HOTSPOT -
You create two device compliance policies for Android devices as shown in the following table.
You have the Android devices shown in the following table.
The users belong to the groups shown in the following table.
The users enroll their device in Microsoft Endpoint Manager.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
References:
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android
NO NO YES
No. User 1, Device 1, Group 1, Not encrypted. Marked Not Compliant by Policy 1 No. User 2, Device 2, Groups 1&2, Google Play Services not configured. Marked Not Compliant by Policy 2. Yes. User 3, Device 3, Group 2, Not encrypted & Google Play Services configured. No policy can mark it "Not Compliant".
NO-NO-YES
NO-NO-YES Assign a resulting compliance policy status If a device has multiple compliance policies, and the device has different compliance statuses for two or more of the assigned compliance policies, then a single resulting compliance status is assigned. This assignment is based on a conceptual severity level assigned to each compliance status. Each compliance status has the following severity level: ASSIGN A RESULTING COMPLIANCE POLICY STATUS Status Severity Unknown 1 NotApplicable 2 Compliant 3 InGracePeriod 4 NonCompliant 5 Error 6 When a device has multiple compliance policies, then the highest severity level of all the policies is assigned to that device. For example, a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level. So, all three policies have the InGracePeriod compliance status. https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy
question doesn't make sense, but Mark devices with no compliance policy assigned as This setting determines how Intune treats devices that haven't been assigned a device compliance policy. This setting has two values: Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant. Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered noncompliant. If you use Conditional Access with your device compliance policies, we recommended you change this setting to Not compliant to ensure that only devices that are confirmed as compliant can access your resources.
Remind me if there is some form of precedence here -- like if one policy marks it as compliant, can a second one mark it as non-compliant? If it can't, N,Y,Y. If it can N,N,Y.
If a device is assigned to one or more applicable policies, then its compliance is tied to all assigned policies. So, if the device is compliant by the terms of policy one, but is not compliant by the terms of policy 2, then the device is rendered not-compliant.