HOTSPOT
-
You have two Windows 10 devices enrolled in Microsoft Intune as shown in the following table.
The Compliance policy settings are configured as shown in the following exhibit.
On August 1, you create a compliance policy as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
I think it should be N, N, Y Device 1 is not included and marked as non-compliant Device 2 is never compliant Device 2 retired on the 6th day
Question asked if device 2 i compliant on Aug 2, that is not enough time to mark as non compliant even though it isn't compliant. Once it reaches 6 August it is then retired.
Device 2 would be InGracePeriod status, not Compliant or NonCompliant according to this: "Specifically, if a device has a NonCompliant status for an assigned compliance policy, and: ...The device has a grace period that's in the future, then the assigned value for the compliance policy is InGracePeriod" https://learn.microsoft.com/en-us/mem/intune/protect/create-compliance-policy#assign-an-ingraceperiod-status
I believe given answer is correct. Here's what I have deduced : No. Device 1 is not compliant because it is excluded from the compliance policy by group and devices w/o policy are non-compliant. Yes. Device 2 is compliant because although it does not have bitlocker enabled, it does have the compliance policy applied to it making it compliant before the policy catches the non-compliant attribute. No. Device 2 will not be retired on the 6th because it will be retired 5 days after being marked non-compliant which falls on a day after the 6th. Correct me if I'm wrong.
NYN Device 1 is part of Group 2 and hence does not receive the policy. It will be marked as non-compliant as per the configuration above. Device 2 is marked as compliant because it is within it's grace period (3 days). After the grace period it would be marked as non-compliant due to Bitlocker being disabled. Device 2 will not be retired on August 6th. It will be marked as non-compliant after the 3rd day and it will be retired after the 5th day (i.e. Aug 7th). (Ref: https://www.vansurksum.com/2021/04/07/designing-and-configuring-compliance-policies-for-your-windows-modern-workplace-using-microsoft-endpoint-manager/#:~:text=You%20can%20decide%20to%20retire,action%20to%20retire%20the%20device.) .
Second question, in my experience, a new device doesn't start as "compliant" in intune. It stays in the "evaluating" state till it get marked accordingly.
Excellent point. Just read that during the grace period MS states a device will be marked as Noncompliant. I correct my answer to NNN. From Microsoft: "In-grace period: The device is targeted with one or more device compliance policy settings but isn't yet compliant to all of them. Often this is due to users not applying compliant configurations, like meeting password complexity requirements. Devices with this status are noncompliant, but in the grace period defined by the admin." Ref: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#:~:text=In%2Dgrace%20period,by%20the%20admin. I enjoy the discussion. Good luck with your learning and exam! .
n,y,n Mark devices with no compliance policy assigned as This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values: >Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant. >Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant. >Compliance status validity period (days) Specify a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant. By default, the period is set to 30 days. You can configure a period from 1 to 120 days. https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#device-compliance-policies
i think in question is forgotten to add on what day policy was apply..?
Read before you post On August 1, you create a compliance policy as shown in the following exhibit.
That was also my guessed answer for the same reasons
Given answers seem correct to me. Device 1 is not included and marked as non-compliant Device 2 is marked non compliant only after 3 days, so not on August 2 Device 3 is retired 5 days after that, so not in August 6
N Y N device 1 = grp2 = exclude = non compliant device 2 = Bitlocker disabled = grp1 = compliant 08/02 but after 3 days he's no compliant device 2 = 08/04 no compliant, add 5 days before is retired = 08/09