Understanding a Compliance Policy Question

Copper Contributor



I have been studying for the MD-101, and have been going through a number of practice tests. I am wracking my brain to try and understand why I got this question wrong. Could someone explain why my thinking is incorrect? Here is the question:




You have the following device compliance policies within Intune:

NameTypeEncryptionWindows Defender AntimalwareMark device as not compliantAssigned to
Policy1Windows 8RequireNot applicable5 daysGroup1
Policy2Windows 10Not configuredRequire7 DaysGroup2
Policy3Windows10RequiredRequire10 DaysGroup2


The Intune Compliance policy settings are configured as follows:


Mark Devices with no compliance policy assigned as: Not Compliant

Enhanced jailbreak detection: Disabled

Compliance status validity period (days): 30


On June 1st, you enroll Windows 10 devices in Intune as shown in the following table.

NameUse Bitlocker Drive Encryption (Bitlocker)Windows DefenderMember of



On June 4th, Device1 is marked as compliant. Yes/No

On June 6th, Device 1 is marked as compliant. Yes/No

On June 9th Device2 is marked as compliant. Yes/No




Unless I am thinking about the 'Mark device as not compliant' incorrectly, I would think that on June 4th, Device1 would be marked as compliant. Device1 is a member of Group1, which has Policy1 assigned to it. Policy1 requires encryption, so Device1 would be considered non-compliant but only after 5 days have passed. Therefore, on June 4th, the device would still be considered compliant. Practice test says the device would be marked as non-compliant on June 4th, despite the 5 days not having fully passed. The device being marked as non-compliant in the second question makes more sense, since by June 6th, 5 days have passed since the compliance policy was applied.


For the last question, the practice test says Device 2 would be marked as non-compliant on June 9th. Device2 is in Group2, which has both Policy2 and Policy3 applying to it. 8 days have passed since the policies were applied, enough for any devices that don't fulfill Policy2's conditions to be marked as not compliant. However, Device2 meets the requirements and can be considered complaint regardless. Policy3 on the other hand, requires encryption, which Device2 does not have. But since devices will only be marked as not compliant by that policy after a 10 day grace period, it would still be considered complaint until a few more days pass. If either Policy2 OR Policy3 marked Device2 as non-compliant, the device would be considered non-complaint as a whole. But with my thinking, on June 9th, both policies would consider the device as compliant. 


The answer sheet disagrees with me. What am I misunderstanding about how these policies are applied?


Thank you for the help.



1 Reply
Device1 will be immediately marked as not compliant due to:
Mark Devices with no compliance policy assigned as: Not Compliant
So 1,2 question will be NO
Third is tricky because until grace period in policy pass device will have in-grace state. After 7 days it will be evaluated for statements in policy2 and if it pass it should be marked as compliant. But will it stay complaint or revert to in-grace the next day or so... :thinking_face: