What is the difference between "machine risk score" and "risk level"?

Marius R 20 Reputation points
2023-11-23T16:09:42.2266667+00:00

We have configured an Intune policy called "Require the device to be at or under the machine risk score" that we set up for our iPads. The goal was to make sure that iPads check in regularly to maintain the connection to Defender 365.

At this link you can find all the documentation that exists on this topic: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-ios#microsoft-defender-for-endpoint

The documentation talks about risk score, but this terminology isn't used anywhere in Microsoft Security Center. The only reference we have is one column when looking at the devices in Defender, which is called "Risk level". However, we saw that when a device is inactive for 7 days, it becomes non-compliant for our policy, even though the Risk level wasn't elevated at all by this inactivity. So we know that Risk score is not identical to Risk level. So what defines Risk score? How can we predict how this policy will behave?

Microsoft Intune Configuration

Accepted answer
ZhoumingDuan-MSFT 10,975 Reputation points Microsoft Vendor
2023-11-24T07:11:31.0133333+00:00

@Marius Ruymaekers, thanks for posting in Q&A.

From your description, I know that you want to know what the difference is between "machine risk score" and "risk level".

Based on my research, I found that the machine risk score and the risk level are two different metrics that can be used to evaluate the security status of a device in Intune policy.

The machine risk score is a measure of the likelihood that the device used to conduct a transaction or access a service is compromised or fraudulent. The machine risk score is based on various factors such as the device's IP address, geolocation, device ID, and device fingerprint. The machine risk score can range from 0.01 to 99, where higher scores indicate higher risk.

The risk level is a measure of the overall security posture of the device, based on various factors such as compliance, exposure, and configuration. The risk level is based on a combination of factors, including the types and severity of active alerts on the device. The exposure level is based on the pending security recommendations. The risk level can be low, medium, or high, where higher levels indicate higher risk.

The machine risk score and the risk level are not necessarily the same, as they may use different criteria and thresholds to evaluate the device. For example, a device may have a low machine risk score if it has not been involved in any suspicious activity, but it may have a high risk level if it has many vulnerabilities or outdated software. Conversely, a device may have a high machine risk score if it has been flagged by Microsoft Defender for Endpoint as potentially compromised, but it may have a low risk level if it meets the security requirements and policies set by the organization.

The machine risk score and the risk level can be used together to assess the device's security status and take appropriate actions. For example, you can use Intune to create and assign compliance policies that set the device risk level based on the machine risk score reported by Microsoft Defender for Endpoint. You can also use conditional access policies to block or allow access to resources based on the device risk level. For Android and iOS/iPadOS devices, you can use app protection policies that set the device risk level based on the machine risk score.

Moreover, the device compliance status is dependent on the Compliance status validity period you set.

(screenshot of the Compliance status validity period setting omitted)

Hope this can be helpful.
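An added example, not from the question, the answer, or Microsoft's documentation, of how a practitioner can predict what this policy will do for a fleet before relying on it: it takes a Defender for Endpoint machine list and evaluates each device against the chosen Intune setting. It assumes that the Defender `riskScore` property of the Machine resource (values None, Informational, Low, Medium, High; shown as "Risk level" in the portal) is what the Intune setting compares against, that the Intune option "Clear" corresponds to a Defender value of "None", and that a device Defender has not seen for roughly seven days is reported as not compliant regardless of its risk, as observed in the question. The seven-day window, the `SAMPLE_NOW` timestamp and the device list are constructed for the example.

```python
"""Predict the outcome of the Intune compliance setting
"Require the device to be at or under the machine risk score"
for each device in a Defender for Endpoint machine list.
Runs offline on constructed sample data."""
import json
from datetime import datetime, timedelta

# Defender for Endpoint riskScore values, ordered least to most severe.
# Assumption: this property is the one the Intune setting is compared against.
RISK_ORDER = ["None", "Informational", "Low", "Medium", "High"]

# Intune policy options mapped to the most severe Defender riskScore they
# still accept. Mapping "Clear" to "None" is an assumption of this example.
INTUNE_THRESHOLD = {"Clear": "None", "Low": "Low", "Medium": "Medium", "High": "High"}

# Constructed sample in the shape of a GET /api/machines response (not real data).
SAMPLE_MACHINES = json.loads("""
{"value": [
  {"id": "a1", "computerDnsName": "ipad-01", "riskScore": "None",
   "exposureLevel": "Low", "healthStatus": "Active", "lastSeen": "2023-11-23T09:00:00Z"},
  {"id": "a2", "computerDnsName": "ipad-02", "riskScore": "Medium",
   "exposureLevel": "High", "healthStatus": "Active", "lastSeen": "2023-11-23T10:30:00Z"},
  {"id": "a3", "computerDnsName": "ipad-03", "riskScore": "None",
   "exposureLevel": "None", "healthStatus": "Inactive", "lastSeen": "2023-11-10T08:00:00Z"},
  {"id": "a4", "computerDnsName": "ipad-04", "riskScore": "Informational",
   "exposureLevel": "Low", "healthStatus": "Active", "lastSeen": "2023-11-22T18:00:00Z"}
]}""")["value"]

# Constructed "current time" so the example is deterministic.
SAMPLE_NOW = "2023-11-23T16:00:00Z"


def risk_rank(level: str) -> int:
    """Position of a riskScore value in RISK_ORDER (higher is worse)."""
    return RISK_ORDER.index(level)


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Defender returns (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(machines, policy_level: str, now_iso: str, max_inactive_days: int = 7):
    """Return {device name: (compliant, reason)} for the given policy option.

    max_inactive_days models the behaviour reported in the question: a device
    that has not checked in to Defender for about a week is marked not
    compliant even if its risk level never changed. The exact window is an
    assumption, not something documented on this page.
    """
    threshold = risk_rank(INTUNE_THRESHOLD[policy_level])
    now = parse_time(now_iso)
    results = {}
    for m in machines:
        name = m["computerDnsName"]
        age = now - parse_time(m["lastSeen"])
        if age > timedelta(days=max_inactive_days):
            results[name] = (False, f"no Defender check-in for {age.days} days")
        elif risk_rank(m["riskScore"]) > threshold:
            results[name] = (False, f"riskScore {m['riskScore']} exceeds policy '{policy_level}'")
        else:
            results[name] = (True, f"riskScore {m['riskScore']} within policy '{policy_level}'")
    return results


if __name__ == "__main__":
    for option in ("Clear", "Low", "Medium"):
        print(f"Policy option: {option}")
        for name, (ok, why) in evaluate(SAMPLE_MACHINES, option, SAMPLE_NOW).items():
            print(f"  {name}: {'compliant' if ok else 'NOT compliant'} ({why})")
```

Run against a real tenant, the `SAMPLE_MACHINES` list would be replaced by the `value` array returned from the Defender for Endpoint machines API, and the reason strings make it clear whether a non-compliant result comes from the device's risk level or from its check-in age, which is the distinction the question is trying to make.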

0 additional answers
