HOTSPOT
-
You have a Microsoft 365 subscription that includes Microsoft Intune.
You have computers that run Windows 11 as shown in the following table.
You have the groups shown in the following table.
You create and assign the compliance policies shown in the following table.
The next day, you review the compliance status of the computers.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
should be Y,Y,Y ? no ?
The third device is just registered in AAD. The status is N/A.
table indicate Device3 as registered
Answer from ChatGPT: If a device is only registered with Azure AD but not enrolled in Intune, it does not have to comply with Intune compliance policies. Compliance policies in Intune are used to set rules for devices managed with Intune1. However, there is a setting in Intune’s compliance policy settings that determines how Intune treats devices that haven’t been assigned a device compliance policy. This setting has two values1: Compliant (default): Devices that aren’t sent a device compliance policy are considered compliant. Not compliant: Devices that haven’t received a device compliance policy are considered noncompliant. So, if you want to apply a compliance policy from Intune to a device, it needs to be enrolled in Intune. It does not matter if the device is Azure AD registered or joined as long as the device is enrolled in Intune2
Y,Y,Y to me. Computer 1 is in a grace period because policy 1 applies to it and it does not have bitlocker activated. Computer 2 is compliant because policy 1 applies to it and bitlocker is activated. Computer 3 is not compliance (SO THE ANSWER IS Y) because policy 2 applies to it and firewall is disabled.
computer 3 is not enrolled on Intune.
it is registered.
yes but computer 3 is only register but not joined Azure AD so policy do not apply to this device and leave this device as compliant.
But device 3 is not enrolled to Intune so Policy not apply so will leave device as compliant.
I think the key is with Device 3 is "monitoring", Device 3 can't report back if not enrolled according to this: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor If I understand right. It seems the device needs to be enrolled anyway, according to some other article too. Device 3 should be No I think
Computer 3 is not enrolled in Intune, therefore it can't receive the compliance policies. It may be registered in Azure AD but Intune ultimately is what plays the role here.
I would say the answer is YYY. Third one is not intune joined, so compliance policy does not apply. Anyway, I still say device is compliant. I have not found a single compliant device in my test tenant. They were either n/a or not compliant.
Computer 1 (intune) - Bitlocker: Disabled - Firewall : Enabled - Policy: Policy 1 Result: not compliant (currently is grace period) Computer 2 (intune) - Bitlocker: Enabled - Firewall : Enabled - Policy: Policy 1 Result: compliant Computer 3 (not enrolled) - Bitlocker: Enabled - Firewall : Disabled - Policy: None (Because not intune joined) - Result: Not compliant!
I have a question... IF computer 3 is not registered (or joined), how does it belong to group 3) Beyond this joke, the answers seem to be correct Computer 1 is in a grace period because policy 1 applies to it and it does not have bitlocker activated. Team 2 is compliance because pass the policy1. Team 3 is not compliance because it does not belong to the Azure Ad in question
It clearly says its registered (computer3) Compliance policy applies on all registered, hybrid, enrolled devices.
It can belong a group if it in AAD. But it cannot be compliant or not compliant if it is not in Intune.
No Yes Yes Looks like is wrong, correct me.
I think that you are right.
Why No for the first one? This is after 1 day, it has 10 days
My answer is wrong. Look away from this
This a tricky question when it comes to the evaluation of device 2. There's two types of compliance in devices in the Intune portal, one being the Intune compliance and the other one being the Entra ID compliance. Device 2 will meet the compliance requirements for Intune compliance, but not the Entra ID compliance because it is registered and not in a Joined/Hybrid state.
resposta correta
amckinson_Android_10/16/2023_4:38 PM Intune Personal Noncompliant Android (device administrator) 9.0 <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e3828e80888a8d908c8da390938c91978a8d8484918c9693cd808ccd9688">[email protected]</a> 29/11/2023, 04:29 Microsoft Entra registered anutbrown_Android_3/15/2023_1:34 PM Intune Personal In grace period Android (device administrator) 13.0 <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="9cfdf2e9e8feeef3ebf2dcefecf3eee8f5f2fbfbeef3e9ecb2fff3b2e9f7">[email protected]</a> 08/11/2023, 15:06 Microsoft Entra registered The answer is Yes Yes Yes, if you can put a device in a group you can apply a compliance policy.
Device must be joined to AAD and/or registered in Intune to receive compliance policy. Usually: AADJ: Corporate device, AADR: private device (does not apply with this question)