Device Compliance - Should non-applicable compliance policy trigger not compliant flag?


Quite simple question, as the title says.

Got a compliance policy regarding AV protection set up, but since some of our devices have Crowdstrike installed (client requirement), I excluded those devices from the policy through a security group which has the owners of the devices as members. Otherwise Crowdstrike interferes with the policy and throws a non-compliant flag (which is expected).

The devices get excluded from the policy successfully, the compliance status of the policy says 'not applicable' for those 15 devices.

Problem is, in the main devices page those devices get marked as 'Non-compliant'. The only other policy which they have assigned is the built-in one, which they are compliant with (pic below).

[Screenshot: Untitled.png]

This very device is marked as non-compliant! Is this an intended behavior? Should non-applicable policies trigger non-compliance? That REALLY does not make sense to me, but that is what I am getting currently.

Thanks!

1 Reply

An update on this, if anyone ever runs into similar "stuck with non-compliant" issues.

Steps I did to resolve this:

  1. Deleted all the policies that may interfere with the devices, even if they are not being applied
  2. Created a simple policy with which every device would comply and assigned it to everyone
    1. (This reset the stuck non-compliant devices to compliant status)
  3. Deleted the 'fake' policy which turned them to compliant
  4. Created the old policies again, which still exclude those devices that were stuck in non-compliant

After this, the devices stayed compliant with them properly excluded from the policy.

What I think happened: when I originally included all the devices in the Defender policy, the Crowdstrike AV software interfered and made them non-compliant.

Excluding those devices from the policy DOES NOT actually force them to re-evaluate their compliance. They just stay stuck in non-compliant status.

This would probably apply to any such case. Excluding devices from policies they are not compliant with won't make them re-evaluate. Maybe that is the case ONLY when there are actually no other policies being applied to the devices, other than the built in one.

That's just guessing though, although I have a hunch the built-in one does not function the same as a proper compliance policy.
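Before deleting and recreating policies as in the steps above, an admin will usually want a quick way to see which devices are non-compliant overall while no individual policy actually reports non-compliance against them. The script below is an added example, not code from the original poster or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account is granted the listed Graph scopes. It queries the Microsoft Graph `deviceManagement` endpoints (`managedDevices`, the per-device `deviceCompliancePolicyStates` relationship, and the `syncDevice` action), flags devices in the "stuck" situation described in this thread, and can optionally request a device sync for them.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account holds the scopes below.
# It lists every device Intune reports as non-compliant overall, alongside the
# per-policy state Intune holds for that device, so a device that is
# 'noncompliant' overall while every assigned policy reports 'compliant' or
# 'notApplicable' (the situation described in the thread) is flagged as Stuck.

Connect-MgGraph -Scopes @(
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"   # only needed for syncDevice
)

$Base = "https://graph.microsoft.com/v1.0/deviceManagement"

function Get-GraphCollection {
    # Follow @odata.nextLink so large tenants are paged completely.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-StuckNoncompliantDevice {
    $filter = "complianceState eq 'noncompliant'"
    $select = "id,deviceName,complianceState,lastSyncDateTime"
    $devices = Get-GraphCollection -Uri "$Base/managedDevices?`$filter=$filter&`$select=$select"

    foreach ($d in $devices) {
        # Per-policy evaluation for this device. 'notApplicable' is what an
        # excluded device shows for the policy it was excluded from.
        $states  = Get-GraphCollection -Uri "$Base/managedDevices/$($d.id)/deviceCompliancePolicyStates"
        $failing = @($states | Where-Object { $_.state -eq 'nonCompliant' })

        [pscustomobject]@{
            Id       = $d.id
            Device   = $d.deviceName
            LastSync = $d.lastSyncDateTime
            Policies = ($states | ForEach-Object { "$($_.displayName)=$($_.state)" }) -join '; '
            # Overall non-compliant, yet no individual policy reports non-compliance.
            Stuck    = ($failing.Count -eq 0)
        }
    }
}

function Invoke-StuckDeviceSync {
    # Ask each stuck device to check in again so Intune re-evaluates it.
    param([Parameter(ValueFromPipeline)] $Device)
    process {
        if ($Device.Stuck) {
            Invoke-MgGraphRequest -Method POST -Uri "$Base/managedDevices/$($Device.Id)/syncDevice"
            "Sync requested for $($Device.Device)"
        }
    }
}

# Usage: review the report first, then (optionally) request a sync for stuck devices.
$report = Get-StuckNoncompliantDevice
$report | Format-Table Device, LastSync, Stuck, Policies -AutoSize
# $report | Invoke-StuckDeviceSync
```

Read the `LastSync` column together with `Stuck`: an old last-sync time means the overall state may simply be stale, which a sync can cure, whereas a recently synced device that is still flagged matches the "stuck" behaviour the poster hit, where a sync alone is not expected to help. Also compare the report with the tenant's compliance policy setting "Mark devices with no compliance policy assigned as", since a device left with only the built-in policy is judged by that setting rather than by any custom policy.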