Sep 30 2020 07:09 AM
Quite simple question, as the title says.
Got a compliance policy regarding AV protection set up, but since some of our devices have Crowdstrike installed (client requirement), I excluded those devices from the policy through a security group which has the owners of the devices as members. Otherwise Crowdstrike interferes with the policy and throws a non-compliant flag (which is expected).
The devices get excluded from the policy successfully, the compliance status of the policy says 'not applicable' for those 15 devices.
Problem is, in the main devices page - those devices get marked as 'Non-compliant'. Only other policy which they have assigned is the built-in one, which they are compliant with (pic below)
This very device is marked as non-compliant! Is this an intended behavior? Should non-applicable policies trigger non-compliance? That REALLY does not make sense for me but that is what I am getting currently.
Thanks!
Oct 01 2020 07:25 AM - edited Oct 01 2020 07:26 AM
An update on this, if anyone ever runs into similar "stuck with non-compliant" issues.
Steps I did to resolve this:
After this, the devices stayed compliant with them properly excluded from the policy.
What I think happened - when I originally included all the devices in the Defender policy, the Crowdstrike AV software interfered and made them non-compliant.
Excluding those devices from the policy DOES NOT actually force them to re-evaluate their compliance. They just stay stuck in non-compliant status.
This would probably apply to any such case. Excluding devices from policies they are not compliant with won't make them re-evaluate. Maybe that is the case ONLY when there are actually no other policies being applied to the devices, other than the built in one.
That's just a guess, though; I have a hunch the built-in one does not function the same as a proper compliance policy.
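As an added example (not part of either post above), the following PowerShell script queries Microsoft Graph to find the situation described in this thread: managed devices whose overall state is non-compliant while none of their individually assigned compliance policies actually reports nonCompliant (all are compliant, notApplicable or notAssigned). It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account has the DeviceManagementManagedDevices.Read.All permission, and that the v1.0 endpoints `/deviceManagement/managedDevices` and `/deviceManagement/managedDevices/{id}/deviceCompliancePolicyStates` return the `complianceState` and per-policy `state` properties as documented. It is read-only and only surfaces candidates; it does not change anything in the tenant.

```powershell
# Added diagnostic example, not from the original thread.
# Assumptions: Microsoft.Graph module present; Graph v1.0 endpoints
#   /deviceManagement/managedDevices
#   /deviceManagement/managedDevices/{id}/deviceCompliancePolicyStates
# and the DeviceManagementManagedDevices.Read.All scope.

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# 1. Collect every device whose overall compliance state is 'noncompliant',
#    following @odata.nextLink so large tenants are fully paged.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=id,deviceName,complianceState,lastSyncDateTime"
$devices = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# 2. For each such device, pull the per-policy states. A device is a "stuck"
#    candidate when no policy reports a failing state, i.e. the roll-up says
#    non-compliant but every assigned policy is compliant/notApplicable/notAssigned.
$failingStates = @('nonCompliant', 'error', 'conflict')

$stuck = foreach ($d in $devices) {
    $statesUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    $states    = (Invoke-MgGraphRequest -Method GET -Uri $statesUri -OutputType PSObject).value

    $failing = $states | Where-Object { $_.state -in $failingStates }
    if (-not $failing) {
        [pscustomobject]@{
            DeviceName   = $d.deviceName
            LastSync     = $d.lastSyncDateTime
            PolicyStates = ($states | ForEach-Object { "$($_.displayName)=$($_.state)" }) -join '; '
        }
    }
}

# 3. Report. An empty result means every non-compliant device has at least one
#    policy that genuinely reports nonCompliant/error/conflict.
if ($stuck) {
    $stuck | Sort-Object LastSync | Format-Table -AutoSize
} else {
    Write-Host "No devices found whose roll-up is non-compliant without a failing policy."
}
```

The LastSync column is included because a stale last sync time is the first thing to check for a device whose roll-up state does not match its per-policy states; whether a sync, a policy re-assignment or something else clears it is what the post above describes from its own experience, and the script only narrows down which devices to look at.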