Device1 is a member of Group2 and is assigned Policy2. Policy2 requires BitLocker and sets the noncompliance grace period to 10 days. Since BitLocker is disabled, Device1 is noncompliant and will be marked as such after 10 days.

Device2 is a member of Group2 (assigned Policy2: 10 days) and Group3 (assigned Policy3: 15 days). The device is noncompliant with Policy2 (BitLocker is required but disabled). When multiple policies apply and a device is noncompliant with one or more, the most restrictive settings apply. In this context, the shortest noncompliance grace period is 10 days (from Policy2).

Device3 is a member of Group3 and is assigned Policy3. Policy3 has "Require BitLocker" set to Not configured. Therefore, Device3 is compliant with Policy3's configuration regarding BitLocker being disabled. It will not be marked noncompliant based on the BitLocker requirement of Policy3.

Official vendor documentation (Microsoft Endpoint Manager/Intune Compliance Policies):

Reference: Microsoft Documentation on Device Compliance Policies, Section: "How compliance policy settings work" and "Conflict Resolution."

Content: States that if a device is assigned multiple policies, all policies are evaluated, and the device must comply with all of them. If multiple policies have conflicting settings, the device takes the most restrictive setting. For grace periods, the shortest time (most restrictive) is applied for marking the device as noncompliant if it fails a required setting. A "Not configured" setting does not enforce a requirement.

Official vendor documentation (Microsoft Intune Configuration Service Provider (CSP) Reference):

Reference: Microsoft Windows Client Management documentation, CSP for BitLocker (BitLocker CSP).

Content: Defines the 'Require BitLocker' setting in compliance policies. The 'Not configured' state means the setting is not evaluated as a requirement for compliance by that specific policy.