Forum Discussion
Device Compliance - Should non-applicable compliance policy trigger not compliant flag?
An update on this, if anyone ever runs into similar "stuck with non-compliant" issues.
Steps I did to resolve this:
- Deleted all the policies that may interfere with the devices, even if they are not being applied
- Created a simple policy with which every device would comply and assigned it to everyone
- (This reset the stuck non-compliant devices to compliant status)
- Deleted the 'fake' policy which turned them to compliant
- Created the old policies which still exclude those devices that were stuck in non-compliant
After this, the devices stayed compliant with them properly excluded from the policy.
What I think happened - when I originally included all the devices in the Defender policy, the Crowdstrike AV software interfered and made them non-compliant.
Excluding those devices from the policy DOES NOT actually force them to re-evaluate their compliance. They just stay stuck in non-compliant status.
This would probably apply to any such case. Excluding devices from policies they are not compliant with won't make them re-evaluate. Maybe that is the case ONLY when there are actually no other policies being applied to the devices, other than the built-in one.
That's just guessing though, although I have a hunch the built-in one does not function the same as a proper compliance policy.
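A way to check for the "stuck" state the post describes before deleting and recreating policies: list every device Intune still reports as non-compliant together with the compliance policies currently evaluated on it. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read managed devices and their policy states.

```powershell
# Added example (not from the post). Requires the Microsoft.Graph PowerShell SDK;
# the scope below is assumed to be sufficient for reading managed devices and
# their compliance policy states.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# Page through all devices whose current compliance state is 'noncompliant'.
$uri = "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=id,deviceName,complianceState,lastSyncDateTime"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'   # $null on the last page
} while ($uri)

foreach ($d in $devices) {
    # Policies Intune is still evaluating for this device, with their per-policy state.
    $statesUri = "$graph/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    $states = (Invoke-MgGraphRequest -Method GET -Uri $statesUri).value

    # A device reported noncompliant whose listed policies are all compliant (or
    # that has been excluded from the policy it failed) matches the stuck state
    # described above: exclusion did not trigger a re-evaluation.
    [pscustomobject]@{
        Device      = $d.deviceName
        LastSync    = $d.lastSyncDateTime
        PolicyCount = @($states).Count
        Policies    = (@($states) | ForEach-Object { "$($_.displayName)=$($_.state)" }) -join '; '
    }
}
```

Compare each device's overall compliance state against its per-policy states; a mismatch is the case to investigate (or to reset with the temporary catch-all policy described in the post) rather than assuming the exclusion took effect.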