Adaptive Application Control Recommendation: Understanding "No Recommendation" Behavior

Question

You are reviewing the recommendation to enable Adaptive Application Control and find that 10 machines appear under "No recommendation".

From the options below, which one best explains this behavior?

Answers

A. B. C. D.

Correct Answer: B

Option B is correct.

A VM will only appear under the No recommendation tab when:

It's missing a Log Analytics agent.

The Log Analytics agent isn't sending events.

It's a Windows machine with a pre-existing AppLocker policy enabled by either a GPO or a local security policy.

Options A, C and D are incorrect.

They do not cause a VM to appear under the No recommendation tab.
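
A local check for the conditions listed above on a Windows machine, as an added example that is not part of the original page. The function names are hypothetical, the service name HealthService is an assumption about the Log Analytics agent for Windows, and whether a running agent actually delivers events still has to be confirmed in the workspace.

```powershell
# Added example: local triage for the "No recommendation" conditions.
# Run on the Windows machine under review, in an elevated session.
function Get-RuleCollectionSummary {
    param([xml]$Policy)
    # Report only the rule collections (Exe, Msi, Script, ...) that contain rules.
    foreach ($c in $Policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $count = $c.SelectNodes('*').Count
        if ($count -gt 0) {
            [pscustomobject]@{
                Type            = $c.GetAttribute('Type')
                EnforcementMode = $c.GetAttribute('EnforcementMode')
                RuleCount       = $count
            }
        }
    }
}

function Get-NoRecommendationTriage {
    # Assumption: the Log Analytics agent runs as the service "HealthService".
    $agent = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue

    # -Effective merges GPO and local policy; -Local returns the local policy only.
    $effective = @(Get-RuleCollectionSummary ([xml](Get-AppLockerPolicy -Effective -Xml)))
    $local     = @(Get-RuleCollectionSummary ([xml](Get-AppLockerPolicy -Local -Xml)))

    # Heuristic: rules in the effective policy but none locally came from a GPO.
    $source = if ($effective.Count -eq 0) {
        'None'
    } elseif ($local.Count -eq 0) {
        'GPO'
    } else {
        'Local security policy (GPO rules may be merged in)'
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AgentInstalled      = [bool]$agent
        AgentRunning        = [bool]($agent -and $agent.Status -eq 'Running')
        AppLockerRulesFound = $effective.Count -gt 0
        AppLockerSource     = $source
        RuleCollections     = $effective
    }
}

Get-NoRecommendationTriage | Format-List
```

A machine that reports AppLockerRulesFound as True, or AgentInstalled or AgentRunning as False, matches one of the listed conditions.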

Reference:

Adaptive Application Control (AAC) is a feature in Microsoft Defender for Endpoint that helps prevent malware and other malicious software from running on endpoints. AAC works by allowing only trusted applications to run on endpoints based on a set of security policies defined by the security operations team.

When reviewing the recommendation to enable AAC, if there are machines that appear under "No recommendation," it means that these machines do not meet the criteria for automatic recommendation. The reasons for this could be varied, but among the options given, the most likely reason is option B: it's a Windows machine with a pre-existing AppLocker policy enabled by either a GPO or a local security policy.

AppLocker is a Microsoft Windows feature that allows an organization to control which applications and files users can run on their computers. It is possible that the machines in question have a pre-existing AppLocker policy enabled through either a Group Policy Object (GPO) or a local security policy. In such a scenario, the machines may not need to have AAC enabled, as they are already being protected by AppLocker.

Option A, which suggests that the machine has the Log Analytics agent installed, is unlikely to be the reason for the "No recommendation" status, as the installation of the Log Analytics agent does not necessarily impact AAC recommendations.

Option C, which suggests that the machine has an older version of the Log Analytics agent, is also unlikely to be the reason for the "No recommendation" status, as the version of the Log Analytics agent does not directly impact AAC recommendations.

Option D, which suggests that the Log Analytics agent is sending events, is also unlikely to be the reason for the "No recommendation" status, as the sending of events does not directly impact AAC recommendations.

In summary, the most likely reason for machines appearing under "No recommendation" in the context of enabling Adaptive Application Control is that they have a pre-existing AppLocker policy enabled by either a GPO or a local security policy.