This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 19%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
We have configured an intune policy in called "Require the device to be at or under the machine risk score" that we set up for our iPads. The goal was to make sure that iPads check in regularly to maintain the connection to Defender 365.
On this link, you can find all the documentation there exists on this topic: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-ios#microsoft-defender-for-endpoint
The documentation talks about risk score, but this terminology isn't used anywhere in Microsoft Security Center. The only reference we have is one column when looking at the devices in Defender, that is called "Risk level". However, we saw that when a device is inactive for 7 days, it becomes non compliant for our policy, even though the Risk level wasn't elevated at all by this inactivity. So we know that Risk score is not identical to Risk level. So what defines Risk score? How can we predict how this policy will behave?
Both are the same. The risk level indicates an exploited vulnerability on the device resulting in alerts and an incident. Depending on the risk score value you select in the compliance policy for MDE, the compliance will be evaluated for the targeted devices. Did you check why the devices fell out of compliance after 7 days? Is it because it didn’t check into Defender thus not having up to date risk level data or was it because other parameters in the compliance policy related to Intune?
Hi Rahul,
Thanks for getting back to me!
The reason is as you say, a device that isn't used for 7 days becomes inactive in Defender and this causes the device to become non compliant for the configuration "Require the device to be at or under the machine risk score". We have set the policy to "Clear", which means there isn't supposed to be any elevation in risk level.
But for the devices that become non compliant because of inactivity, we don't see any elevated risk in the risk level column in Microsoft Security Center. So it looks like being inactive does have an influence on the Risk Score, but the Risk Level column seems unaffected. That's why we were wondering if maybe there was a difference between the two. If there isn't a difference, is this a bug? Or can the be explained otherwise?
Thanks again!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 22%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Hi, posting this for anyone else who comes across this issue. Although the comment selected as answer is true in that machine risk score is a combination of things. To find more documentation as to what determines this score go here.
Furthermore, looking in the settings in the security portal and going to Defender XDR > Alert Tuning you can see the following sources:
My guess is that these all contribute, but I am not sure because there is no direct documentation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Marius Ruymaekers,Thanks for posting in Q&A.
From your description, I know that you want to know what is the difference between "machine risk score" and "risk level".
Based on my research, I found that the machine risk score and the risk level are two different metrics that can be used to evaluate the security status of a device in Intune policy.
The machine risk score is a measure of the likelihood that the device used to conduct a transaction or access a service is compromised or fraudulent. The machine risk score is based on various factors such as the device’s IP address, geolocation, device ID, and device fingerprint. The machine risk score can range from 0.01 to 99, where higher scores indicate higher risk.
The risk level is a measure of the overall security posture of the device, based on various factors such as compliance, exposure, and configuration. The risk level is based on a combination of factors, including the types and severity of active alerts on the device. The exposure level is based on the pending security recommendations. The risk level can be low, medium, or high, where higher levels indicate higher risk.
The machine risk score and the risk level are not necessarily the same, as they may use different criteria and thresholds to evaluate the device. For example, a device may have a low machine risk score if it has not been involved in any suspicious activity, but it may have a high-risk level if it has many vulnerabilities or outdated software. Conversely, a device may have a high machine risk score if it has been flagged by Microsoft Defender for Endpoint as potentially compromised, but it may have a low risk level if it meets the security requirements and policies set by the organization.
The machine risk score and the risk level can be used together to assess the device’s security status and take appropriate actions. For example, you can use Intune to create and assign compliance policies that set the device risk level based on the machine risk score reported by Microsoft Defender for Endpoint. You can also use conditional access policies to block or allow access to resources based on the device risk level. For Android and iOS/iPadOS devices, you can use app protection policies that set the device risk level based on the machine risk score.
Moreover, the device compliance status is dependent on the Compliance status validity period you set.
Hope this can be helpful.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks so much for this clear response!
I have one more remark simply for clarification's sake.
When I refer to the compliance of the affected devices, I am referring not to the general Intune compliance, but to the compliance with regards to the specific compliance policy that this question is about. We did configure grace period and non compliance timings as to not block our users every time they don't use their tablet for 7 days.
@Marius Ruymaekers,Thanks for your update.