mdatp device compliance


Hi,

Is there a recent change within the handling of mdatp compliance policy out of endpoint manager?

We used to assign mdatp compliance policy to "All Users" which, in the past, only evaluated the related user account, which was matched to the policy assignment.

Since yesterday, we recognized that the mdatp compliance policy is also scoped to the device itself:

 

[Image: mdatp-compliance.PNG]

Now the system account also gets evaluated, and we have a new built-in compliance policy system account evaluation...

In addition, the scoped user account remains as "not applicable" for this compliance policy.

Does anyone know more details about this?

Thank you

Thomas

1 Reply

@Thomas Höhner AFAIK, device compliance policies have come into the picture for devices which have an active threat present on them. In such cases, irrespective of the user, the device can be marked as compliant or non-compliant, so that it can further be combined with a conditional access policy to allow/block connectivity to that particular device.