Exam MS-500 topic 1 question 38 discussion

There are only two states in Endpoint Manager for devices; compliant or non-compliant. The screenshot shows that devices without a compliance policy assigned are marked non-compliant. All the devices have a compliance policy in this example so they will be marked as compliant as default. The devices are enrolled on March 1. They become compliant as a policy is assigned to them. Then the evaluation of the policy kicks in, which may or may not change the compliance state. On March 2, Device 2 is marked as compliant. Policy 2 states non-compliant after 10 days only. On March 6, Device 1 is marked as compliant. Policy 2 states non-compliant after 10 days only. On march 12, Device 1 is marked as _noncompliant_ as it has been 11 days and Policy2 states 10 days max. Answers are correct (Y/Y/N). Note that the default grace period is 0 days, but the example has 5 and 10 days instead. If there is no mention of this in the question, then always assume 0.

As per this article, the status of a device should be 'in-grace period' which is different from the 'compliant' state. So, should the answers be N, N, N in that case as the first two would be in the in grace period state? https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor

The given answer YYN is correct. The third question is about the conflict among policies. "If you have deployed multiple compliance policies, Intune uses the most secure of these policies." https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor

answers are correct but the explanation are not correct. As Device1 is not the member of group1 and grop2. It is actually the policy applied to both group which hits Device1

Valid on Exam, 29.08.22

can these get any more confusing... my god

The devices won’t be marked as compliant (green), they will be marked as “in grace period” for 5 days, upon which they will marked non compliant. This is nothing to do with access, just tagging on the portal. These machines never get marked as compliant, ever.

Surely NNN. Mark devices non compliant after 30 days just means the device (whether compliant or not) will be marked on compliant if it doesn’t report status (whatever status) after 30 days. These devices, once added will all report as non compliant immediately. The 5 day grace period is for machines that were previously compliant but have (for whatever reason) become non compliant. When two conflicting policies apply to a group, the most restrictive settings are adopted. These devices, once added will be non compliant, and remain non compliant.

N/Y/N Why everyone misses "Mark devices with no compliance policy assigned as Non Compliant"? N - Device2 has no Secure Boot Enabled which is a requirement of Policy2. So Device has no Compliance policy. Now Merge this with "Mark devices with no compliance policy assigned as Non Compliant" and we get the answer. Y - Device1 Has Bitlocker and does not have Secure Boot Enabled. So it passes Policy1 but does not passes Policy2. So, basically, it passes Policy1 requirements but does not Policy2 requirements. This upon device Enrollment will mark Device1 as Compliant during the period 2020-03-01 - 2020-03-11. At 2020-03-12 will kick in Policy2 "Mark device as not compliant" and device from this day on will be marked as not compliant. N - Device1 Has Bitlocker and does not have Secure Boot Enabled. So it passes Policy1 but does not passes Policy2. So, basically, it passes Policy1 requirements but does not Policy2 requirements. This upon device Enrollment will mark Device1 as Compliant during the period 2020-03-01 - 2020-03-11. At 2020-03-12 will kick in Policy2 "Mark device as not compliant" and device from this day on will be marked as not compliant.

Anyone consider leap year?

Don't trip yourself up over semantics. It's a boolean measurement, so it can only be one or the other. Very black and white determinations. - Is it non-compliant? - "Well, not right now. Technically." - Cool! I'll go ahead an mark it as the only other option then.

let us learn to understand scenarios here; yes the default ms compliance policy is 0 however in this scenario a grace period was mentioned. Having said that. The devices are enrolled on March 1. They become compliant as a policy is assigned to them. Then the evaluation of the policy kicks in, which may or may not change the compliance state. On March 2, Device 2 is marked as compliant. Policy 2 states non-compliant after 10 days only. the device is still within the grace period of 2days. On March 6, Device 1 is marked as compliant. Policy 2 states non-compliant after 10 days only. the device is still within the grace period of 6 days On march 12, Device 1 is marked as _noncompliant_ as it has been 11 days and Policy2 states 10 days max. Device 1 which is a member of group 1 and group 1 is a member of plicy 2 will become non-compliant as grace period of 10days has elasped.

YYN: "When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as non-compliant." Source : https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance

I Prepared my Microsoft MS-500 Exam within 3 days with the help of Validexamdumps Updated Microsoft 365 Security Administration MS-500 Practice Test Material. On the Final Exam Day, I Easily Attempted All questions and I Got Success in Microsoft MS-500 exam the First Attempt.

I a gree with ZakS

Disagree with answers Device 1 won't be marked as compliant on March 6th. It will be marked as compliant once the compliance policy completes its checks. If it is non-compliant it would go in to grace-mode until such a time as it gets marked as non-compliant which would be on the 10th of March due to policy 2

given answers are correct, device1 is assigned to group1 and policy1 and policy2 are both assigned to group1 and policy2 is also assigned to group1. so device1 got both policies and 5 days later the device is still compliant due to the settings of policy2 :)