
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels:
+          - A
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+    authentication_method: authmethod_plain
+    authentication_type: authtype_username_password
+    configured: false
+    domain: ""
+    enable_smtp: false
+    enable_ssl_tls: true
+    enable_start_tls: true
+    password: ""
+    port: 587
+    sender_address: ""
+    server: ""
+    user_name: ""
+    verify_ssl_certs: true
+  sso_settings:
+    enable_jit_provisioning: false
+    enable_jit_role_sync: false
+    enable_sso: true
+    enable_sso_idp_login: false
+    entity_id: https://saml.example.com/entityid
+    idp_image_url: ""
+    idp_name: MockSAML
+    issuer_uri: ""
+    metadata: ""
+    metadata_url: https://mocksaml.com/api/saml/metadata
+  integrations:
+  mdm:
+  webhook_settings:
+  fleet_desktop:
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings:
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets:
+    - secret: ABC
diff --git a/cmd/fleetctl/testdata/gitops/global_macos_windows_custom_settings_valid.yml b/cmd/fleetctl/testdata/gitops/global_macos_windows_custom_settings_valid.yml
new file mode 100644
index 0000000000..da75847cd5
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/global_macos_windows_custom_settings_valid.yml
@@ -0,0 +1,99 @@
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels_include_all:
+          - A
+          - B
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_exclude_any:
+          - C
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+    authentication_method: authmethod_plain
+    authentication_type: authtype_username_password
+    configured: false
+    domain: ""
+    enable_smtp: false
+    enable_ssl_tls: true
+    enable_start_tls: true
+    password: ""
+    port: 587
+    sender_address: ""
+    server: ""
+    user_name: ""
+    verify_ssl_certs: true
+  sso_settings:
+    enable_jit_provisioning: false
+    enable_jit_role_sync: false
+    enable_sso: true
+    enable_sso_idp_login: false
+    entity_id: https://saml.example.com/entityid
+    idp_image_url: ""
+    idp_name: MockSAML
+    issuer_uri: ""
+    metadata: ""
+    metadata_url: https://mocksaml.com/api/saml/metadata
+  integrations:
+  mdm:
+  webhook_settings:
+  fleet_desktop: 
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings: 
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features: 
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets: 
+    - secret: ABC
diff --git a/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_invalid_label_mix.yml b/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_invalid_label_mix.yml
new file mode 100644
index 0000000000..9d2ac6e69f
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_invalid_label_mix.yml
@@ -0,0 +1,95 @@
+controls:
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_include_all:
+          - B
+        labels_exclude_any:
+          - C
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+    authentication_method: authmethod_plain
+    authentication_type: authtype_username_password
+    configured: false
+    domain: ""
+    enable_smtp: false
+    enable_ssl_tls: true
+    enable_start_tls: true
+    password: ""
+    port: 587
+    sender_address: ""
+    server: ""
+    user_name: ""
+    verify_ssl_certs: true
+  sso_settings:
+    enable_jit_provisioning: false
+    enable_jit_role_sync: false
+    enable_sso: true
+    enable_sso_idp_login: false
+    entity_id: https://saml.example.com/entityid
+    idp_image_url: ""
+    idp_name: MockSAML
+    issuer_uri: ""
+    metadata: ""
+    metadata_url: https://mocksaml.com/api/saml/metadata
+  integrations:
+  mdm:
+  webhook_settings:
+  fleet_desktop:
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings:
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets:
+    - secret: ABC
diff --git a/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_unknown_label.yml b/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_unknown_label.yml
new file mode 100644
index 0000000000..ba1d06f784
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/global_windows_custom_settings_unknown_label.yml
@@ -0,0 +1,93 @@
+controls:
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_include_all:
+          - ZZZ
+  scripts:
+  enable_disk_encryption: false
+  macos_migration:
+    enable: false
+    mode: ""
+    webhook_url: ""
+  macos_setup:
+    bootstrap_package: null
+    enable_end_user_authentication: false
+    macos_setup_assistant: null
+  macos_updates:
+    deadline: null
+    minimum_version: null
+  windows_enabled_and_configured: true
+  windows_updates:
+    deadline_days: null
+    grace_period_days: null
+queries:
+policies:
+agent_options:
+  command_line_flags:
+    distributed_denylist_duration: 0
+  config:
+    options:
+      disable_distributed: false
+      distributed_interval: 10
+      distributed_plugin: tls
+      distributed_tls_max_attempts: 3
+      logger_tls_endpoint: /api/v1/osquery/log
+      pack_delimiter: /
+org_settings:
+  server_settings:
+    deferred_save_host: false
+    enable_analytics: true
+    live_query_disabled: false
+    query_report_cap: 2000
+    query_reports_disabled: false
+    scripts_disabled: false
+    server_url: $FLEET_SERVER_URL
+    ai_features_disabled: true
+  org_info:
+    contact_url: https://fleetdm.com/company/contact
+    org_logo_url: ""
+    org_logo_url_light_background: ""
+    org_name: $ORG_NAME
+  smtp_settings:
+    authentication_method: authmethod_plain
+    authentication_type: authtype_username_password
+    configured: false
+    domain: ""
+    enable_smtp: false
+    enable_ssl_tls: true
+    enable_start_tls: true
+    password: ""
+    port: 587
+    sender_address: ""
+    server: ""
+    user_name: ""
+    verify_ssl_certs: true
+  sso_settings:
+    enable_jit_provisioning: false
+    enable_jit_role_sync: false
+    enable_sso: true
+    enable_sso_idp_login: false
+    entity_id: https://saml.example.com/entityid
+    idp_image_url: ""
+    idp_name: MockSAML
+    issuer_uri: ""
+    metadata: ""
+    metadata_url: https://mocksaml.com/api/saml/metadata
+  integrations:
+  mdm:
+  webhook_settings:
+  fleet_desktop:
+    transparency_url: https://fleetdm.com/transparency
+  host_expiry_settings:
+    host_expiry_enabled: false
+  activity_expiry_settings:
+    activity_expiry_enabled: true
+    activity_expiry_window: 60
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  vulnerability_settings:
+    databases_path: ""
+  secrets:
+    - secret: ABC
diff --git a/cmd/fleetctl/testdata/gitops/team_macos_custom_settings_valid_deprecated.yml b/cmd/fleetctl/testdata/gitops/team_macos_custom_settings_valid_deprecated.yml
new file mode 100644
index 0000000000..f6b6bf1051
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/team_macos_custom_settings_valid_deprecated.yml
@@ -0,0 +1,21 @@
+name: "${TEST_TEAM_NAME}"
+team_settings:
+  secrets:
+    - secret: "ABC"
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: true
+    host_expiry_window: 30
+agent_options:
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels:
+          - A
+          - B
+policies:
+queries:
+software:
diff --git a/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_invalid_labels_mix.yml b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_invalid_labels_mix.yml
new file mode 100644
index 0000000000..8e136a2bed
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_invalid_labels_mix.yml
@@ -0,0 +1,29 @@
+name: "${TEST_TEAM_NAME}"
+team_settings:
+  secrets:
+    - secret: "ABC"
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: true
+    host_expiry_window: 30
+agent_options:
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels_include_all:
+          - A
+        labels:
+          - B
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_include_all:
+          - A
+        labels_exclude_any:
+          - C
+policies:
+queries:
+software:
diff --git a/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_unknown_label.yml b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_unknown_label.yml
new file mode 100644
index 0000000000..37aa4a8aa9
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_unknown_label.yml
@@ -0,0 +1,25 @@
+name: "${TEST_TEAM_NAME}"
+team_settings:
+  secrets:
+    - secret: "ABC"
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: true
+    host_expiry_window: 30
+agent_options:
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels_include_all:
+          - ZZZ
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_exclude_any:
+          - ZZZ
+policies:
+queries:
+software:
diff --git a/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_valid.yml b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_valid.yml
new file mode 100644
index 0000000000..9f46ab2576
--- /dev/null
+++ b/cmd/fleetctl/testdata/gitops/team_macos_windows_custom_settings_valid.yml
@@ -0,0 +1,26 @@
+name: "${TEST_TEAM_NAME}"
+team_settings:
+  secrets:
+    - secret: "ABC"
+  features:
+    enable_host_users: true
+    enable_software_inventory: true
+  host_expiry_settings:
+    host_expiry_enabled: true
+    host_expiry_window: 30
+agent_options:
+controls:
+  macos_settings:
+    custom_settings:
+      - path: ./lib/macos-password.mobileconfig
+        labels_include_all:
+          - A
+          - B
+  windows_settings:
+    custom_settings:
+      - path: ./lib/windows-screenlock.xml
+        labels_exclude_any:
+          - C
+policies:
+queries:
+software:
diff --git a/ee/server/service/mdm.go b/ee/server/service/mdm.go
index cfaae9d50d..d433f5d246 100644
--- a/ee/server/service/mdm.go
+++ b/ee/server/service/mdm.go
@@ -1119,7 +1119,7 @@ func (svc *Service) mdmAppleEditedMacOSUpdates(ctx context.Context, teamID *uint
 	if err != nil {
 		return err
 	}
-	d.Labels = []fleet.ConfigurationProfileLabel{
+	d.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 		{LabelName: fleet.BuiltinLabelMacOS14Plus, LabelID: lblIDs[fleet.BuiltinLabelMacOS14Plus]},
 	}
 
diff --git a/ee/server/service/teams.go b/ee/server/service/teams.go
index 85e628f1af..ebdb716a07 100644
--- a/ee/server/service/teams.go
+++ b/ee/server/service/teams.go
@@ -950,6 +950,9 @@ func (svc *Service) createTeamFromSpec(
 		)
 	}
 
+	validateTeamCustomSettings(invalid, "macos", macOSSettings.CustomSettings)
+	validateTeamCustomSettings(invalid, "windows", spec.MDM.WindowsSettings.CustomSettings.Value)
+
 	var hostExpirySettings fleet.HostExpirySettings
 	if spec.HostExpirySettings != nil {
 		if spec.HostExpirySettings.HostExpiryEnabled && spec.HostExpirySettings.HostExpiryWindow <= 0 {
@@ -1006,6 +1009,7 @@ func (svc *Service) createTeamFromSpec(
 				WindowsUpdates:       spec.MDM.WindowsUpdates,
 				MacOSSettings:        macOSSettings,
 				MacOSSetup:           macOSSetup,
+				WindowsSettings:      spec.MDM.WindowsSettings,
 			},
 			HostExpirySettings: hostExpirySettings,
 			WebhookSettings: fleet.TeamWebhookSettings{
@@ -1183,6 +1187,9 @@ func (svc *Service) editTeamFromSpec(
 		team.Config.HostExpirySettings = *spec.HostExpirySettings
 	}
 
+	validateTeamCustomSettings(invalid, "macos", team.Config.MDM.MacOSSettings.CustomSettings)
+	validateTeamCustomSettings(invalid, "windows", team.Config.MDM.WindowsSettings.CustomSettings.Value)
+
 	// If host status webhook is not provided, do not change it
 	if spec.WebhookSettings.HostStatusWebhook != nil {
 		fleet.ValidateEnabledHostStatusIntegrations(*spec.WebhookSettings.HostStatusWebhook, invalid)
@@ -1282,6 +1289,25 @@ func (svc *Service) editTeamFromSpec(
 	return nil
 }
 
+func validateTeamCustomSettings(invalid *fleet.InvalidArgumentError, prefix string, customSettings []fleet.MDMProfileSpec) {
+	for i, prof := range customSettings {
+		count := 0
+		for _, b := range []bool{len(prof.Labels) > 0, len(prof.LabelsIncludeAll) > 0, len(prof.LabelsExcludeAny) > 0} {
+			if b {
+				count++
+			}
+		}
+		if count > 1 {
+			invalid.Append(fmt.Sprintf("%s_settings.custom_settings", prefix),
+				fmt.Sprintf(`Couldn't edit %s_settings.custom_settings. For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`, prefix))
+		}
+		if len(prof.Labels) > 0 {
+			customSettings[i].LabelsIncludeAll = customSettings[i].Labels
+			customSettings[i].Labels = nil
+		}
+	}
+}
+
 func (svc *Service) validateTeamCalendarIntegrations(
 	calendarIntegration *fleet.TeamGoogleCalendarIntegration,
 	appCfg *fleet.AppConfig, dryRun bool, invalid *fleet.InvalidArgumentError,
diff --git a/frontend/interfaces/config.ts b/frontend/interfaces/config.ts
index 2cca3ea365..f52cfd3925 100644
--- a/frontend/interfaces/config.ts
+++ b/frontend/interfaces/config.ts
@@ -29,6 +29,12 @@ export interface IMacOsMigrationSettings {
   webhook_url: string;
 }
 
+interface ICustomSetting {
+  path: string;
+  labels_include_all?: string[];
+  labels_exclude_any?: string[];
+}
+
 export interface IMdmConfig {
   enable_disk_encryption: boolean;
   enabled_and_configured: boolean;
@@ -42,7 +48,7 @@ export interface IMdmConfig {
     deadline: string | null;
   };
   macos_settings: {
-    custom_settings: null;
+    custom_settings: null | ICustomSetting[];
     enable_disk_encryption: boolean;
   };
   macos_setup: {
diff --git a/frontend/interfaces/dropdownOption.ts b/frontend/interfaces/dropdownOption.ts
index a8895d48b9..67b1bacd4d 100644
--- a/frontend/interfaces/dropdownOption.ts
+++ b/frontend/interfaces/dropdownOption.ts
@@ -1,3 +1,4 @@
+import { ReactNode } from "react";
 import PropTypes from "prop-types";
 
 export default PropTypes.shape({
@@ -10,6 +11,7 @@ export interface IDropdownOption {
   disabled?: boolean;
   label: string | JSX.Element;
   value: string | number;
+  helpText?: ReactNode;
   premiumOnly?: boolean;
   tooltipContent?: string | JSX.Element;
 }
diff --git a/frontend/interfaces/mdm.ts b/frontend/interfaces/mdm.ts
index 4b3a8791e6..a911f0c9e7 100644
--- a/frontend/interfaces/mdm.ts
+++ b/frontend/interfaces/mdm.ts
@@ -71,7 +71,8 @@ export type ProfilePlatform = "darwin" | "windows";
 
 export interface IProfileLabel {
   name: string;
-  broken: boolean;
+  id?: number; // id is only present when the label is not broken
+  broken?: boolean;
 }
 
 export interface IMdmProfile {
@@ -83,7 +84,8 @@ export interface IMdmProfile {
   created_at: string;
   updated_at: string;
   checksum: string | null; // null for windows profiles
-  labels?: IProfileLabel[];
+  labels_include_all?: IProfileLabel[];
+  labels_exclude_any?: IProfileLabel[];
 }
 
 export type MdmProfileStatus = "verified" | "verifying" | "pending" | "failed";
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/CustomSettings.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/CustomSettings.tsx
index 8298a10647..89887e9b83 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/CustomSettings.tsx
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/CustomSettings.tsx
@@ -20,7 +20,7 @@ import Pagination from "pages/ManageControlsPage/components/Pagination";
 import UploadList from "../../../components/UploadList";
 
 import AddProfileCard from "./components/ProfileUploader/components/AddProfileCard";
-import AddProfileModal from "./components/ProfileUploader/components/AddProfileModal";
+import AddProfileModal from "./components/ProfileUploader/components/AddProfileModal/AddProfileModal";
 import DeleteProfileModal from "./components/DeleteProfileModal/DeleteProfileModal";
 import ProfileLabelsModal from "./components/ProfileLabelsModal/ProfileLabelsModal";
 import ProfileListItem from "./components/ProfileListItem";
@@ -101,7 +101,7 @@ const CustomSettings = ({
       onMutation();
       renderFlash("success", "Successfully deleted!");
     } catch (e) {
-      renderFlash("error", "Couldn’t delete. Please try again.");
+      renderFlash("error", "Couldn't delete. Please try again.");
     } finally {
       selectedProfile.current = null;
       setShowDeleteProfileModal(false);
@@ -169,6 +169,10 @@ const CustomSettings = ({
     );
   };
 
+  const hasLabels =
+    !!profileLabelsModalData?.labels_include_all?.length ||
+    !!profileLabelsModalData?.labels_exclude_any?.length;
+
   return (
     <div className={baseClass}>
       <SectionHeader title="Custom settings" />
@@ -189,7 +193,6 @@ const CustomSettings = ({
       )}
       {showAddProfileModal && (
         <AddProfileModal
-          baseClass="add-profile"
           currentTeamId={currentTeamId}
           isPremiumTier={!!isPremiumTier}
           onUpload={onUploadProfile}
@@ -204,7 +207,7 @@ const CustomSettings = ({
           onDelete={onDeleteProfile}
         />
       )}
-      {!!isPremiumTier && !!profileLabelsModalData?.labels?.length && (
+      {isPremiumTier && hasLabels && (
         <ProfileLabelsModal
           baseClass={baseClass}
           profile={profileLabelsModalData}
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/_styles.scss b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/_styles.scss
index 9f6c3eef81..4e56c438b7 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/_styles.scss
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/_styles.scss
@@ -94,136 +94,11 @@
       padding: 28.5px 0;
     }
 
-    &__modal-content-wrap {
-      margin-top: $pad-large;
-
-      .add-profile__file {
-        padding: $pad-medium $pad-large;
-      }
-    }
-
-    &__upload-button {
-      margin-top: 8px;
-      padding: 0;
-    }
-
-    &__file-chooser {
-      display: flex;
-      flex-direction: column;
-      align-items: center;
-      padding-top: $pad-medium;
-
-      input {
-        display: none;
-      }
-
-      &--button-wrap {
-        display: flex;
-        justify-content: center;
-        gap: $pad-small;
-        cursor: pointer;
-        height: 38px;
-        align-items: center;
-      }
-    }
-
-    &__selected-file {
-      display: flex;
-      gap: 16px;
-
-      &--details {
-        display: flex;
-        flex-direction: column;
-
-        &--name {
-          font-size: $x-small;
-          font-weight: $bold;
-        }
-        &--platform {
-          font-size: $xx-small;
-          color: $ui-fleet-black-75;
-        }
-      }
-    }
-
     &__profile-graphic {
       display: flex;
       flex-direction: column;
       align-items: center;
       gap: $pad-small;
     }
-
-    &__button-wrap {
-      display: flex;
-      justify-content: flex-end;
-      padding-top: $pad-medium;
-    }
-
-    &__target {
-      margin: $pad-large 0 $pad-small 0;
-    }
-
-    &__description {
-      margin: $pad-medium 0;
-    }
-
-    &__no-labels {
-      display: flex;
-      height: 187px;
-      flex-direction: column;
-      align-items: center;
-      gap: $pad-small;
-      justify-content: center;
-
-      span {
-        color: $ui-fleet-black-75;
-      }
-    }
-
-    &__checkboxes {
-      display: flex;
-      max-height: 187px;
-      flex-direction: column;
-      border-radius: $border-radius;
-      border: 1px solid $ui-fleet-black-10;
-      overflow-y: auto;
-
-      .loading-spinner {
-        margin: 69.5px auto;
-      }
-    }
-
-    &__label {
-      width: 100%;
-      padding: $pad-small $pad-medium;
-      box-sizing: border-box;
-      display: flex;
-      align-items: center;
-
-      &:not(:last-child) {
-        border-bottom: 1px solid $ui-fleet-black-10;
-      }
-
-      .form-field--checkbox {
-        width: auto;
-      }
-    }
-
-    &__label-name {
-      padding-left: $pad-large;
-    }
-
-    .fleet-checkbox {
-      height: 20px;
-      display: flex;
-      align-items: center;
-
-      &__label {
-        width: 490px;
-        overflow: hidden;
-        text-overflow: ellipsis;
-        white-space: nowrap;
-      }
-    }
   }
 }
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileLabelsModal/ProfileLabelsModal.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileLabelsModal/ProfileLabelsModal.tsx
index f2fe03944d..4128a5e826 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileLabelsModal/ProfileLabelsModal.tsx
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileLabelsModal/ProfileLabelsModal.tsx
@@ -6,25 +6,42 @@ import InfoBanner from "components/InfoBanner";
 import TooltipWrapper from "components/TooltipWrapper";
 import Icon from "components/Icon";
 
+interface IModalDescriptionProps {
+  baseClass: string;
+  profileName: string;
+  targetType: "includeAll" | "excludeAny";
+}
+
 const ModalDescription = ({
   baseClass,
   profileName,
-}: {
-  baseClass: string;
-  profileName: string;
-}) => (
-  <div className={`${baseClass}__description`}>
-    <b>{profileName}</b> will only be applied to hosts that have all these
-    labels:
-  </div>
-);
+  targetType,
+}: IModalDescriptionProps) => {
+  const targetTypeText =
+    targetType === "includeAll" ? (
+      <>
+        have <b>all</b>
+      </>
+    ) : (
+      <>
+        don&apos;t have <b>any</b>
+      </>
+    );
+
+  return (
+    <div className={`${baseClass}__description`}>
+      <b>{profileName}</b> profile only applies to hosts that {targetTypeText}{" "}
+      of these labels:
+    </div>
+  );
+};
 
 const BrokenLabelWarning = () => (
   <InfoBanner color="yellow">
     <span>
       The configuration profile is{" "}
       <TooltipWrapper
-        tipContent={`It won’t be applied to new hosts because one or more labels are deleted. To apply the profile to new hosts, please delete it and upload a new profile.`}
+        tipContent={`It won't be applied to new hosts because one or more labels are deleted. To apply the profile to new hosts, please delete it and upload a new profile.`}
         underline
       >
         broken
@@ -67,7 +84,14 @@ const ProfileLabelsModal = ({
   profile,
   setModalData,
 }: IProfileLabelsModalProps) => {
-  if (!profile?.labels?.length) {
+  if (!profile) {
+    return null;
+  }
+
+  const { name, labels_include_all, labels_exclude_any } = profile;
+  const labels = labels_include_all || labels_exclude_any;
+
+  if (!labels?.length) {
     // caller ensures this never happens
     return null;
   }
@@ -75,9 +99,13 @@ const ProfileLabelsModal = ({
   return (
     <Modal title="Custom target" onExit={() => setModalData(null)}>
       <div className={`${baseClass}__modal-content-wrap`}>
-        {profile.labels.some((label) => label.broken) && <BrokenLabelWarning />}
-        <ModalDescription baseClass={baseClass} profileName={profile.name} />
-        <LabelsList baseClass={baseClass} labels={profile.labels} />
+        {labels.some((label) => label.broken) && <BrokenLabelWarning />}
+        <ModalDescription
+          baseClass={baseClass}
+          profileName={name}
+          targetType={labels_include_all ? "includeAll" : "excludeAny"}
+        />
+        <LabelsList baseClass={baseClass} labels={labels} />
         <div className="modal-cta-wrap">
           <Button variant="brand" onClick={() => setModalData(null)}>
             Done
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileListItem/ProfileListItem.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileListItem/ProfileListItem.tsx
index b61ea7c2f0..ea83ddfd5a 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileListItem/ProfileListItem.tsx
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileListItem/ProfileListItem.tsx
@@ -83,7 +83,13 @@ const ProfileListItem = ({
   onDelete,
   setProfileLabelsModalData,
 }: IProfileListItemProps) => {
-  const { created_at, labels, name, platform } = profile;
+  const {
+    created_at,
+    labels_include_all,
+    labels_exclude_any,
+    name,
+    platform,
+  } = profile;
   const subClass = "list-item";
 
   const onClickDownload = async () => {
@@ -95,6 +101,21 @@ const ProfileListItem = ({
     FileSaver.saveAs(file);
   };
 
+  const labels = labels_include_all || labels_exclude_any;
+
+  const renderLabelInfo = () => {
+    if (!isPremium || labels === undefined || labels.length === 0) {
+      return null;
+    }
+
+    return (
+      <div className={`${subClass}__labels`}>
+        {labels?.some((label) => label.broken) && <Icon name="warning" />}
+        <LabelCount className={subClass} count={labels.length} />
+      </div>
+    );
+  };
+
   return (
     <div className={classnames(subClass, baseClass)}>
       <div className={`${subClass}__main-content`}>
@@ -111,14 +132,9 @@ const ProfileListItem = ({
         </div>
       </div>
       <div className={`${subClass}__actions-wrap`}>
-        {isPremium && !!labels?.length && (
-          <div className={`${subClass}__labels`}>
-            {labels?.some((l) => l.broken) && <Icon name="warning" />}
-            <LabelCount className={subClass} count={labels.length} />
-          </div>
-        )}
+        {renderLabelInfo()}
         <div className={`${subClass}__actions`}>
-          {isPremium && !!labels?.length && (
+          {isPremium && labels !== undefined && labels.length && (
             <Button
               className={`${subClass}__action-button`}
               variant="text-icon"
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/AddProfileModal.tsx
similarity index 71%
rename from frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal.tsx
rename to frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/AddProfileModal.tsx
index b948e9d9dd..88b7e96ed9 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal.tsx
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/AddProfileModal.tsx
@@ -10,6 +10,8 @@ import { ILabelSummary } from "interfaces/label";
 import labelsAPI from "services/entities/labels";
 import mdmAPI from "services/entities/mdm";
 
+// @ts-ignore
+import Dropdown from "components/forms/fields/Dropdown";
 import Button from "components/buttons/Button";
 import Card from "components/Card";
 import Checkbox from "components/forms/fields/Checkbox";
@@ -19,24 +21,28 @@ import Modal from "components/Modal";
 import Radio from "components/forms/fields/Radio";
 import Spinner from "components/Spinner";
 
-import ProfileGraphic from "./AddProfileGraphic";
+import ProfileGraphic from "../AddProfileGraphic";
 
 import {
   DEFAULT_ERROR_MESSAGE,
   getErrorMessage,
   parseFile,
+} from "../../helpers";
+import {
+  CUSTOM_TARGET_OPTIONS,
+  CustomTargetOption,
+  generateLabelKey,
   listNamesFromSelectedLabels,
-} from "../helpers";
+} from "./helpers";
 
-const FileChooser = ({
-  baseClass,
-  isLoading,
-  onFileOpen,
-}: {
-  baseClass: string;
+const baseClass = "add-profile-modal";
+
+interface IFileChooserProps {
   isLoading: boolean;
   onFileOpen: (files: FileList | null) => void;
-}) => (
+}
+
+const FileChooser = ({ isLoading, onFileOpen }: IFileChooserProps) => (
   <div className={`${baseClass}__file-chooser`}>
     <ProfileGraphic baseClass={baseClass} showMessage />
     <Button
@@ -62,19 +68,17 @@ const FileChooser = ({
   </div>
 );
 
-// TODO: if we reuse this one more time, we should consider moving this
-// into FileUploader as a default preview. Currently we have this in
-// AddSoftwareForm.tsx and here.
-const FileDetails = ({
-  baseClass,
-  details: { name, platform },
-}: {
-  baseClass: string;
+interface IFileDetailsProps {
   details: {
     name: string;
     platform: string;
   };
-}) => (
+}
+
+// TODO: if we reuse this one more time, we should consider moving this
+// into FileUploader as a default preview. Currently we have this in
+// AddSoftwareForm.tsx and here.
+const FileDetails = ({ details: { name, platform } }: IFileDetailsProps) => (
   <div className={`${baseClass}__selected-file`}>
     <ProfileGraphic baseClass={baseClass} />
     <div className={`${baseClass}__selected-file--details`}>
@@ -86,15 +90,15 @@ const FileDetails = ({
   </div>
 );
 
-const TargetChooser = ({
-  baseClass,
-  selectedTarget,
-  setSelectedTarget,
-}: {
-  baseClass: string;
+interface ITargetChooserProps {
   selectedTarget: string;
   setSelectedTarget: React.Dispatch<React.SetStateAction<string>>;
-}) => {
+}
+
+const TargetChooser = ({
+  selectedTarget,
+  setSelectedTarget,
+}: ITargetChooserProps) => {
   return (
     <div className={`form-field`}>
       <div className="form-field__label">Target</div>
@@ -120,67 +124,95 @@ const TargetChooser = ({
   );
 };
 
-const LabelChooser = ({
-  baseClass,
-  isError,
-  isLoading,
-  labels,
-  selectedLabels,
-  setSelectedLabels,
-}: {
-  baseClass: string;
+interface ILabelChooserProps {
   isError: boolean;
   isLoading: boolean;
   labels: ILabelSummary[];
   selectedLabels: Record<string, boolean>;
+  customTargetOption: CustomTargetOption;
   setSelectedLabels: React.Dispatch<
     React.SetStateAction<Record<string, boolean>>
   >;
-}) => {
+  onSelectCustomTargetOption: (val: CustomTargetOption) => void;
+}
+
+const LabelChooser = ({
+  isError,
+  isLoading,
+  labels,
+  selectedLabels,
+  customTargetOption,
+  setSelectedLabels,
+  onSelectCustomTargetOption,
+}: ILabelChooserProps) => {
   const updateSelectedLabels = useCallback(
     ({ name, value }: { name: string; value: boolean }) => {
       setSelectedLabels((prevItems) => ({ ...prevItems, [name]: value }));
     },
     [setSelectedLabels]
   );
+
+  const descriptionText =
+    customTargetOption === "labelsIncludeAll" ? (
+      <>
+        Profile will only be applied to hosts that have <b>all</b> these labels:
+      </>
+    ) : (
+      <>
+        Profile will be applied to hosts that don&apos;t have <b>any</b> of
+        these labels:{" "}
+      </>
+    );
+
+  const renderLabels = () => {
+    if (isLoading) {
+      return <Spinner centered={false} />;
+    }
+
+    if (isError) {
+      return <DataError />;
+    }
+
+    if (!labels.length) {
+      return (
+        <div className={`${baseClass}__no-labels`}>
+          <b>No labels exist in Fleet</b>
+          <span>Add labels to target specific hosts.</span>
+        </div>
+      );
+    }
+
+    return labels.map((label) => {
+      return (
+        <div className={`${baseClass}__label`} key={label.name}>
+          <Checkbox
+            className={`${baseClass}__checkbox`}
+            name={label.name}
+            value={!!selectedLabels[label.name]}
+            onChange={updateSelectedLabels}
+            parseTarget
+          />
+          <div className={`${baseClass}__label-name`}>{label.name}</div>
+        </div>
+      );
+    });
+  };
+
   return (
-    <>
-      <div className={`${baseClass}__description`}>
-        Profile will only be applied to hosts that have all these labels:
-      </div>
-      <div className={`${baseClass}__checkboxes`}>
-        {isLoading && <Spinner centered={false} />}
-        {!isLoading && isError && <DataError />}
-        {!isLoading && !isError && !labels.length && (
-          <div className={`${baseClass}__no-labels`}>
-            <b>No labels exist in Fleet</b>
-            <span>Add labels to target specific hosts.</span>
-          </div>
-        )}
-        {!isLoading &&
-          !isError &&
-          !!labels.length &&
-          labels.map((label) => {
-            return (
-              <div className={`${baseClass}__label`} key={label.name}>
-                <Checkbox
-                  className={`${baseClass}__checkbox`}
-                  name={label.name}
-                  value={!!selectedLabels[label.name]}
-                  onChange={updateSelectedLabels}
-                  parseTarget
-                />
-                <div className={`${baseClass}__label-name`}>{label.name}</div>
-              </div>
-            );
-          })}
-      </div>
-    </>
+    <div className={`${baseClass}__custom-label-chooser`}>
+      <Dropdown
+        value={customTargetOption}
+        options={CUSTOM_TARGET_OPTIONS}
+        searchable={false}
+        onChange={onSelectCustomTargetOption}
+      />
+      <div className={`${baseClass}__description`}>{descriptionText}</div>
+      <div className={`${baseClass}__checkboxes`}>{renderLabels()}</div>
+    </div>
   );
 };
 
 interface IAddProfileModalProps {
-  baseClass: string;
   currentTeamId: number;
   isPremiumTier: boolean;
   onUpload: () => void;
@@ -188,7 +220,6 @@ interface IAddProfileModalProps {
 }
 
 const AddProfileModal = ({
-  baseClass,
   currentTeamId,
   isPremiumTier,
   onUpload,
@@ -205,18 +236,20 @@ const AddProfileModal = ({
   const [selectedLabels, setSelectedLabels] = useState<Record<string, boolean>>(
     {}
   );
+  const [
+    customTargetOption,
+    setCustomTargetOption,
+  ] = useState<CustomTargetOption>("labelsIncludeAll");
 
   const fileRef = useRef<File | null>(null);
 
-  // NOTE: labels are not automatically refetched in the current implementation
   const {
     data: labels,
     isLoading: isLoadingLabels,
     isFetching: isFetchingLabels,
     isError: isErrorLabels,
-    // refetch: refetchLabels,
   } = useQuery<ILabelSummary[], Error>(
-    ["custom_labels"], // NOTE: consider adding selectedTarget to the queryKey to refetch labels when target changes
+    ["custom_labels"],
     () =>
       labelsAPI
         .summary()
@@ -246,10 +279,15 @@ const AddProfileModal = ({
 
     setIsLoading(true);
     try {
+      const labelKey = generateLabelKey(
+        selectedTarget,
+        customTargetOption,
+        selectedLabels
+      );
       await mdmAPI.uploadProfile({
         file,
         teamId: currentTeamId,
-        labels: listNamesFromSelectedLabels(selectedLabels),
+        ...labelKey,
       });
       renderFlash("success", "Successfully uploaded!");
       onUpload();
@@ -282,6 +320,10 @@ const AddProfileModal = ({
     }
   };
 
+  const onSelectCustomTargetOption = (val: CustomTargetOption) => {
+    setCustomTargetOption(val);
+  };
+
   return (
     <Modal title="Add profile" onExit={onDone}>
       <>
@@ -291,30 +333,26 @@ const AddProfileModal = ({
           <div className={`${baseClass}__modal-content-wrap`}>
             <Card color="gray" className={`${baseClass}__file`}>
               {!fileDetails ? (
-                <FileChooser
-                  baseClass={baseClass}
-                  isLoading={isLoading}
-                  onFileOpen={onFileOpen}
-                />
+                <FileChooser isLoading={isLoading} onFileOpen={onFileOpen} />
               ) : (
-                <FileDetails baseClass={baseClass} details={fileDetails} />
+                <FileDetails details={fileDetails} />
               )}
             </Card>
             {isPremiumTier && (
               <div className={`${baseClass}__target`}>
                 <TargetChooser
-                  baseClass={baseClass}
                   selectedTarget={selectedTarget}
                   setSelectedTarget={setSelectedTarget}
                 />
                 {selectedTarget === "Custom" && (
                   <LabelChooser
-                    baseClass={baseClass}
+                    customTargetOption={customTargetOption}
                     isError={isErrorLabels}
                     isLoading={isFetchingLabels}
                     labels={labels || []}
                     selectedLabels={selectedLabels}
                     setSelectedLabels={setSelectedLabels}
+                    onSelectCustomTargetOption={onSelectCustomTargetOption}
                   />
                 )}
               </div>
@@ -326,7 +364,6 @@ const AddProfileModal = ({
                 onClick={onFileUpload}
                 isLoading={isLoading}
                 disabled={
-                  // TODO: consider adding tooltip to explain why button is disabled
                   (selectedTarget === "Custom" &&
                     !listNamesFromSelectedLabels(selectedLabels).length) ||
                   !fileDetails
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/_styles.scss b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/_styles.scss
new file mode 100644
index 0000000000..261799fe73
--- /dev/null
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/_styles.scss
@@ -0,0 +1,138 @@
+.add-profile-modal {
+  &__modal-content-wrap {
+    margin-top: $pad-large;
+
+    .add-profile__file {
+      padding: $pad-medium $pad-large;
+    }
+  }
+
+  &__upload-button {
+    margin-top: 8px;
+    padding: 0;
+  }
+
+  &__file-chooser {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    padding-top: $pad-medium;
+
+    input {
+      display: none;
+    }
+
+    &--button-wrap {
+      display: flex;
+      justify-content: center;
+      gap: $pad-small;
+      cursor: pointer;
+      height: 38px;
+      align-items: center;
+    }
+  }
+
+  &__selected-file {
+    display: flex;
+    gap: 16px;
+
+    &--details {
+      display: flex;
+      flex-direction: column;
+
+      &--name {
+        font-size: $x-small;
+        font-weight: $bold;
+      }
+
+      &--platform {
+        font-size: $xx-small;
+        color: $ui-fleet-black-75;
+      }
+    }
+  }
+
+  &__profile-graphic {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: $pad-small;
+  }
+
+  &__button-wrap {
+    display: flex;
+    justify-content: flex-end;
+    padding-top: $pad-medium;
+  }
+
+  &__target {
+    margin: $pad-large 0;
+  }
+
+  &__custom-label-chooser {
+    margin-top: $pad-medium;
+  }
+
+  &__description {
+    margin: $pad-medium 0;
+  }
+
+  &__no-labels {
+    display: flex;
+    height: 187px;
+    flex-direction: column;
+    align-items: center;
+    gap: $pad-small;
+    justify-content: center;
+
+    span {
+      color: $ui-fleet-black-75;
+    }
+  }
+
+  &__checkboxes {
+    display: flex;
+    max-height: 187px;
+    flex-direction: column;
+    border-radius: $border-radius;
+    border: 1px solid $ui-fleet-black-10;
+    overflow-y: auto;
+
+    .loading-spinner {
+      margin: 69.5px auto;
+    }
+  }
+
+  &__label {
+    width: 100%;
+    padding: $pad-small $pad-medium;
+    box-sizing: border-box;
+    display: flex;
+    align-items: center;
+
+    &:not(:last-child) {
+      border-bottom: 1px solid $ui-fleet-black-10;
+    }
+
+    .form-field--checkbox {
+      width: auto;
+    }
+  }
+
+  &__label-name {
+    padding-left: $pad-large;
+  }
+
+  .fleet-checkbox {
+    height: 20px;
+    display: flex;
+    align-items: center;
+
+    &__label {
+      width: 490px;
+      overflow: hidden;
+      text-overflow: ellipsis;
+      white-space: nowrap;
+    }
+  }
+}
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/helpers.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/helpers.tsx
new file mode 100644
index 0000000000..e8ff573ece
--- /dev/null
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/helpers.tsx
@@ -0,0 +1,54 @@
+import React from "react";
+
+import { IDropdownOption } from "interfaces/dropdownOption";
+import { snakeCase } from "lodash";
+
+export const CUSTOM_TARGET_OPTIONS: IDropdownOption[] = [
+  {
+    value: "labelsIncludeAll",
+    label: "Include all ",
+    helpText: (
+      <>
+        Profile will only be applied to hosts that have <b>all</b> of these
+        labels{" "}
+      </>
+    ),
+    disabled: false,
+  },
+  {
+    value: "labelsExcludeAny",
+    label: "Exclude all",
+    helpText: (
+      <>
+        Profile will be applied to hosts that don&apos;t have <b>any</b> of
+        these labels{" "}
+      </>
+    ),
+    disabled: false,
+  },
+];
+
+export const listNamesFromSelectedLabels = (dict: Record<string, boolean>) => {
+  return Object.entries(dict).reduce((acc, [labelName, isSelected]) => {
+    if (isSelected) {
+      acc.push(labelName);
+    }
+    return acc;
+  }, [] as string[]);
+};
+
+export type CustomTargetOption = "labelsIncludeAll" | "labelsExcludeAny";
+
+export const generateLabelKey = (
+  target: string,
+  customTargetOption: CustomTargetOption,
+  selectedLabels: Record<string, boolean>
+) => {
+  if (target !== "Custom") {
+    return {};
+  }
+
+  return {
+    [customTargetOption]: listNamesFromSelectedLabels(selectedLabels),
+  };
+};
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/index.ts b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/index.ts
new file mode 100644
index 0000000000..4a6ac9c529
--- /dev/null
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/components/AddProfileModal/index.ts
@@ -0,0 +1 @@
+export { default } from "./AddProfileModal";
diff --git a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/helpers.tsx b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/helpers.tsx
index bef5542e71..62727c9b2f 100644
--- a/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/helpers.tsx
+++ b/frontend/pages/ManageControlsPage/OSSettings/cards/CustomSettings/components/ProfileUploader/helpers.tsx
@@ -2,61 +2,6 @@ import React from "react";
 import { AxiosResponse } from "axios";
 import { IApiError } from "interfaces/errors";
 
-// TODO: mobileconfig parser is a work in progress and not yet used in production
-// https://developer.apple.com/documentation/devicemanagement/configuring_multiple_devices_using_profiles#3234127
-const parseMobileconfig = (file: File): Promise<string> => {
-  return new Promise((resolve, reject) => {
-    const reader = new FileReader();
-    reader.readAsText(file);
-    reader.onerror = (error) => {
-      reject(error);
-    };
-    reader.onabort = (error) => {
-      reject(error);
-    };
-    reader.onload = () => {
-      try {
-        // parse mobile as xml
-        const xmlDoc = new DOMParser().parseFromString(
-          reader.result as string,
-          "text/xml"
-        );
-        // check for any parser errors
-        const parserErrors = xmlDoc.getElementsByTagName("parsererror");
-        if (parserErrors.length > 0) {
-          console.warn("parserErrors", parserErrors);
-          throw new Error("Invalid file: parser error");
-        }
-        // get the top-level object, we assume it is the first `<dict>` element in the `<plist>`
-        // https://developer.apple.com/documentation/devicemanagement/toplevel
-        const tlo = xmlDoc.getElementsByTagName("dict")?.[0];
-        if (tlo?.parentElement?.tagName !== "plist") {
-          throw new Error("Invalid file: missing plist");
-        }
-        // get the payload display name from the top-level object, note that there may be other
-        // `<dict>` elements in the `<plist>`, some of which contain `<key>PayloadDisplayName</key>`
-        // elements, but we ignore those for now
-        const pdnKey = Array.from(tlo.children).find(
-          (child) =>
-            child.tagName === "key" &&
-            child.textContent === "PayloadDisplayName"
-        );
-        const pdnVal =
-          (pdnKey?.nextElementSibling?.tagName === "string" &&
-            pdnKey?.nextElementSibling?.textContent) ||
-          "";
-        // if the payload display name is empty, use the file name
-        const result = pdnVal || file.name;
-        console.log("parseMobileconfig result: ", result);
-        resolve(result);
-      } catch (error) {
-        console.error("error", error);
-        reject(error);
-      }
-    };
-  });
-};
-
 export const parseFile = async (file: File): Promise<[string, string]> => {
   // get the file name and extension
   const nameParts = file.name.split(".");
@@ -68,14 +13,6 @@ export const parseFile = async (file: File): Promise<[string, string]> => {
       return [name, "Windows"];
     }
     case "mobileconfig": {
-      // // TODO: enable this once mobileconfig parser is vetted
-      // try {
-      //   const parsedName = await parseMobileConfig(file);
-      //   return [parsedName, "macOS"];
-      // } catch (e) {
-      //   console.log("error", e);
-      //   return [name, "macOS"];
-      // }
       return [name, "macOS"];
     }
     case "json": {
@@ -87,15 +24,6 @@ export const parseFile = async (file: File): Promise<[string, string]> => {
   }
 };
 
-export const listNamesFromSelectedLabels = (dict: Record<string, boolean>) => {
-  return Object.entries(dict).reduce((acc, [labelName, isSelected]) => {
-    if (isSelected) {
-      acc.push(labelName);
-    }
-    return acc;
-  }, [] as string[]);
-};
-
 export const DEFAULT_ERROR_MESSAGE =
   "Couldn’t add configuration profile. Please try again.";
 
diff --git a/frontend/services/entities/mdm.ts b/frontend/services/entities/mdm.ts
index 7d9c0d9d6a..e9c288db09 100644
--- a/frontend/services/entities/mdm.ts
+++ b/frontend/services/entities/mdm.ts
@@ -1,4 +1,5 @@
 /* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+import { createMockMdmProfile } from "__mocks__/mdmMock";
 import {
   DiskEncryptionStatus,
   IHostMdmProfile,
@@ -45,7 +46,8 @@ export interface IMdmProfilesResponse {
 export interface IUploadProfileApiParams {
   file: File;
   teamId?: number;
-  labels?: string[];
+  labelsIncludeAll?: string[];
+  labelsExcludeAny?: string[];
 }
 
 export const isDDMProfile = (profile: IMdmProfile | IHostMdmProfile) => {
@@ -62,7 +64,7 @@ export interface IAppleSetupEnrollmentProfileResponse {
   name: string;
   uploaded_at: string;
   // enrollment profile is an object with keys found here https://developer.apple.com/documentation/devicemanagement/profile.
-  enrollment_profile: Record<string, any>;
+  enrollment_profile: Record<string, unknown>;
 }
 
 const mdmService = {
@@ -97,7 +99,12 @@ const mdmService = {
     return sendRequest("GET", path);
   },
 
-  uploadProfile: ({ file, teamId, labels }: IUploadProfileApiParams) => {
+  uploadProfile: ({
+    file,
+    teamId,
+    labelsIncludeAll,
+    labelsExcludeAny,
+  }: IUploadProfileApiParams) => {
     const { MDM_PROFILES } = endpoints;
 
     const formData = new FormData();
@@ -107,9 +114,15 @@ const mdmService = {
       formData.append("team_id", teamId.toString());
     }
 
-    labels?.forEach((label) => {
-      formData.append("labels", label);
-    });
+    if (labelsIncludeAll || labelsExcludeAny) {
+      const labels = labelsIncludeAll || labelsExcludeAny;
+      const labelKey = labelsIncludeAll
+        ? "labels_include_all"
+        : "labels_exclude_any";
+      labels?.forEach((label) => {
+        formData.append(labelKey, label);
+      });
+    }
 
     return sendRequest("POST", MDM_PROFILES, formData);
   },
@@ -272,7 +285,7 @@ const mdmService = {
     return new Promise((resolve, reject) => {
       reader.addEventListener("load", () => {
         try {
-          const body: Record<string, any> = {
+          const body: Record<string, unknown> = {
             name: file.name,
             enrollment_profile: JSON.parse(reader.result as string),
           };
@@ -284,7 +297,7 @@ const mdmService = {
           );
         } catch {
           // catches invalid JSON
-          reject("Couldn’t upload. The file should include valid JSON.");
+          reject("Couldn't upload. The file should include valid JSON.");
         }
       });
     });
diff --git a/server/datastore/mysql/apple_mdm.go b/server/datastore/mysql/apple_mdm.go
index 1acda3adde..bdeb1a99f4 100644
--- a/server/datastore/mysql/apple_mdm.go
+++ b/server/datastore/mysql/apple_mdm.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"strings"
 	"time"
 
@@ -72,10 +73,17 @@ INSERT INTO
 		// filled in.
 		profileID, _ = res.LastInsertId()
 
-		for i := range cp.Labels {
-			cp.Labels[i].ProfileUUID = profUUID
+		labels := make([]fleet.ConfigurationProfileLabel, 0, len(cp.LabelsIncludeAll)+len(cp.LabelsExcludeAny))
+		for i := range cp.LabelsIncludeAll {
+			cp.LabelsIncludeAll[i].ProfileUUID = profUUID
+			labels = append(labels, cp.LabelsIncludeAll[i])
 		}
-		if err := batchSetProfileLabelAssociationsDB(ctx, tx, cp.Labels, "darwin"); err != nil {
+		for i := range cp.LabelsExcludeAny {
+			cp.LabelsExcludeAny[i].ProfileUUID = profUUID
+			cp.LabelsExcludeAny[i].Exclude = true
+			labels = append(labels, cp.LabelsExcludeAny[i])
+		}
+		if err := batchSetProfileLabelAssociationsDB(ctx, tx, labels, "darwin"); err != nil {
 			return ctxerr.Wrap(ctx, err, "inserting darwin profile label associations")
 		}
 
@@ -223,9 +231,12 @@ WHERE
 		if err != nil {
 			return nil, err
 		}
-		if len(labels) > 0 {
-			// ensure we leave Labels nil if there are none
-			res.Labels = labels
+		for _, lbl := range labels {
+			if lbl.Exclude {
+				res.LabelsExcludeAny = append(res.LabelsExcludeAny, lbl)
+			} else {
+				res.LabelsIncludeAll = append(res.LabelsIncludeAll, lbl)
+			}
 		}
 	}
 
@@ -262,9 +273,12 @@ WHERE
 	if err != nil {
 		return nil, err
 	}
-	if len(labels) > 0 {
-		// ensure we leave Labels nil if there are none
-		res.Labels = labels
+	for _, lbl := range labels {
+		if lbl.Exclude {
+			res.LabelsExcludeAny = append(res.LabelsExcludeAny, lbl)
+		} else {
+			res.LabelsIncludeAll = append(res.LabelsIncludeAll, lbl)
+		}
 	}
 
 	return &res, nil
@@ -1540,10 +1554,15 @@ ON DUPLICATE KEY UPDATE
 				return ctxerr.Wrapf(ctx, err, "profile %q is in the database but was not incoming", newlyInsertedProf.Identifier)
 			}
 
-			for _, label := range incomingProf.Labels {
+			for _, label := range incomingProf.LabelsIncludeAll {
 				label.ProfileUUID = newlyInsertedProf.ProfileUUID
 				incomingLabels = append(incomingLabels, label)
 			}
+			for _, label := range incomingProf.LabelsExcludeAny {
+				label.ProfileUUID = newlyInsertedProf.ProfileUUID
+				label.Exclude = true
+				incomingLabels = append(incomingLabels, label)
+			}
 		}
 	}
 
@@ -1665,12 +1684,12 @@ func (ds *Datastore) bulkSetPendingMDMAppleHostProfilesDB(
 		( hmap.profile_uuid IS NULL AND hmap.host_uuid IS NULL ) OR
 		-- profiles in A and B but with operation type "remove"
 		( hmap.host_uuid IS NOT NULL AND ( hmap.operation_type = ? OR hmap.operation_type IS NULL ) )
-`, fmt.Sprintf(appleMDMProfilesDesiredStateQuery, "h.uuid IN (?)", "h.uuid IN (?)"))
+`, fmt.Sprintf(appleMDMProfilesDesiredStateQuery, "h.uuid IN (?)", "h.uuid IN (?)", "h.uuid IN (?)"))
 
 	// TODO: if a very large number (~65K) of host uuids was matched (via
 	// uuids, teams or profile IDs), could result in too many placeholders (not
 	// an immediate concern).
-	stmt, args, err := sqlx.In(toInstallStmt, uuids, uuids, fleet.MDMOperationTypeRemove)
+	stmt, args, err := sqlx.In(toInstallStmt, uuids, uuids, uuids, fleet.MDMOperationTypeRemove)
 	if err != nil {
 		return ctxerr.Wrap(ctx, err, "building profiles to install statement")
 	}
@@ -1705,6 +1724,7 @@ func (ds *Datastore) bulkSetPendingMDMAppleHostProfilesDB(
 		-- except "remove" operations in any state
 		( hmap.operation_type IS NULL OR hmap.operation_type != ? ) AND
 		-- except "would be removed" profiles if they are a broken label-based profile
+		-- (regardless of if it is an include-all or exclude-any label)
 		NOT EXISTS (
 			SELECT 1
 			FROM mdm_configuration_profile_labels mcpl
@@ -1712,12 +1732,12 @@ func (ds *Datastore) bulkSetPendingMDMAppleHostProfilesDB(
 			mcpl.apple_profile_uuid = hmap.profile_uuid AND
 			mcpl.label_id IS NULL
 		)
-`, fmt.Sprintf(appleMDMProfilesDesiredStateQuery, "h.uuid IN (?)", "h.uuid IN (?)"))
+`, fmt.Sprintf(appleMDMProfilesDesiredStateQuery, "h.uuid IN (?)", "h.uuid IN (?)", "h.uuid IN (?)"))
 
 	// TODO: if a very large number (~65K) of host uuids was matched (via
 	// uuids, teams or profile IDs), could result in too many placeholders (not
 	// an immediate concern). Note that uuids are provided twice.
-	stmt, args, err = sqlx.In(toRemoveStmt, uuids, uuids, uuids, fleet.MDMOperationTypeRemove)
+	stmt, args, err = sqlx.In(toRemoveStmt, uuids, uuids, uuids, uuids, fleet.MDMOperationTypeRemove)
 	if err != nil {
 		return ctxerr.Wrap(ctx, err, "building profiles to remove statement")
 	}
@@ -1867,29 +1887,55 @@ func (ds *Datastore) bulkSetPendingMDMAppleHostProfilesDB(
 	return nil
 }
 
-// mdmEntityTypeToTable tracks what table should be used in the templates for
-// SQL statements based on the given entity type.
-var mdmEntityTypeToTable = map[string]string{
-	"declaration": "declaration",
-	"profile":     "configuration_profile",
+// mdmEntityTypeToDynamicNames tracks what names should be used in the
+// templates for SQL statements based on the given entity type. The dynamic
+// names are deliberately spelled out in full (instead of using an fmt.Sprintf
+// approach) so that they are greppable in the codebase.
+var mdmEntityTypeToDynamicNames = map[string]map[string]string{
+	"declaration": {
+		"entityUUIDColumn":        "declaration_uuid",
+		"entityIdentifierColumn":  "declaration_identifier",
+		"entityNameColumn":        "declaration_name",
+		"countEntityLabelsColumn": "count_declaration_labels",
+		"mdmAppleEntityTable":     "mdm_apple_declarations",
+		"mdmEntityLabelsTable":    "mdm_declaration_labels",
+		"appleEntityUUIDColumn":   "apple_declaration_uuid",
+		"hostMDMAppleEntityTable": "host_mdm_apple_declarations",
+	},
+	"profile": {
+		"entityUUIDColumn":        "profile_uuid",
+		"entityIdentifierColumn":  "profile_identifier",
+		"entityNameColumn":        "profile_name",
+		"countEntityLabelsColumn": "count_profile_labels",
+		"mdmAppleEntityTable":     "mdm_apple_configuration_profiles",
+		"mdmEntityLabelsTable":    "mdm_configuration_profile_labels",
+		"appleEntityUUIDColumn":   "apple_profile_uuid",
+		"hostMDMAppleEntityTable": "host_mdm_apple_profiles",
+	},
 }
 
 // generateDesiredStateQuery generates a query string that represents the
 // desired state of an Apple entity based on its type (profile or declaration)
 func generateDesiredStateQuery(entityType string) string {
-	return fmt.Sprintf(`
+	dynamicNames := mdmEntityTypeToDynamicNames[entityType]
+	if dynamicNames == nil {
+		panic(fmt.Sprintf("unknown entity type %q", entityType))
+	}
+
+	return os.Expand(`
 	-- non label-based entities
 	SELECT
-		mae.%[1]s_uuid,
+		mae.${entityUUIDColumn},
 		h.uuid as host_uuid,
 		h.platform as host_platform,
-		mae.identifier as %[1]s_identifier,
-		mae.name as %[1]s_name,
+		mae.identifier as ${entityIdentifierColumn},
+		mae.name as ${entityNameColumn},
 		mae.checksum as checksum,
-		0 as count_%[1]s_labels,
+		0 as ${countEntityLabelsColumn},
+		0 as count_non_broken_labels,
 		0 as count_host_labels
 	FROM
-		mdm_apple_%[2]ss mae
+		${mdmAppleEntityTable} mae
 			JOIN hosts h
 				ON h.team_id = mae.team_id OR (h.team_id IS NULL AND mae.team_id = 0)
 			JOIN nano_enrollments ne
@@ -1900,44 +1946,81 @@ func generateDesiredStateQuery(entityType string) string {
 		ne.type = 'Device' AND
 		NOT EXISTS (
 			SELECT 1
-			FROM mdm_%[2]s_labels mel
-			WHERE mel.apple_%[1]s_uuid = mae.%[1]s_uuid
+			FROM ${mdmEntityLabelsTable} mel
+			WHERE mel.${appleEntityUUIDColumn} = mae.${entityUUIDColumn}
 		) AND
-		( %[3]s )
+		( %s )
 
 	UNION
 
-	-- label-based entities where the host is a member of all the labels
+	-- label-based entities where the host is a member of all the labels (include-all).
+	-- by design, "include" labels cannot match if they are broken (the host cannot be
+	-- a member of a deleted label).
 	SELECT
-		mae.%[1]s_uuid,
+		mae.${entityUUIDColumn},
 		h.uuid as host_uuid,
 		h.platform as host_platform,
-		mae.identifier as %[1]s_identifier,
-		mae.name as %[1]s_name,
+		mae.identifier as ${entityIdentifierColumn},
+		mae.name as ${entityNameColumn},
 		mae.checksum as checksum,
-		COUNT(*) as count_%[1]s_labels,
+		COUNT(*) as ${countEntityLabelsColumn},
+		COUNT(mel.label_id) as count_non_broken_labels,
 		COUNT(lm.label_id) as count_host_labels
 	FROM
-		mdm_apple_%[2]ss mae
+		${mdmAppleEntityTable} mae
 			JOIN hosts h
 				ON h.team_id = mae.team_id OR (h.team_id IS NULL AND mae.team_id = 0)
 			JOIN nano_enrollments ne
 				ON ne.device_id = h.uuid
-			JOIN mdm_%[2]s_labels mel
-				ON mel.apple_%[1]s_uuid = mae.%[1]s_uuid
+			JOIN ${mdmEntityLabelsTable} mel
+				ON mel.${appleEntityUUIDColumn} = mae.${entityUUIDColumn} AND mel.exclude = 0
 			LEFT OUTER JOIN label_membership lm
 				ON lm.label_id = mel.label_id AND lm.host_id = h.id
 	WHERE
 		(h.platform = 'darwin' OR h.platform = 'ios' OR h.platform = 'ipados') AND
 		ne.enabled = 1 AND
 		ne.type = 'Device' AND
-		( %[3]s )
+		( %s )
 	GROUP BY
-		mae.%[1]s_uuid, h.uuid, h.platform, mae.identifier, mae.name, mae.checksum
+		mae.${entityUUIDColumn}, h.uuid, h.platform, mae.identifier, mae.name, mae.checksum
 	HAVING
-		count_%[1]s_labels > 0 AND count_host_labels = count_%[1]s_labels
+		${countEntityLabelsColumn} > 0 AND count_host_labels = ${countEntityLabelsColumn}
 
-	`, entityType, mdmEntityTypeToTable[entityType], "%s")
+	UNION
+
+	-- label-based entities where the host is NOT a member of any of the labels (exclude-any).
+	-- explicitly ignore profiles with broken excluded labels so that they are never applied.
+	SELECT
+		mae.${entityUUIDColumn},
+		h.uuid as host_uuid,
+		h.platform as host_platform,
+		mae.identifier as ${entityIdentifierColumn},
+		mae.name as ${entityNameColumn},
+		mae.checksum as checksum,
+		COUNT(*) as ${countEntityLabelsColumn},
+		COUNT(mel.label_id) as count_non_broken_labels,
+		COUNT(lm.label_id) as count_host_labels
+	FROM
+		${mdmAppleEntityTable} mae
+			JOIN hosts h
+				ON h.team_id = mae.team_id OR (h.team_id IS NULL AND mae.team_id = 0)
+			JOIN nano_enrollments ne
+				ON ne.device_id = h.uuid
+			JOIN ${mdmEntityLabelsTable} mel
+				ON mel.${appleEntityUUIDColumn} = mae.${entityUUIDColumn} AND mel.exclude = 1
+			LEFT OUTER JOIN label_membership lm
+				ON lm.label_id = mel.label_id AND lm.host_id = h.id
+	WHERE
+		(h.platform = 'darwin' OR h.platform = 'ios' OR h.platform = 'ipados') AND
+		ne.enabled = 1 AND
+		ne.type = 'Device' AND
+		( %s )
+	GROUP BY
+		mae.${entityUUIDColumn}, h.uuid, h.platform, mae.identifier, mae.name, mae.checksum
+	HAVING
+		-- considers only the profiles with labels, without any broken label, and with the host not in any label
+		${countEntityLabelsColumn} > 0 AND ${countEntityLabelsColumn} = count_non_broken_labels AND count_host_labels = 0
+	`, func(s string) string { return dynamicNames[s] })
 }
 
 // generateEntitiesToInstallQuery is a set difference between:
@@ -1977,20 +2060,25 @@ func generateDesiredStateQuery(entityType string) string {
 // where one of the labels does not exist anymore, will not be considered for
 // installation.
 func generateEntitiesToInstallQuery(entityType string) string {
-	return fmt.Sprintf(`
-	( %[3]s ) as ds
-		LEFT JOIN host_mdm_apple_%[1]ss hmae
-			ON hmae.%[1]s_uuid = ds.%[1]s_uuid AND hmae.host_uuid = ds.host_uuid
+	dynamicNames := mdmEntityTypeToDynamicNames[entityType]
+	if dynamicNames == nil {
+		panic(fmt.Sprintf("unknown entity type %q", entityType))
+	}
+
+	return fmt.Sprintf(os.Expand(`
+	( %s ) as ds
+		LEFT JOIN ${hostMDMAppleEntityTable} hmae
+			ON hmae.${entityUUIDColumn} = ds.${entityUUIDColumn} AND hmae.host_uuid = ds.host_uuid
 	WHERE
 		-- entity has been updated
 		( hmae.checksum != ds.checksum ) OR
 		-- entity in A but not in B
-		( hmae.%[1]s_uuid IS NULL AND hmae.host_uuid IS NULL ) OR
+		( hmae.${entityUUIDColumn} IS NULL AND hmae.host_uuid IS NULL ) OR
 		-- entities in A and B but with operation type "remove"
 		( hmae.host_uuid IS NOT NULL AND ( hmae.operation_type = ? OR hmae.operation_type IS NULL ) ) OR
 		-- entities in A and B with operation type "install" and NULL status
 		( hmae.host_uuid IS NOT NULL AND hmae.operation_type = ? AND hmae.status IS NULL )
-`, entityType, mdmEntityTypeToTable[entityType], fmt.Sprintf(generateDesiredStateQuery(entityType), "TRUE", "TRUE"))
+`, func(s string) string { return dynamicNames[s] }), fmt.Sprintf(generateDesiredStateQuery(entityType), "TRUE", "TRUE", "TRUE"))
 }
 
 // generateEntitiesToRemoveQuery is a set difference between:
@@ -2020,24 +2108,30 @@ func generateEntitiesToInstallQuery(entityType string) string {
 // entity but no longer does (and that label-based entity is not "broken"),
 // the entity will be removed from the host.
 func generateEntitiesToRemoveQuery(entityType string) string {
-	return fmt.Sprintf(`
-	( %[3]s ) as ds
-		RIGHT JOIN host_mdm_apple_%[1]ss hmae
-			ON hmae.%[1]s_uuid = ds.%[1]s_uuid AND hmae.host_uuid = ds.host_uuid
+	dynamicNames := mdmEntityTypeToDynamicNames[entityType]
+	if dynamicNames == nil {
+		panic(fmt.Sprintf("unknown entity type %q", entityType))
+	}
+
+	return fmt.Sprintf(os.Expand(`
+	( %s ) as ds
+		RIGHT JOIN ${hostMDMAppleEntityTable} hmae
+			ON hmae.${entityUUIDColumn} = ds.${entityUUIDColumn} AND hmae.host_uuid = ds.host_uuid
 	WHERE
 		-- entities that are in B but not in A
-		ds.%[1]s_uuid IS NULL AND ds.host_uuid IS NULL AND
+		ds.${entityUUIDColumn} IS NULL AND ds.host_uuid IS NULL AND
 		-- except "remove" operations in a terminal state or already pending
 		( hmae.operation_type IS NULL OR hmae.operation_type != ? OR hmae.status IS NULL ) AND
 		-- except "would be removed" entities if they are a broken label-based entities
+		-- (regardless of if it is an include-all or exclude-any label)
 		NOT EXISTS (
 			SELECT 1
-			FROM mdm_%[2]s_labels mcpl
+			FROM ${mdmEntityLabelsTable} mcpl
 			WHERE
-				mcpl.apple_%[1]s_uuid = hmae.%[1]s_uuid AND
+				mcpl.${appleEntityUUIDColumn} = hmae.${entityUUIDColumn} AND
 				mcpl.label_id IS NULL
 		)
-`, entityType, mdmEntityTypeToTable[entityType], fmt.Sprintf(generateDesiredStateQuery(entityType), "TRUE", "TRUE"))
+`, func(s string) string { return dynamicNames[s] }), fmt.Sprintf(generateDesiredStateQuery(entityType), "TRUE", "TRUE", "TRUE"))
 }
 
 func (ds *Datastore) ListMDMAppleProfilesToInstall(ctx context.Context) ([]*fleet.MDMAppleProfilePayload, error) {
@@ -3706,10 +3800,15 @@ WHERE
 				return nil, ctxerr.Wrapf(ctx, err, "declaration %q is in the database but was not incoming", newlyInsertedDecl.Name)
 			}
 
-			for _, label := range incomingDecl.Labels {
+			for _, label := range incomingDecl.LabelsIncludeAll {
 				label.ProfileUUID = newlyInsertedDecl.DeclarationUUID
 				incomingLabels = append(incomingLabels, label)
 			}
+			for _, label := range incomingDecl.LabelsExcludeAny {
+				label.ProfileUUID = newlyInsertedDecl.DeclarationUUID
+				label.Exclude = true
+				incomingLabels = append(incomingLabels, label)
+			}
 		}
 	}
 
@@ -3806,10 +3905,18 @@ func (ds *Datastore) insertOrUpsertMDMAppleDeclaration(ctx context.Context, insO
 			return ctxerr.Wrap(ctx, err, "reload apple mdm declaration")
 		}
 
-		for i := range declaration.Labels {
-			declaration.Labels[i].ProfileUUID = declUUID
+		labels := make([]fleet.ConfigurationProfileLabel, 0,
+			len(declaration.LabelsIncludeAll)+len(declaration.LabelsExcludeAny))
+		for i := range declaration.LabelsIncludeAll {
+			declaration.LabelsIncludeAll[i].ProfileUUID = declUUID
+			labels = append(labels, declaration.LabelsIncludeAll[i])
 		}
-		if err := batchSetDeclarationLabelAssociationsDB(ctx, tx, declaration.Labels); err != nil {
+		for i := range declaration.LabelsExcludeAny {
+			declaration.LabelsExcludeAny[i].ProfileUUID = declUUID
+			declaration.LabelsExcludeAny[i].Exclude = true
+			labels = append(labels, declaration.LabelsExcludeAny[i])
+		}
+		if err := batchSetDeclarationLabelAssociationsDB(ctx, tx, labels); err != nil {
 			return ctxerr.Wrap(ctx, err, "inserting mdm declaration label associations")
 		}
 
@@ -3839,11 +3946,12 @@ func batchSetDeclarationLabelAssociationsDB(ctx context.Context, tx sqlx.ExtCont
 
 	upsertStmt := `
 	  INSERT INTO mdm_declaration_labels
-              (apple_declaration_uuid, label_id, label_name)
+              (apple_declaration_uuid, label_id, label_name, exclude)
           VALUES
               %s
           ON DUPLICATE KEY UPDATE
-              label_id = VALUES(label_id)
+              label_id = VALUES(label_id),
+              exclude = VALUES(exclude)
 	`
 
 	var (
@@ -3859,9 +3967,9 @@ func batchSetDeclarationLabelAssociationsDB(ctx context.Context, tx sqlx.ExtCont
 			insertBuilder.WriteString(",")
 			deleteBuilder.WriteString(",")
 		}
-		insertBuilder.WriteString("(?, ?, ?)")
+		insertBuilder.WriteString("(?, ?, ?, ?)")
 		deleteBuilder.WriteString("(?, ?)")
-		insertParams = append(insertParams, pl.ProfileUUID, pl.LabelID, pl.LabelName)
+		insertParams = append(insertParams, pl.ProfileUUID, pl.LabelID, pl.LabelName, pl.Exclude)
 		deleteParams = append(deleteParams, pl.ProfileUUID, pl.LabelID)
 
 		setProfileUUIDs[pl.ProfileUUID] = struct{}{}
@@ -3907,10 +4015,18 @@ FROM
 	host_mdm_apple_declarations hmad
 	JOIN mdm_apple_declarations mad ON hmad.declaration_uuid = mad.declaration_uuid
 WHERE
-	hmad.host_uuid = ?`
+	hmad.host_uuid = ? AND hmad.operation_type = ?`
+
+	// NOTE: the token generated as part of this query decides if the DDM session
+	// proceeds with sending the declarations - if the token differs from what
+	// the host last applied, it will proceed. That's why we use only the "to be
+	// installed" declarations for the token generation. If some declarations get
+	// removed, then they will be ignored in the token generation, which will
+	// change the token and make the DDM session proceed (and declarations not
+	// sent get removed).
 
 	var res fleet.MDMAppleDDMDeclarationsToken
-	if err := sqlx.GetContext(ctx, ds.reader(ctx), &res, stmt, hostUUID); err != nil {
+	if err := sqlx.GetContext(ctx, ds.reader(ctx), &res, stmt, hostUUID, fleet.MDMOperationTypeInstall); err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "get DDM declarations token")
 	}
 
diff --git a/server/datastore/mysql/apple_mdm_test.go b/server/datastore/mysql/apple_mdm_test.go
index 142cd81294..08b4ae68ff 100644
--- a/server/datastore/mysql/apple_mdm_test.go
+++ b/server/datastore/mysql/apple_mdm_test.go
@@ -158,7 +158,7 @@ func testNewMDMAppleConfigProfileLabels(t *testing.T, ds *Datastore) {
 		Identifier:   "DummyTestIdentifier",
 		Mobileconfig: dummyMC,
 		TeamID:       nil,
-		Labels: []fleet.ConfigurationProfileLabel{
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
 			{LabelName: "foo", LabelID: 1},
 		},
 	}
@@ -174,7 +174,7 @@ func testNewMDMAppleConfigProfileLabels(t *testing.T, ds *Datastore) {
 	}
 	label, err = ds.NewLabel(ctx, label)
 	require.NoError(t, err)
-	cp.Labels = []fleet.ConfigurationProfileLabel{
+	cp.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 		{LabelName: label.Name, LabelID: label.ID},
 	}
 	prof, err := ds.NewMDMAppleConfigProfile(ctx, cp)
@@ -207,11 +207,11 @@ func testNewMDMAppleConfigProfileDuplicateIdentifier(t *testing.T, ds *Datastore
 	storedCP, err := ds.GetMDMAppleConfigProfileByDeprecatedID(ctx, newCP.ProfileID)
 	require.NoError(t, err)
 	checkConfigProfile(t, *newCP, *storedCP)
-	require.Nil(t, storedCP.Labels)
+	require.Nil(t, storedCP.LabelsIncludeAll)
 	storedCP, err = ds.GetMDMAppleConfigProfile(ctx, newCP.ProfileUUID)
 	require.NoError(t, err)
 	checkConfigProfile(t, *newCP, *storedCP)
-	require.Nil(t, storedCP.Labels)
+	require.Nil(t, storedCP.LabelsIncludeAll)
 
 	// create a label-based profile
 	lbl, err := ds.NewLabel(ctx, &fleet.Label{Name: "lbl", Query: "select 1"})
@@ -221,7 +221,7 @@ func testNewMDMAppleConfigProfileDuplicateIdentifier(t *testing.T, ds *Datastore
 		Name:         "label-based",
 		Identifier:   "label-based",
 		Mobileconfig: mobileconfig.Mobileconfig([]byte("LabelTestMobileconfigBytes")),
-		Labels: []fleet.ConfigurationProfileLabel{
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
 			{LabelName: lbl.Name, LabelID: lbl.ID},
 		},
 	}
@@ -232,21 +232,21 @@ func testNewMDMAppleConfigProfileDuplicateIdentifier(t *testing.T, ds *Datastore
 	// only included in the uuid one
 	prof, err := ds.GetMDMAppleConfigProfileByDeprecatedID(ctx, labelProf.ProfileID)
 	require.NoError(t, err)
-	require.Nil(t, prof.Labels)
+	require.Nil(t, prof.LabelsIncludeAll)
 	prof, err = ds.GetMDMAppleConfigProfile(ctx, labelProf.ProfileUUID)
 	require.NoError(t, err)
-	require.Len(t, prof.Labels, 1)
-	require.Equal(t, lbl.Name, prof.Labels[0].LabelName)
-	require.False(t, prof.Labels[0].Broken)
+	require.Len(t, prof.LabelsIncludeAll, 1)
+	require.Equal(t, lbl.Name, prof.LabelsIncludeAll[0].LabelName)
+	require.False(t, prof.LabelsIncludeAll[0].Broken)
 
 	// break the profile by deleting the label
 	require.NoError(t, ds.DeleteLabel(ctx, lbl.Name))
 
 	prof, err = ds.GetMDMAppleConfigProfile(ctx, labelProf.ProfileUUID)
 	require.NoError(t, err)
-	require.Len(t, prof.Labels, 1)
-	require.Equal(t, lbl.Name, prof.Labels[0].LabelName)
-	require.True(t, prof.Labels[0].Broken)
+	require.Len(t, prof.LabelsIncludeAll, 1)
+	require.Equal(t, lbl.Name, prof.LabelsIncludeAll[0].LabelName)
+	require.True(t, prof.LabelsIncludeAll[0].Broken)
 }
 
 func generateCP(name string, identifier string, teamID uint) *fleet.MDMAppleConfigProfile {
@@ -1094,7 +1094,7 @@ func expectAppleDeclarations(
 
 		require.Equal(t, wantD.Name, gotD.Name)
 		require.Equal(t, wantD.Identifier, gotD.Identifier)
-		require.Equal(t, wantD.Labels, gotD.Labels)
+		require.Equal(t, wantD.LabelsIncludeAll, gotD.LabelsIncludeAll)
 	}
 	return m
 }
@@ -1263,6 +1263,8 @@ func configProfileBytesForTest(name, identifier, uuid string) []byte {
 `, name, identifier, uuid))
 }
 
+// if the label name starts with "exclude-", the label is considered an "exclude-any", otherwise
+// it is an "include-all".
 func configProfileForTest(t *testing.T, name, identifier, uuid string, labels ...*fleet.Label) *fleet.MDMAppleConfigProfile {
 	prof := configProfileBytesForTest(name, identifier, uuid)
 	cp, err := fleet.NewMDMAppleConfigProfile(prof, nil)
@@ -1271,12 +1273,18 @@ func configProfileForTest(t *testing.T, name, identifier, uuid string, labels ..
 	cp.Checksum = sum[:]
 
 	for _, lbl := range labels {
-		cp.Labels = append(cp.Labels, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		if strings.HasPrefix(lbl.Name, "exclude-") {
+			cp.LabelsExcludeAny = append(cp.LabelsExcludeAny, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		} else {
+			cp.LabelsIncludeAll = append(cp.LabelsIncludeAll, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		}
 	}
 
 	return cp
 }
 
+// if the label name starts with "exclude-", the label is considered an "exclude-any", otherwise
+// it is an "include-all".
 func declForTest(name, identifier, payloadContent string, labels ...*fleet.Label) *fleet.MDMAppleDeclaration {
 	tmpl := `{
 		"Type": "com.apple.configuration.decl%s",
@@ -1295,7 +1303,11 @@ func declForTest(name, identifier, payloadContent string, labels ...*fleet.Label
 	}
 
 	for _, l := range labels {
-		decl.Labels = append(decl.Labels, fleet.ConfigurationProfileLabel{LabelName: l.Name, LabelID: l.ID})
+		if strings.HasPrefix(l.Name, "exclude-") {
+			decl.LabelsExcludeAny = append(decl.LabelsExcludeAny, fleet.ConfigurationProfileLabel{LabelName: l.Name, LabelID: l.ID})
+		} else {
+			decl.LabelsIncludeAll = append(decl.LabelsIncludeAll, fleet.ConfigurationProfileLabel{LabelName: l.Name, LabelID: l.ID})
+		}
 	}
 
 	return decl
@@ -4858,14 +4870,14 @@ func testSetOrUpdateMDMAppleDDMDeclaration(t *testing.T, ds *Datastore) {
 
 	d1Ori, err := ds.GetMDMAppleDeclaration(ctx, d1.DeclarationUUID)
 	require.NoError(t, err)
-	require.Empty(t, d1Ori.Labels)
+	require.Empty(t, d1Ori.LabelsIncludeAll)
 
 	// update d1 with different identifier and labels
 	d1, err = ds.SetOrUpdateMDMAppleDeclaration(ctx, &fleet.MDMAppleDeclaration{
-		Identifier: "i1b",
-		Name:       "d1",
-		RawJSON:    json.RawMessage(`{"Identifier": "i1b"}`),
-		Labels:     []fleet.ConfigurationProfileLabel{{LabelName: l1.Name, LabelID: l1.ID}},
+		Identifier:       "i1b",
+		Name:             "d1",
+		RawJSON:          json.RawMessage(`{"Identifier": "i1b"}`),
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{LabelName: l1.Name, LabelID: l1.ID}},
 	})
 	require.NoError(t, err)
 	require.Equal(t, d1.DeclarationUUID, d1Ori.DeclarationUUID)
@@ -4873,39 +4885,39 @@ func testSetOrUpdateMDMAppleDDMDeclaration(t *testing.T, ds *Datastore) {
 
 	d1B, err := ds.GetMDMAppleDeclaration(ctx, d1.DeclarationUUID)
 	require.NoError(t, err)
-	require.Len(t, d1B.Labels, 1)
-	require.Equal(t, l1.ID, d1B.Labels[0].LabelID)
+	require.Len(t, d1B.LabelsIncludeAll, 1)
+	require.Equal(t, l1.ID, d1B.LabelsIncludeAll[0].LabelID)
 
 	// update d1 with different label
 	d1, err = ds.SetOrUpdateMDMAppleDeclaration(ctx, &fleet.MDMAppleDeclaration{
-		Identifier: "i1b",
-		Name:       "d1",
-		RawJSON:    json.RawMessage(`{"Identifier": "i1b"}`),
-		Labels:     []fleet.ConfigurationProfileLabel{{LabelName: l2.Name, LabelID: l2.ID}},
+		Identifier:       "i1b",
+		Name:             "d1",
+		RawJSON:          json.RawMessage(`{"Identifier": "i1b"}`),
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{LabelName: l2.Name, LabelID: l2.ID}},
 	})
 	require.NoError(t, err)
 	require.Equal(t, d1.DeclarationUUID, d1Ori.DeclarationUUID)
 
 	d1C, err := ds.GetMDMAppleDeclaration(ctx, d1.DeclarationUUID)
 	require.NoError(t, err)
-	require.Len(t, d1C.Labels, 1)
-	require.Equal(t, l2.ID, d1C.Labels[0].LabelID)
+	require.Len(t, d1C.LabelsIncludeAll, 1)
+	require.Equal(t, l2.ID, d1C.LabelsIncludeAll[0].LabelID)
 
 	// update d1tm1 with different identifier and label
 	d1tm1B, err := ds.SetOrUpdateMDMAppleDeclaration(ctx, &fleet.MDMAppleDeclaration{
-		Identifier: "i1b",
-		Name:       "d1",
-		TeamID:     &tm1.ID,
-		RawJSON:    json.RawMessage(`{"Identifier": "i1b"}`),
-		Labels:     []fleet.ConfigurationProfileLabel{{LabelName: l1.Name, LabelID: l1.ID}},
+		Identifier:       "i1b",
+		Name:             "d1",
+		TeamID:           &tm1.ID,
+		RawJSON:          json.RawMessage(`{"Identifier": "i1b"}`),
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{LabelName: l1.Name, LabelID: l1.ID}},
 	})
 	require.NoError(t, err)
 	require.Equal(t, d1tm1B.DeclarationUUID, d1tm1.DeclarationUUID)
 
 	d1tm1B, err = ds.GetMDMAppleDeclaration(ctx, d1tm1B.DeclarationUUID)
 	require.NoError(t, err)
-	require.Len(t, d1tm1B.Labels, 1)
-	require.Equal(t, l1.ID, d1tm1B.Labels[0].LabelID)
+	require.Len(t, d1tm1B.LabelsIncludeAll, 1)
+	require.Equal(t, l1.ID, d1tm1B.LabelsIncludeAll[0].LabelID)
 
 	// delete no-team d1
 	err = ds.DeleteMDMAppleDeclarationByName(ctx, nil, "d1")
diff --git a/server/datastore/mysql/mdm.go b/server/datastore/mysql/mdm.go
index e31ee843a3..44eae46c7b 100644
--- a/server/datastore/mysql/mdm.go
+++ b/server/datastore/mysql/mdm.go
@@ -125,7 +125,6 @@ func (ds *Datastore) ListMDMConfigProfiles(ctx context.Context, teamID *uint, op
 
 	var profs []*fleet.MDMConfigProfilePayload
 
-	// TODO(roberto): Consider using UNION ALL here, as we know there won't be any duplicates between the tables.
 	const selectStmt = `
 SELECT
 	profile_uuid,
@@ -152,7 +151,7 @@ FROM (
 		team_id = ? AND
 		identifier NOT IN (?)
 
-	UNION
+	UNION ALL
 
 	SELECT
 		profile_uuid,
@@ -169,7 +168,7 @@ FROM (
 		team_id = ? AND
 		name NOT IN (?)
 
-	UNION
+	UNION ALL
 
 	SELECT
 		declaration_uuid AS profile_uuid,
@@ -249,7 +248,11 @@ FROM (
 	}
 	for _, label := range labels {
 		if prof, ok := profMap[label.ProfileUUID]; ok {
-			prof.Labels = append(prof.Labels, label)
+			if label.Exclude {
+				prof.LabelsExcludeAny = append(prof.LabelsExcludeAny, label)
+			} else {
+				prof.LabelsIncludeAll = append(prof.LabelsIncludeAll, label)
+			}
 		}
 	}
 
@@ -263,7 +266,8 @@ SELECT
 	COALESCE(apple_profile_uuid, windows_profile_uuid) as profile_uuid,
 	label_name,
 	COALESCE(label_id, 0) as label_id,
-	IF(label_id IS NULL, 1, 0) as broken
+	IF(label_id IS NULL, 1, 0) as broken,
+	exclude
 FROM
 	mdm_configuration_profile_labels mcpl
 WHERE
@@ -274,7 +278,8 @@ SELECT
 	apple_declaration_uuid as profile_uuid,
 	label_name,
 	COALESCE(label_id, 0) as label_id,
-	IF(label_id IS NULL, 1, 0) as broken
+	IF(label_id IS NULL, 1, 0) as broken,
+	exclude
 FROM
 	mdm_declaration_labels mdl
 WHERE
@@ -282,7 +287,6 @@ WHERE
 ORDER BY
 	profile_uuid, label_name
 `
-
 	// ensure there's at least one (non-matching) value in the slice so the IN
 	// clause is valid
 	if len(winProfUUIDs) == 0 {
@@ -678,49 +682,83 @@ func (ds *Datastore) GetHostMDMProfilesExpectedForVerification(ctx context.Conte
 
 func (ds *Datastore) getHostMDMWindowsProfilesExpectedForVerification(ctx context.Context, teamID, hostID uint) (map[string]*fleet.ExpectedMDMProfile, error) {
 	stmt := `
+-- profiles without labels
 SELECT
 	name,
 	syncml AS raw_profile,
 	min(mwcp.uploaded_at) AS earliest_install_date,
 	0 AS count_profile_labels,
+	0 AS count_non_broken_labels,
 	0 AS count_host_labels
 FROM
 	mdm_windows_configuration_profiles mwcp
 WHERE
-	mwcp.team_id = ?
-	AND NOT EXISTS (
+	mwcp.team_id = ? AND
+	NOT EXISTS (
 		SELECT
 			1
 		FROM
 			mdm_configuration_profile_labels mcpl
 		WHERE
-			mcpl.apple_profile_uuid = mwcp.profile_uuid)
-GROUP BY  name, syncml
-	UNION
-	SELECT
-		name,
-		syncml AS raw_profile,
-		min(mwcp.uploaded_at) AS earliest_install_date,
-		COUNT(*) AS count_profile_labels,
-		COUNT(lm.label_id) AS count_host_labels
-	FROM
-		mdm_windows_configuration_profiles mwcp
-		JOIN mdm_configuration_profile_labels mcpl ON mcpl.windows_profile_uuid = mwcp.profile_uuid
-		LEFT OUTER JOIN label_membership lm ON lm.label_id = mcpl.label_id
-			AND lm.host_id = ?
-	WHERE
-		mwcp.team_id = ?
-	GROUP BY
-		name, syncml
-	HAVING
-		count_profile_labels > 0
-		AND count_host_labels = count_profile_labels
+			mcpl.windows_profile_uuid = mwcp.profile_uuid
+	)
+GROUP BY name, syncml
 
-  `
+UNION
 
+-- label-based profiles where the host is a member of all the labels (include-all).
+-- by design, "include" labels cannot match if they are broken (the host cannot be
+-- a member of a deleted label).
+SELECT
+	name,
+	syncml AS raw_profile,
+	min(mwcp.uploaded_at) AS earliest_install_date,
+	COUNT(*) AS count_profile_labels,
+	COUNT(mcpl.label_id) as count_non_broken_labels,
+	COUNT(lm.label_id) AS count_host_labels
+FROM
+	mdm_windows_configuration_profiles mwcp
+	JOIN mdm_configuration_profile_labels mcpl
+		ON mcpl.windows_profile_uuid = mwcp.profile_uuid AND mcpl.exclude = 0
+	LEFT OUTER JOIN label_membership lm
+		ON lm.label_id = mcpl.label_id AND lm.host_id = ?
+WHERE
+	mwcp.team_id = ?
+GROUP BY
+	name, syncml
+HAVING
+	count_profile_labels > 0 AND
+	count_host_labels = count_profile_labels
+
+UNION
+
+-- label-based entities where the host is NOT a member of any of the labels (exclude-any).
+-- explicitly ignore profiles with broken excluded labels so that they are never applied.
+SELECT
+	name,
+	syncml AS raw_profile,
+	min(mwcp.uploaded_at) AS earliest_install_date,
+	COUNT(*) AS count_profile_labels,
+	COUNT(mcpl.label_id) as count_non_broken_labels,
+	COUNT(lm.label_id) AS count_host_labels
+FROM
+	mdm_windows_configuration_profiles mwcp
+	JOIN mdm_configuration_profile_labels mcpl
+		ON mcpl.windows_profile_uuid = mwcp.profile_uuid AND mcpl.exclude = 1
+	LEFT OUTER JOIN label_membership lm
+		ON lm.label_id = mcpl.label_id AND lm.host_id = ?
+WHERE
+	mwcp.team_id = ?
+GROUP BY
+	name, syncml
+HAVING
+	-- considers only the profiles with labels, without any broken label, and with the host not in any label
+	count_profile_labels > 0 AND
+	count_profile_labels = count_non_broken_labels AND
+	count_host_labels = 0
+`
 	var profiles []*fleet.ExpectedMDMProfile
-	// Note: teamID provided twice
-	err := sqlx.SelectContext(ctx, ds.reader(ctx), &profiles, stmt, teamID, hostID, teamID)
+	err := sqlx.SelectContext(ctx, ds.reader(ctx), &profiles, stmt, teamID, hostID, teamID, hostID, teamID)
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "running query for windows profiles")
 	}
@@ -735,9 +773,11 @@ GROUP BY  name, syncml
 
 func (ds *Datastore) getHostMDMAppleProfilesExpectedForVerification(ctx context.Context, teamID, hostID uint) (map[string]*fleet.ExpectedMDMProfile, error) {
 	stmt := `
+-- profiles without labels
 SELECT
 	macp.identifier AS identifier,
 	0 AS count_profile_labels,
+	0 AS count_non_broken_labels,
 	0 AS count_host_labels,
 	earliest_install_date
 FROM
@@ -748,49 +788,89 @@ FROM
 			min(uploaded_at) AS earliest_install_date
 		FROM
 			mdm_apple_configuration_profiles
-		GROUP BY
-			checksum) cs ON macp.checksum = cs.checksum
+		GROUP BY checksum
+	) cs ON macp.checksum = cs.checksum
 WHERE
-	macp.team_id = ?
-	AND NOT EXISTS (
+	macp.team_id = ? AND 
+	NOT EXISTS (
 		SELECT
 			1
 		FROM
 			mdm_configuration_profile_labels mcpl
 		WHERE
-			mcpl.apple_profile_uuid = macp.profile_uuid)
-	UNION
-	-- label-based profiles where the host is a member of all the labels
-	SELECT
-		macp.identifier AS identifier,
-		COUNT(*) AS count_profile_labels,
-		COUNT(lm.label_id) AS count_host_labels,
-		min(earliest_install_date) AS earliest_install_date
-	FROM
-		mdm_apple_configuration_profiles macp
-		JOIN (
-			SELECT
-				checksum,
-				min(uploaded_at) AS earliest_install_date
-			FROM
-				mdm_apple_configuration_profiles
-			GROUP BY
-				checksum) cs ON macp.checksum = cs.checksum
-		JOIN mdm_configuration_profile_labels mcpl ON mcpl.apple_profile_uuid = macp.profile_uuid
-		LEFT OUTER JOIN label_membership lm ON lm.label_id = mcpl.label_id
-			AND lm.host_id = ?
-	WHERE
-		macp.team_id = ?
-	GROUP BY
-		identifier
-	HAVING
-		count_profile_labels > 0
-		AND count_host_labels = count_profile_labels
-	`
+			mcpl.apple_profile_uuid = macp.profile_uuid
+	)
+
+UNION
+
+-- label-based profiles where the host is a member of all the labels (include-all)
+-- by design, "include" labels cannot match if they are broken (the host cannot be
+-- a member of a deleted label).
+SELECT
+	macp.identifier AS identifier,
+	COUNT(*) AS count_profile_labels,
+	COUNT(mcpl.label_id) AS count_non_broken_labels,
+	COUNT(lm.label_id) AS count_host_labels,
+	min(earliest_install_date) AS earliest_install_date
+FROM
+	mdm_apple_configuration_profiles macp
+	JOIN (
+		SELECT
+			checksum,
+			min(uploaded_at) AS earliest_install_date
+		FROM
+			mdm_apple_configuration_profiles
+		GROUP BY checksum
+	) cs ON macp.checksum = cs.checksum
+	JOIN mdm_configuration_profile_labels mcpl 
+		ON mcpl.apple_profile_uuid = macp.profile_uuid AND mcpl.exclude = 0
+	LEFT OUTER JOIN label_membership lm 
+		ON lm.label_id = mcpl.label_id AND lm.host_id = ?
+WHERE
+	macp.team_id = ?
+GROUP BY
+	identifier
+HAVING
+	count_profile_labels > 0 AND 
+	count_host_labels = count_profile_labels
+
+UNION
+
+-- label-based entities where the host is NOT a member of any of the labels (exclude-any).
+-- explicitly ignore profiles with broken excluded labels so that they are never applied.
+SELECT
+	macp.identifier AS identifier,
+	COUNT(*) AS count_profile_labels,
+	COUNT(mcpl.label_id) AS count_non_broken_labels,
+	COUNT(lm.label_id) AS count_host_labels,
+	min(earliest_install_date) AS earliest_install_date
+FROM
+	mdm_apple_configuration_profiles macp
+	JOIN (
+		SELECT
+			checksum,
+			min(uploaded_at) AS earliest_install_date
+		FROM
+			mdm_apple_configuration_profiles
+		GROUP BY checksum
+	) cs ON macp.checksum = cs.checksum
+	JOIN mdm_configuration_profile_labels mcpl 
+		ON mcpl.apple_profile_uuid = macp.profile_uuid AND mcpl.exclude = 1
+	LEFT OUTER JOIN label_membership lm 
+		ON lm.label_id = mcpl.label_id AND lm.host_id = ?
+WHERE
+	macp.team_id = ?
+GROUP BY
+	identifier
+HAVING
+	-- considers only the profiles with labels, without any broken label, and with the host not in any label
+	count_profile_labels > 0 AND 
+	count_profile_labels = count_non_broken_labels AND
+	count_host_labels = 0
+`
 
 	var rows []*fleet.ExpectedMDMProfile
-	// Note: teamID provided twice
-	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &rows, stmt, teamID, hostID, teamID); err != nil {
+	if err := sqlx.SelectContext(ctx, ds.reader(ctx), &rows, stmt, teamID, hostID, teamID, hostID, teamID); err != nil {
 		return nil, ctxerr.Wrap(ctx, err, fmt.Sprintf("getting expected profiles for host in team %d", teamID))
 	}
 
@@ -915,11 +995,12 @@ func batchSetProfileLabelAssociationsDB(
 
 	upsertStmt := `
 	  INSERT INTO mdm_configuration_profile_labels
-              (%s_profile_uuid, label_id, label_name)
+              (%s_profile_uuid, label_id, label_name, exclude)
           VALUES
               %s
           ON DUPLICATE KEY UPDATE
-              label_id = VALUES(label_id)
+              label_id = VALUES(label_id),
+              exclude = VALUES(exclude)
 	`
 
 	var (
@@ -935,9 +1016,9 @@ func batchSetProfileLabelAssociationsDB(
 			insertBuilder.WriteString(",")
 			deleteBuilder.WriteString(",")
 		}
-		insertBuilder.WriteString("(?, ?, ?)")
+		insertBuilder.WriteString("(?, ?, ?, ?)")
 		deleteBuilder.WriteString("(?, ?)")
-		insertParams = append(insertParams, pl.ProfileUUID, pl.LabelID, pl.LabelName)
+		insertParams = append(insertParams, pl.ProfileUUID, pl.LabelID, pl.LabelName, pl.Exclude)
 		deleteParams = append(deleteParams, pl.ProfileUUID, pl.LabelID)
 
 		setProfileUUIDs[pl.ProfileUUID] = struct{}{}
@@ -1045,7 +1126,7 @@ SELECT
     COALESCE(MAX(hm.fleet_enroll_ref), '') AS enroll_reference,
     ne.enrolled_from_migration
 FROM (
-    -- grab only the latest certificate associated with this device 
+    -- grab only the latest certificate associated with this device
     SELECT
         n1.id,
 	n1.sha256,
@@ -1162,14 +1243,14 @@ func (ds *Datastore) GetHostMDMProfileInstallStatus(ctx context.Context, hostUUI
 	}
 
 	selectStmt := fmt.Sprintf(`
-SELECT	
+SELECT
 	COALESCE(status, ?) as status
 	FROM
 	%s
 WHERE
 	operation_type = ?
 	AND host_uuid = ?
-	AND %s = ? 
+	AND %s = ?
 `, table, column)
 
 	var status fleet.MDMDeliveryStatus
diff --git a/server/datastore/mysql/mdm_test.go b/server/datastore/mysql/mdm_test.go
index c1f05dd0aa..0b749a6b2f 100644
--- a/server/datastore/mysql/mdm_test.go
+++ b/server/datastore/mysql/mdm_test.go
@@ -37,10 +37,7 @@ func TestMDMShared(t *testing.T) {
 		{"TestBulkSetPendingMDMHostProfiles", testBulkSetPendingMDMHostProfiles},
 		{"TestBulkSetPendingMDMHostProfilesBatch2", testBulkSetPendingMDMHostProfilesBatch2},
 		{"TestBulkSetPendingMDMHostProfilesBatch3", testBulkSetPendingMDMHostProfilesBatch3},
-		{
-			"TestGetHostMDMProfilesExpectedForVerification",
-			testGetHostMDMProfilesExpectedForVerification,
-		},
+		{"TestGetHostMDMProfilesExpectedForVerification", testGetHostMDMProfilesExpectedForVerification},
 		{"TestBatchSetProfileLabelAssociations", testBatchSetProfileLabelAssociations},
 		{"TestBatchSetProfilesTransactionError", testBatchSetMDMProfilesTransactionError},
 		{"TestMDMEULA", testMDMEULA},
@@ -49,6 +46,7 @@ func TestMDMShared(t *testing.T) {
 		{"TestMDMProfilesSummaryAndHostFilters", testMDMProfilesSummaryAndHostFilters},
 		{"TestIsHostConnectedToFleetMDM", testIsHostConnectedToFleetMDM},
 		{"TestAreHostsConnectedToFleetMDM", testAreHostsConnectedToFleetMDM},
+		{"TestBulkSetPendingMDMHostProfilesExcludeAny", testBulkSetPendingMDMHostProfilesExcludeAny},
 	}
 
 	for _, c := range cases {
@@ -476,7 +474,7 @@ func testListMDMConfigProfiles(t *testing.T, ds *Datastore) {
 		// create label-based profiles for i==0, meaning CDEF will be label-based
 		acp := *generateCP(string(rune('C'+inc)), string(rune('C'+inc)), 0)
 		if i == 0 {
-			acp.Labels = []fleet.ConfigurationProfileLabel{
+			acp.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 				{LabelName: labels[0].Name, LabelID: labels[0].ID},
 				{LabelName: labels[1].Name, LabelID: labels[1].ID},
 			}
@@ -486,7 +484,7 @@ func testListMDMConfigProfiles(t *testing.T, ds *Datastore) {
 
 		acp = *generateCP(string(rune('C'+inc+1)), string(rune('C'+inc+1)), team.ID)
 		if i == 0 {
-			acp.Labels = []fleet.ConfigurationProfileLabel{
+			acp.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 				{LabelName: labels[2].Name, LabelID: labels[2].ID},
 				{LabelName: labels[3].Name, LabelID: labels[3].ID},
 			}
@@ -500,7 +498,7 @@ func testListMDMConfigProfiles(t *testing.T, ds *Datastore) {
 			SyncML: winProf,
 		}
 		if i == 0 {
-			wcp.Labels = []fleet.ConfigurationProfileLabel{
+			wcp.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 				{LabelName: labels[4].Name, LabelID: labels[4].ID},
 				{LabelName: labels[5].Name, LabelID: labels[5].ID},
 			}
@@ -514,7 +512,7 @@ func testListMDMConfigProfiles(t *testing.T, ds *Datastore) {
 			SyncML: winProf,
 		}
 		if i == 0 {
-			wcp.Labels = []fleet.ConfigurationProfileLabel{
+			wcp.LabelsIncludeAll = []fleet.ConfigurationProfileLabel{
 				{LabelName: labels[6].Name, LabelID: labels[6].ID},
 				{LabelName: labels[7].Name, LabelID: labels[7].ID},
 			}
@@ -723,14 +721,14 @@ func testListMDMConfigProfiles(t *testing.T, ds *Datastore) {
 				got[i] = p.Name
 
 				wantProfs := profLabels[p.Name]
-				require.Equal(t, len(wantProfs), len(p.Labels), "profile name: %s", p.Name)
+				require.Equal(t, len(wantProfs), len(p.LabelsIncludeAll), "profile name: %s", p.Name)
 				if len(wantProfs) > 0 {
 					// clear the profile uuids from the labels list
-					for i, l := range p.Labels {
+					for i, l := range p.LabelsIncludeAll {
 						l.ProfileUUID = ""
-						p.Labels[i] = l
+						p.LabelsIncludeAll[i] = l
 					}
-					require.ElementsMatch(t, wantProfs, p.Labels, "profile name: %s", p.Name)
+					require.ElementsMatch(t, wantProfs, p.LabelsIncludeAll, "profile name: %s", p.Name)
 				}
 			}
 			require.Equal(t, got, c.wantNames)
@@ -764,6 +762,91 @@ func testBulkSetPendingMDMHostProfilesBatch3(t *testing.T, ds *Datastore) {
 	testBulkSetPendingMDMHostProfiles(t, ds)
 }
 
+type anyProfile struct {
+	ProfileUUID      string
+	Status           *fleet.MDMDeliveryStatus
+	OperationType    fleet.MDMOperationType
+	IdentifierOrName string
+}
+
+// only asserts the profile ID, status and operation
+func assertHostProfiles(t *testing.T, ds *Datastore, want map[*fleet.Host][]anyProfile) {
+	ctx := context.Background()
+	for h, wantProfs := range want {
+		var gotProfs []anyProfile
+
+		switch h.Platform {
+		case "windows":
+			profs, err := ds.GetHostMDMWindowsProfiles(ctx, h.UUID)
+			require.NoError(t, err)
+			require.Equal(t, len(wantProfs), len(profs), "host uuid: %s", h.UUID)
+			for _, p := range profs {
+				gotProfs = append(gotProfs, anyProfile{
+					ProfileUUID:      p.ProfileUUID,
+					Status:           p.Status,
+					OperationType:    p.OperationType,
+					IdentifierOrName: p.Name,
+				})
+			}
+		default:
+			profs, err := ds.GetHostMDMAppleProfiles(ctx, h.UUID)
+			require.NoError(t, err)
+			require.Equal(t, len(wantProfs), len(profs), "host uuid: %s", h.UUID)
+			for _, p := range profs {
+				gotProfs = append(gotProfs, anyProfile{
+					ProfileUUID:      p.ProfileUUID,
+					Status:           p.Status,
+					OperationType:    p.OperationType,
+					IdentifierOrName: p.Identifier,
+				})
+			}
+		}
+
+		sortProfs := func(profs []anyProfile) []anyProfile {
+			sort.Slice(profs, func(i, j int) bool {
+				l, r := profs[i], profs[j]
+				if l.ProfileUUID == r.ProfileUUID {
+					return l.OperationType < r.OperationType
+				}
+
+				// default alphabetical comparison
+				return l.IdentifierOrName < r.IdentifierOrName
+			})
+			return profs
+		}
+
+		gotProfs = sortProfs(gotProfs)
+		wantProfs = sortProfs(wantProfs)
+		for i, wp := range wantProfs {
+			gp := gotProfs[i]
+			require.Equal(
+				t,
+				wp.ProfileUUID,
+				gp.ProfileUUID,
+				"host uuid: %s, prof id or name: %s",
+				h.UUID,
+				gp.IdentifierOrName,
+			)
+			require.Equal(
+				t,
+				wp.Status,
+				gp.Status,
+				"host uuid: %s, prof id or name: %s",
+				h.UUID,
+				gp.IdentifierOrName,
+			)
+			require.Equal(
+				t,
+				wp.OperationType,
+				gp.OperationType,
+				"host uuid: %s, prof id or name: %s",
+				h.UUID,
+				gp.IdentifierOrName,
+			)
+		}
+	}
+}
+
 func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	ctx := context.Background()
 
@@ -775,95 +858,6 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 		return ids
 	}
 
-	type anyProfile struct {
-		ProfileUUID      string
-		Status           *fleet.MDMDeliveryStatus
-		OperationType    fleet.MDMOperationType
-		IdentifierOrName string
-	}
-
-	// only asserts the profile ID, status and operation
-	assertHostProfiles := func(want map[*fleet.Host][]anyProfile) {
-		// TODO(mna): it would help readability of this test to capture the "last
-		// state" of this call and accept the diff as the expected result, merging
-		// them together before the assertions. Would need some hackery to clear a
-		// profile from the list.
-
-		for h, wantProfs := range want {
-			var gotProfs []anyProfile
-
-			switch h.Platform {
-			case "windows":
-				profs, err := ds.GetHostMDMWindowsProfiles(ctx, h.UUID)
-				require.NoError(t, err)
-				require.Equal(t, len(wantProfs), len(profs), "host uuid: %s", h.UUID)
-				for _, p := range profs {
-					gotProfs = append(gotProfs, anyProfile{
-						ProfileUUID:      p.ProfileUUID,
-						Status:           p.Status,
-						OperationType:    p.OperationType,
-						IdentifierOrName: p.Name,
-					})
-				}
-			default:
-				profs, err := ds.GetHostMDMAppleProfiles(ctx, h.UUID)
-				require.NoError(t, err)
-				require.Equal(t, len(wantProfs), len(profs), "host uuid: %s", h.UUID)
-				for _, p := range profs {
-					gotProfs = append(gotProfs, anyProfile{
-						ProfileUUID:      p.ProfileUUID,
-						Status:           p.Status,
-						OperationType:    p.OperationType,
-						IdentifierOrName: p.Identifier,
-					})
-				}
-			}
-
-			sortProfs := func(profs []anyProfile) []anyProfile {
-				sort.Slice(profs, func(i, j int) bool {
-					l, r := profs[i], profs[j]
-					if l.ProfileUUID == r.ProfileUUID {
-						return l.OperationType < r.OperationType
-					}
-
-					// default alphabetical comparison
-					return l.IdentifierOrName < r.IdentifierOrName
-				})
-				return profs
-			}
-
-			gotProfs = sortProfs(gotProfs)
-			wantProfs = sortProfs(wantProfs)
-			for i, wp := range wantProfs {
-				gp := gotProfs[i]
-				require.Equal(
-					t,
-					wp.ProfileUUID,
-					gp.ProfileUUID,
-					"host uuid: %s, prof id or name: %s",
-					h.UUID,
-					gp.IdentifierOrName,
-				)
-				require.Equal(
-					t,
-					wp.Status,
-					gp.Status,
-					"host uuid: %s, prof id or name: %s",
-					h.UUID,
-					gp.IdentifierOrName,
-				)
-				require.Equal(
-					t,
-					wp.OperationType,
-					gp.OperationType,
-					"host uuid: %s, prof id or name: %s",
-					h.UUID,
-					gp.IdentifierOrName,
-				)
-			}
-		}
-	}
-
 	getProfs := func(teamID *uint) []*fleet.MDMConfigProfilePayload {
 		// TODO(roberto): the docs says that you can pass a comma separated
 		// list of columns to OrderKey, but that doesn't seem to work
@@ -947,7 +941,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	allHosts = append(allHosts, windowsHosts...)
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, hostIDsFromHosts(allHosts...), nil, nil, nil)
 	require.NoError(t, err)
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]:  {},
 		darwinHosts[1]:  {},
 		darwinHosts[2]:  {},
@@ -1007,7 +1001,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	// bulk set for all created hosts, enrolled hosts get the no-team profiles
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, hostIDsFromHosts(allHosts...), nil, nil, nil)
 	require.NoError(t, err)
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      globalProfiles[0].ProfileUUID,
@@ -1192,7 +1186,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 		nil,
 	)
 	require.NoError(t, err)
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      globalProfiles[0].ProfileUUID,
@@ -1363,7 +1357,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 		[]string{darwinHosts[1].UUID, windowsHosts[1].UUID},
 	)
 	require.NoError(t, err)
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      globalProfiles[0].ProfileUUID,
@@ -1519,7 +1513,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	// update status of the affected team
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team1.ID}, nil, nil)
 	require.NoError(t, err)
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      globalProfiles[0].ProfileUUID,
@@ -1710,7 +1704,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team1.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      tm1Profiles[0].ProfileUUID,
@@ -1871,7 +1865,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team1.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      newTm1Profiles[0].ProfileUUID,
@@ -2041,7 +2035,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	require.NoError(t, ds.MDMAppleStoreDDMStatusReport(ctx, darwinHosts[1].UUID, nil))
 	require.NoError(t, ds.MDMAppleStoreDDMStatusReport(ctx, darwinHosts[2].UUID, nil))
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:      globalProfiles[4].ProfileUUID,
@@ -2172,7 +2166,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, nil, []string{newDarwinProfileUUID}, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -2283,7 +2277,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, nil, []string{newWindowsProfileUUID}, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -2413,7 +2407,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID, 0}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -2620,7 +2614,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -2795,7 +2789,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -2999,7 +2993,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -3218,7 +3212,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	require.NoError(t, err)
 
 	// nothing changes - broken label-based profiles are simply ignored
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -3433,7 +3427,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -3646,7 +3640,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -3855,7 +3849,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -4054,7 +4048,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -4264,7 +4258,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -4479,7 +4473,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -4684,7 +4678,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	err = ds.BulkSetPendingMDMHostProfiles(ctx, nil, []uint{team2.ID}, nil, nil)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -4886,7 +4880,7 @@ func testBulkSetPendingMDMHostProfiles(t *testing.T, ds *Datastore) {
 	)
 	require.NoError(t, err)
 
-	assertHostProfiles(map[*fleet.Host][]anyProfile{
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
 		darwinHosts[0]: {
 			{
 				ProfileUUID:   globalProfiles[4].ProfileUUID,
@@ -5824,8 +5818,9 @@ func testBatchSetProfileLabelAssociations(t *testing.T, ds *Datastore) {
 		t,
 		batchSetProfileLabelAssociationsDB(ctx, ds.writer(ctx), wantOtherWin, "windows"),
 	)
+	// make it an "exclude" label on the other macos profile
 	wantOtherMac := []fleet.ConfigurationProfileLabel{
-		{ProfileUUID: otherMacProfile.ProfileUUID, LabelName: label.Name, LabelID: label.ID},
+		{ProfileUUID: otherMacProfile.ProfileUUID, LabelName: label.Name, LabelID: label.ID, Exclude: true},
 	}
 	require.NoError(
 		t,
@@ -5839,17 +5834,13 @@ func testBatchSetProfileLabelAssociations(t *testing.T, ds *Datastore) {
 
 	for platform, uuid := range platforms {
 		expectLabels := func(t *testing.T, profUUID, platform string, want []fleet.ConfigurationProfileLabel) {
-			if len(want) == 0 {
-				return
-			}
-
 			p := platform
 			if p == "darwin" {
 				p = "apple"
 			}
 
 			query := fmt.Sprintf(
-				"SELECT %s_profile_uuid as profile_uuid, label_id, label_name FROM mdm_configuration_profile_labels WHERE %s_profile_uuid = ?",
+				"SELECT %s_profile_uuid as profile_uuid, label_id, label_name, exclude FROM mdm_configuration_profile_labels WHERE %s_profile_uuid = ?",
 				p,
 				p,
 			)
@@ -5888,6 +5879,19 @@ func testBatchSetProfileLabelAssociations(t *testing.T, ds *Datastore) {
 			// does not change other profiles
 			expectLabels(t, otherWinProfile.ProfileUUID, "windows", wantOtherWin)
 			expectLabels(t, otherMacProfile.ProfileUUID, "darwin", wantOtherMac)
+
+			// now set it with Exclude mode
+			profileLabels = []fleet.ConfigurationProfileLabel{
+				{ProfileUUID: uuid, LabelName: label.Name, LabelID: label.ID, Exclude: true},
+			}
+			err = ds.withTx(ctx, func(tx sqlx.ExtContext) error {
+				return batchSetProfileLabelAssociationsDB(ctx, tx, profileLabels, platform)
+			})
+			require.NoError(t, err)
+			expectLabels(t, uuid, platform, profileLabels)
+			// does not change other profiles
+			expectLabels(t, otherWinProfile.ProfileUUID, "windows", wantOtherWin)
+			expectLabels(t, otherMacProfile.ProfileUUID, "darwin", wantOtherMac)
 		})
 
 		t.Run("invalid profile UUID "+platform, func(t *testing.T) {
@@ -5933,8 +5937,8 @@ func testBatchSetProfileLabelAssociations(t *testing.T, ds *Datastore) {
 
 			// apply a batch set with the new label
 			profileLabels := []fleet.ConfigurationProfileLabel{
-				{ProfileUUID: uuid, LabelName: label.Name, LabelID: label.ID},
-				{ProfileUUID: uuid, LabelName: newLabel.Name, LabelID: newLabel.ID},
+				{ProfileUUID: uuid, LabelName: label.Name, LabelID: label.ID, Exclude: true},
+				{ProfileUUID: uuid, LabelName: newLabel.Name, LabelID: newLabel.ID, Exclude: true},
 			}
 			err = ds.withTx(ctx, func(tx sqlx.ExtContext) error {
 				return batchSetProfileLabelAssociationsDB(ctx, tx, profileLabels, platform)
@@ -5943,7 +5947,7 @@ func testBatchSetProfileLabelAssociations(t *testing.T, ds *Datastore) {
 			// both are stored in the DB
 			expectLabels(t, uuid, platform, profileLabels)
 
-			// batch apply again without the newLabel
+			// batch apply again without the newLabel, and without Exclude flag
 			profileLabels = []fleet.ConfigurationProfileLabel{
 				{ProfileUUID: uuid, LabelName: label.Name, LabelID: label.ID},
 			}
@@ -6911,3 +6915,263 @@ func testIsHostConnectedToFleetMDM(t *testing.T, ds *Datastore) {
 	require.NoError(t, err)
 	require.True(t, connected)
 }
+
+func testBulkSetPendingMDMHostProfilesExcludeAny(t *testing.T, ds *Datastore) {
+	ctx := context.Background()
+
+	// create some "exclude" labels
+	var labels []*fleet.Label
+	for i := 0; i < 6; i++ {
+		lbl, err := ds.NewLabel(ctx, &fleet.Label{Name: "exclude-label-" + strconv.Itoa(i), Query: "select 1"})
+		require.NoError(t, err)
+		labels = append(labels, lbl)
+	}
+
+	// create an Apple profile, a Windows profile and an Apple Declaration with excluded labels
+	appleProfs := []*fleet.MDMAppleConfigProfile{
+		configProfileForTest(t, "A1", "A1", uuid.NewString(), labels[0], labels[1]),
+	}
+	windowsProfs := []*fleet.MDMWindowsConfigProfile{
+		windowsConfigProfileForTest(t, "W1", "W1", labels[2]),
+	}
+	appleDecls := []*fleet.MDMAppleDeclaration{
+		declForTest("D1", "D1", "{}", labels[3], labels[4], labels[5]),
+	}
+
+	err := ds.BatchSetMDMProfiles(ctx, nil, appleProfs, windowsProfs, appleDecls)
+	require.NoError(t, err)
+
+	// must reload them to get the profile/declaration uuid
+	getProfs := func(teamID *uint) []*fleet.MDMConfigProfilePayload {
+		// TODO(roberto): the docs says that you can pass a comma separated
+		// list of columns to OrderKey, but that doesn't seem to work
+		profs, _, err := ds.ListMDMConfigProfiles(ctx, teamID, fleet.ListOptions{})
+		require.NoError(t, err)
+		sort.Slice(profs, func(i, j int) bool {
+			l, r := profs[i], profs[j]
+			if l.Platform != r.Platform {
+				return l.Platform < r.Platform
+			}
+
+			return l.Name < r.Name
+		})
+		return profs
+	}
+	allProfs := getProfs(nil)
+
+	// create an Apple and Windows hosts, not members of any host
+	var i int
+	winHost, err := ds.NewHost(ctx, &fleet.Host{
+		Hostname:      fmt.Sprintf("win-host%d-name", i),
+		OsqueryHostID: ptr.String(fmt.Sprintf("osquery-%d", i)),
+		NodeKey:       ptr.String(fmt.Sprintf("nodekey-%d", i)),
+		UUID:          fmt.Sprintf("win-uuid-%d", i),
+		Platform:      "windows",
+	})
+	require.NoError(t, err)
+	windowsEnroll(t, ds, winHost)
+
+	i++
+	appleHost, err := ds.NewHost(ctx, &fleet.Host{
+		Hostname:      fmt.Sprintf("apple-host%d-name", i),
+		OsqueryHostID: ptr.String(fmt.Sprintf("osquery-%d", i)),
+		NodeKey:       ptr.String(fmt.Sprintf("nodekey-%d", i)),
+		UUID:          fmt.Sprintf("apple-uuid-%d", i),
+		Platform:      "darwin",
+	})
+	require.NoError(t, err)
+	nanoEnroll(t, ds, appleHost, false)
+
+	// do a sync, they get all platform-specific profiles since they are not part
+	// of any label
+	err = ds.BulkSetPendingMDMHostProfiles(ctx, []uint{winHost.ID, appleHost.ID}, nil, nil, nil)
+	require.NoError(t, err)
+
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
+		appleHost: {
+			{
+				ProfileUUID:      allProfs[0].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[0].Identifier,
+			},
+			{
+				ProfileUUID:      allProfs[1].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[1].Identifier,
+			},
+		},
+		winHost: {
+			{
+				ProfileUUID:      allProfs[2].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[2].Name,
+			},
+		},
+	})
+
+	// make all hosts members of labels[1], [2], and [3] so that all profiles are
+	// excluded
+	err = ds.AsyncBatchInsertLabelMembership(ctx, [][2]uint{
+		{labels[1].ID, appleHost.ID},
+		{labels[2].ID, appleHost.ID},
+		{labels[3].ID, appleHost.ID},
+		{labels[1].ID, winHost.ID},
+		{labels[2].ID, winHost.ID},
+		{labels[3].ID, winHost.ID},
+	})
+	require.NoError(t, err)
+
+	err = ds.BulkSetPendingMDMHostProfiles(ctx, []uint{winHost.ID, appleHost.ID}, nil, nil, nil)
+	require.NoError(t, err)
+
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
+		appleHost: {
+			{
+				ProfileUUID:      allProfs[0].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeRemove,
+				IdentifierOrName: allProfs[0].Identifier,
+			},
+			{
+				ProfileUUID:      allProfs[1].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeRemove,
+				IdentifierOrName: allProfs[1].Identifier,
+			},
+		},
+		// windows profiles are directly deleted without a pending state (there's no on-host removal of profiles)
+		winHost: {},
+	})
+
+	// make apple host member of labels[2], and windows host member of [3], which are irrelevant
+	// for their platforms' profiles, so they get all profiles
+	err = ds.AsyncBatchDeleteLabelMembership(ctx, [][2]uint{
+		{labels[1].ID, appleHost.ID},
+		{labels[3].ID, appleHost.ID},
+		{labels[1].ID, winHost.ID},
+		{labels[2].ID, winHost.ID},
+	})
+	require.NoError(t, err)
+
+	err = ds.BulkSetPendingMDMHostProfiles(ctx, []uint{winHost.ID, appleHost.ID}, nil, nil, nil)
+	require.NoError(t, err)
+
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
+		appleHost: {
+			{
+				ProfileUUID:      allProfs[0].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[0].Identifier,
+			},
+			{
+				ProfileUUID:      allProfs[1].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[1].Identifier,
+			},
+		},
+		winHost: {
+			{
+				ProfileUUID:      allProfs[2].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[2].Name,
+			},
+		},
+	})
+
+	// delete labels 0, 2 and 3, breaking all profiles
+	err = ds.DeleteLabel(ctx, labels[0].Name)
+	require.NoError(t, err)
+	err = ds.DeleteLabel(ctx, labels[2].Name)
+	require.NoError(t, err)
+	err = ds.DeleteLabel(ctx, labels[3].Name)
+	require.NoError(t, err)
+
+	err = ds.BulkSetPendingMDMHostProfiles(ctx, []uint{winHost.ID, appleHost.ID}, nil, nil, nil)
+	require.NoError(t, err)
+
+	// broken profiles do not get reported as "to remove"
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
+		appleHost: {
+			{
+				ProfileUUID:      allProfs[0].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[0].Identifier,
+			},
+			{
+				ProfileUUID:      allProfs[1].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[1].Identifier,
+			},
+		},
+		winHost: {
+			{
+				ProfileUUID:      allProfs[2].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[2].Name,
+			},
+		},
+	})
+
+	// create a new windows and apple host, not a member of any label
+	i++
+	winHost2, err := ds.NewHost(ctx, &fleet.Host{
+		Hostname:      fmt.Sprintf("win-host%d-name", i),
+		OsqueryHostID: ptr.String(fmt.Sprintf("osquery-%d", i)),
+		NodeKey:       ptr.String(fmt.Sprintf("nodekey-%d", i)),
+		UUID:          fmt.Sprintf("win-uuid-%d", i),
+		Platform:      "windows",
+	})
+	require.NoError(t, err)
+	windowsEnroll(t, ds, winHost2)
+
+	i++
+	appleHost2, err := ds.NewHost(ctx, &fleet.Host{
+		Hostname:      fmt.Sprintf("apple-host%d-name", i),
+		OsqueryHostID: ptr.String(fmt.Sprintf("osquery-%d", i)),
+		NodeKey:       ptr.String(fmt.Sprintf("nodekey-%d", i)),
+		UUID:          fmt.Sprintf("apple-uuid-%d", i),
+		Platform:      "darwin",
+	})
+	require.NoError(t, err)
+	nanoEnroll(t, ds, appleHost2, false)
+
+	err = ds.BulkSetPendingMDMHostProfiles(ctx, []uint{winHost.ID, appleHost.ID, winHost2.ID, appleHost2.ID}, nil, nil, nil)
+	require.NoError(t, err)
+
+	// broken profiles do not get reported as "to install"
+	assertHostProfiles(t, ds, map[*fleet.Host][]anyProfile{
+		appleHost: {
+			{
+				ProfileUUID:      allProfs[0].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[0].Identifier,
+			},
+			{
+				ProfileUUID:      allProfs[1].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[1].Identifier,
+			},
+		},
+		winHost: {
+			{
+				ProfileUUID:      allProfs[2].ProfileUUID,
+				Status:           &fleet.MDMDeliveryPending,
+				OperationType:    fleet.MDMOperationTypeInstall,
+				IdentifierOrName: allProfs[2].Name,
+			},
+		},
+		appleHost2: {},
+		winHost2:   {},
+	})
+}
diff --git a/server/datastore/mysql/microsoft_mdm.go b/server/datastore/mysql/microsoft_mdm.go
index 8ee0b0d802..b7426bff00 100644
--- a/server/datastore/mysql/microsoft_mdm.go
+++ b/server/datastore/mysql/microsoft_mdm.go
@@ -744,9 +744,12 @@ WHERE
 	if err != nil {
 		return nil, err
 	}
-	if len(labels) > 0 {
-		// ensure we leave Labels nil if there are none
-		res.Labels = labels
+	for _, lbl := range labels {
+		if lbl.Exclude {
+			res.LabelsExcludeAny = append(res.LabelsExcludeAny, lbl)
+		} else {
+			res.LabelsIncludeAll = append(res.LabelsIncludeAll, lbl)
+		}
 	}
 
 	return &res, nil
@@ -1127,6 +1130,7 @@ const windowsMDMProfilesDesiredStateQuery = `
 		mwcp.name,
 		h.uuid as host_uuid,
 		0 as count_profile_labels,
+		0 as count_non_broken_labels,
 		0 as count_host_labels
 	FROM
 		mdm_windows_configuration_profiles mwcp
@@ -1145,12 +1149,15 @@ const windowsMDMProfilesDesiredStateQuery = `
 
 	UNION
 
-	-- label-based profiles
+	-- label-based profiles where the host is a member of all the labels (include-all).
+	-- by design, "include" labels cannot match if they are broken (the host cannot be
+	-- a member of a deleted label).
 	SELECT
 		mwcp.profile_uuid,
 		mwcp.name,
 		h.uuid as host_uuid,
 		COUNT(*) as count_profile_labels,
+		COUNT(mcpl.label_id) as count_non_broken_labels,
 		COUNT(lm.label_id) as count_host_labels
 	FROM
 		mdm_windows_configuration_profiles mwcp
@@ -1159,7 +1166,7 @@ const windowsMDMProfilesDesiredStateQuery = `
 			JOIN mdm_windows_enrollments mwe
 				ON mwe.host_uuid = h.uuid
 			JOIN mdm_configuration_profile_labels mcpl
-				ON mcpl.windows_profile_uuid = mwcp.profile_uuid
+				ON mcpl.windows_profile_uuid = mwcp.profile_uuid AND mcpl.exclude = 0
 			LEFT OUTER JOIN label_membership lm
 				ON lm.label_id = mcpl.label_id AND lm.host_id = h.id
 	WHERE
@@ -1169,6 +1176,36 @@ const windowsMDMProfilesDesiredStateQuery = `
 		mwcp.profile_uuid, mwcp.name, h.uuid
 	HAVING
 		count_profile_labels > 0 AND count_host_labels = count_profile_labels
+
+	UNION
+
+	-- label-based entities where the host is NOT a member of any of the labels (exclude-any).
+	-- explicitly ignore profiles with broken excluded labels so that they are never applied.
+	SELECT
+		mwcp.profile_uuid,
+		mwcp.name,
+		h.uuid as host_uuid,
+		COUNT(*) as count_profile_labels,
+		COUNT(mcpl.label_id) as count_non_broken_labels,
+		COUNT(lm.label_id) as count_host_labels
+	FROM
+		mdm_windows_configuration_profiles mwcp
+			JOIN hosts h
+				ON h.team_id = mwcp.team_id OR (h.team_id IS NULL AND mwcp.team_id = 0)
+			JOIN mdm_windows_enrollments mwe
+				ON mwe.host_uuid = h.uuid
+			JOIN mdm_configuration_profile_labels mcpl
+				ON mcpl.windows_profile_uuid = mwcp.profile_uuid AND mcpl.exclude = 1
+			LEFT OUTER JOIN label_membership lm
+				ON lm.label_id = mcpl.label_id AND lm.host_id = h.id
+	WHERE
+		h.platform = 'windows' AND
+		( %s )
+	GROUP BY
+		mwcp.profile_uuid, mwcp.name, h.uuid
+	HAVING
+		-- considers only the profiles with labels, without any broken label, and with the host not in any label
+		count_profile_labels > 0 AND count_profile_labels = count_non_broken_labels AND count_host_labels = 0
 `
 
 func (ds *Datastore) ListMDMWindowsProfilesToInstall(ctx context.Context) ([]*fleet.MDMWindowsProfilePayload, error) {
@@ -1235,9 +1272,9 @@ func listMDMWindowsProfilesToInstallDB(
 
 	var err error
 	args := []any{fleet.MDMOperationTypeInstall}
-	query = fmt.Sprintf(query, hostFilter, hostFilter)
+	query = fmt.Sprintf(query, hostFilter, hostFilter, hostFilter)
 	if len(hostUUIDs) > 0 {
-		query, args, err = sqlx.In(query, hostUUIDs, hostUUIDs, fleet.MDMOperationTypeInstall)
+		query, args, err = sqlx.In(query, hostUUIDs, hostUUIDs, hostUUIDs, fleet.MDMOperationTypeInstall)
 		if err != nil {
 			return nil, ctxerr.Wrap(ctx, err, "building sqlx.In")
 		}
@@ -1306,6 +1343,7 @@ func listMDMWindowsProfilesToRemoveDB(
 		-- TODO(mna): why don't we have the same exception for "remove" operations as for Apple
 
 		-- except "would be removed" profiles if they are a broken label-based profile
+		-- (regardless of if it is an include-all or exclude-any label)
 		NOT EXISTS (
 			SELECT 1
 			FROM mdm_configuration_profile_labels mcpl
@@ -1314,7 +1352,7 @@ func listMDMWindowsProfilesToRemoveDB(
 				mcpl.label_id IS NULL
 		) AND
 		(%s)
-`, fmt.Sprintf(windowsMDMProfilesDesiredStateQuery, "TRUE", "TRUE"), hostFilter)
+`, fmt.Sprintf(windowsMDMProfilesDesiredStateQuery, "TRUE", "TRUE", "TRUE"), hostFilter)
 
 	var err error
 	var args []any
@@ -1533,10 +1571,17 @@ INSERT INTO
 			}
 		}
 
-		for i := range cp.Labels {
-			cp.Labels[i].ProfileUUID = profileUUID
+		labels := make([]fleet.ConfigurationProfileLabel, 0, len(cp.LabelsIncludeAll)+len(cp.LabelsExcludeAny))
+		for i := range cp.LabelsIncludeAll {
+			cp.LabelsIncludeAll[i].ProfileUUID = profileUUID
+			labels = append(labels, cp.LabelsIncludeAll[i])
 		}
-		if err := batchSetProfileLabelAssociationsDB(ctx, tx, cp.Labels, "windows"); err != nil {
+		for i := range cp.LabelsExcludeAny {
+			cp.LabelsExcludeAny[i].ProfileUUID = profileUUID
+			cp.LabelsExcludeAny[i].Exclude = true
+			labels = append(labels, cp.LabelsExcludeAny[i])
+		}
+		if err := batchSetProfileLabelAssociationsDB(ctx, tx, labels, "windows"); err != nil {
 			return ctxerr.Wrap(ctx, err, "inserting windows profile label associations")
 		}
 
@@ -1767,10 +1812,15 @@ ON DUPLICATE KEY UPDATE
 				return ctxerr.Wrapf(ctx, err, "profile %q is in the database but was not incoming", newlyInsertedProf.Name)
 			}
 
-			for _, label := range incomingProf.Labels {
+			for _, label := range incomingProf.LabelsIncludeAll {
 				label.ProfileUUID = newlyInsertedProf.ProfileUUID
 				incomingLabels = append(incomingLabels, label)
 			}
+			for _, label := range incomingProf.LabelsExcludeAny {
+				label.ProfileUUID = newlyInsertedProf.ProfileUUID
+				label.Exclude = true
+				incomingLabels = append(incomingLabels, label)
+			}
 		}
 	}
 
diff --git a/server/datastore/mysql/microsoft_mdm_test.go b/server/datastore/mysql/microsoft_mdm_test.go
index 06cdb895dd..02a4c9d149 100644
--- a/server/datastore/mysql/microsoft_mdm_test.go
+++ b/server/datastore/mysql/microsoft_mdm_test.go
@@ -1805,10 +1805,10 @@ func testMDMWindowsConfigProfiles(t *testing.T, ds *Datastore) {
 	_, err = ds.NewMDMWindowsConfigProfile(
 		ctx,
 		fleet.MDMWindowsConfigProfile{
-			Name:   "fake-labels",
-			TeamID: nil,
-			SyncML: []byte("<Replace></Replace>"),
-			Labels: []fleet.ConfigurationProfileLabel{{LabelName: "foo", LabelID: 1}},
+			Name:             "fake-labels",
+			TeamID:           nil,
+			SyncML:           []byte("<Replace></Replace>"),
+			LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{LabelName: "foo", LabelID: 1}},
 		})
 	require.NotNil(t, err)
 	require.True(t, fleet.IsForeignKey(err))
@@ -1825,10 +1825,10 @@ func testMDMWindowsConfigProfiles(t *testing.T, ds *Datastore) {
 	profWithLabel, err := ds.NewMDMWindowsConfigProfile(
 		ctx,
 		fleet.MDMWindowsConfigProfile{
-			Name:   "with-labels",
-			TeamID: nil,
-			SyncML: []byte("<Replace></Replace>"),
-			Labels: []fleet.ConfigurationProfileLabel{{LabelName: label.Name, LabelID: label.ID}},
+			Name:             "with-labels",
+			TeamID:           nil,
+			SyncML:           []byte("<Replace></Replace>"),
+			LabelsIncludeAll: []fleet.ConfigurationProfileLabel{{LabelName: label.Name, LabelID: label.ID}},
 		})
 	require.NoError(t, err)
 	require.NotEmpty(t, profWithLabel.ProfileUUID)
@@ -1836,20 +1836,20 @@ func testMDMWindowsConfigProfiles(t *testing.T, ds *Datastore) {
 	// get that profile with label
 	prof, err := ds.GetMDMWindowsConfigProfile(ctx, profWithLabel.ProfileUUID)
 	require.NoError(t, err)
-	require.Len(t, prof.Labels, 1)
-	require.Equal(t, label.Name, prof.Labels[0].LabelName)
-	require.Equal(t, label.ID, prof.Labels[0].LabelID)
-	require.False(t, prof.Labels[0].Broken)
+	require.Len(t, prof.LabelsIncludeAll, 1)
+	require.Equal(t, label.Name, prof.LabelsIncludeAll[0].LabelName)
+	require.Equal(t, label.ID, prof.LabelsIncludeAll[0].LabelID)
+	require.False(t, prof.LabelsIncludeAll[0].Broken)
 
 	// break that profile by deleting the label
 	require.NoError(t, ds.DeleteLabel(ctx, label.Name))
 
 	prof, err = ds.GetMDMWindowsConfigProfile(ctx, profWithLabel.ProfileUUID)
 	require.NoError(t, err)
-	require.Len(t, prof.Labels, 1)
-	require.Equal(t, label.Name, prof.Labels[0].LabelName)
-	require.Zero(t, prof.Labels[0].LabelID)
-	require.True(t, prof.Labels[0].Broken)
+	require.Len(t, prof.LabelsIncludeAll, 1)
+	require.Equal(t, label.Name, prof.LabelsIncludeAll[0].LabelName)
+	require.Zero(t, prof.LabelsIncludeAll[0].LabelID)
+	require.True(t, prof.LabelsIncludeAll[0].Broken)
 
 	_, err = ds.GetMDMWindowsConfigProfile(ctx, "not-valid")
 	require.Error(t, err)
@@ -1864,7 +1864,7 @@ func testMDMWindowsConfigProfiles(t *testing.T, ds *Datastore) {
 	require.Equal(t, "<Replace></Replace>", string(prof.SyncML))
 	require.NotZero(t, prof.CreatedAt)
 	require.NotZero(t, prof.UploadedAt)
-	require.Nil(t, prof.Labels)
+	require.Nil(t, prof.LabelsIncludeAll)
 
 	err = ds.DeleteMDMWindowsConfigProfile(ctx, "not-valid")
 	require.Error(t, err)
@@ -2125,6 +2125,8 @@ func testBatchSetMDMWindowsProfiles(t *testing.T, ds *Datastore) {
 	applyAndExpect(nil, ptr.Uint(1), nil)
 }
 
+// if the label name starts with "exclude-", the label is considered an "exclude-any", otherwise
+// it is an "include-all".
 func windowsConfigProfileForTest(t *testing.T, name, locURI string, labels ...*fleet.Label) *fleet.MDMWindowsConfigProfile {
 	prof := &fleet.MDMWindowsConfigProfile{
 		Name: name,
@@ -2140,7 +2142,11 @@ func windowsConfigProfileForTest(t *testing.T, name, locURI string, labels ...*f
 	}
 
 	for _, lbl := range labels {
-		prof.Labels = append(prof.Labels, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		if strings.HasPrefix(lbl.Name, "exclude-") {
+			prof.LabelsExcludeAny = append(prof.LabelsExcludeAny, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		} else {
+			prof.LabelsIncludeAll = append(prof.LabelsIncludeAll, fleet.ConfigurationProfileLabel{LabelName: lbl.Name, LabelID: lbl.ID})
+		}
 	}
 
 	return prof
diff --git a/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations.go b/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations.go
new file mode 100644
index 0000000000..e78d7a8662
--- /dev/null
+++ b/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations.go
@@ -0,0 +1,27 @@
+package tables
+
+import (
+	"database/sql"
+	"fmt"
+)
+
+func init() {
+	MigrationClient.AddMigration(Up_20240703154849, Down_20240703154849)
+}
+
+func Up_20240703154849(tx *sql.Tx) error {
+	_, err := tx.Exec(`ALTER TABLE mdm_configuration_profile_labels ADD COLUMN exclude TINYINT(1) NOT NULL DEFAULT 0`)
+	if err != nil {
+		return fmt.Errorf("failed to add exclude boolean to mdm_configuration_profile_labels: %w", err)
+	}
+
+	_, err = tx.Exec(`ALTER TABLE mdm_declaration_labels ADD COLUMN exclude TINYINT(1) NOT NULL DEFAULT 0`)
+	if err != nil {
+		return fmt.Errorf("failed to add exclude boolean to mdm_declaration_labels: %w", err)
+	}
+	return nil
+}
+
+func Down_20240703154849(tx *sql.Tx) error {
+	return nil
+}
diff --git a/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations_test.go b/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations_test.go
new file mode 100644
index 0000000000..92a8f6f9f4
--- /dev/null
+++ b/server/datastore/mysql/migrations/tables/20240703154849_AddExcludeLabelToMDMProfilesAndDeclarations_test.go
@@ -0,0 +1,64 @@
+package tables
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUp_20240703154849(t *testing.T) {
+	db := applyUpToPrev(t)
+
+	// create an MDM profile and an MDM declaration
+	profStmt := `
+INSERT INTO
+    mdm_apple_configuration_profiles (team_id, identifier, name, mobileconfig, profile_uuid, checksum)
+VALUES (?, ?, ?, ?, ?, ?)`
+
+	profUUID := uuid.NewString()
+	mcBytes := []byte(`<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+</dict>
+</plist>
+`)
+
+	_, err := db.Exec(profStmt, 0, "TestPayloadIdentifier", "TestPayloadName", mcBytes, profUUID, "ABCD")
+	require.NoError(t, err)
+
+	declStmt := `
+INSERT INTO
+	mdm_apple_declarations (declaration_uuid, team_id, identifier, name, raw_json, checksum)
+VALUES (?, ?, ?, ?, ?, ?)`
+
+	declUUID := uuid.NewString()
+	_, err = db.Exec(declStmt, declUUID, 0, "TestDecl", "TestDecl", `{}`, "abcd")
+	require.NoError(t, err)
+
+	// create a couple labels
+	idlA := execNoErrLastID(t, db, `INSERT INTO labels (name, query) VALUES ('LA', 'select 1')`)
+	idlB := execNoErrLastID(t, db, `INSERT INTO labels (name, query) VALUES ('LB', 'select 1')`)
+
+	// finally we can create the MDM profile label and MDM declaration label entries
+	profLblID := execNoErrLastID(t, db, `INSERT INTO mdm_configuration_profile_labels (apple_profile_uuid, label_name, label_id) VALUES (?, ?, ?)`,
+		profUUID, "LA", idlA)
+	declLblID := execNoErrLastID(t, db, `INSERT INTO mdm_declaration_labels (apple_declaration_uuid, label_name, label_id) VALUES (?, ?, ?)`,
+		declUUID, "LB", idlB)
+
+	// Apply current migration.
+	applyNext(t, db)
+
+	// check that the "exclude" flag is false in the DB (set it to true to verify
+	// that it did scan from the DB)
+	exclude := true
+	err = db.Get(&exclude, "SELECT exclude FROM mdm_configuration_profile_labels WHERE id = ?", profLblID)
+	require.NoError(t, err)
+	require.False(t, exclude)
+
+	exclude = true
+	err = db.Get(&exclude, "SELECT exclude FROM mdm_declaration_labels WHERE id = ?", declLblID)
+	require.NoError(t, err)
+	require.False(t, exclude)
+}
diff --git a/server/datastore/mysql/schema.sql b/server/datastore/mysql/schema.sql
index b659e2c51d..2b5d5bd1b8 100644
--- a/server/datastore/mysql/schema.sql
+++ b/server/datastore/mysql/schema.sql
@@ -842,6 +842,7 @@ CREATE TABLE `mdm_configuration_profile_labels` (
   `label_id` int(10) unsigned DEFAULT NULL,
   `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
   `updated_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  `exclude` tinyint(1) NOT NULL DEFAULT '0',
   PRIMARY KEY (`id`),
   UNIQUE KEY `idx_mdm_configuration_profile_labels_apple_label_name` (`apple_profile_uuid`,`label_name`),
   UNIQUE KEY `idx_mdm_configuration_profile_labels_windows_label_name` (`windows_profile_uuid`,`label_name`),
@@ -860,6 +861,7 @@ CREATE TABLE `mdm_declaration_labels` (
   `label_id` int(10) unsigned DEFAULT NULL,
   `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
   `uploaded_at` timestamp NULL DEFAULT NULL,
+  `exclude` tinyint(1) NOT NULL DEFAULT '0',
   PRIMARY KEY (`id`),
   UNIQUE KEY `idx_mdm_declaration_labels_label_name` (`apple_declaration_uuid`,`label_name`),
   KEY `label_id` (`label_id`),
@@ -941,9 +943,9 @@ CREATE TABLE `migration_status_tables` (
   `tstamp` timestamp NULL DEFAULT CURRENT_TIMESTAMP,
   PRIMARY KEY (`id`),
   UNIQUE KEY `id` (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=277 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+) ENGINE=InnoDB AUTO_INCREMENT=278 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
-INSERT INTO `migration_status_tables` VALUES (1,0,1,'2020-01-01 01:01:01'),(2,20161118193812,1,'2020-01-01 01:01:01'),(3,20161118211713,1,'2020-01-01 01:01:01'),(4,20161118212436,1,'2020-01-01 01:01:01'),(5,20161118212515,1,'2020-01-01 01:01:01'),(6,20161118212528,1,'2020-01-01 01:01:01'),(7,20161118212538,1,'2020-01-01 01:01:01'),(8,20161118212549,1,'2020-01-01 01:01:01'),(9,20161118212557,1,'2020-01-01 01:01:01'),(10,20161118212604,1,'2020-01-01 01:01:01'),(11,20161118212613,1,'2020-01-01 01:01:01'),(12,20161118212621,1,'2020-01-01 01:01:01'),(13,20161118212630,1,'2020-01-01 01:01:01'),(14,20161118212641,1,'2020-01-01 01:01:01'),(15,20161118212649,1,'2020-01-01 01:01:01'),(16,20161118212656,1,'2020-01-01 01:01:01'),(17,20161118212758,1,'2020-01-01 01:01:01'),(18,20161128234849,1,'2020-01-01 01:01:01'),(19,20161230162221,1,'2020-01-01 01:01:01'),(20,20170104113816,1,'2020-01-01 01:01:01'),(21,20170105151732,1,'2020-01-01 01:01:01'),(22,20170108191242,1,'2020-01-01 01:01:01'),(23,20170109094020,1,'2020-01-01 01:01:01'),(24,20170109130438,1,'2020-01-01 01:01:01'),(25,20170110202752,1,'2020-01-01 01:01:01'),(26,20170111133013,1,'2020-01-01 01:01:01'),(27,20170117025759,1,'2020-01-01 01:01:01'),(28,20170118191001,1,'2020-01-01 01:01:01'),(29,20170119234632,1,'2020-01-01 01:01:01'),(30,20170124230432,1,'2020-01-01 01:01:01'),(31,20170127014618,1,'2020-01-01 01:01:01'),(32,20170131232841,1,'2020-01-01 01:01:01'),(33,20170223094154,1,'2020-01-01 01:01:01'),(34,20170306075207,1,'2020-01-01 01:01:01'),(35,20170309100733,1,'2020-01-01 01:01:01'),(36,20170331111922,1,'2020-01-01 01:01:01'),(37,20170502143928,1,'2020-01-01 01:01:01'),(38,20170504130602,1,'2020-01-01 01:01:01'),(39,20170509132100,1,'2020-01-01 01:01:01'),(40,20170519105647,1,'2020-01-01 01:01:01'),(41,20170519105648,1,'2020-01-01 01:01:01'),(42,20170831234300,1,'2020-01-01 01:01:01'),(43,20170831234301,1,'2020-01-01 01:01:01'),(44,20170831234303,1,'2020-01-01 01:01:01'),(45,20171116163618,1,'2020-01-01 01:01:01'),(46,20171219164727,1,'2020-01-01 01:01:01'),(47,20180620164811,1,'2020-01-01 01:01:01'),(48,20180620175054,1,'2020-01-01 01:01:01'),(49,20180620175055,1,'2020-01-01 01:01:01'),(50,20191010101639,1,'2020-01-01 01:01:01'),(51,20191010155147,1,'2020-01-01 01:01:01'),(52,20191220130734,1,'2020-01-01 01:01:01'),(53,20200311140000,1,'2020-01-01 01:01:01'),(54,20200405120000,1,'2020-01-01 01:01:01'),(55,20200407120000,1,'2020-01-01 01:01:01'),(56,20200420120000,1,'2020-01-01 01:01:01'),(57,20200504120000,1,'2020-01-01 01:01:01'),(58,20200512120000,1,'2020-01-01 01:01:01'),(59,20200707120000,1,'2020-01-01 01:01:01'),(60,20201011162341,1,'2020-01-01 01:01:01'),(61,20201021104586,1,'2020-01-01 01:01:01'),(62,20201102112520,1,'2020-01-01 01:01:01'),(63,20201208121729,1,'2020-01-01 01:01:01'),(64,20201215091637,1,'2020-01-01 01:01:01'),(65,20210119174155,1,'2020-01-01 01:01:01'),(66,20210326182902,1,'2020-01-01 01:01:01'),(67,20210421112652,1,'2020-01-01 01:01:01'),(68,20210506095025,1,'2020-01-01 01:01:01'),(69,20210513115729,1,'2020-01-01 01:01:01'),(70,20210526113559,1,'2020-01-01 01:01:01'),(71,20210601000001,1,'2020-01-01 01:01:01'),(72,20210601000002,1,'2020-01-01 01:01:01'),(73,20210601000003,1,'2020-01-01 01:01:01'),(74,20210601000004,1,'2020-01-01 01:01:01'),(75,20210601000005,1,'2020-01-01 01:01:01'),(76,20210601000006,1,'2020-01-01 01:01:01'),(77,20210601000007,1,'2020-01-01 01:01:01'),(78,20210601000008,1,'2020-01-01 01:01:01'),(79,20210606151329,1,'2020-01-01 01:01:01'),(80,20210616163757,1,'2020-01-01 01:01:01'),(81,20210617174723,1,'2020-01-01 01:01:01'),(82,20210622160235,1,'2020-01-01 01:01:01'),(83,20210623100031,1,'2020-01-01 01:01:01'),(84,20210623133615,1,'2020-01-01 01:01:01'),(85,20210708143152,1,'2020-01-01 01:01:01'),(86,20210709124443,1,'2020-01-01 01:01:01'),(87,20210712155608,1,'2020-01-01 01:01:01'),(88,20210714102108,1,'2020-01-01 01:01:01'),(89,20210719153709,1,'2020-01-01 01:01:01'),(90,20210721171531,1,'2020-01-01 01:01:01'),(91,20210723135713,1,'2020-01-01 01:01:01'),(92,20210802135933,1,'2020-01-01 01:01:01'),(93,20210806112844,1,'2020-01-01 01:01:01'),(94,20210810095603,1,'2020-01-01 01:01:01'),(95,20210811150223,1,'2020-01-01 01:01:01'),(96,20210818151827,1,'2020-01-01 01:01:01'),(97,20210818151828,1,'2020-01-01 01:01:01'),(98,20210818182258,1,'2020-01-01 01:01:01'),(99,20210819131107,1,'2020-01-01 01:01:01'),(100,20210819143446,1,'2020-01-01 01:01:01'),(101,20210903132338,1,'2020-01-01 01:01:01'),(102,20210915144307,1,'2020-01-01 01:01:01'),(103,20210920155130,1,'2020-01-01 01:01:01'),(104,20210927143115,1,'2020-01-01 01:01:01'),(105,20210927143116,1,'2020-01-01 01:01:01'),(106,20211013133706,1,'2020-01-01 01:01:01'),(107,20211013133707,1,'2020-01-01 01:01:01'),(108,20211102135149,1,'2020-01-01 01:01:01'),(109,20211109121546,1,'2020-01-01 01:01:01'),(110,20211110163320,1,'2020-01-01 01:01:01'),(111,20211116184029,1,'2020-01-01 01:01:01'),(112,20211116184030,1,'2020-01-01 01:01:01'),(113,20211202092042,1,'2020-01-01 01:01:01'),(114,20211202181033,1,'2020-01-01 01:01:01'),(115,20211207161856,1,'2020-01-01 01:01:01'),(116,20211216131203,1,'2020-01-01 01:01:01'),(117,20211221110132,1,'2020-01-01 01:01:01'),(118,20220107155700,1,'2020-01-01 01:01:01'),(119,20220125105650,1,'2020-01-01 01:01:01'),(120,20220201084510,1,'2020-01-01 01:01:01'),(121,20220208144830,1,'2020-01-01 01:01:01'),(122,20220208144831,1,'2020-01-01 01:01:01'),(123,20220215152203,1,'2020-01-01 01:01:01'),(124,20220223113157,1,'2020-01-01 01:01:01'),(125,20220307104655,1,'2020-01-01 01:01:01'),(126,20220309133956,1,'2020-01-01 01:01:01'),(127,20220316155700,1,'2020-01-01 01:01:01'),(128,20220323152301,1,'2020-01-01 01:01:01'),(129,20220330100659,1,'2020-01-01 01:01:01'),(130,20220404091216,1,'2020-01-01 01:01:01'),(131,20220419140750,1,'2020-01-01 01:01:01'),(132,20220428140039,1,'2020-01-01 01:01:01'),(133,20220503134048,1,'2020-01-01 01:01:01'),(134,20220524102918,1,'2020-01-01 01:01:01'),(135,20220526123327,1,'2020-01-01 01:01:01'),(136,20220526123328,1,'2020-01-01 01:01:01'),(137,20220526123329,1,'2020-01-01 01:01:01'),(138,20220608113128,1,'2020-01-01 01:01:01'),(139,20220627104817,1,'2020-01-01 01:01:01'),(140,20220704101843,1,'2020-01-01 01:01:01'),(141,20220708095046,1,'2020-01-01 01:01:01'),(142,20220713091130,1,'2020-01-01 01:01:01'),(143,20220802135510,1,'2020-01-01 01:01:01'),(144,20220818101352,1,'2020-01-01 01:01:01'),(145,20220822161445,1,'2020-01-01 01:01:01'),(146,20220831100036,1,'2020-01-01 01:01:01'),(147,20220831100151,1,'2020-01-01 01:01:01'),(148,20220908181826,1,'2020-01-01 01:01:01'),(149,20220914154915,1,'2020-01-01 01:01:01'),(150,20220915165115,1,'2020-01-01 01:01:01'),(151,20220915165116,1,'2020-01-01 01:01:01'),(152,20220928100158,1,'2020-01-01 01:01:01'),(153,20221014084130,1,'2020-01-01 01:01:01'),(154,20221027085019,1,'2020-01-01 01:01:01'),(155,20221101103952,1,'2020-01-01 01:01:01'),(156,20221104144401,1,'2020-01-01 01:01:01'),(157,20221109100749,1,'2020-01-01 01:01:01'),(158,20221115104546,1,'2020-01-01 01:01:01'),(159,20221130114928,1,'2020-01-01 01:01:01'),(160,20221205112142,1,'2020-01-01 01:01:01'),(161,20221216115820,1,'2020-01-01 01:01:01'),(162,20221220195934,1,'2020-01-01 01:01:01'),(163,20221220195935,1,'2020-01-01 01:01:01'),(164,20221223174807,1,'2020-01-01 01:01:01'),(165,20221227163855,1,'2020-01-01 01:01:01'),(166,20221227163856,1,'2020-01-01 01:01:01'),(167,20230202224725,1,'2020-01-01 01:01:01'),(168,20230206163608,1,'2020-01-01 01:01:01'),(169,20230214131519,1,'2020-01-01 01:01:01'),(170,20230303135738,1,'2020-01-01 01:01:01'),(171,20230313135301,1,'2020-01-01 01:01:01'),(172,20230313141819,1,'2020-01-01 01:01:01'),(173,20230315104937,1,'2020-01-01 01:01:01'),(174,20230317173844,1,'2020-01-01 01:01:01'),(175,20230320133602,1,'2020-01-01 01:01:01'),(176,20230330100011,1,'2020-01-01 01:01:01'),(177,20230330134823,1,'2020-01-01 01:01:01'),(178,20230405232025,1,'2020-01-01 01:01:01'),(179,20230408084104,1,'2020-01-01 01:01:01'),(180,20230411102858,1,'2020-01-01 01:01:01'),(181,20230421155932,1,'2020-01-01 01:01:01'),(182,20230425082126,1,'2020-01-01 01:01:01'),(183,20230425105727,1,'2020-01-01 01:01:01'),(184,20230501154913,1,'2020-01-01 01:01:01'),(185,20230503101418,1,'2020-01-01 01:01:01'),(186,20230515144206,1,'2020-01-01 01:01:01'),(187,20230517140952,1,'2020-01-01 01:01:01'),(188,20230517152807,1,'2020-01-01 01:01:01'),(189,20230518114155,1,'2020-01-01 01:01:01'),(190,20230520153236,1,'2020-01-01 01:01:01'),(191,20230525151159,1,'2020-01-01 01:01:01'),(192,20230530122103,1,'2020-01-01 01:01:01'),(193,20230602111827,1,'2020-01-01 01:01:01'),(194,20230608103123,1,'2020-01-01 01:01:01'),(195,20230629140529,1,'2020-01-01 01:01:01'),(196,20230629140530,1,'2020-01-01 01:01:01'),(197,20230711144622,1,'2020-01-01 01:01:01'),(198,20230721135421,1,'2020-01-01 01:01:01'),(199,20230721161508,1,'2020-01-01 01:01:01'),(200,20230726115701,1,'2020-01-01 01:01:01'),(201,20230807100822,1,'2020-01-01 01:01:01'),(202,20230814150442,1,'2020-01-01 01:01:01'),(203,20230823122728,1,'2020-01-01 01:01:01'),(204,20230906152143,1,'2020-01-01 01:01:01'),(205,20230911163618,1,'2020-01-01 01:01:01'),(206,20230912101759,1,'2020-01-01 01:01:01'),(207,20230915101341,1,'2020-01-01 01:01:01'),(208,20230918132351,1,'2020-01-01 01:01:01'),(209,20231004144339,1,'2020-01-01 01:01:01'),(210,20231009094541,1,'2020-01-01 01:01:01'),(211,20231009094542,1,'2020-01-01 01:01:01'),(212,20231009094543,1,'2020-01-01 01:01:01'),(213,20231009094544,1,'2020-01-01 01:01:01'),(214,20231016091915,1,'2020-01-01 01:01:01'),(215,20231024174135,1,'2020-01-01 01:01:01'),(216,20231025120016,1,'2020-01-01 01:01:01'),(217,20231025160156,1,'2020-01-01 01:01:01'),(218,20231031165350,1,'2020-01-01 01:01:01'),(219,20231106144110,1,'2020-01-01 01:01:01'),(220,20231107130934,1,'2020-01-01 01:01:01'),(221,20231109115838,1,'2020-01-01 01:01:01'),(222,20231121054530,1,'2020-01-01 01:01:01'),(223,20231122101320,1,'2020-01-01 01:01:01'),(224,20231130132828,1,'2020-01-01 01:01:01'),(225,20231130132931,1,'2020-01-01 01:01:01'),(226,20231204155427,1,'2020-01-01 01:01:01'),(227,20231206142340,1,'2020-01-01 01:01:01'),(228,20231207102320,1,'2020-01-01 01:01:01'),(229,20231207102321,1,'2020-01-01 01:01:01'),(230,20231207133731,1,'2020-01-01 01:01:01'),(231,20231212094238,1,'2020-01-01 01:01:01'),(232,20231212095734,1,'2020-01-01 01:01:01'),(233,20231212161121,1,'2020-01-01 01:01:01'),(234,20231215122713,1,'2020-01-01 01:01:01'),(235,20231219143041,1,'2020-01-01 01:01:01'),(236,20231224070653,1,'2020-01-01 01:01:01'),(237,20240110134315,1,'2020-01-01 01:01:01'),(238,20240119091637,1,'2020-01-01 01:01:01'),(239,20240126020642,1,'2020-01-01 01:01:01'),(240,20240126020643,1,'2020-01-01 01:01:01'),(241,20240129162819,1,'2020-01-01 01:01:01'),(242,20240130115133,1,'2020-01-01 01:01:01'),(243,20240131083822,1,'2020-01-01 01:01:01'),(244,20240205095928,1,'2020-01-01 01:01:01'),(245,20240205121956,1,'2020-01-01 01:01:01'),(246,20240209110212,1,'2020-01-01 01:01:01'),(247,20240212111533,1,'2020-01-01 01:01:01'),(248,20240221112844,1,'2020-01-01 01:01:01'),(249,20240222073518,1,'2020-01-01 01:01:01'),(250,20240222135115,1,'2020-01-01 01:01:01'),(251,20240226082255,1,'2020-01-01 01:01:01'),(252,20240228082706,1,'2020-01-01 01:01:01'),(253,20240301173035,1,'2020-01-01 01:01:01'),(254,20240302111134,1,'2020-01-01 01:01:01'),(255,20240312103753,1,'2020-01-01 01:01:01'),(256,20240313143416,1,'2020-01-01 01:01:01'),(257,20240314085226,1,'2020-01-01 01:01:01'),(258,20240314151747,1,'2020-01-01 01:01:01'),(259,20240320145650,1,'2020-01-01 01:01:01'),(260,20240327115530,1,'2020-01-01 01:01:01'),(261,20240327115617,1,'2020-01-01 01:01:01'),(262,20240408085837,1,'2020-01-01 01:01:01'),(263,20240415104633,1,'2020-01-01 01:01:01'),(264,20240430111727,1,'2020-01-01 01:01:01'),(265,20240515200020,1,'2020-01-01 01:01:01'),(266,20240521143023,1,'2020-01-01 01:01:01'),(267,20240521143024,1,'2020-01-01 01:01:01'),(268,20240601174138,1,'2020-01-01 01:01:01'),(269,20240607133721,1,'2020-01-01 01:01:01'),(270,20240612150059,1,'2020-01-01 01:01:01'),(271,20240613162201,1,'2020-01-01 01:01:01'),(272,20240613172616,1,'2020-01-01 01:01:01'),(273,20240618142419,1,'2020-01-01 01:01:01'),(274,20240625093543,1,'2020-01-01 01:01:01'),(275,20240626195531,1,'2020-01-01 01:01:01'),(276,20240702123921,1,'2020-01-01 01:01:01');
+INSERT INTO `migration_status_tables` VALUES (1,0,1,'2020-01-01 01:01:01'),(2,20161118193812,1,'2020-01-01 01:01:01'),(3,20161118211713,1,'2020-01-01 01:01:01'),(4,20161118212436,1,'2020-01-01 01:01:01'),(5,20161118212515,1,'2020-01-01 01:01:01'),(6,20161118212528,1,'2020-01-01 01:01:01'),(7,20161118212538,1,'2020-01-01 01:01:01'),(8,20161118212549,1,'2020-01-01 01:01:01'),(9,20161118212557,1,'2020-01-01 01:01:01'),(10,20161118212604,1,'2020-01-01 01:01:01'),(11,20161118212613,1,'2020-01-01 01:01:01'),(12,20161118212621,1,'2020-01-01 01:01:01'),(13,20161118212630,1,'2020-01-01 01:01:01'),(14,20161118212641,1,'2020-01-01 01:01:01'),(15,20161118212649,1,'2020-01-01 01:01:01'),(16,20161118212656,1,'2020-01-01 01:01:01'),(17,20161118212758,1,'2020-01-01 01:01:01'),(18,20161128234849,1,'2020-01-01 01:01:01'),(19,20161230162221,1,'2020-01-01 01:01:01'),(20,20170104113816,1,'2020-01-01 01:01:01'),(21,20170105151732,1,'2020-01-01 01:01:01'),(22,20170108191242,1,'2020-01-01 01:01:01'),(23,20170109094020,1,'2020-01-01 01:01:01'),(24,20170109130438,1,'2020-01-01 01:01:01'),(25,20170110202752,1,'2020-01-01 01:01:01'),(26,20170111133013,1,'2020-01-01 01:01:01'),(27,20170117025759,1,'2020-01-01 01:01:01'),(28,20170118191001,1,'2020-01-01 01:01:01'),(29,20170119234632,1,'2020-01-01 01:01:01'),(30,20170124230432,1,'2020-01-01 01:01:01'),(31,20170127014618,1,'2020-01-01 01:01:01'),(32,20170131232841,1,'2020-01-01 01:01:01'),(33,20170223094154,1,'2020-01-01 01:01:01'),(34,20170306075207,1,'2020-01-01 01:01:01'),(35,20170309100733,1,'2020-01-01 01:01:01'),(36,20170331111922,1,'2020-01-01 01:01:01'),(37,20170502143928,1,'2020-01-01 01:01:01'),(38,20170504130602,1,'2020-01-01 01:01:01'),(39,20170509132100,1,'2020-01-01 01:01:01'),(40,20170519105647,1,'2020-01-01 01:01:01'),(41,20170519105648,1,'2020-01-01 01:01:01'),(42,20170831234300,1,'2020-01-01 01:01:01'),(43,20170831234301,1,'2020-01-01 01:01:01'),(44,20170831234303,1,'2020-01-01 01:01:01'),(45,20171116163618,1,'2020-01-01 01:01:01'),(46,20171219164727,1,'2020-01-01 01:01:01'),(47,20180620164811,1,'2020-01-01 01:01:01'),(48,20180620175054,1,'2020-01-01 01:01:01'),(49,20180620175055,1,'2020-01-01 01:01:01'),(50,20191010101639,1,'2020-01-01 01:01:01'),(51,20191010155147,1,'2020-01-01 01:01:01'),(52,20191220130734,1,'2020-01-01 01:01:01'),(53,20200311140000,1,'2020-01-01 01:01:01'),(54,20200405120000,1,'2020-01-01 01:01:01'),(55,20200407120000,1,'2020-01-01 01:01:01'),(56,20200420120000,1,'2020-01-01 01:01:01'),(57,20200504120000,1,'2020-01-01 01:01:01'),(58,20200512120000,1,'2020-01-01 01:01:01'),(59,20200707120000,1,'2020-01-01 01:01:01'),(60,20201011162341,1,'2020-01-01 01:01:01'),(61,20201021104586,1,'2020-01-01 01:01:01'),(62,20201102112520,1,'2020-01-01 01:01:01'),(63,20201208121729,1,'2020-01-01 01:01:01'),(64,20201215091637,1,'2020-01-01 01:01:01'),(65,20210119174155,1,'2020-01-01 01:01:01'),(66,20210326182902,1,'2020-01-01 01:01:01'),(67,20210421112652,1,'2020-01-01 01:01:01'),(68,20210506095025,1,'2020-01-01 01:01:01'),(69,20210513115729,1,'2020-01-01 01:01:01'),(70,20210526113559,1,'2020-01-01 01:01:01'),(71,20210601000001,1,'2020-01-01 01:01:01'),(72,20210601000002,1,'2020-01-01 01:01:01'),(73,20210601000003,1,'2020-01-01 01:01:01'),(74,20210601000004,1,'2020-01-01 01:01:01'),(75,20210601000005,1,'2020-01-01 01:01:01'),(76,20210601000006,1,'2020-01-01 01:01:01'),(77,20210601000007,1,'2020-01-01 01:01:01'),(78,20210601000008,1,'2020-01-01 01:01:01'),(79,20210606151329,1,'2020-01-01 01:01:01'),(80,20210616163757,1,'2020-01-01 01:01:01'),(81,20210617174723,1,'2020-01-01 01:01:01'),(82,20210622160235,1,'2020-01-01 01:01:01'),(83,20210623100031,1,'2020-01-01 01:01:01'),(84,20210623133615,1,'2020-01-01 01:01:01'),(85,20210708143152,1,'2020-01-01 01:01:01'),(86,20210709124443,1,'2020-01-01 01:01:01'),(87,20210712155608,1,'2020-01-01 01:01:01'),(88,20210714102108,1,'2020-01-01 01:01:01'),(89,20210719153709,1,'2020-01-01 01:01:01'),(90,20210721171531,1,'2020-01-01 01:01:01'),(91,20210723135713,1,'2020-01-01 01:01:01'),(92,20210802135933,1,'2020-01-01 01:01:01'),(93,20210806112844,1,'2020-01-01 01:01:01'),(94,20210810095603,1,'2020-01-01 01:01:01'),(95,20210811150223,1,'2020-01-01 01:01:01'),(96,20210818151827,1,'2020-01-01 01:01:01'),(97,20210818151828,1,'2020-01-01 01:01:01'),(98,20210818182258,1,'2020-01-01 01:01:01'),(99,20210819131107,1,'2020-01-01 01:01:01'),(100,20210819143446,1,'2020-01-01 01:01:01'),(101,20210903132338,1,'2020-01-01 01:01:01'),(102,20210915144307,1,'2020-01-01 01:01:01'),(103,20210920155130,1,'2020-01-01 01:01:01'),(104,20210927143115,1,'2020-01-01 01:01:01'),(105,20210927143116,1,'2020-01-01 01:01:01'),(106,20211013133706,1,'2020-01-01 01:01:01'),(107,20211013133707,1,'2020-01-01 01:01:01'),(108,20211102135149,1,'2020-01-01 01:01:01'),(109,20211109121546,1,'2020-01-01 01:01:01'),(110,20211110163320,1,'2020-01-01 01:01:01'),(111,20211116184029,1,'2020-01-01 01:01:01'),(112,20211116184030,1,'2020-01-01 01:01:01'),(113,20211202092042,1,'2020-01-01 01:01:01'),(114,20211202181033,1,'2020-01-01 01:01:01'),(115,20211207161856,1,'2020-01-01 01:01:01'),(116,20211216131203,1,'2020-01-01 01:01:01'),(117,20211221110132,1,'2020-01-01 01:01:01'),(118,20220107155700,1,'2020-01-01 01:01:01'),(119,20220125105650,1,'2020-01-01 01:01:01'),(120,20220201084510,1,'2020-01-01 01:01:01'),(121,20220208144830,1,'2020-01-01 01:01:01'),(122,20220208144831,1,'2020-01-01 01:01:01'),(123,20220215152203,1,'2020-01-01 01:01:01'),(124,20220223113157,1,'2020-01-01 01:01:01'),(125,20220307104655,1,'2020-01-01 01:01:01'),(126,20220309133956,1,'2020-01-01 01:01:01'),(127,20220316155700,1,'2020-01-01 01:01:01'),(128,20220323152301,1,'2020-01-01 01:01:01'),(129,20220330100659,1,'2020-01-01 01:01:01'),(130,20220404091216,1,'2020-01-01 01:01:01'),(131,20220419140750,1,'2020-01-01 01:01:01'),(132,20220428140039,1,'2020-01-01 01:01:01'),(133,20220503134048,1,'2020-01-01 01:01:01'),(134,20220524102918,1,'2020-01-01 01:01:01'),(135,20220526123327,1,'2020-01-01 01:01:01'),(136,20220526123328,1,'2020-01-01 01:01:01'),(137,20220526123329,1,'2020-01-01 01:01:01'),(138,20220608113128,1,'2020-01-01 01:01:01'),(139,20220627104817,1,'2020-01-01 01:01:01'),(140,20220704101843,1,'2020-01-01 01:01:01'),(141,20220708095046,1,'2020-01-01 01:01:01'),(142,20220713091130,1,'2020-01-01 01:01:01'),(143,20220802135510,1,'2020-01-01 01:01:01'),(144,20220818101352,1,'2020-01-01 01:01:01'),(145,20220822161445,1,'2020-01-01 01:01:01'),(146,20220831100036,1,'2020-01-01 01:01:01'),(147,20220831100151,1,'2020-01-01 01:01:01'),(148,20220908181826,1,'2020-01-01 01:01:01'),(149,20220914154915,1,'2020-01-01 01:01:01'),(150,20220915165115,1,'2020-01-01 01:01:01'),(151,20220915165116,1,'2020-01-01 01:01:01'),(152,20220928100158,1,'2020-01-01 01:01:01'),(153,20221014084130,1,'2020-01-01 01:01:01'),(154,20221027085019,1,'2020-01-01 01:01:01'),(155,20221101103952,1,'2020-01-01 01:01:01'),(156,20221104144401,1,'2020-01-01 01:01:01'),(157,20221109100749,1,'2020-01-01 01:01:01'),(158,20221115104546,1,'2020-01-01 01:01:01'),(159,20221130114928,1,'2020-01-01 01:01:01'),(160,20221205112142,1,'2020-01-01 01:01:01'),(161,20221216115820,1,'2020-01-01 01:01:01'),(162,20221220195934,1,'2020-01-01 01:01:01'),(163,20221220195935,1,'2020-01-01 01:01:01'),(164,20221223174807,1,'2020-01-01 01:01:01'),(165,20221227163855,1,'2020-01-01 01:01:01'),(166,20221227163856,1,'2020-01-01 01:01:01'),(167,20230202224725,1,'2020-01-01 01:01:01'),(168,20230206163608,1,'2020-01-01 01:01:01'),(169,20230214131519,1,'2020-01-01 01:01:01'),(170,20230303135738,1,'2020-01-01 01:01:01'),(171,20230313135301,1,'2020-01-01 01:01:01'),(172,20230313141819,1,'2020-01-01 01:01:01'),(173,20230315104937,1,'2020-01-01 01:01:01'),(174,20230317173844,1,'2020-01-01 01:01:01'),(175,20230320133602,1,'2020-01-01 01:01:01'),(176,20230330100011,1,'2020-01-01 01:01:01'),(177,20230330134823,1,'2020-01-01 01:01:01'),(178,20230405232025,1,'2020-01-01 01:01:01'),(179,20230408084104,1,'2020-01-01 01:01:01'),(180,20230411102858,1,'2020-01-01 01:01:01'),(181,20230421155932,1,'2020-01-01 01:01:01'),(182,20230425082126,1,'2020-01-01 01:01:01'),(183,20230425105727,1,'2020-01-01 01:01:01'),(184,20230501154913,1,'2020-01-01 01:01:01'),(185,20230503101418,1,'2020-01-01 01:01:01'),(186,20230515144206,1,'2020-01-01 01:01:01'),(187,20230517140952,1,'2020-01-01 01:01:01'),(188,20230517152807,1,'2020-01-01 01:01:01'),(189,20230518114155,1,'2020-01-01 01:01:01'),(190,20230520153236,1,'2020-01-01 01:01:01'),(191,20230525151159,1,'2020-01-01 01:01:01'),(192,20230530122103,1,'2020-01-01 01:01:01'),(193,20230602111827,1,'2020-01-01 01:01:01'),(194,20230608103123,1,'2020-01-01 01:01:01'),(195,20230629140529,1,'2020-01-01 01:01:01'),(196,20230629140530,1,'2020-01-01 01:01:01'),(197,20230711144622,1,'2020-01-01 01:01:01'),(198,20230721135421,1,'2020-01-01 01:01:01'),(199,20230721161508,1,'2020-01-01 01:01:01'),(200,20230726115701,1,'2020-01-01 01:01:01'),(201,20230807100822,1,'2020-01-01 01:01:01'),(202,20230814150442,1,'2020-01-01 01:01:01'),(203,20230823122728,1,'2020-01-01 01:01:01'),(204,20230906152143,1,'2020-01-01 01:01:01'),(205,20230911163618,1,'2020-01-01 01:01:01'),(206,20230912101759,1,'2020-01-01 01:01:01'),(207,20230915101341,1,'2020-01-01 01:01:01'),(208,20230918132351,1,'2020-01-01 01:01:01'),(209,20231004144339,1,'2020-01-01 01:01:01'),(210,20231009094541,1,'2020-01-01 01:01:01'),(211,20231009094542,1,'2020-01-01 01:01:01'),(212,20231009094543,1,'2020-01-01 01:01:01'),(213,20231009094544,1,'2020-01-01 01:01:01'),(214,20231016091915,1,'2020-01-01 01:01:01'),(215,20231024174135,1,'2020-01-01 01:01:01'),(216,20231025120016,1,'2020-01-01 01:01:01'),(217,20231025160156,1,'2020-01-01 01:01:01'),(218,20231031165350,1,'2020-01-01 01:01:01'),(219,20231106144110,1,'2020-01-01 01:01:01'),(220,20231107130934,1,'2020-01-01 01:01:01'),(221,20231109115838,1,'2020-01-01 01:01:01'),(222,20231121054530,1,'2020-01-01 01:01:01'),(223,20231122101320,1,'2020-01-01 01:01:01'),(224,20231130132828,1,'2020-01-01 01:01:01'),(225,20231130132931,1,'2020-01-01 01:01:01'),(226,20231204155427,1,'2020-01-01 01:01:01'),(227,20231206142340,1,'2020-01-01 01:01:01'),(228,20231207102320,1,'2020-01-01 01:01:01'),(229,20231207102321,1,'2020-01-01 01:01:01'),(230,20231207133731,1,'2020-01-01 01:01:01'),(231,20231212094238,1,'2020-01-01 01:01:01'),(232,20231212095734,1,'2020-01-01 01:01:01'),(233,20231212161121,1,'2020-01-01 01:01:01'),(234,20231215122713,1,'2020-01-01 01:01:01'),(235,20231219143041,1,'2020-01-01 01:01:01'),(236,20231224070653,1,'2020-01-01 01:01:01'),(237,20240110134315,1,'2020-01-01 01:01:01'),(238,20240119091637,1,'2020-01-01 01:01:01'),(239,20240126020642,1,'2020-01-01 01:01:01'),(240,20240126020643,1,'2020-01-01 01:01:01'),(241,20240129162819,1,'2020-01-01 01:01:01'),(242,20240130115133,1,'2020-01-01 01:01:01'),(243,20240131083822,1,'2020-01-01 01:01:01'),(244,20240205095928,1,'2020-01-01 01:01:01'),(245,20240205121956,1,'2020-01-01 01:01:01'),(246,20240209110212,1,'2020-01-01 01:01:01'),(247,20240212111533,1,'2020-01-01 01:01:01'),(248,20240221112844,1,'2020-01-01 01:01:01'),(249,20240222073518,1,'2020-01-01 01:01:01'),(250,20240222135115,1,'2020-01-01 01:01:01'),(251,20240226082255,1,'2020-01-01 01:01:01'),(252,20240228082706,1,'2020-01-01 01:01:01'),(253,20240301173035,1,'2020-01-01 01:01:01'),(254,20240302111134,1,'2020-01-01 01:01:01'),(255,20240312103753,1,'2020-01-01 01:01:01'),(256,20240313143416,1,'2020-01-01 01:01:01'),(257,20240314085226,1,'2020-01-01 01:01:01'),(258,20240314151747,1,'2020-01-01 01:01:01'),(259,20240320145650,1,'2020-01-01 01:01:01'),(260,20240327115530,1,'2020-01-01 01:01:01'),(261,20240327115617,1,'2020-01-01 01:01:01'),(262,20240408085837,1,'2020-01-01 01:01:01'),(263,20240415104633,1,'2020-01-01 01:01:01'),(264,20240430111727,1,'2020-01-01 01:01:01'),(265,20240515200020,1,'2020-01-01 01:01:01'),(266,20240521143023,1,'2020-01-01 01:01:01'),(267,20240521143024,1,'2020-01-01 01:01:01'),(268,20240601174138,1,'2020-01-01 01:01:01'),(269,20240607133721,1,'2020-01-01 01:01:01'),(270,20240612150059,1,'2020-01-01 01:01:01'),(271,20240613162201,1,'2020-01-01 01:01:01'),(272,20240613172616,1,'2020-01-01 01:01:01'),(273,20240618142419,1,'2020-01-01 01:01:01'),(274,20240625093543,1,'2020-01-01 01:01:01'),(275,20240626195531,1,'2020-01-01 01:01:01'),(276,20240702123921,1,'2020-01-01 01:01:01'),(277,20240703154849,1,'2020-01-01 01:01:01');
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `mobile_device_management_solutions` (
diff --git a/server/fleet/app.go b/server/fleet/app.go
index fcd299da74..4f61323f28 100644
--- a/server/fleet/app.go
+++ b/server/fleet/app.go
@@ -308,6 +308,18 @@ func (s MacOSSettings) ToMap() map[string]interface{} {
 func (s *MacOSSettings) FromMap(m map[string]interface{}) (map[string]bool, error) {
 	set := make(map[string]bool)
 
+	extractLabelField := func(parentMap map[string]interface{}, fieldName string) []string {
+		var ret []string
+		if labels, ok := parentMap[fieldName].([]interface{}); ok {
+			for _, label := range labels {
+				if strLabel, ok := label.(string); ok {
+					ret = append(ret, strLabel)
+				}
+			}
+		}
+		return ret
+	}
+
 	if v, ok := m["custom_settings"]; ok {
 		set["custom_settings"] = true
 
@@ -322,15 +334,9 @@ func (s *MacOSSettings) FromMap(m map[string]interface{}) (map[string]bool, erro
 						spec.Path = path
 					}
 
-					// extract the Labels field (if they are not provided, labels are
-					// cleared for that profile)
-					if labels, ok := m["labels"].([]interface{}); ok {
-						for _, label := range labels {
-							if strLabel, ok := label.(string); ok {
-								spec.Labels = append(spec.Labels, strLabel)
-							}
-						}
-					}
+					spec.Labels = extractLabelField(m, "labels")
+					spec.LabelsIncludeAll = extractLabelField(m, "labels_include_all")
+					spec.LabelsExcludeAny = extractLabelField(m, "labels_exclude_any")
 
 					csSpecs = append(csSpecs, spec)
 				} else if m, ok := v.(string); ok { // for backwards compatibility with the old way to define profiles
diff --git a/server/fleet/apple_mdm.go b/server/fleet/apple_mdm.go
index 39df5674bf..7d8d6ebb26 100644
--- a/server/fleet/apple_mdm.go
+++ b/server/fleet/apple_mdm.go
@@ -195,11 +195,11 @@ type MDMAppleConfigProfile struct {
 	// representation of the configuration profile. It must be XML or PKCS7 parseable.
 	Mobileconfig mobileconfig.Mobileconfig `db:"mobileconfig" json:"-"`
 	// Checksum is an MD5 hash of the Mobileconfig bytes
-	Checksum []byte `db:"checksum" json:"checksum,omitempty"`
-	// Labels are the associated labels for this profile
-	Labels     []ConfigurationProfileLabel `db:"labels" json:"labels,omitempty"`
-	CreatedAt  time.Time                   `db:"created_at" json:"created_at"`
-	UploadedAt time.Time                   `db:"uploaded_at" json:"updated_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
+	Checksum         []byte                      `db:"checksum" json:"checksum,omitempty"`
+	LabelsIncludeAll []ConfigurationProfileLabel `db:"-" json:"labels_include_all,omitempty"`
+	LabelsExcludeAny []ConfigurationProfileLabel `db:"-" json:"labels_exclude_any,omitempty"`
+	CreatedAt        time.Time                   `db:"created_at" json:"created_at"`
+	UploadedAt       time.Time                   `db:"uploaded_at" json:"updated_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
 }
 
 // ConfigurationProfileLabel represents the many-to-many relationship between
@@ -212,6 +212,7 @@ type ConfigurationProfileLabel struct {
 	LabelName   string `db:"label_name" json:"name"`
 	LabelID     uint   `db:"label_id" json:"id,omitempty"`   // omitted if 0 (which is impossible if the label is not broken)
 	Broken      bool   `db:"broken" json:"broken,omitempty"` // omitted (not rendered to JSON) if false
+	Exclude     bool   `db:"exclude" json:"-"`               // not rendered in JSON, used to store the profile in LabelsIncludeAll or LabelsExcludeAny on the parent profile
 }
 
 func NewMDMAppleConfigProfile(raw []byte, teamID *uint) (*MDMAppleConfigProfile, error) {
@@ -561,8 +562,9 @@ type MDMAppleDeclaration struct {
 	// Checksum is a checksum of the JSON contents
 	Checksum string `db:"checksum" json:"-"`
 
-	// Labels are the labels associated with this Declaration
-	Labels []ConfigurationProfileLabel `db:"labels" json:"labels,omitempty"`
+	// labels associated with this Declaration
+	LabelsIncludeAll []ConfigurationProfileLabel `db:"-" json:"labels_include_all,omitempty"`
+	LabelsExcludeAny []ConfigurationProfileLabel `db:"-" json:"labels_exclude_any,omitempty"`
 
 	CreatedAt  time.Time `db:"created_at" json:"created_at"`
 	UploadedAt time.Time `db:"uploaded_at" json:"uploaded_at"`
diff --git a/server/fleet/mdm.go b/server/fleet/mdm.go
index a7e695c870..0477ba6f91 100644
--- a/server/fleet/mdm.go
+++ b/server/fleet/mdm.go
@@ -129,6 +129,8 @@ type ExpectedMDMProfile struct {
 	CountProfileLabels uint `db:"count_profile_labels"`
 	// CountHostLabels is used to enable queries that filter based on profile <-> label mappings.
 	CountHostLabels uint `db:"count_host_labels"`
+	// CountNonBrokenLabels is used to enable queries that filter based on profile <-> label mappings.
+	CountNonBrokenLabels uint `db:"count_non_broken_labels"`
 }
 
 // IsWithinGracePeriod returns true if the host is within the grace period for the profile.
@@ -364,23 +366,29 @@ func (m MDMConfigProfileAuthz) AuthzType() string {
 // MDMConfigProfilePayload is the platform-agnostic struct returned by
 // endpoints that return MDM configuration profiles (get/list profiles).
 type MDMConfigProfilePayload struct {
-	ProfileUUID string                      `json:"profile_uuid" db:"profile_uuid"`
-	TeamID      *uint                       `json:"team_id" db:"team_id"` // null for no-team
-	Name        string                      `json:"name" db:"name"`
-	Platform    string                      `json:"platform" db:"platform"`               // "windows" or "darwin"
-	Identifier  string                      `json:"identifier,omitempty" db:"identifier"` // only set for macOS
-	Checksum    []byte                      `json:"checksum,omitempty" db:"checksum"`     // only set for macOS
-	CreatedAt   time.Time                   `json:"created_at" db:"created_at"`
-	UploadedAt  time.Time                   `json:"updated_at" db:"uploaded_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
-	Labels      []ConfigurationProfileLabel `json:"labels,omitempty" db:"-"`
+	ProfileUUID      string                      `json:"profile_uuid" db:"profile_uuid"`
+	TeamID           *uint                       `json:"team_id" db:"team_id"` // null for no-team
+	Name             string                      `json:"name" db:"name"`
+	Platform         string                      `json:"platform" db:"platform"`               // "windows" or "darwin"
+	Identifier       string                      `json:"identifier,omitempty" db:"identifier"` // only set for macOS
+	Checksum         []byte                      `json:"checksum,omitempty" db:"checksum"`     // only set for macOS
+	CreatedAt        time.Time                   `json:"created_at" db:"created_at"`
+	UploadedAt       time.Time                   `json:"updated_at" db:"uploaded_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
+	LabelsIncludeAll []ConfigurationProfileLabel `json:"labels_include_all,omitempty" db:"-"`
+	LabelsExcludeAny []ConfigurationProfileLabel `json:"labels_exclude_any,omitempty" db:"-"`
 }
 
 // MDMProfileBatchPayload represents the payload to batch-set the profiles for
 // a team or no-team.
 type MDMProfileBatchPayload struct {
-	Name     string   `json:"name,omitempty"`
-	Contents []byte   `json:"contents,omitempty"`
-	Labels   []string `json:"labels,omitempty"`
+	Name     string `json:"name,omitempty"`
+	Contents []byte `json:"contents,omitempty"`
+
+	// Deprecated: Labels is the backwards-compatible way of specifying
+	// LabelsIncludeAll.
+	Labels           []string `json:"labels,omitempty"`
+	LabelsIncludeAll []string `json:"labels_include_all,omitempty"`
+	LabelsExcludeAny []string `json:"labels_exclude_any,omitempty"`
 }
 
 func NewMDMConfigProfilePayloadFromWindows(cp *MDMWindowsConfigProfile) *MDMConfigProfilePayload {
@@ -389,13 +397,14 @@ func NewMDMConfigProfilePayloadFromWindows(cp *MDMWindowsConfigProfile) *MDMConf
 		tid = cp.TeamID
 	}
 	return &MDMConfigProfilePayload{
-		ProfileUUID: cp.ProfileUUID,
-		TeamID:      tid,
-		Name:        cp.Name,
-		Platform:    "windows",
-		CreatedAt:   cp.CreatedAt,
-		UploadedAt:  cp.UploadedAt,
-		Labels:      cp.Labels,
+		ProfileUUID:      cp.ProfileUUID,
+		TeamID:           tid,
+		Name:             cp.Name,
+		Platform:         "windows",
+		CreatedAt:        cp.CreatedAt,
+		UploadedAt:       cp.UploadedAt,
+		LabelsIncludeAll: cp.LabelsIncludeAll,
+		LabelsExcludeAny: cp.LabelsExcludeAny,
 	}
 }
 
@@ -405,15 +414,16 @@ func NewMDMConfigProfilePayloadFromApple(cp *MDMAppleConfigProfile) *MDMConfigPr
 		tid = cp.TeamID
 	}
 	return &MDMConfigProfilePayload{
-		ProfileUUID: cp.ProfileUUID,
-		TeamID:      tid,
-		Name:        cp.Name,
-		Identifier:  cp.Identifier,
-		Platform:    "darwin",
-		Checksum:    cp.Checksum,
-		CreatedAt:   cp.CreatedAt,
-		UploadedAt:  cp.UploadedAt,
-		Labels:      cp.Labels,
+		ProfileUUID:      cp.ProfileUUID,
+		TeamID:           tid,
+		Name:             cp.Name,
+		Identifier:       cp.Identifier,
+		Platform:         "darwin",
+		Checksum:         cp.Checksum,
+		CreatedAt:        cp.CreatedAt,
+		UploadedAt:       cp.UploadedAt,
+		LabelsIncludeAll: cp.LabelsIncludeAll,
+		LabelsExcludeAny: cp.LabelsExcludeAny,
 	}
 }
 
@@ -423,23 +433,37 @@ func NewMDMConfigProfilePayloadFromAppleDDM(decl *MDMAppleDeclaration) *MDMConfi
 		tid = decl.TeamID
 	}
 	return &MDMConfigProfilePayload{
-		ProfileUUID: decl.DeclarationUUID,
-		TeamID:      tid,
-		Name:        decl.Name,
-		Identifier:  decl.Identifier,
-		Platform:    "darwin",
-		Checksum:    []byte(decl.Checksum),
-		CreatedAt:   decl.CreatedAt,
-		UploadedAt:  decl.UploadedAt,
-		Labels:      decl.Labels,
+		ProfileUUID:      decl.DeclarationUUID,
+		TeamID:           tid,
+		Name:             decl.Name,
+		Identifier:       decl.Identifier,
+		Platform:         "darwin",
+		Checksum:         []byte(decl.Checksum),
+		CreatedAt:        decl.CreatedAt,
+		UploadedAt:       decl.UploadedAt,
+		LabelsIncludeAll: decl.LabelsIncludeAll,
+		LabelsExcludeAny: decl.LabelsExcludeAny,
 	}
 }
 
 // MDMProfileSpec represents the spec used to define configuration
 // profiles via yaml files.
 type MDMProfileSpec struct {
-	Path   string   `json:"path,omitempty"`
+	Path string `json:"path,omitempty"`
+
+	// Deprecated: the Labels field is now deprecated, it is superseded by
+	// LabelsIncludeAll, so any value set via this field will be transferred to
+	// LabelsIncludeAll.
 	Labels []string `json:"labels,omitempty"`
+
+	// LabelsIncludeAll is a list of label names that the host must be a member
+	// of in order to receive the profile. It must be a member of all listed
+	// labels.
+	LabelsIncludeAll []string `json:"labels_include_all,omitempty"`
+	// LabelsExcludeAll is a list of label names that the host must not be a
+	// member of in order to receive the profile. It must not be a member of any
+	// of the listed labels.
+	LabelsExcludeAny []string `json:"labels_exclude_any,omitempty"`
 }
 
 // UnmarshalJSON implements the json.Unmarshaler interface to add backwards
@@ -487,6 +511,14 @@ func (p *MDMProfileSpec) Copy() *MDMProfileSpec {
 		clone.Labels = make([]string, len(p.Labels))
 		copy(clone.Labels, p.Labels)
 	}
+	if len(p.LabelsIncludeAll) > 0 {
+		clone.LabelsIncludeAll = make([]string, len(p.LabelsIncludeAll))
+		copy(clone.LabelsIncludeAll, p.LabelsIncludeAll)
+	}
+	if len(p.LabelsExcludeAny) > 0 {
+		clone.LabelsExcludeAny = make([]string, len(p.LabelsExcludeAny))
+		copy(clone.LabelsExcludeAny, p.LabelsExcludeAny)
+	}
 
 	return &clone
 }
@@ -506,35 +538,64 @@ func MDMProfileSpecsMatch(a, b []MDMProfileSpec) bool {
 		return false
 	}
 
-	pathLabelCounts := make(map[string]map[string]int)
+	pathLabelIncludeCounts := make(map[string]map[string]int)
 	for _, v := range a {
-		pathLabelCounts[v.Path] = labelCountMap(v.Labels)
+		// the deprecated Labels field is only relevant if LabelsIncludeAll is
+		// empty.
+		if len(v.LabelsIncludeAll) > 0 {
+			pathLabelIncludeCounts[v.Path] = labelCountMap(v.LabelsIncludeAll)
+		} else {
+			pathLabelIncludeCounts[v.Path] = labelCountMap(v.Labels)
+		}
+	}
+	pathLabelExcludeCounts := make(map[string]map[string]int)
+	for _, v := range a {
+		pathLabelExcludeCounts[v.Path] = labelCountMap(v.LabelsExcludeAny)
 	}
 
 	for _, v := range b {
-		labels, ok := pathLabelCounts[v.Path]
-		if !ok {
+		includeLabels, okIncl := pathLabelIncludeCounts[v.Path]
+		excludeLabels, okExcl := pathLabelExcludeCounts[v.Path]
+		if !okIncl || !okExcl {
 			return false
 		}
 
-		bLabelCounts := labelCountMap(v.Labels)
-		for label, count := range bLabelCounts {
-			if labels[label] != count {
+		var bLabelIncludeCounts map[string]int
+		if len(v.LabelsIncludeAll) > 0 {
+			bLabelIncludeCounts = labelCountMap(v.LabelsIncludeAll)
+		} else {
+			bLabelIncludeCounts = labelCountMap(v.Labels)
+		}
+		for label, count := range bLabelIncludeCounts {
+			if includeLabels[label] != count {
 				return false
 			}
-			labels[label] -= count
+			includeLabels[label] -= count
 		}
-
-		for _, count := range labels {
+		for _, count := range includeLabels {
 			if count != 0 {
 				return false
 			}
 		}
 
-		delete(pathLabelCounts, v.Path)
+		bLabelExcludeCounts := labelCountMap(v.LabelsExcludeAny)
+		for label, count := range bLabelExcludeCounts {
+			if excludeLabels[label] != count {
+				return false
+			}
+			excludeLabels[label] -= count
+		}
+		for _, count := range excludeLabels {
+			if count != 0 {
+				return false
+			}
+		}
+
+		delete(pathLabelIncludeCounts, v.Path)
+		delete(pathLabelExcludeCounts, v.Path)
 	}
 
-	return len(pathLabelCounts) == 0
+	return len(pathLabelIncludeCounts) == 0 && len(pathLabelExcludeCounts) == 0
 }
 
 type MDMAssetName string
diff --git a/server/fleet/mdm_test.go b/server/fleet/mdm_test.go
index e35099f551..a1dd3d49d5 100644
--- a/server/fleet/mdm_test.go
+++ b/server/fleet/mdm_test.go
@@ -316,6 +316,66 @@ func TestMDMProfileSpecsMatch(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "Include Labels Match",
+			a: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsIncludeAll: []string{"label1", "label2"}},
+				{Path: "path2", LabelsIncludeAll: []string{"label3"}},
+			},
+			b: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsIncludeAll: []string{"label2", "label1"}},
+				{Path: "path2", LabelsIncludeAll: []string{"label3"}},
+			},
+			expected: true,
+		},
+		{
+			name: "Exclude Labels Match",
+			a: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsExcludeAny: []string{"label1", "label2"}},
+				{Path: "path2", LabelsExcludeAny: []string{"label3"}},
+			},
+			b: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsExcludeAny: []string{"label2", "label1"}},
+				{Path: "path2", LabelsExcludeAny: []string{"label3"}},
+			},
+			expected: true,
+		},
+		{
+			name: "Include Labels Mismatch",
+			a: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsIncludeAll: []string{"label1", "label2"}},
+				{Path: "path2", LabelsIncludeAll: []string{"label3"}},
+			},
+			b: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsIncludeAll: []string{"label2", "label1"}},
+				{Path: "path2", LabelsIncludeAll: []string{"label4"}},
+			},
+			expected: false,
+		},
+		{
+			name: "Exclude Labels Mismatch",
+			a: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsExcludeAny: []string{"label1", "label2"}},
+				{Path: "path2", LabelsExcludeAny: []string{"label3"}},
+			},
+			b: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsExcludeAny: []string{"label2", "label1"}},
+				{Path: "path3", LabelsExcludeAny: []string{"label3"}},
+			},
+			expected: false,
+		},
+		{
+			name: "Deprecated Labels Match IncludeAll",
+			a: []fleet.MDMProfileSpec{
+				{Path: "path1", Labels: []string{"label1", "label2"}},
+				{Path: "path2", LabelsExcludeAny: []string{"label3"}},
+			},
+			b: []fleet.MDMProfileSpec{
+				{Path: "path1", LabelsIncludeAll: []string{"label2", "label1"}},
+				{Path: "path2", LabelsExcludeAny: []string{"label3"}},
+			},
+			expected: true,
+		},
 	}
 
 	for _, tc := range tests {
diff --git a/server/fleet/service.go b/server/fleet/service.go
index 631097dc6a..4ef1619f0f 100644
--- a/server/fleet/service.go
+++ b/server/fleet/service.go
@@ -710,9 +710,9 @@ type Service interface {
 	GetHostDEPAssignment(ctx context.Context, host *Host) (*HostDEPAssignment, error)
 
 	// NewMDMAppleConfigProfile creates a new configuration profile for the specified team.
-	NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r io.Reader, labels []string) (*MDMAppleConfigProfile, error)
+	NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r io.Reader, labels []string, labelsExcludeMode bool) (*MDMAppleConfigProfile, error)
 	// NewMDMAppleConfigProfileWithPayload creates a new declaration for the specified team.
-	NewMDMAppleDeclaration(ctx context.Context, teamID uint, r io.Reader, labels []string, name string) (*MDMAppleDeclaration, error)
+	NewMDMAppleDeclaration(ctx context.Context, teamID uint, r io.Reader, labels []string, name string, labelsExcludeMode bool) (*MDMAppleDeclaration, error)
 
 	// GetMDMAppleConfigProfileByDeprecatedID retrieves the specified Apple
 	// configuration profile via its numeric ID. This method is deprecated and
@@ -974,7 +974,7 @@ type Service interface {
 
 	// NewMDMWindowsConfigProfile creates a new Windows configuration profile for
 	// the specified team.
-	NewMDMWindowsConfigProfile(ctx context.Context, teamID uint, profileName string, r io.Reader, labels []string) (*MDMWindowsConfigProfile, error)
+	NewMDMWindowsConfigProfile(ctx context.Context, teamID uint, profileName string, r io.Reader, labels []string, labelsExcludeMode bool) (*MDMWindowsConfigProfile, error)
 
 	// NewMDMUnsupportedConfigProfile is called when a profile with an
 	// unsupported extension is uploaded.
diff --git a/server/fleet/teams.go b/server/fleet/teams.go
index 5509d47ae1..45febe6d90 100644
--- a/server/fleet/teams.go
+++ b/server/fleet/teams.go
@@ -33,12 +33,10 @@ type TeamPayload struct {
 // need to be able which part of the MDM config was provided in the request,
 // so the fields are pointers to structs.
 type TeamPayloadMDM struct {
-	EnableDiskEncryption optjson.Bool     `json:"enable_disk_encryption"`
-	MacOSUpdates         *MacOSUpdates    `json:"macos_updates"`
-	WindowsUpdates       *WindowsUpdates  `json:"windows_updates"`
-	MacOSSettings        *MacOSSettings   `json:"macos_settings"`
-	MacOSSetup           *MacOSSetup      `json:"macos_setup"`
-	WindowsSettings      *WindowsSettings `json:"windows_settings"`
+	EnableDiskEncryption optjson.Bool    `json:"enable_disk_encryption"`
+	MacOSUpdates         *MacOSUpdates   `json:"macos_updates"`
+	WindowsUpdates       *WindowsUpdates `json:"windows_updates"`
+	MacOSSetup           *MacOSSetup     `json:"macos_setup"`
 }
 
 // Team is the data representation for the "Team" concept (group of hosts and
diff --git a/server/fleet/windows_mdm.go b/server/fleet/windows_mdm.go
index a83fa4d5f1..4487765008 100644
--- a/server/fleet/windows_mdm.go
+++ b/server/fleet/windows_mdm.go
@@ -32,13 +32,14 @@ type MDMWindowsBitLockerSummary struct {
 type MDMWindowsConfigProfile struct {
 	// ProfileUUID is the unique identifier of the configuration profile in
 	// Fleet. For Windows profiles, it is the letter "w" followed by a uuid.
-	ProfileUUID string                      `db:"profile_uuid" json:"profile_uuid"`
-	TeamID      *uint                       `db:"team_id" json:"team_id"`
-	Name        string                      `db:"name" json:"name"`
-	SyncML      []byte                      `db:"syncml" json:"-"`
-	Labels      []ConfigurationProfileLabel `db:"labels" json:"labels,omitempty"`
-	CreatedAt   time.Time                   `db:"created_at" json:"created_at"`
-	UploadedAt  time.Time                   `db:"uploaded_at" json:"updated_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
+	ProfileUUID      string                      `db:"profile_uuid" json:"profile_uuid"`
+	TeamID           *uint                       `db:"team_id" json:"team_id"`
+	Name             string                      `db:"name" json:"name"`
+	SyncML           []byte                      `db:"syncml" json:"-"`
+	LabelsIncludeAll []ConfigurationProfileLabel `db:"-" json:"labels_include_all,omitempty"`
+	LabelsExcludeAny []ConfigurationProfileLabel `db:"-" json:"labels_exclude_any,omitempty"`
+	CreatedAt        time.Time                   `db:"created_at" json:"created_at"`
+	UploadedAt       time.Time                   `db:"uploaded_at" json:"updated_at"` // NOTE: JSON field is still `updated_at` for historical reasons, would be an API breaking change
 }
 
 // ValidateUserProvided ensures that the SyncML content in the profile is valid
@@ -124,9 +125,7 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 					return err
 				}
 			}
-
 		}
-
 	}
 
 	return nil
diff --git a/server/service/appconfig.go b/server/service/appconfig.go
index 458d9920ff..f05d861eda 100644
--- a/server/service/appconfig.go
+++ b/server/service/appconfig.go
@@ -743,6 +743,25 @@ func (svc *Service) validateMDM(
 				`Couldn't update macos_setup because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.`)
 		}
 	}
+	checkCustomSettings := func(prefix string, customSettings []fleet.MDMProfileSpec) {
+		for i, prof := range customSettings {
+			count := 0
+			for _, b := range []bool{len(prof.Labels) > 0, len(prof.LabelsIncludeAll) > 0, len(prof.LabelsExcludeAny) > 0} {
+				if b {
+					count++
+				}
+			}
+			if count > 1 {
+				invalid.Append(fmt.Sprintf("%s_settings.custom_settings", prefix),
+					fmt.Sprintf(`Couldn't edit %s_settings.custom_settings. For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`, prefix))
+			}
+			if len(prof.Labels) > 0 {
+				customSettings[i].LabelsIncludeAll = customSettings[i].Labels
+				customSettings[i].Labels = nil
+			}
+		}
+	}
+	checkCustomSettings("macos", mdm.MacOSSettings.CustomSettings)
 
 	if !mdm.WindowsEnabledAndConfigured {
 		if mdm.WindowsSettings.CustomSettings.Set &&
@@ -752,6 +771,7 @@ func (svc *Service) validateMDM(
 				`Couldn’t edit windows_settings.custom_settings. Windows MDM isn’t turned on. Visit https://fleetdm.com/docs/using-fleet to learn how to turn on MDM.`)
 		}
 	}
+	checkCustomSettings("windows", mdm.WindowsSettings.CustomSettings.Value)
 
 	if name := mdm.AppleBMDefaultTeam; name != "" && name != oldMdm.AppleBMDefaultTeam {
 		if !license.IsPremium() {
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 42744b72d2..8677c0fdad 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -306,7 +306,7 @@ func newMDMAppleConfigProfileEndpoint(ctx context.Context, request interface{},
 	}
 	defer ff.Close()
 	// providing an empty set of labels since this endpoint is only maintained for backwards compat
-	cp, err := svc.NewMDMAppleConfigProfile(ctx, req.TeamID, ff, nil)
+	cp, err := svc.NewMDMAppleConfigProfile(ctx, req.TeamID, ff, nil, false)
 	if err != nil {
 		return &newMDMAppleConfigProfileResponse{Err: err}, nil
 	}
@@ -315,7 +315,7 @@ func newMDMAppleConfigProfileEndpoint(ctx context.Context, request interface{},
 	}, nil
 }
 
-func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r io.Reader, labels []string) (*fleet.MDMAppleConfigProfile, error) {
+func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r io.Reader, labels []string, labelsExcludeMode bool) (*fleet.MDMAppleConfigProfile, error) {
 	if err := svc.authz.Authorize(ctx, &fleet.MDMConfigProfileAuthz{TeamID: &teamID}, fleet.ActionWrite); err != nil {
 		return nil, ctxerr.Wrap(ctx, err)
 	}
@@ -359,7 +359,11 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "validating labels")
 	}
-	cp.Labels = labelMap
+	if labelsExcludeMode {
+		cp.LabelsExcludeAny = labelMap
+	} else {
+		cp.LabelsIncludeAll = labelMap
+	}
 
 	newCP, err := svc.ds.NewMDMAppleConfigProfile(ctx, *cp)
 	if err != nil {
@@ -401,7 +405,7 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 	return newCP, nil
 }
 
-func (svc *Service) NewMDMAppleDeclaration(ctx context.Context, teamID uint, r io.Reader, labels []string, name string) (*fleet.MDMAppleDeclaration, error) {
+func (svc *Service) NewMDMAppleDeclaration(ctx context.Context, teamID uint, r io.Reader, labels []string, name string, labelsExcludeMode bool) (*fleet.MDMAppleDeclaration, error) {
 	if err := svc.authz.Authorize(ctx, &fleet.MDMConfigProfileAuthz{TeamID: &teamID}, fleet.ActionWrite); err != nil {
 		return nil, ctxerr.Wrap(ctx, err)
 	}
@@ -455,8 +459,11 @@ func (svc *Service) NewMDMAppleDeclaration(ctx context.Context, teamID uint, r i
 
 	d := fleet.NewMDMAppleDeclaration(data, tmID, name, rawDecl.Type, rawDecl.Identifier)
 
-	// TODO(roberto): this should be part of fleet.NewMDMAppleDeclaration
-	d.Labels = validatedLabels
+	if labelsExcludeMode {
+		d.LabelsExcludeAny = validatedLabels
+	} else {
+		d.LabelsIncludeAll = validatedLabels
+	}
 
 	decl, err := svc.ds.NewMDMAppleDeclaration(ctx, d)
 	if err != nil {
diff --git a/server/service/apple_mdm_test.go b/server/service/apple_mdm_test.go
index 0e91742bb1..554ef26204 100644
--- a/server/service/apple_mdm_test.go
+++ b/server/service/apple_mdm_test.go
@@ -644,11 +644,11 @@ func TestMDMAppleConfigProfileAuthz(t *testing.T) {
 
 		t.Run(tt.name, func(t *testing.T) {
 			// test authz create new profile (no team)
-			_, err := svc.NewMDMAppleConfigProfile(ctx, 0, bytes.NewReader(mcBytes), nil)
+			_, err := svc.NewMDMAppleConfigProfile(ctx, 0, bytes.NewReader(mcBytes), nil, false)
 			checkShouldFail(err, tt.shouldFailGlobal)
 
 			// test authz create new profile (team 1)
-			_, err = svc.NewMDMAppleConfigProfile(ctx, 1, bytes.NewReader(mcBytes), nil)
+			_, err = svc.NewMDMAppleConfigProfile(ctx, 1, bytes.NewReader(mcBytes), nil, false)
 			checkShouldFail(err, tt.shouldFailTeam)
 
 			// test authz list profiles (no team)
@@ -710,7 +710,7 @@ func TestNewMDMAppleConfigProfile(t *testing.T) {
 		return nil
 	}
 
-	cp, err := svc.NewMDMAppleConfigProfile(ctx, 0, r, nil)
+	cp, err := svc.NewMDMAppleConfigProfile(ctx, 0, r, nil, false)
 	require.NoError(t, err)
 	require.Equal(t, "Foo", cp.Name)
 	require.Equal(t, "Bar", cp.Identifier)
diff --git a/server/service/client.go b/server/service/client.go
index f5b0894a31..82fee91585 100644
--- a/server/service/client.go
+++ b/server/service/client.go
@@ -375,9 +375,11 @@ func getProfilesContents(baseDir string, macProfiles []fleet.MDMProfileSpec, win
 			extByName[name] = ext
 
 			result = append(result, fleet.MDMProfileBatchPayload{
-				Name:     name,
-				Contents: fileContents,
-				Labels:   profile.Labels,
+				Name:             name,
+				Contents:         fileContents,
+				Labels:           profile.Labels,
+				LabelsIncludeAll: profile.LabelsIncludeAll,
+				LabelsExcludeAny: profile.LabelsExcludeAny,
 			})
 
 		}
@@ -828,6 +830,18 @@ func extractAppCfgCustomSettings(appCfg interface{}, platformKey string) []fleet
 		return []fleet.MDMProfileSpec{}
 	}
 
+	extractLabelField := func(parentMap map[string]interface{}, fieldName string) []string {
+		var ret []string
+		if labels, ok := parentMap[fieldName].([]interface{}); ok {
+			for _, label := range labels {
+				if strLabel, ok := label.(string); ok {
+					ret = append(ret, strLabel)
+				}
+			}
+		}
+		return ret
+	}
+
 	csSpecs := make([]fleet.MDMProfileSpec, 0, len(csAny))
 	for _, v := range csAny {
 		if m, ok := v.(map[string]interface{}); ok {
@@ -838,14 +852,11 @@ func extractAppCfgCustomSettings(appCfg interface{}, platformKey string) []fleet
 				profSpec.Path = path
 			}
 
-			// extract the Labels field, labels are cleared if not provided
-			if labels, ok := m["labels"].([]interface{}); ok {
-				for _, label := range labels {
-					if strLabel, ok := label.(string); ok {
-						profSpec.Labels = append(profSpec.Labels, strLabel)
-					}
-				}
-			}
+			// at this stage we extract and return all supported label fields, the
+			// validations are done later on in the Fleet API endpoint.
+			profSpec.Labels = extractLabelField(m, "labels")
+			profSpec.LabelsIncludeAll = extractLabelField(m, "labels_include_all")
+			profSpec.LabelsExcludeAny = extractLabelField(m, "labels_exclude_any")
 
 			if profSpec.Path != "" {
 				csSpecs = append(csSpecs, profSpec)
diff --git a/server/service/integration_mdm_ddm_test.go b/server/service/integration_mdm_ddm_test.go
index 4034e5540a..34a4956a4d 100644
--- a/server/service/integration_mdm_ddm_test.go
+++ b/server/service/integration_mdm_ddm_test.go
@@ -168,10 +168,10 @@ func (s *integrationMDMTestSuite) TestAppleDDMBatchUpload() {
 	require.Equal(t, "label_2", createResp.Label.Name)
 	lbl2 := createResp.Label.Label
 
-	// Add with labels
+	// Add with the deprecated "labels" and the new LabelsIncludeAll field
 	s.Do("POST", "/api/latest/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
 		{Name: "N5", Contents: decls[5], Labels: []string{lbl1.Name, lbl2.Name}},
-		{Name: "N6", Contents: decls[6], Labels: []string{lbl1.Name}},
+		{Name: "N6", Contents: decls[6], LabelsIncludeAll: []string{lbl1.Name}},
 	}}, http.StatusNoContent)
 
 	s.DoJSON("GET", "/api/latest/fleet/mdm/profiles", &listMDMConfigProfilesRequest{}, http.StatusOK, &resp)
@@ -181,11 +181,11 @@ func (s *integrationMDMTestSuite) TestAppleDDMBatchUpload() {
 	require.Equal(t, "darwin", resp.Profiles[0].Platform)
 	require.Equal(t, "N6", resp.Profiles[1].Name)
 	require.Equal(t, "darwin", resp.Profiles[1].Platform)
-	require.Len(t, resp.Profiles[0].Labels, 2)
-	require.Equal(t, lbl1.Name, resp.Profiles[0].Labels[0].LabelName)
-	require.Equal(t, lbl2.Name, resp.Profiles[0].Labels[1].LabelName)
-	require.Len(t, resp.Profiles[1].Labels, 1)
-	require.Equal(t, lbl1.Name, resp.Profiles[1].Labels[0].LabelName)
+	require.Len(t, resp.Profiles[0].LabelsIncludeAll, 2)
+	require.Equal(t, lbl1.Name, resp.Profiles[0].LabelsIncludeAll[0].LabelName)
+	require.Equal(t, lbl2.Name, resp.Profiles[0].LabelsIncludeAll[1].LabelName)
+	require.Len(t, resp.Profiles[1].LabelsIncludeAll, 1)
+	require.Equal(t, lbl1.Name, resp.Profiles[1].LabelsIncludeAll[0].LabelName)
 }
 
 func (s *integrationMDMTestSuite) TestMDMAppleDeviceManagementRequests() {
diff --git a/server/service/integration_mdm_lifecycle_test.go b/server/service/integration_mdm_lifecycle_test.go
index dfd8bd8eb4..5dce43108d 100644
--- a/server/service/integration_mdm_lifecycle_test.go
+++ b/server/service/integration_mdm_lifecycle_test.go
@@ -519,14 +519,14 @@ func (s *integrationMDMTestSuite) recordAppleHostStatus(
 	require.NoError(t, err)
 	for cmd != nil {
 		var fullCmd micromdm.CommandPayload
-		require.NoError(t, plist.Unmarshal(cmd.Raw, &fullCmd))
 
 		// command uuid is a random value, we only care that's set
-		require.NotEmpty(t, fullCmd.CommandUUID)
-		fullCmd.CommandUUID = ""
+		require.NotEmpty(t, cmd.CommandUUID)
 
 		// strip the signature of the profiles so they can be easily compared
-		if fullCmd.Command.RequestType == "InstallProfile" {
+		if cmd.Command.RequestType == "InstallProfile" {
+			require.NoError(t, plist.Unmarshal(cmd.Raw, &fullCmd))
+			fullCmd.CommandUUID = ""
 			p7, err := pkcs7.Parse(fullCmd.Command.InstallProfile.Payload)
 			require.NoError(t, err)
 			fullCmd.Command.InstallProfile.Payload = p7.Content
diff --git a/server/service/integration_mdm_profiles_test.go b/server/service/integration_mdm_profiles_test.go
index e527fe833b..2b1a9f0dce 100644
--- a/server/service/integration_mdm_profiles_test.go
+++ b/server/service/integration_mdm_profiles_test.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"sort"
 	"strconv"
 	"strings"
 	"testing"
@@ -1080,7 +1081,7 @@ func (s *integrationMDMTestSuite) TestPuppetMatchPreassignProfiles() {
 	s.runWorker()
 
 	// the mdm host has the same profiles (i1, i2, plus fleetd config and disk encryption)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		mdmHost: {
 			{Identifier: "i1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "i2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -1157,7 +1158,7 @@ func (s *integrationMDMTestSuite) TestPuppetMatchPreassignProfiles() {
 	//	mysql.DumpTable(t, q, "host_mdm_apple_profiles")
 	//	return nil
 	//})
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		mdmHost: {
 			{Identifier: "i1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "i2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
@@ -1198,7 +1199,7 @@ func (s *integrationMDMTestSuite) TestPuppetMatchPreassignProfiles() {
 	// and its profiles have been left untouched
 	s.awaitTriggerProfileSchedule(t)
 
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		mdmHost2: {
 			{Identifier: "i1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: "i4", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -1679,50 +1680,106 @@ func (s *integrationMDMTestSuite) TestMDMAppleListConfigProfiles() {
 	})
 }
 
-func (s *integrationMDMTestSuite) TestAppConfigMDMAppleProfiles() {
+func (s *integrationMDMTestSuite) TestAppConfigMDMCustomSettings() {
 	t := s.T()
 
-	// set the macos custom settings fields
+	// set the macos custom settings fields with the deprecated Labels field
 	acResp := appConfigResponse{}
 	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
 		"mdm": {
 		  "macos_settings": {
-		    "custom_settings": [
-		        {"path": "foo", "labels": ["baz"]},
-			{"path": "bar"}
-		    ]
-		  }
+				"custom_settings": [
+					{"path": "foo", "labels": ["baz"]},
+					{"path": "bar"}
+				]
+			}
 		}
   }`), http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
 
 	// check that they are returned by a GET /config
 	acResp = appConfigResponse{}
 	s.DoJSON("GET", "/api/latest/fleet/config", nil, http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
 
-	// patch without specifying the macos custom settings fields and an unrelated
+	// set the windows custom settings fields with included/excluded labels
+	acResp = appConfigResponse{}
+	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
+		"mdm": {
+			"windows_settings": {
+				"custom_settings": [
+					{"path": "foo", "labels_exclude_any": ["x", "y"]},
+					{"path": "bar", "labels_include_all": ["a", "b"]},
+					{"path": "baz", "labels": ["c"]}
+				]
+			}
+		}
+  }`), http.StatusOK, &acResp)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, optjson.SetSlice([]fleet.MDMProfileSpec{{Path: "foo", LabelsExcludeAny: []string{"x", "y"}}, {Path: "bar", LabelsIncludeAll: []string{"a", "b"}}, {Path: "baz", LabelsIncludeAll: []string{"c"}}}), acResp.MDM.WindowsSettings.CustomSettings)
+
+	// check that they are returned by a GET /config
+	acResp = appConfigResponse{}
+	s.DoJSON("GET", "/api/latest/fleet/config", nil, http.StatusOK, &acResp)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, optjson.SetSlice([]fleet.MDMProfileSpec{{Path: "foo", LabelsExcludeAny: []string{"x", "y"}}, {Path: "bar", LabelsIncludeAll: []string{"a", "b"}}, {Path: "baz", LabelsIncludeAll: []string{"c"}}}), acResp.MDM.WindowsSettings.CustomSettings)
+
+	// patch without specifying the windows/macos custom settings fields and an unrelated
 	// field, should not remove them
 	acResp = appConfigResponse{}
 	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
 		"mdm": { "enable_disk_encryption": true }
   }`), http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, optjson.SetSlice([]fleet.MDMProfileSpec{{Path: "foo", LabelsExcludeAny: []string{"x", "y"}}, {Path: "bar", LabelsIncludeAll: []string{"a", "b"}}, {Path: "baz", LabelsIncludeAll: []string{"c"}}}), acResp.MDM.WindowsSettings.CustomSettings)
 
-	// patch with explicitly empty macos custom settings fields, would remove
+	// patch with explicitly empty macos/windows custom settings fields, would remove
 	// them but this is a dry-run
 	acResp = appConfigResponse{}
 	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": { "macos_settings": { "custom_settings": null } }
+		"mdm": {
+			"macos_settings": { "custom_settings": null },
+			"windows_settings": { "custom_settings": null }
+		}
   }`), http.StatusOK, &acResp, "dry_run", "true")
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", LabelsIncludeAll: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, optjson.SetSlice([]fleet.MDMProfileSpec{{Path: "foo", LabelsExcludeAny: []string{"x", "y"}}, {Path: "bar", LabelsIncludeAll: []string{"a", "b"}}, {Path: "baz", LabelsIncludeAll: []string{"c"}}}), acResp.MDM.WindowsSettings.CustomSettings)
 
 	// patch with explicitly empty macos custom settings fields, removes them
 	acResp = appConfigResponse{}
 	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": { "macos_settings": { "custom_settings": null } }
+		"mdm": {
+			"macos_settings": { "custom_settings": null },
+			"windows_settings": { "custom_settings": null }
+		}
   }`), http.StatusOK, &acResp)
 	assert.Empty(t, acResp.MDM.MacOSSettings.CustomSettings)
+	assert.Equal(t, optjson.Slice[fleet.MDMProfileSpec]{Set: true, Value: []fleet.MDMProfileSpec{}}, acResp.MDM.WindowsSettings.CustomSettings)
+
+	// mix of labels fields returns an error
+	res := s.Do("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
+		"mdm": {
+		  "macos_settings": {
+				"custom_settings": [
+					{"path": "foo", "labels": ["a"], "labels_exclude_any": ["b"]}
+				]
+			}
+		}
+  }`), http.StatusUnprocessableEntity)
+	msg := extractServerErrorText(res.Body)
+	require.Contains(t, msg, `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+
+	res = s.Do("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
+		"mdm": {
+		  "windows_settings": {
+				"custom_settings": [
+					{"path": "foo", "labels_include_all": ["a"], "labels_exclude_any": ["b"]}
+				]
+			}
+		}
+  }`), http.StatusUnprocessableEntity)
+	msg = extractServerErrorText(res.Body)
+	require.Contains(t, msg, `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
 }
 
 func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
@@ -1744,7 +1801,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
 		Name: teamName,
 		MDM: fleet.TeamSpecMDM{
 			MacOSSettings: map[string]interface{}{
-				"custom_settings": []map[string]interface{}{{"path": "foo"}, {"path": "bar"}},
+				"custom_settings": []map[string]interface{}{
+					{"path": "foo", "labels": []string{"a", "b"}},
+					{"path": "bar", "labels_exclude_any": []string{"c"}},
+				},
 			},
 		},
 	}}}
@@ -1753,7 +1813,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
 	// retrieving the team returns the custom macos settings
 	var teamResp getTeamResponse
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.Equal(t, []fleet.MDMProfileSpec{{Path: "foo"}, {Path: "bar"}}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
+	require.Equal(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"a", "b"}},
+		{Path: "bar", LabelsExcludeAny: []string{"c"}},
+	}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
 
 	// apply with invalid macos settings subfield should fail
 	teamSpecs = applyTeamSpecsRequest{Specs: []*fleet.TeamSpec{{
@@ -1788,7 +1851,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
 	s.Do("POST", "/api/latest/fleet/spec/teams", teamSpecs, http.StatusOK)
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.Equal(t, []fleet.MDMProfileSpec{{Path: "foo"}, {Path: "bar"}}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
+	require.Equal(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"a", "b"}},
+		{Path: "bar", LabelsExcludeAny: []string{"c"}},
+	}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
 
 	// apply with explicitly empty custom macos settings would clear the existing
 	// settings, but dry-run
@@ -1801,7 +1867,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
 	s.Do("POST", "/api/latest/fleet/spec/teams", teamSpecs, http.StatusOK, "dry_run", "true")
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.Equal(t, []fleet.MDMProfileSpec{{Path: "foo"}, {Path: "bar"}}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
+	require.Equal(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"a", "b"}},
+		{Path: "bar", LabelsExcludeAny: []string{"c"}},
+	}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
 
 	// apply with explicitly empty custom macos settings clears the existing settings
 	teamSpecs = applyTeamSpecsRequest{Specs: []*fleet.TeamSpec{{
@@ -1814,6 +1883,22 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMAppleProfiles() {
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
 	require.Equal(t, []fleet.MDMProfileSpec{}, teamResp.Team.Config.MDM.MacOSSettings.CustomSettings)
+
+	// apply with invalid mix of labels fails
+	teamSpecs = applyTeamSpecsRequest{Specs: []*fleet.TeamSpec{{
+		Name: teamName,
+		MDM: fleet.TeamSpecMDM{
+			MacOSSettings: map[string]interface{}{
+				"custom_settings": []map[string]interface{}{
+					{"path": "bar", "labels": []string{"x"}},
+					{"path": "foo", "labels": []string{"a", "b"}, "labels_include_all": []string{"c"}},
+				},
+			},
+		},
+	}}}
+	res = s.Do("POST", "/api/latest/fleet/spec/teams", teamSpecs, http.StatusUnprocessableEntity)
+	errMsg = extractServerErrorText(res.Body)
+	assert.Contains(t, errMsg, `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
 }
 
 func (s *integrationMDMTestSuite) TestBatchSetMDMAppleProfiles() {
@@ -1998,7 +2083,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	require.Nil(t, h2.TeamID)
 	// run the cron
 	s.awaitTriggerProfileSchedule(t)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "G1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "G2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -2022,7 +2107,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	require.Equal(t, tm1.ID, *h4.TeamID)
 	// run the cron
 	s.awaitTriggerProfileSchedule(t)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h3: {
 			{Identifier: "T1.1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T1.2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -2044,7 +2129,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	var moveHostResp addHostsToTeamResponse
 	s.DoJSON("POST", "/api/v1/fleet/hosts/transfer",
 		addHostsToTeamRequest{TeamID: &tm2.ID, HostIDs: []uint{h1.ID}}, http.StatusOK, &moveHostResp)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "G1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "G2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
@@ -2063,7 +2148,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	// switch a team host (h3) to another team (tm2)
 	s.DoJSON("POST", "/api/v1/fleet/hosts/transfer",
 		addHostsToTeamRequest{TeamID: &tm2.ID, HostIDs: []uint{h3.ID}}, http.StatusOK, &moveHostResp)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h3: {
 			{Identifier: "T1.1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T1.2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
@@ -2082,7 +2167,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	// switch a team host (h4) to no team
 	s.DoJSON("POST", "/api/v1/fleet/hosts/transfer",
 		addHostsToTeamRequest{TeamID: nil, HostIDs: []uint{h4.ID}}, http.StatusOK, &moveHostResp)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h3: {
 			{Identifier: "T1.1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T1.2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
@@ -2107,7 +2192,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	body, headers := generateNewProfileMultipartRequest(t,
 		"some_name", mobileconfigForTest("G3", "G3"), s.token, nil)
 	s.DoRawWithHeaders("POST", "/api/latest/fleet/mdm/apple/profiles", body.Bytes(), http.StatusOK, headers)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h2: {
 			{Identifier: "G1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: "G2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2128,7 +2213,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	body, headers = generateNewProfileMultipartRequest(t,
 		"some_name", mobileconfigForTest("T2.2", "T2.2"), s.token, map[string][]string{"team_id": {fmt.Sprintf("%d", tm2.ID)}})
 	s.DoRawWithHeaders("POST", "/api/latest/fleet/mdm/apple/profiles", body.Bytes(), http.StatusOK, headers)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "T2.1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: "T2.2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -2160,7 +2245,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	var delProfResp deleteMDMAppleConfigProfileResponse
 	s.DoJSON("DELETE", fmt.Sprintf("/api/latest/fleet/mdm/apple/profiles/%d", g1ProfID),
 		deleteMDMAppleConfigProfileRequest{}, http.StatusOK, &delProfResp)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h2: {
 			{Identifier: "G1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "G2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2190,7 +2275,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	require.NotZero(t, tm21ProfID)
 	s.DoJSON("DELETE", fmt.Sprintf("/api/latest/fleet/mdm/apple/profiles/%d", tm21ProfID),
 		deleteMDMAppleConfigProfileRequest{}, http.StatusOK, &delProfResp)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "T2.1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T2.2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2220,7 +2305,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 			},
 		}, http.StatusNoContent)
 
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h2: {
 			{Identifier: "G2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "G2b", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -2249,7 +2334,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 				t23Content,
 			},
 		}, http.StatusNoContent, "team_id", fmt.Sprint(tm2.ID))
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "T2.2", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T2.2b", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
@@ -2290,7 +2375,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 				mobileconfigForTest("T1.3", "T1.3"),
 			},
 		}, http.StatusNoContent, "team_id", fmt.Sprint(tm1.ID))
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "T2.2b", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: "T2.3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2319,7 +2404,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 
 	// delete team 2 (h1 and h3 are part of that team)
 	s.Do("DELETE", fmt.Sprintf("/api/latest/fleet/teams/%d", tm2.ID), nil, http.StatusOK)
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "T2.2b", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
 			{Identifier: "T2.3", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
@@ -2342,7 +2427,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	triggerReconcileProfiles()
 
 	// all profiles now verifying
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "G2b", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: "G4", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2373,7 +2458,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 	require.NoError(t, apple_mdm.VerifyHostMDMProfiles(context.Background(), s.ds, h1, map[string]*fleet.HostMacOSProfile{
 		"G2b": {Identifier: "G2b", DisplayName: "G2b", InstallDate: time.Now()},
 	}))
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: "G2b", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
 			{Identifier: "G4", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2450,7 +2535,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 
 	triggerReconcileProfiles()
 
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2481,7 +2566,7 @@ func (s *integrationMDMTestSuite) TestHostMDMAppleProfilesStatus() {
 		"label_prof": {Identifier: "label_prof", DisplayName: "label_prof", InstallDate: time.Now()},
 	}))
 
-	s.assertHostConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
 		h1: {
 			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
 			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
@@ -2516,10 +2601,36 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 	testTeam, err := s.ds.NewTeam(ctx, &fleet.Team{Name: "TestTeam"})
 	require.NoError(t, err)
 
-	assertAppleProfile := func(filename, name, ident string, teamID uint, labelNames []string, wantStatus int, wantErrMsg string) string {
-		fields := map[string][]string{
-			"labels": labelNames,
+	// NOTE: label names starting with "-" are sent as "labels_excluding_any"
+	// (and the leading "-" is removed from the name). Names starting with
+	// "!" are sent as the deprecated "labels" field (and the "!" is removed).
+	addLabelsFields := func(labelNames []string) map[string][]string {
+		var deprLabels, inclLabels, exclLabels []string
+		for _, lbl := range labelNames {
+			if strings.HasPrefix(lbl, "-") {
+				exclLabels = append(exclLabels, strings.TrimPrefix(lbl, "-"))
+			} else if strings.HasPrefix(lbl, "!") {
+				deprLabels = append(deprLabels, strings.TrimPrefix(lbl, "!"))
+			} else {
+				inclLabels = append(inclLabels, lbl)
+			}
 		}
+
+		fields := make(map[string][]string)
+		if len(deprLabels) > 0 {
+			fields["labels"] = deprLabels
+		}
+		if len(inclLabels) > 0 {
+			fields["labels_include_all"] = inclLabels
+		}
+		if len(exclLabels) > 0 {
+			fields["labels_exclude_any"] = exclLabels
+		}
+		return fields
+	}
+
+	assertAppleProfile := func(filename, name, ident string, teamID uint, labelNames []string, wantStatus int, wantErrMsg string) string {
+		fields := addLabelsFields(labelNames)
 		if teamID > 0 {
 			fields["team_id"] = []string{fmt.Sprintf("%d", teamID)}
 		}
@@ -2542,9 +2653,7 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 		return resp.ProfileUUID
 	}
 	assertAppleDeclaration := func(filename, ident string, teamID uint, labelNames []string, wantStatus int, wantErrMsg string) string {
-		fields := map[string][]string{
-			"labels": labelNames,
-		}
+		fields := addLabelsFields(labelNames)
 		if teamID > 0 {
 			fields["team_id"] = []string{fmt.Sprintf("%d", teamID)}
 		}
@@ -2603,9 +2712,7 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 	}
 
 	assertWindowsProfile := func(filename, locURI string, teamID uint, labelNames []string, wantStatus int, wantErrMsg string) string {
-		fields := map[string][]string{
-			"labels": labelNames,
-		}
+		fields := addLabelsFields(labelNames)
 		if teamID > 0 {
 			fields["team_id"] = []string{fmt.Sprintf("%d", teamID)}
 		}
@@ -2720,35 +2827,17 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 	assertAppleDeclaration("apple-declaration-with-labels.json", "ident-with-labels", 0, []string{"does-not-exist", "foo"}, http.StatusBadRequest, "some or all the labels provided don't exist")
 	assertWindowsProfile("win-profile-with-labels.xml", "./Test", 0, []string{"does-not-exist", "bar"}, http.StatusBadRequest, "some or all the labels provided don't exist")
 
+	// profiles with invalid mix of labels
+	assertAppleProfile("apple-invalid-profile-with-labels.mobileconfig", "apple-invalid-profile-with-labels", "ident-with-labels", 0, []string{"foo", "!bar"}, http.StatusBadRequest, `Only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+	assertAppleDeclaration("apple-invalid-decl-with-labels.json", "ident-decl-with-labels", 0, []string{"foo", "-bar"}, http.StatusBadRequest, `Only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+	assertWindowsProfile("win-invalid-profile-with-labels.xml", "./Test", 0, []string{"-foo", "!bar"}, http.StatusBadRequest, `Only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+
 	// profiles with valid labels
-	uuidAppleWithLabel := assertAppleProfile("apple-profile-with-labels.mobileconfig", "apple-profile-with-labels", "ident-with-labels", 0, []string{"foo"}, http.StatusOK, "")
+	uuidAppleWithLabel := assertAppleProfile("apple-profile-with-labels.mobileconfig", "apple-profile-with-labels", "ident-with-labels", 0, []string{"!foo"}, http.StatusOK, "")
 	uuidAppleDDMWithLabel := createAppleDeclaration("apple-decl-with-labels", "ident-decl-with-labels", 0, []string{"foo"})
-	uuidWindowsWithLabel := assertWindowsProfile("win-profile-with-labels.xml", "./Test", 0, []string{"foo", "bar"}, http.StatusOK, "")
-
-	// verify that the label associations have been created
-	// TODO: update when we have datastore methods to get this data
-	var profileLabels []fleet.ConfigurationProfileLabel
-	mysql.ExecAdhocSQL(t, s.ds, func(q sqlx.ExtContext) error {
-		stmt := `
-		SELECT COALESCE(apple_profile_uuid, windows_profile_uuid) as profile_uuid, label_name, COALESCE(label_id, 0) as label_id
-		FROM mdm_configuration_profile_labels 
-		UNION SELECT apple_declaration_uuid as profile_uuid, label_name, COALESCE(label_id, 0) as label_id
-		FROM mdm_declaration_labels ORDER BY profile_uuid, label_name;`
-		return sqlx.SelectContext(context.Background(), q, &profileLabels, stmt)
-	})
-
-	require.NotEmpty(t, profileLabels)
-	require.Len(t, profileLabels, 4)
-	require.ElementsMatch(
-		t,
-		[]fleet.ConfigurationProfileLabel{
-			{ProfileUUID: uuidAppleWithLabel, LabelName: labelFoo.Name, LabelID: labelFoo.ID},
-			{ProfileUUID: uuidAppleDDMWithLabel, LabelName: labelFoo.Name, LabelID: labelFoo.ID},
-			{ProfileUUID: uuidWindowsWithLabel, LabelName: labelFoo.Name, LabelID: labelFoo.ID},
-			{ProfileUUID: uuidWindowsWithLabel, LabelName: labelBar.Name, LabelID: labelBar.ID},
-		},
-		profileLabels,
-	)
+	uuidWindowsWithLabel := assertWindowsProfile("win-profile-with-labels.xml", "./Test", 0, []string{"-foo", "-bar"}, http.StatusOK, "")
+	uuidAppleDDMTeamWithLabel := createAppleDeclaration("apple-team-decl-with-labels", "ident-team-decl-with-labels", testTeam.ID, []string{"-foo"})
+	uuidWindowsTeamWithLabel := assertWindowsProfile("win-team-profile-with-labels.xml", "./Test", testTeam.ID, []string{"foo", "bar"}, http.StatusOK, "")
 
 	// Windows invalid content
 	body, headers := generateNewProfileMultipartRequest(t, "win.xml", []byte("\x00\x01\x02"), s.token, nil)
@@ -2776,7 +2865,33 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 		{ProfileUUID: teamAppleProfUUID, Platform: "darwin", Name: "apple-team-profile", Identifier: "test-team-ident", TeamID: &testTeam.ID},
 		{ProfileUUID: noTeamWinProfUUID, Platform: "windows", Name: "win-global-profile", TeamID: nil},
 		{ProfileUUID: teamWinProfUUID, Platform: "windows", Name: "win-team-profile", TeamID: &testTeam.ID},
-		{ProfileUUID: uuidAppleDDMWithLabel, Platform: "darwin", Name: "apple-decl-with-labels", Identifier: "ident-decl-with-labels", TeamID: nil, Labels: []fleet.ConfigurationProfileLabel{{LabelID: labelFoo.ID, LabelName: labelFoo.Name}}},
+		{ProfileUUID: uuidAppleDDMWithLabel, Platform: "darwin", Name: "apple-decl-with-labels", Identifier: "ident-decl-with-labels", TeamID: nil,
+			LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
+				{LabelID: labelFoo.ID, LabelName: labelFoo.Name},
+			},
+		},
+		{ProfileUUID: uuidAppleWithLabel, Platform: "darwin", Name: "apple-profile-with-labels", Identifier: "ident-with-labels", TeamID: nil,
+			LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
+				{LabelID: labelFoo.ID, LabelName: labelFoo.Name},
+			},
+		},
+		{ProfileUUID: uuidWindowsWithLabel, Platform: "windows", Name: "win-profile-with-labels", TeamID: nil,
+			LabelsExcludeAny: []fleet.ConfigurationProfileLabel{
+				{LabelID: labelBar.ID, LabelName: labelBar.Name},
+				{LabelID: labelFoo.ID, LabelName: labelFoo.Name},
+			},
+		},
+		{ProfileUUID: uuidAppleDDMTeamWithLabel, Platform: "darwin", Name: "apple-team-decl-with-labels", Identifier: "ident-team-decl-with-labels", TeamID: &testTeam.ID,
+			LabelsExcludeAny: []fleet.ConfigurationProfileLabel{
+				{LabelID: labelFoo.ID, LabelName: labelFoo.Name},
+			},
+		},
+		{ProfileUUID: uuidWindowsTeamWithLabel, Platform: "windows", Name: "win-team-profile-with-labels", TeamID: &testTeam.ID,
+			LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
+				{LabelID: labelBar.ID, LabelName: labelBar.Name},
+				{LabelID: labelFoo.ID, LabelName: labelFoo.Name},
+			},
+		},
 	}
 	for _, prof := range expectedProfiles {
 		var getResp getMDMConfigProfileResponse
@@ -2790,6 +2905,13 @@ func (s *integrationMDMTestSuite) TestMDMConfigProfileCRUD() {
 		}
 		getResp.CreatedAt, getResp.UploadedAt = time.Time{}, time.Time{}
 		getResp.Checksum = nil
+		// sort the labels by name
+		sort.Slice(getResp.LabelsIncludeAll, func(i, j int) bool {
+			return getResp.LabelsIncludeAll[i].LabelName < getResp.LabelsIncludeAll[j].LabelName
+		})
+		sort.Slice(getResp.LabelsExcludeAny, func(i, j int) bool {
+			return getResp.LabelsExcludeAny[i].LabelName < getResp.LabelsExcludeAny[j].LabelName
+		})
 		require.Equal(t, prof, *getResp.MDMConfigProfilePayload)
 
 		resp := s.Do("GET", fmt.Sprintf("/api/latest/fleet/configuration_profiles/%s", prof.ProfileUUID), nil, http.StatusOK, "alt", "media")
@@ -2927,27 +3049,32 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 		}
 	}
 
+	lblFoo, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "foo", Query: "select 1"})
+	require.NoError(t, err)
+	lblBar, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "bar", Query: "select 1"})
+	require.NoError(t, err)
+
 	// create a couple profiles (Win and mac) for team 2, and none for team 3
 	tprof, err := fleet.NewMDMAppleConfigProfile(mcBytesForTest("tF", "tF.identifier", "tF.uuid"), nil)
 	require.NoError(t, err)
 	tprof.TeamID = &tm2.ID
+	// make tm2ProfF a "exclude-any" label-based profile
+	tprof.LabelsExcludeAny = []fleet.ConfigurationProfileLabel{
+		{LabelID: lblFoo.ID, LabelName: lblFoo.Name},
+		{LabelID: lblBar.ID, LabelName: lblBar.Name},
+	}
 	tm2ProfF, err := s.ds.NewMDMAppleConfigProfile(ctx, *tprof)
 	require.NoError(t, err)
 	// checksum is not returned by New..., so compute it manually
 	checkSum := md5.Sum(tm2ProfF.Mobileconfig) // nolint:gosec // used only for test
 	tm2ProfF.Checksum = checkSum[:]
 
-	// make tm2ProfG a label-based profile
-	lblFoo, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "foo", Query: "select 1"})
-	require.NoError(t, err)
-	lblBar, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "bar", Query: "select 1"})
-	require.NoError(t, err)
-
+	// make tm2ProfG a "include-all" label-based profile
 	tm2ProfG, err := s.ds.NewMDMWindowsConfigProfile(ctx, fleet.MDMWindowsConfigProfile{
 		Name:   "tG",
 		TeamID: &tm2.ID,
 		SyncML: []byte(`<Add></Add>`),
-		Labels: []fleet.ConfigurationProfileLabel{
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
 			{LabelID: lblFoo.ID, LabelName: lblFoo.Name},
 			{LabelID: lblBar.ID, LabelName: lblBar.Name},
 		},
@@ -2973,7 +3100,11 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 		Platform:    "darwin",
 		Identifier:  tm2ProfF.Identifier,
 		Checksum:    tm2ProfF.Checksum,
-		Labels:      nil,
+		// labels are ordered by name
+		LabelsExcludeAny: []fleet.ConfigurationProfileLabel{
+			{LabelID: lblBar.ID, LabelName: lblBar.Name},
+			{LabelID: 0, LabelName: lblFoo.Name, Broken: true},
+		},
 	}, listResp.Profiles[0])
 	require.Equal(t, &fleet.MDMConfigProfilePayload{
 		ProfileUUID: tm2ProfG.ProfileUUID,
@@ -2981,13 +3112,13 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 		Name:        tm2ProfG.Name,
 		Platform:    "windows",
 		// labels are ordered by name
-		Labels: []fleet.ConfigurationProfileLabel{
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
 			{LabelID: lblBar.ID, LabelName: lblBar.Name},
 			{LabelID: 0, LabelName: lblFoo.Name, Broken: true},
 		},
 	}, listResp.Profiles[1])
 
-	// get the specific label-based profile returns the information
+	// get the specific include-all label-based profile returns the information
 	var getProfResp getMDMConfigProfileResponse
 	s.DoJSON("GET", "/api/latest/fleet/mdm/profiles/"+tm2ProfG.ProfileUUID, nil, http.StatusOK, &getProfResp)
 	getProfResp.CreatedAt, getProfResp.UploadedAt = time.Time{}, time.Time{}
@@ -2997,13 +3128,13 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 		Name:        tm2ProfG.Name,
 		Platform:    "windows",
 		// labels are ordered by name
-		Labels: []fleet.ConfigurationProfileLabel{
+		LabelsIncludeAll: []fleet.ConfigurationProfileLabel{
 			{LabelID: lblBar.ID, LabelName: lblBar.Name},
 			{LabelID: 0, LabelName: lblFoo.Name, Broken: true},
 		},
 	}, getProfResp.MDMConfigProfilePayload)
 
-	// get the non label-based profile returns no labels
+	// get the specific exclude-any label-based profile returns the information
 	getProfResp = getMDMConfigProfileResponse{}
 	s.DoJSON("GET", "/api/latest/fleet/mdm/profiles/"+tm2ProfF.ProfileUUID, nil, http.StatusOK, &getProfResp)
 	getProfResp.CreatedAt, getProfResp.UploadedAt = time.Time{}, time.Time{}
@@ -3014,7 +3145,11 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 		Platform:    "darwin",
 		Identifier:  tm2ProfF.Identifier,
 		Checksum:    tm2ProfF.Checksum,
-		Labels:      nil,
+		// labels are ordered by name
+		LabelsExcludeAny: []fleet.ConfigurationProfileLabel{
+			{LabelID: lblBar.ID, LabelName: lblBar.Name},
+			{LabelID: 0, LabelName: lblFoo.Name, Broken: true},
+		},
 	}, getProfResp.MDMConfigProfilePayload)
 
 	// list for a non-existing team returns 404
@@ -3094,9 +3229,14 @@ func (s *integrationMDMTestSuite) TestListMDMConfigProfiles() {
 				for i, p := range listResp.Profiles {
 					gotNames[i] = p.Name
 					if p.Name == "tG" {
-						require.Len(t, p.Labels, 2)
+						require.Len(t, p.LabelsIncludeAll, 2)
 					} else {
-						require.Nil(t, p.Labels)
+						require.Nil(t, p.LabelsIncludeAll)
+					}
+					if p.Name == "tF" {
+						require.Len(t, p.LabelsExcludeAny, 2)
+					} else {
+						require.Nil(t, p.LabelsExcludeAny)
 					}
 					if c.teamID == nil {
 						// we set it to 0 for global
@@ -3523,52 +3663,6 @@ func (s *integrationMDMTestSuite) TestWindowsProfileManagement() {
 	require.Contains(t, errMsg, "Profile is not compatible with host platform")
 }
 
-func (s *integrationMDMTestSuite) TestAppConfigMDMWindowsProfiles() {
-	t := s.T()
-
-	// set the windows custom settings fields
-	acResp := appConfigResponse{}
-	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": {
-		  "windows_settings": {
-		    "custom_settings": [
-		        {"path": "foo", "labels": ["baz"]},
-			{"path": "bar"}
-		    ]
-		  }
-		}
-  }`), http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.WindowsSettings.CustomSettings.Value)
-
-	// check that they are returned by a GET /config
-	acResp = appConfigResponse{}
-	s.DoJSON("GET", "/api/latest/fleet/config", nil, http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.WindowsSettings.CustomSettings.Value)
-
-	// patch without specifying the windows custom settings fields and an unrelated
-	// field, should not remove them
-	acResp = appConfigResponse{}
-	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": { "enable_disk_encryption": true }
-  }`), http.StatusOK, &acResp)
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.WindowsSettings.CustomSettings.Value)
-
-	// patch with explicitly empty windows custom settings fields, would remove
-	// them but this is a dry-run
-	acResp = appConfigResponse{}
-	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": { "windows_settings": { "custom_settings": null } }
-  }`), http.StatusOK, &acResp, "dry_run", "true")
-	assert.Equal(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, acResp.MDM.WindowsSettings.CustomSettings.Value)
-
-	// patch with explicitly empty windows custom settings fields, removes them
-	acResp = appConfigResponse{}
-	s.DoJSON("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
-		"mdm": { "windows_settings": { "custom_settings": null } }
-  }`), http.StatusOK, &acResp)
-	assert.Empty(t, acResp.MDM.WindowsSettings.CustomSettings.Value)
-}
-
 func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 	t := s.T()
 
@@ -3591,12 +3685,12 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 	var applyResp applyTeamSpecsResponse
 	s.DoJSON("POST", "/api/latest/fleet/spec/teams", rawTeamSpec(`
 		{
-		  "windows_settings": {
-		    "custom_settings": [
-		       {"path": "foo", "labels": ["baz"]},
-		       {"path": "bar"}
-		    ]
-		  }
+			"windows_settings": {
+				"custom_settings": [
+					{"path": "foo", "labels": ["baz"]},
+					{"path": "bar", "labels_exclude_any": ["x", "y"]}
+				]
+			}
 		}
 	`), http.StatusOK, &applyResp)
 	require.Len(t, applyResp.TeamIDsByName, 1)
@@ -3604,7 +3698,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 	// check that they are returned by a GET /config
 	var teamResp getTeamResponse
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.ElementsMatch(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
+	require.ElementsMatch(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"baz"}},
+		{Path: "bar", LabelsExcludeAny: []string{"x", "y"}},
+	}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
 
 	// patch without specifying the windows custom settings fields and an unrelated
 	// field, should not remove them
@@ -3615,7 +3712,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 	// check that they are returned by a GET /config
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.ElementsMatch(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
+	require.ElementsMatch(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"baz"}},
+		{Path: "bar", LabelsExcludeAny: []string{"x", "y"}},
+	}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
 
 	// patch with explicitly empty windows custom settings fields, would remove
 	// them but this is a dry-run
@@ -3627,7 +3727,10 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
-	require.ElementsMatch(t, []fleet.MDMProfileSpec{{Path: "foo", Labels: []string{"baz"}}, {Path: "bar"}}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
+	require.ElementsMatch(t, []fleet.MDMProfileSpec{
+		{Path: "foo", LabelsIncludeAll: []string{"baz"}},
+		{Path: "bar", LabelsExcludeAny: []string{"x", "y"}},
+	}, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
 
 	// patch with explicitly empty windows custom settings fields, removes them
 	applyResp = applyTeamSpecsResponse{}
@@ -3639,6 +3742,19 @@ func (s *integrationMDMTestSuite) TestApplyTeamsMDMWindowsProfiles() {
 	teamResp = getTeamResponse{}
 	s.DoJSON("GET", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), nil, http.StatusOK, &teamResp)
 	require.Empty(t, teamResp.Team.Config.MDM.WindowsSettings.CustomSettings.Value)
+
+	// apply with invalid mix of labels fails
+	res := s.Do("POST", "/api/latest/fleet/spec/teams", rawTeamSpec(`
+		{
+			"windows_settings": {
+				"custom_settings": [
+					{"path": "foo", "labels": ["a"], "labels_include_all": ["b"]}
+				]
+			}
+		}
+	`), http.StatusUnprocessableEntity)
+	errMsg := extractServerErrorText(res.Body)
+	assert.Contains(t, errMsg, `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
 }
 
 func (s *integrationMDMTestSuite) TestBatchSetMDMProfiles() {
@@ -3812,13 +3928,83 @@ func (s *integrationMDMTestSuite) TestBatchSetMDMProfiles() {
 		fmt.Sprintf(`{"team_id": %d, "team_name": %q}`, tm.ID, tm.Name),
 		0,
 	)
-
 	s.lastActivityOfTypeMatches(
 		fleet.ActivityTypeEditedDeclarationProfile{}.ActivityName(),
 		fmt.Sprintf(`{"team_id": %d, "team_name": %q}`, tm.ID, tm.Name),
 		0,
 	)
 
+	// batch-apply profiles with labels
+	lbl1, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "L1", Query: "select 1;"})
+	require.NoError(t, err)
+	lbl2, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "L2", Query: "select 1;"})
+	require.NoError(t, err)
+	lbl3, err := s.ds.NewLabel(ctx, &fleet.Label{Name: "L3", Query: "select 1;"})
+	require.NoError(t, err)
+
+	// attempt with an invalid label name
+	res = s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "N1", Contents: mobileconfigForTest("N1", "I1"), Labels: []string{lbl1.Name, "no-such-label"}},
+	}}, http.StatusBadRequest)
+	msg := extractServerErrorText(res.Body)
+	require.Contains(t, msg, "some or all the labels provided don't exist")
+
+	// mix of labels fields
+	res = s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "N1", Contents: mobileconfigForTest("N1", "I1"), Labels: []string{lbl1.Name}, LabelsExcludeAny: []string{lbl2.Name}},
+	}}, http.StatusUnprocessableEntity)
+	msg = extractServerErrorText(res.Body)
+	require.Contains(t, msg, `For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+
+	// successful batch-set
+	s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "N1", Contents: mobileconfigForTest("N1", "I1"), Labels: []string{lbl1.Name, lbl2.Name}},
+		{Name: "N2", Contents: syncMLForTest("./Foo/Bar"), LabelsIncludeAll: []string{lbl1.Name}},
+		{Name: "N4", Contents: declarationForTest("D1"), LabelsExcludeAny: []string{lbl2.Name}},
+	}}, http.StatusNoContent)
+
+	// confirm expected results
+	var listResp listMDMConfigProfilesResponse
+	s.DoJSON("GET", "/api/latest/fleet/configuration_profiles", nil, http.StatusOK, &listResp)
+	require.Len(t, listResp.Profiles, 3)
+	require.Equal(t, "N1", listResp.Profiles[0].Name)
+	require.Equal(t, "N2", listResp.Profiles[1].Name)
+	require.Equal(t, "N4", listResp.Profiles[2].Name)
+	require.Equal(t, listResp.Profiles[0].LabelsIncludeAll, []fleet.ConfigurationProfileLabel{
+		{LabelID: lbl1.ID, LabelName: lbl1.Name},
+		{LabelID: lbl2.ID, LabelName: lbl2.Name},
+	})
+	require.Nil(t, listResp.Profiles[0].LabelsExcludeAny)
+	require.Equal(t, listResp.Profiles[1].LabelsIncludeAll, []fleet.ConfigurationProfileLabel{
+		{LabelID: lbl1.ID, LabelName: lbl1.Name},
+	})
+	require.Nil(t, listResp.Profiles[1].LabelsExcludeAny)
+	require.Equal(t, listResp.Profiles[2].LabelsExcludeAny, []fleet.ConfigurationProfileLabel{
+		{LabelID: lbl2.ID, LabelName: lbl2.Name},
+	})
+	require.Nil(t, listResp.Profiles[2].LabelsIncludeAll)
+
+	// successful batch-set that updates some labels
+	s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "N1", Contents: mobileconfigForTest("N1", "I1"), LabelsExcludeAny: []string{lbl1.Name, lbl3.Name}},
+		{Name: "N2", Contents: syncMLForTest("./Foo/Bar"), LabelsIncludeAll: []string{lbl2.Name}},
+	}}, http.StatusNoContent)
+
+	listResp = listMDMConfigProfilesResponse{}
+	s.DoJSON("GET", "/api/latest/fleet/configuration_profiles", nil, http.StatusOK, &listResp)
+	require.Len(t, listResp.Profiles, 2)
+	require.Equal(t, "N1", listResp.Profiles[0].Name)
+	require.Equal(t, "N2", listResp.Profiles[1].Name)
+	require.Equal(t, listResp.Profiles[0].LabelsExcludeAny, []fleet.ConfigurationProfileLabel{
+		{LabelID: lbl1.ID, LabelName: lbl1.Name},
+		{LabelID: lbl3.ID, LabelName: lbl3.Name},
+	})
+	require.Nil(t, listResp.Profiles[0].LabelsIncludeAll)
+	require.Equal(t, listResp.Profiles[1].LabelsIncludeAll, []fleet.ConfigurationProfileLabel{
+		{LabelID: lbl2.ID, LabelName: lbl2.Name},
+	})
+	require.Nil(t, listResp.Profiles[1].LabelsExcludeAny)
+
 	// names cannot be duplicated across platforms
 	declBytes := json.RawMessage(`{
 	"Type": "com.apple.configuration.decl.foo",
@@ -4351,3 +4537,271 @@ func (s *integrationMDMTestSuite) TestMDMAppleConfigProfileCRUD() {
 	deleteResp = deleteMDMAppleConfigProfileResponse{}
 	s.DoJSON("DELETE", deletePath, nil, http.StatusBadRequest, &deleteResp)
 }
+
+func (s *integrationMDMTestSuite) TestHostMDMProfilesExcludeLabels() {
+	t := s.T()
+	ctx := context.Background()
+
+	triggerReconcileProfiles := func() {
+		s.awaitTriggerProfileSchedule(t)
+		// this will only mark them as "pending", as the response to confirm
+		// profile deployment is asynchronous, so we simulate it here by
+		// updating any "pending" (not NULL) profiles to "verifying"
+		mysql.ExecAdhocSQL(t, s.ds, func(q sqlx.ExtContext) error {
+			if _, err := q.ExecContext(ctx, `UPDATE host_mdm_apple_profiles SET status = ? WHERE status = ?`, fleet.OSSettingsVerifying, fleet.OSSettingsPending); err != nil {
+				return err
+			}
+			if _, err := q.ExecContext(ctx, `UPDATE host_mdm_apple_declarations SET status = ? WHERE status = ?`, fleet.OSSettingsVerifying, fleet.OSSettingsPending); err != nil {
+				return err
+			}
+			if _, err := q.ExecContext(ctx, `UPDATE host_mdm_windows_profiles SET status = ? WHERE status = ?`, fleet.OSSettingsVerifying, fleet.OSSettingsPending); err != nil {
+				return err
+			}
+			return nil
+		})
+	}
+
+	// run the crons immediately, will create the Fleet-controlled profiles that
+	// will then be expected to be applied (e.g. com.fleetdm.fleetd.config and
+	// com.fleetdm.caroot)
+	// first create the no-team enroll secret (required to create the fleet profiles)
+	var applyResp applyEnrollSecretSpecResponse
+	s.DoJSON("POST", "/api/latest/fleet/spec/enroll_secret",
+		applyEnrollSecretSpecRequest{
+			Spec: &fleet.EnrollSecretSpec{Secrets: []*fleet.EnrollSecret{{Secret: "super-global-secret"}}},
+		}, http.StatusOK, &applyResp)
+	s.awaitTriggerProfileSchedule(t)
+
+	// create an Apple and a Windows host
+	appleHost, _ := createHostThenEnrollMDM(s.ds, s.server.URL, t)
+	windowsHost, _ := createWindowsHostThenEnrollMDM(s.ds, s.server.URL, t)
+
+	// create a few labels
+	labels := make([]*fleet.Label, 5)
+	for i := 0; i < len(labels); i++ {
+		label, err := s.ds.NewLabel(ctx, &fleet.Label{Name: fmt.Sprintf("label-%d", i), Query: "select 1;"})
+		require.NoError(t, err)
+		labels[i] = label
+	}
+
+	// set an Apple profile and declaration and a Windows profile
+	s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "A1", Contents: mobileconfigForTest("A1", "A1"), LabelsExcludeAny: []string{labels[0].Name, labels[1].Name}},
+		{Name: "W2", Contents: syncMLForTest("./Foo/W2"), LabelsExcludeAny: []string{labels[2].Name, labels[3].Name}},
+		{Name: "D3", Contents: declarationForTest("D3"), LabelsExcludeAny: []string{labels[4].Name}},
+	}}, http.StatusNoContent)
+
+	// hosts are not members of any label yet, so running the cron applies the labels
+	s.awaitTriggerProfileSchedule(t)
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+		},
+	})
+
+	// simulate the reconcile profiles deployment
+	triggerReconcileProfiles()
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+
+	// mark some profiles as verified (despite accepting a HostMacOSProfile struct, it supports Windows too)
+	err := apple_mdm.VerifyHostMDMProfiles(ctx, s.ds, appleHost, map[string]*fleet.HostMacOSProfile{
+		"A1": {Identifier: "A1", DisplayName: "A1", InstallDate: time.Now()},
+	})
+	require.NoError(t, err)
+	err = apple_mdm.VerifyHostMDMProfiles(ctx, s.ds, windowsHost, map[string]*fleet.HostMacOSProfile{
+		"W2": {Identifier: "W2", DisplayName: "W2", InstallDate: time.Now()},
+	})
+	require.NoError(t, err)
+
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+		},
+	})
+
+	// make hosts members of labels [1], [2], [3] and [4], meaning that none of the profiles apply anymore
+	err = s.ds.AsyncBatchInsertLabelMembership(ctx, [][2]uint{
+		{labels[1].ID, appleHost.ID},
+		{labels[2].ID, appleHost.ID},
+		{labels[3].ID, appleHost.ID},
+		{labels[4].ID, appleHost.ID},
+		{labels[1].ID, windowsHost.ID},
+		{labels[2].ID, windowsHost.ID},
+		{labels[3].ID, windowsHost.ID},
+		{labels[4].ID, windowsHost.ID},
+	})
+	require.NoError(t, err)
+
+	s.awaitTriggerProfileSchedule(t)
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	// windows profiles go straight to removed without getting deleted on the host
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {},
+	})
+
+	// remove membership of labels [2] for Windows, and [4] for Apple, meaning
+	// that only D3 will be installed on Apple (as the Windows host is still
+	// member of an excluded label)
+	err = s.ds.AsyncBatchDeleteLabelMembership(ctx, [][2]uint{
+		{labels[4].ID, appleHost.ID},
+		{labels[2].ID, windowsHost.ID},
+	})
+	require.NoError(t, err)
+
+	s.awaitTriggerProfileSchedule(t)
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {},
+	})
+
+	// remove label [3] as an excluded label for the Windows profile, meaning
+	// that the host now meets the requirement to install.
+	s.Do("POST", "/api/v1/fleet/mdm/profiles/batch", batchSetMDMProfilesRequest{Profiles: []fleet.MDMProfileBatchPayload{
+		{Name: "A1", Contents: mobileconfigForTest("A1", "A1"), LabelsExcludeAny: []string{labels[0].Name, labels[1].Name}},
+		{Name: "W2", Contents: syncMLForTest("./Foo/W2"), LabelsExcludeAny: []string{labels[2].Name}},
+		{Name: "D3", Contents: declarationForTest("D3"), LabelsExcludeAny: []string{labels[4].Name}},
+	}}, http.StatusNoContent)
+
+	s.awaitTriggerProfileSchedule(t)
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "A1", OperationType: fleet.MDMOperationTypeRemove, Status: &fleet.MDMDeliveryPending},
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryPending},
+		},
+	})
+
+	// simulate the reconcile profiles deployment and mark as verified
+	triggerReconcileProfiles()
+	err = apple_mdm.VerifyHostMDMProfiles(ctx, s.ds, windowsHost, map[string]*fleet.HostMacOSProfile{
+		"W2": {Identifier: "W2", DisplayName: "W2", InstallDate: time.Now()},
+	})
+	require.NoError(t, err)
+
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+		},
+	})
+
+	// break the A1 profile by deleting labels [1]
+	err = s.ds.DeleteLabel(ctx, labels[1].Name)
+	require.NoError(t, err)
+
+	// it doesn't get installed to the Apple host, as it is broken
+	triggerReconcileProfiles()
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+		},
+	})
+
+	// it also doesn't get installed to a new host not a member of any labels
+	appleHost2, _ := createHostThenEnrollMDM(s.ds, s.server.URL, t)
+	triggerReconcileProfiles()
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+		appleHost2: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+		},
+	})
+
+	// delete labels [2] and [4], breaking D3 and W2, they don't get removed
+	// since they are broken
+	err = s.ds.DeleteLabel(ctx, labels[2].Name)
+	require.NoError(t, err)
+	err = s.ds.DeleteLabel(ctx, labels[4].Name)
+	require.NoError(t, err)
+
+	triggerReconcileProfiles()
+	s.assertHostAppleConfigProfiles(map[*fleet.Host][]fleet.HostMDMAppleProfile{
+		appleHost: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+		appleHost2: {
+			{Identifier: "D3", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetdConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+			{Identifier: mobileconfig.FleetCARootConfigPayloadIdentifier, OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerifying},
+		},
+	})
+	s.assertHostWindowsConfigProfiles(map[*fleet.Host][]fleet.HostMDMWindowsProfile{
+		windowsHost: {
+			{Name: "W2", OperationType: fleet.MDMOperationTypeInstall, Status: &fleet.MDMDeliveryVerified},
+		},
+	})
+}
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index bd909f0102..b62bbaab4b 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -217,12 +217,20 @@ func (s *integrationMDMTestSuite) SetupSuite() {
 						schedule.WithLogger(logger),
 						schedule.WithJob("manage_apple_profiles", func(ctx context.Context) error {
 							if s.onProfileJobDone != nil {
-								s.onProfileJobDone()
+								defer s.onProfileJobDone()
 							}
 							err = ReconcileAppleProfiles(ctx, ds, mdmCommander, logger)
 							require.NoError(s.T(), err)
 							return err
 						}),
+						schedule.WithJob("manage_apple_declarations", func(ctx context.Context) error {
+							if s.onProfileJobDone != nil {
+								defer s.onProfileJobDone()
+							}
+							err = ReconcileAppleDeclarations(ctx, ds, mdmCommander, logger)
+							require.NoError(s.T(), err)
+							return err
+						}),
 						schedule.WithJob("manage_windows_profiles", func(ctx context.Context) error {
 							if s.onProfileJobDone != nil {
 								defer s.onProfileJobDone()
@@ -430,9 +438,9 @@ func (s *integrationMDMTestSuite) mockDEPResponse(handler http.Handler) {
 }
 
 func (s *integrationMDMTestSuite) awaitTriggerProfileSchedule(t *testing.T) {
-	// two jobs running sequentially (macOS then Windows) on the same schedule
+	// three jobs running sequentially (macOS profiles and declarations, then Windows) on the same schedule
 	var wg sync.WaitGroup
-	wg.Add(2)
+	wg.Add(3)
 	s.onProfileJobDone = wg.Done
 	_, err := s.profileSchedule.Trigger()
 	require.NoError(t, err)
@@ -658,13 +666,13 @@ func checkNextPayloads(t *testing.T, mdmDevice *mdmtest.TestAppleMDMClient, forc
 	require.NoError(t, err)
 	for cmd != nil {
 		var fullCmd micromdm.CommandPayload
-		require.NoError(t, plist.Unmarshal(cmd.Raw, &fullCmd))
 		switch cmd.Command.RequestType {
 		case "InstallProfile":
+			require.NoError(t, plist.Unmarshal(cmd.Raw, &fullCmd))
 			installs = append(installs, fullCmd.Command.InstallProfile.Payload)
 		case "RemoveProfile":
+			require.NoError(t, plist.Unmarshal(cmd.Raw, &fullCmd))
 			removes = append(removes, fullCmd.Command.RemoveProfile.Identifier)
-
 		}
 
 		if forceDeviceErr {
@@ -2114,7 +2122,6 @@ func (s *integrationMDMTestSuite) TestTeamsMDMAppleDiskEncryption() {
 	s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), fleet.TeamPayload{
 		MDM: &fleet.TeamPayloadMDM{
 			EnableDiskEncryption: optjson.SetBool(true),
-			MacOSSettings:        &fleet.MacOSSettings{},
 		},
 	}, http.StatusOK, &modResp)
 	require.True(t, modResp.Team.Config.MDM.EnableDiskEncryption)
@@ -3958,7 +3965,7 @@ func (s *integrationMDMTestSuite) TestMacosSetupAssistant() {
 }
 
 // only asserts the profile identifier, status and operation (per host)
-func (s *integrationMDMTestSuite) assertHostConfigProfiles(want map[*fleet.Host][]fleet.HostMDMAppleProfile) {
+func (s *integrationMDMTestSuite) assertHostAppleConfigProfiles(want map[*fleet.Host][]fleet.HostMDMAppleProfile) {
 	t := s.T()
 	ds := s.ds
 	ctx := context.Background()
@@ -3966,7 +3973,11 @@ func (s *integrationMDMTestSuite) assertHostConfigProfiles(want map[*fleet.Host]
 	for h, wantProfs := range want {
 		gotProfs, err := ds.GetHostMDMAppleProfiles(ctx, h.UUID)
 		require.NoError(t, err)
-		require.Equal(t, len(wantProfs), len(gotProfs), "host uuid: %s", h.UUID)
+		idents := make([]string, 0, len(gotProfs))
+		for _, gp := range gotProfs {
+			idents = append(idents, gp.Identifier)
+		}
+		require.Equal(t, len(wantProfs), len(gotProfs), "apple host uuid: %s, profiles: %v", h.UUID, idents)
 
 		sort.Slice(gotProfs, func(i, j int) bool {
 			l, r := gotProfs[i], gotProfs[j]
@@ -3985,6 +3996,34 @@ func (s *integrationMDMTestSuite) assertHostConfigProfiles(want map[*fleet.Host]
 	}
 }
 
+// only asserts the profile name, status and operation (per host)
+func (s *integrationMDMTestSuite) assertHostWindowsConfigProfiles(want map[*fleet.Host][]fleet.HostMDMWindowsProfile) {
+	t := s.T()
+	ds := s.ds
+	ctx := context.Background()
+
+	for h, wantProfs := range want {
+		gotProfs, err := ds.GetHostMDMWindowsProfiles(ctx, h.UUID)
+		require.NoError(t, err)
+		require.Equal(t, len(wantProfs), len(gotProfs), "host uuid: %s", h.UUID)
+
+		sort.Slice(gotProfs, func(i, j int) bool {
+			l, r := gotProfs[i], gotProfs[j]
+			return l.Name < r.Name
+		})
+		sort.Slice(wantProfs, func(i, j int) bool {
+			l, r := wantProfs[i], wantProfs[j]
+			return l.Name < r.Name
+		})
+		for i, wp := range wantProfs {
+			gp := gotProfs[i]
+			require.Equal(t, wp.Name, gp.Name, "host uuid: %s, prof id: %s", h.UUID, gp.Name)
+			require.Equal(t, wp.OperationType, gp.OperationType, "host uuid: %s, prof id: %s", h.UUID, gp.Name)
+			require.Equal(t, wp.Status, gp.Status, "host uuid: %s, prof id: %s", h.UUID, gp.Name)
+		}
+	}
+}
+
 func (s *integrationMDMTestSuite) assertConfigProfilesByIdentifier(teamID *uint, profileIdent string, exists bool) (profile *fleet.MDMAppleConfigProfile) {
 	t := s.T()
 	if teamID == nil {
diff --git a/server/service/mdm.go b/server/service/mdm.go
index 4c74601bc0..433fc1bc08 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@@ -1194,9 +1194,10 @@ func isAppleDeclarationUUID(profileUUID string) bool {
 ////////////////////////////////////////////////////////////////////////////////
 
 type newMDMConfigProfileRequest struct {
-	TeamID  uint
-	Profile *multipart.FileHeader
-	Labels  []string
+	TeamID           uint
+	Profile          *multipart.FileHeader
+	LabelsIncludeAll []string
+	LabelsExcludeAny []string
 }
 
 func (newMDMConfigProfileRequest) DecodeRequest(ctx context.Context, r *http.Request) (interface{}, error) {
@@ -1235,7 +1236,25 @@ func (newMDMConfigProfileRequest) DecodeRequest(ctx context.Context, r *http.Req
 	}
 
 	// add labels
-	decoded.Labels = r.MultipartForm.Value["labels"]
+	var existsIncl, existsExcl, existsDepr bool
+	var deprecatedLabels []string
+	decoded.LabelsIncludeAll, existsIncl = r.MultipartForm.Value["labels_include_all"]
+	decoded.LabelsExcludeAny, existsExcl = r.MultipartForm.Value["labels_exclude_any"]
+	deprecatedLabels, existsDepr = r.MultipartForm.Value["labels"]
+
+	// validate that only one of the labels type is provided
+	var count int
+	for _, b := range []bool{existsIncl, existsExcl, existsDepr} {
+		if b {
+			count++
+		}
+	}
+	if count > 1 {
+		return nil, &fleet.BadRequestError{Message: `Only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`}
+	}
+	if existsDepr {
+		decoded.LabelsIncludeAll = deprecatedLabels
+	}
 
 	return &decoded, nil
 }
@@ -1260,10 +1279,18 @@ func newMDMConfigProfileEndpoint(ctx context.Context, request interface{}, svc f
 	profileName := strings.TrimSuffix(filepath.Base(req.Profile.Filename), fileExt)
 	isMobileConfig := strings.EqualFold(fileExt, ".mobileconfig")
 	isJSON := strings.EqualFold(fileExt, ".json")
+
+	labels := req.LabelsIncludeAll
+	excludeMode := false
+	if len(req.LabelsExcludeAny) > 0 {
+		labels = req.LabelsExcludeAny
+		excludeMode = true
+	}
+
 	if isMobileConfig || isJSON {
 		// Then it's an Apple configuration file
 		if isJSON {
-			decl, err := svc.NewMDMAppleDeclaration(ctx, req.TeamID, ff, req.Labels, profileName)
+			decl, err := svc.NewMDMAppleDeclaration(ctx, req.TeamID, ff, labels, profileName, excludeMode)
 			if err != nil {
 				return &newMDMConfigProfileResponse{Err: err}, nil
 			}
@@ -1274,7 +1301,7 @@ func newMDMConfigProfileEndpoint(ctx context.Context, request interface{}, svc f
 
 		}
 
-		cp, err := svc.NewMDMAppleConfigProfile(ctx, req.TeamID, ff, req.Labels)
+		cp, err := svc.NewMDMAppleConfigProfile(ctx, req.TeamID, ff, labels, excludeMode)
 		if err != nil {
 			return &newMDMConfigProfileResponse{Err: err}, nil
 		}
@@ -1284,7 +1311,7 @@ func newMDMConfigProfileEndpoint(ctx context.Context, request interface{}, svc f
 	}
 
 	if isWindows := strings.EqualFold(fileExt, ".xml"); isWindows {
-		cp, err := svc.NewMDMWindowsConfigProfile(ctx, req.TeamID, profileName, ff, req.Labels)
+		cp, err := svc.NewMDMWindowsConfigProfile(ctx, req.TeamID, profileName, ff, labels, excludeMode)
 		if err != nil {
 			return &newMDMConfigProfileResponse{Err: err}, nil
 		}
@@ -1308,7 +1335,7 @@ func (svc *Service) NewMDMUnsupportedConfigProfile(ctx context.Context, teamID u
 	return &fleet.BadRequestError{Message: "Couldn't add profile. The file should be a .mobileconfig, XML, or JSON file."}
 }
 
-func (svc *Service) NewMDMWindowsConfigProfile(ctx context.Context, teamID uint, profileName string, r io.Reader, labels []string) (*fleet.MDMWindowsConfigProfile, error) {
+func (svc *Service) NewMDMWindowsConfigProfile(ctx context.Context, teamID uint, profileName string, r io.Reader, labels []string, labelsExcludeMode bool) (*fleet.MDMWindowsConfigProfile, error) {
 	if err := svc.authz.Authorize(ctx, &fleet.MDMConfigProfileAuthz{TeamID: &teamID}, fleet.ActionWrite); err != nil {
 		return nil, ctxerr.Wrap(ctx, err)
 	}
@@ -1357,7 +1384,11 @@ func (svc *Service) NewMDMWindowsConfigProfile(ctx context.Context, teamID uint,
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "validating labels")
 	}
-	cp.Labels = labelMap
+	if labelsExcludeMode {
+		cp.LabelsExcludeAny = labelMap
+	} else {
+		cp.LabelsIncludeAll = labelMap
+	}
 
 	newCP, err := svc.ds.NewMDMWindowsConfigProfile(ctx, cp)
 	if err != nil {
@@ -1522,8 +1553,17 @@ func (svc *Service) BatchSetMDMProfiles(
 	}
 
 	labels := []string{}
-	for _, prof := range profiles {
-		labels = append(labels, prof.Labels...)
+	for i := range profiles {
+		// from this point on (after this condition), only LabelsIncludeAll or
+		// LabelsExcludeAny need to be checked.
+		if len(profiles[i].Labels) > 0 {
+			// must update the struct in the slice directly, because we don't have a
+			// pointer to it (it is a slice of structs, not of pointer to structs)
+			profiles[i].LabelsIncludeAll = profiles[i].Labels
+			profiles[i].Labels = nil
+		}
+		labels = append(labels, profiles[i].LabelsIncludeAll...)
+		labels = append(labels, profiles[i].LabelsExcludeAny...)
 	}
 	labelMap, err := svc.batchValidateProfileLabels(ctx, labels)
 	if err != nil {
@@ -1732,13 +1772,23 @@ func getAppleProfiles(
 			}
 
 			mdmDecl := fleet.NewMDMAppleDeclaration(prof.Contents, tmID, prof.Name, rawDecl.Type, rawDecl.Identifier)
-			for _, labelName := range prof.Labels {
+			for _, labelName := range prof.LabelsIncludeAll {
 				if lbl, ok := labelMap[labelName]; ok {
 					declLabel := fleet.ConfigurationProfileLabel{
 						LabelName: lbl.LabelName,
 						LabelID:   lbl.LabelID,
 					}
-					mdmDecl.Labels = append(mdmDecl.Labels, declLabel)
+					mdmDecl.LabelsIncludeAll = append(mdmDecl.LabelsIncludeAll, declLabel)
+				}
+			}
+			for _, labelName := range prof.LabelsExcludeAny {
+				if lbl, ok := labelMap[labelName]; ok {
+					declLabel := fleet.ConfigurationProfileLabel{
+						LabelName: lbl.LabelName,
+						LabelID:   lbl.LabelID,
+						Exclude:   true,
+					}
+					mdmDecl.LabelsExcludeAny = append(mdmDecl.LabelsExcludeAny, declLabel)
 				}
 			}
 
@@ -1773,9 +1823,14 @@ func getAppleProfiles(
 				"invalid mobileconfig profile")
 		}
 
-		for _, labelName := range prof.Labels {
+		for _, labelName := range prof.LabelsIncludeAll {
 			if lbl, ok := labelMap[labelName]; ok {
-				mdmProf.Labels = append(mdmProf.Labels, lbl)
+				mdmProf.LabelsIncludeAll = append(mdmProf.LabelsIncludeAll, lbl)
+			}
+		}
+		for _, labelName := range prof.LabelsExcludeAny {
+			if lbl, ok := labelMap[labelName]; ok {
+				mdmProf.LabelsExcludeAny = append(mdmProf.LabelsExcludeAny, lbl)
 			}
 		}
 
@@ -1844,9 +1899,14 @@ func getWindowsProfiles(
 			Name:   profile.Name,
 			SyncML: profile.Contents,
 		}
-		for _, labelName := range profile.Labels {
+		for _, labelName := range profile.LabelsIncludeAll {
 			if lbl, ok := labelMap[labelName]; ok {
-				mdmProf.Labels = append(mdmProf.Labels, lbl)
+				mdmProf.LabelsIncludeAll = append(mdmProf.LabelsIncludeAll, lbl)
+			}
+		}
+		for _, labelName := range profile.LabelsExcludeAny {
+			if lbl, ok := labelMap[labelName]; ok {
+				mdmProf.LabelsExcludeAny = append(mdmProf.LabelsExcludeAny, lbl)
 			}
 		}
 
@@ -1876,6 +1936,21 @@ func getWindowsProfiles(
 
 func validateProfiles(profiles []fleet.MDMProfileBatchPayload) error {
 	for _, profile := range profiles {
+		// validate that only one of labels, labels_include_all and labels_exclude_any is provided.
+		var count int
+		for _, b := range []bool{
+			len(profile.LabelsIncludeAll) > 0,
+			len(profile.LabelsExcludeAny) > 0,
+			len(profile.Labels) > 0,
+		} {
+			if b {
+				count++
+			}
+		}
+		if count > 1 {
+			return fleet.NewInvalidArgumentError("mdm", `Couldn't edit custom_settings. For each profile, only one of "labels_exclude_any", "labels_include_all" or "labels" can be included.`)
+		}
+
 		if len(profile.Contents) > 1024*1024 {
 			return fleet.NewInvalidArgumentError("mdm", "maximum configuration profile file size is 1 MB")
 		}
diff --git a/server/service/mdm_test.go b/server/service/mdm_test.go
index 52e8cb0d41..497f40a85d 100644
--- a/server/service/mdm_test.go
+++ b/server/service/mdm_test.go
@@ -1088,11 +1088,11 @@ func TestMDMWindowsConfigProfileAuthz(t *testing.T) {
 			checkShouldFail(t, err, tt.shouldFailTeamRead)
 
 			// test authz create new profile (no team)
-			_, err = svc.NewMDMWindowsConfigProfile(ctx, 0, "prof", strings.NewReader(winProfContent), nil)
+			_, err = svc.NewMDMWindowsConfigProfile(ctx, 0, "prof", strings.NewReader(winProfContent), nil, false)
 			checkShouldFail(t, err, tt.shouldFailGlobalWrite)
 
 			// test authz create new profile (team 1)
-			_, err = svc.NewMDMWindowsConfigProfile(ctx, 1, "prof", strings.NewReader(winProfContent), nil)
+			_, err = svc.NewMDMWindowsConfigProfile(ctx, 1, "prof", strings.NewReader(winProfContent), nil, false)
 			checkShouldFail(t, err, tt.shouldFailTeamWrite)
 
 			// test authz delete config profile (no team)
@@ -1174,7 +1174,7 @@ func TestUploadWindowsMDMConfigProfileValidations(t *testing.T) {
 				}, nil
 			}
 			ctx = test.UserContext(ctx, test.UserAdmin)
-			_, err := svc.NewMDMWindowsConfigProfile(ctx, c.tmID, "foo", strings.NewReader(c.profile), nil)
+			_, err := svc.NewMDMWindowsConfigProfile(ctx, c.tmID, "foo", strings.NewReader(c.profile), nil, false)
 			if c.wantErr != "" {
 				require.Error(t, err)
 				require.ErrorContains(t, err, c.wantErr)
@@ -1567,6 +1567,34 @@ func TestValidateProfiles(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Windows Profile With Deprecated Labels",
+			profiles: []fleet.MDMProfileBatchPayload{
+				{Name: "windowsProfile", Labels: []string{"a"}, Contents: []byte("<replace><Target><LocURI>Custom/URI</LocURI></Target></replace>")},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Windows Profile With Excluded Labels",
+			profiles: []fleet.MDMProfileBatchPayload{
+				{Name: "windowsProfile", LabelsExcludeAny: []string{"a"}, Contents: []byte("<replace><Target><LocURI>Custom/URI</LocURI></Target></replace>")},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Windows Profile With Included Labels",
+			profiles: []fleet.MDMProfileBatchPayload{
+				{Name: "windowsProfile", LabelsIncludeAll: []string{"a"}, Contents: []byte("<replace><Target><LocURI>Custom/URI</LocURI></Target></replace>")},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Windows Profile With Mixed Labels",
+			profiles: []fleet.MDMProfileBatchPayload{
+				{Name: "windowsProfile", Labels: []string{"z"}, LabelsIncludeAll: []string{"a"}, Contents: []byte("<replace><Target><LocURI>Custom/URI</LocURI></Target></replace>")},
+			},
+			wantErr: true,
+		},
 		{
 			name: "Too large profile",
 			profiles: []fleet.MDMProfileBatchPayload{
diff --git a/tools/cloner-check/generated_files/appconfig.txt b/tools/cloner-check/generated_files/appconfig.txt
index 79a8c47a76..933d1dd3db 100644
--- a/tools/cloner-check/generated_files/appconfig.txt
+++ b/tools/cloner-check/generated_files/appconfig.txt
@@ -116,6 +116,8 @@ github.com/fleetdm/fleet/v4/server/fleet/MDM	MacOSSettings	fleet.MacOSSettings
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSettings	CustomSettings	[]fleet.MDMProfileSpec
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Path	string
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Labels	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsIncludeAll	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsExcludeAny	[]string
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSettings	DeprecatedEnableDiskEncryption	*bool
 github.com/fleetdm/fleet/v4/server/fleet/MDM	MacOSSetup	fleet.MacOSSetup
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSetup	BootstrapPackage	optjson.String
diff --git a/tools/cloner-check/generated_files/mdmprofilespec.txt b/tools/cloner-check/generated_files/mdmprofilespec.txt
index 7459a92480..a4deffbbea 100644
--- a/tools/cloner-check/generated_files/mdmprofilespec.txt
+++ b/tools/cloner-check/generated_files/mdmprofilespec.txt
@@ -1,2 +1,4 @@
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Path	string
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Labels	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsIncludeAll	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsExcludeAny	[]string
diff --git a/tools/cloner-check/generated_files/teammdm.txt b/tools/cloner-check/generated_files/teammdm.txt
index fcf77c0fca..cd1278ff04 100644
--- a/tools/cloner-check/generated_files/teammdm.txt
+++ b/tools/cloner-check/generated_files/teammdm.txt
@@ -15,6 +15,8 @@ github.com/fleetdm/fleet/v4/server/fleet/TeamMDM	MacOSSettings	fleet.MacOSSettin
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSettings	CustomSettings	[]fleet.MDMProfileSpec
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Path	string
 github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	Labels	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsIncludeAll	[]string
+github.com/fleetdm/fleet/v4/server/fleet/MDMProfileSpec	LabelsExcludeAny	[]string
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSettings	DeprecatedEnableDiskEncryption	*bool
 github.com/fleetdm/fleet/v4/server/fleet/TeamMDM	MacOSSetup	fleet.MacOSSetup
 github.com/fleetdm/fleet/v4/server/fleet/MacOSSetup	BootstrapPackage	optjson.String