mpazure-6320 asked mpazure-6320 answered

Intune/Microsoft Defender for Endpoint. All Device blade shows Compliance in 'grace period'

Hi,

I am using Endpoint Manager with Intune, and have a Defender ATP policy assigned. The devices appear in 'Security Center', and the risk level for the devices is 'no known risk'. If I configure a policy for Microsoft Defender for Endpoint to require the device to be at or under the machine risk score (Medium), then when I view the 'All Devices' blade, the devices are shown with Compliance 'in grace period'. If I drill down to each device, the policies are green. If I drill down to the policies, the devices are green. Why does the 'All Devices' blade show the compliance as 'in grace period' when the devices are compliant?

Thanks

Mike

mem-intune-general

mpazure-6320 answered

Thanks for your help, I have a ticket open with support.

Mike


CiciWu2-MSFT answered

In grace period means the device is targeted with one or more device compliance policy settings, but the user hasn't applied the policies yet. This status means the device is not compliant, but it's in the grace period defined by the admin.
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance

I notice that if you drill down to each device, the policies are green, and if you drill down to the policies, the devices are green. Do you mean that in the Device compliance states chart, the statuses are all compliant? Is it convenient to provide related screenshots?

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


mpazure-6320 answered

Hi,

The policy is assigned to a security group which contains the devices. Attached are screenshots of the All Devices blade, the Device/Compliance page, and the policy page. The issue occurs when the Microsoft Defender for Endpoint option is configured.
Devices in https://security.microsoft.com/machines have 'Risk Level' of 'no known risks' and 'Exposure Level' Low.


Thanks

Mike

Attachments: all-devices-compliance-grace-period.png, desktop-showing-state-compliant.png, compliance-policy.png

CiciWu2-MSFT answered

I have done the tests and research and find that if the compliance policies are all green, the compliance status of the device is Compliant. In grace period can represent either Compliant or Not Compliant. In our case, in grace period represents Compliant and we can safely ignore this warning. If you want to set the In grace period to Compliant, simply set Actions for noncompliance to 0 days.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance#add-actions-for-noncompliance


mpazure-6320 answered CiciWu2-MSFT rolled back

It doesn't make sense that in the 'all devices' blade, devices are shown with 'compliance' in 'grace period', but when you view the devices via the policy, or via the device itself, it is 'compliant'. It cannot be correct to say that a device in 'grace period' can be compliant or not. Surely it has to be one or the other? Changing the grace period to 0 is not a solution, because it defeats the purpose of having a 'grace period', and if I change the 'grace period' to 0, the devices in the 'all devices' blade show as 'non compliant', but when you view the devices via the policy, or via the device itself, it is 'compliant'.

Attachment: not-compliant.jpg

Mike


CiciWu2-MSFT commented:

How about clicking each compliance policy and seeing if each setting in that compliance policy is compliant? As follows:

Attachment: 042301.png

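The two views being compared in this thread (the summary state on the All Devices blade versus the per-policy results on the device's own page) can also be pulled side by side from Microsoft Graph instead of clicking through each policy. The script below is an added example, not from this thread or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, and the endpoint names, the `complianceState` filter value `inGracePeriod` and the property names are taken from the Graph v1.0 Intune API as I know it. The `Mismatch` column flags exactly the symptom Mike describes: a summary state of inGracePeriod while no individual policy is non-compliant.

```powershell
# Added example: reconcile each device's summary complianceState (what the All Devices
# blade shows) with its per-policy evaluation results (what the device page shows).
# Assumes the Microsoft.Graph SDK and read access to managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Devices whose overall state is the one the blade renders as "in grace period".
$uri = "$base?`$filter=complianceState eq 'inGracePeriod'" +
       "&`$select=id,deviceName,complianceState,complianceGracePeriodExpirationDateTime"
$devices = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)

foreach ($d in $devices) {
    # Per-policy results for this device (each policy's own green/red verdict).
    $states = @((Invoke-MgGraphRequest -Method GET -Uri "$base/$($d.id)/deviceCompliancePolicyStates").value)
    $nonCompliant = @($states | Where-Object { $_.state -notin @('compliant', 'notApplicable') })

    [pscustomobject]@{
        Device          = $d.deviceName
        SummaryState    = $d.complianceState
        GraceExpires    = $d.complianceGracePeriodExpirationDateTime
        PolicyCount     = $states.Count
        NonCompliantPol = ($nonCompliant | ForEach-Object { "$($_.displayName)=$($_.state)" }) -join '; '
        # True when the summary says inGracePeriod but every policy reports compliant:
        # this is the discrepancy worth attaching to a support ticket.
        Mismatch        = ($nonCompliant.Count -eq 0)
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` to collect the evidence for all affected devices in one pass.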
mpazure-6320 answered CiciWu2-MSFT commented

When the policy is viewed on a device, all components are green.


CiciWu2-MSFT commented:

Thanks very much for your reply. I have done a lot of research and consulted senior resources. In such a situation, we may need to collect logs and troubleshoot from the backend. Due to limited resources in the community, it is highly suggested to create a free online support ticket to resolve this issue more effectively. Here is the link: https://docs.microsoft.com/en-us/mem/get-support
