
Exam MD-101 topic 3 question 25 discussion

Actual exam question from Microsoft's MD-101
Question #: 25
Topic #: 3

HOTSPOT -
In Microsoft Intune, you have the device compliance policies shown in the following table.

The Intune compliance policy settings are configured as shown in the following exhibit.

On June 1, you enroll Windows 10 devices in Intune as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
Policy1 requires encryption, but on June 4 Device1 is configured with No Drive Encryption, so it is not compliant.

Box 2: No -
Policy1 requires encryption, but on June 6 Device1 is configured with No Drive Encryption, so it is not compliant.

Box 3: Yes -
Both Policy2 and Policy3 apply to Device2. Policy3, which is the most restrictive, applies, which results in Mark device as not compliant = 10 days.
Note: If you have deployed multiple compliance policies, Intune uses the most restrictive of these policies.
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance
https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#how-intune-resolves-policy-conflicts

Comments

MikeMatt2020
Highly Voted 3 years, 11 months ago
I believe the answer is NO, NO, NO. That said, we need to understand some key settings:
1) *Mark devices as not compliant*, which is the "Schedule (days after noncompliance)" setting under the "Actions for Non-Compliance" tab when creating a Compliance Policy. Setting this to 5 days will put a non-compliant device in an "In-Grace Period" state. This does NOT make the device compliant. A device that is "In-Grace Period" is a level 4 severity status. https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy
2) *Compliance status validity period (days)*: This sets the amount of days that a device MUST report its compliance status. "Specify a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant"
upvoted 26 times
LordCaine
3 years, 7 months ago
Yes I agree with this, device 1 has no policy assigned (windows 8 policy is applied but a windows 10 device is enrolled) and it is specifically mentioned in the image that devices without a compliance policy are listed as non compliant. Device 2 has a policy but is not compliant and enters a grace period for 7 days. So whatever action is set to non-compliant devices doesn't matter in this question, the device is marked not compliant.
upvoted 2 times
LordCaine
3 years, 7 months ago
I want to edit this. I think the answer is No, No, Yes. Device 1 is Windows 10, and Policy 1 is for Windows 8. Default compliance for devices without a policy is not compliant, so the first 2 questions are NO. Then the third device has 2 policies: the first one is compliant and the second policy is not compliant, but the device is not marked as non-compliant due to the fact that mark device as non-compliant is set to 10 days. This means that the machine will be compliant until June 10th.
Source: Mark device non-compliant: By default, this action is set for each compliance policy and has a schedule of zero (0) days, marking devices as noncompliant immediately. When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as non-compliant. This action is supported on all platforms supported by Intune. https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance
upvoted 18 times
john909
3 years, 5 months ago
Thank you! Indeed it says: "When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant *without being marked as non-compliant*."
upvoted 2 times
pogap64757
3 years, 2 months ago
From MikeMatt2020's link: "For example, a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level. So, all three policies have the InGracePeriod compliance status." So Policy 2 and 3 will be applied. Even though Policy 2 is giving it compliant status, Policy 3 is overriding it as "ingrace" until Policy 3 eventually marks it outright non-compliant.
upvoted 1 times
smart008
1 year, 2 months ago
The Policy is for Windows 8.1 or later which means the policy will implement on windows 10 and 11 too.
upvoted 1 times
Gonch
Highly Voted 3 years, 11 months ago
I think it is No, No, Yes:
1 No - Device 1 does not have a Compliance Policy (assigned a Windows 8 policy) so will be marked as non-compliant, as per Compliance Policy Settings (Mark devices with no compliance policy assigned as: Not compliant)
2 No - As above
3 Yes - Device 2 will have Policy 3 applied rather than Policy 2 (most secure as it requires encryption as well as AV - https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#how-intune-resolves-policy-conflicts). On June 9th this will still be seen as compliant as within the 10 day compliance window for Policy 3.
upvoted 8 times
FrancisLai
3 years, 11 months ago
I agree with 1 & 2; however, for 3 I don't agree. As you said, the most secure and stricter rules apply, so it is Policy 3; however, Policy 3 requires encryption but Device 2 is not encrypted.
upvoted 2 times
RodrigoT
3 years ago
Policy3 will mark Device2 as non-compliant only on the 10th day. On day 9 Device2 is still compliant with Policy2. So, N N Y.
upvoted 6 times
smart008
Most Recent 1 year, 2 months ago
Box 1: Yes
Device 1 is not compliant as BitLocker is not enabled but is still in the grace period, which is 5 days. This means the device is yet compliant and still has 1 day to show non-compliant status.
Box 2: No
Device 1 is not compliant because BitLocker is not enabled and the grace period, which was 5 days, is also over.
Box 3: No
Group 2 (Device2) has two policies assigned, Policy 2 with a grace period of 7 days and Policy 3 with a grace period of 10 days. Under Policy 3, the device is not compliant due to lack of encryption but is still in the grace period, which is 10 days. However, under Policy 2, the device is not compliant due to BitLocker not configured, but the grace period, which was 7 days, is over.
Please correct me if I'm wrong
upvoted 1 times
smart008
1 year, 2 months ago
Apologies for incorrect interpretation:
Box 1: Yes
Device 1 is not compliant as BitLocker is not enabled but is still in the grace period, which is 5 days. This means the device is yet compliant and still has 1 day to show non-compliant status.
Box 2: No
Device 1 is not compliant because BitLocker is not enabled and the grace period, which was 5 days, is also over.
Box 3: Yes
Group 2 (Device2) has two policies assigned, Policy 2 with a grace period of 7 days and no encryption required, and Policy 3 with a grace period of 10 days. Under Policy 2, the device is compliant as BitLocker is not configured (not required) even though the grace period, which was 7 days, is over. Under Policy 3, the device is not compliant due to lack of encryption but is still in the grace period, which is 10 days. So Device 2 is compliant in both cases.
Please correct me if I'm wrong
upvoted 2 times
Amir1909
1 year, 3 months ago
Yes No Yes
upvoted 1 times
Altheus
2 years, 6 months ago
This question contradicts itself: answer A is marked as non-compliant even though it is in the grace period. Answer C is marked as compliant because it is in the grace period.
upvoted 1 times
raduM
2 years, 7 months ago
no no no. it will be in grace period not compliant
upvoted 3 times
raduM
2 years, 7 months ago
The correct answer is no, no, no. The devices will be in grace period and not compliant. Just tested this, FYI. :)
upvoted 2 times
gotrekk
2 years, 8 months ago
NNN. I agree with others
upvoted 1 times
CARO54
3 years, 3 months ago
https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy
Device 1 is Windows 10, and Policy 1 is for Windows 8. Default compliance for devices without a policy is not compliant, so the first 2 questions are NOT COMPLIANT.
Device 2 is not compliant but is in the grace period, so the status is IN GRACE PERIOD.
upvoted 1 times
Goofer
3 years, 5 months ago
N - Device1 = Group1 = Policy1 = Device requires Encryption --> Device1: No Drive Encryption = Not Compliant
N - Device1 = Group1 = Policy1 = Device requires Encryption --> Device1: No Drive Encryption = Not Compliant
N - Device2 = Group2 = Policy2 and 3 (policy conflict) = Device requires Encryption --> Device2: No Drive Encryption = Not Compliant
- If you have deployed multiple compliance policies, Intune uses the most secure of these policies.
- https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#how-intune-resolves-policy-conflicts
upvoted 2 times
RodrigoT
3 years, 1 month ago
Policy1 is just for Windows 8 and Device1 is a Windows 10. So, Policy1 doesn't apply.
upvoted 1 times
bensrayan
2 years, 7 months ago
Policy1 is for Windows 8 AND LATER!
upvoted 2 times
Perycles
3 years, 10 months ago
On June 4: Device 1: no policy applies (Group 1 only affects Win8), so it is marked as non-compliant because of "Mark device with no compliance policy assigned" = NOT COMPLIANT
On June 6: Device 1: no policy applies (Group 1 only affects Win8), so it is marked as non-compliant because of "Mark device with no compliance policy assigned" = NOT COMPLIANT
On June 9: Device 2: affected by 2 policies (Policy 2 and 3). When we have a conflict, the most secure applies, so Policy 3 applies; "Mark device as not compliant = 10 days", understood as "10 days before being marked as non-compliant". That leaves time for the user to fix his problem (here, for example, he has 10 days to activate his TPM; after that, his device will be non-compliant). COMPLIANT
upvoted 5 times
Tomtom11
3 years, 10 months ago
Yes - Default has 30 days to become compliant
Yes - Default has 30 days to become compliant
No - Policy from group 2 exceeded time limit
No
upvoted 2 times
S4L4LMF
3 years, 10 months ago
This seems the correct answer. It's compliant because it's Windows 10, so it doesn't fall under the Windows 8 policy. Default time is 30 days. The last one is not compliant because the stricter rule applies. The stricter rule is 7 days, not 10 days, so Device 2 will not be compliant on the 9th of June.
upvoted 2 times
S4L4LMF
3 years, 10 months ago
I think I'm changing this to NO - YES - NO. Why? Because even if the device isn't Win 8, it still has a policy assigned. It just isn't compliant with it (because it's Win10, not W8), so it will be marked as non-compliant in 5 days.
upvoted 1 times
S4L4LMF
3 years, 10 months ago
Okay, I mean the reverse -> Yes, NO, Yes. 1. is Yes because 5 days aren't done. 2. is No because those 5 days are over and the device isn't Win8, so it isn't complying with the policy. And again Yes because Device 2 complies with Policy 2 but not 3, which marks non-compliant in 10 days, so on the 8th day it still complies.
upvoted 1 times
Tomtom11
3 years, 11 months ago
Compliance status validity period (days) Specify a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant.
upvoted 3 times
George_83
3 years, 11 months ago
No, No, Yes:
Policy1 requires encryption and Device1 doesn't have BitLocker, therefore it won't be marked as compliant on the first two questions.
Device 2 also doesn't have BitLocker, but because Policy2 is set to not configured, it will mark it as compliant.
upvoted 5 times
MikeMatt2020
3 years, 11 months ago
Right...but Device2 receives policy 2 *AND* 3. So Device2 will not be marked as compliant for Policy3. A 10-day grace period is set but this does NOT mark the device as compliant. This puts the device in a level 4 severity status (next severity would be non-compliant) Also, it's irrelevant because even if Device2 was compliant with Policy2, it would still be marked generally as "non-compliant" because of its failure to comply with Policy3
upvoted 3 times
Alexbz
3 years, 11 months ago
No No Yes
upvoted 4 times
RodrigoT
3 years, 1 month ago
I agree.
Endpoint > Devices > Compliance policies > Mark devices with no compliance policy assigned as NOT COMPLIANT
Device1 is Win10 and Group1 - Policy1 (for Win8 so, doesn't apply). So, no policy assigned: NOT COMPLIANT by default, end of story. NO for the first and second answers.
Device2 is Win10 and Group2 - Policy2 requires Win Defender that is enabled: COMPLIANT until day 9. YES for the third answer.
Policy3 requires Encryption but is disabled: NOT COMPLIANT just from day 10.
upvoted 2 times
Test99
3 years, 11 months ago
Should be NO NO NO, first is no as it’s windows 10 so no policy applied and then device is marked as non compliant as per https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started Last is no as policy is applied for 10 as can see
upvoted 3 times
jeroenski
3 years, 11 months ago
Agreed, answer should be NO, NO, NO. A Grace Period does not make it compliant. Actions have to be performed to make it compliant "Mark device non-compliant: By default, this action is set for each compliance policy and has a schedule of zero (0) days, marking devices as noncompliant immediately. When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as non-compliant."
upvoted 4 times
RodrigoT
3 years, 1 month ago
But Device2 is compliant because of Policy2. It won't be compliant just on the 10th day. On day 9 it's still compliant. So, NO NO YES.
upvoted 2 times