Compliance
The Compliance tab on the agent detail page shows how the endpoint scores against its assigned compliance frameworks. Each framework evaluates hundreds of individual controls, and this tab breaks down the results to the control level.
Summary
At the top, a summary strip shows aggregate counts:
- Passed: Controls where the endpoint meets the requirement
- Failed: Controls where the endpoint does not meet the requirement
- Manual Review: Controls that require human judgment to evaluate
- Exempt: Controls excluded from scoring
- Overall Score: The compliance percentage (passed / total applicable controls)
The score is color-coded: green at 90% and above, yellow at 70%, orange at 50%, and red below 50%.
Framework Scores
Each assigned compliance framework is listed as an expandable row showing:
- Framework name (e.g., "CIS Windows 11 Enterprise L1")
- Compliance score as a percentage
- Level breakdown: Separate scores for L1 and L2 controls (for CIS frameworks)
- Trend indicator: Whether the score is improving, stable, or declining compared to the prior evaluation
Click a framework row to expand it and see all controls within that framework.
Control Details
Each control row shows:
| Field | Description |
|---|---|
| Control ID | The framework control number (e.g., "1.1.1") |
| Title | The requirement description (e.g., "Ensure 'Enforce password history' is set to '24 or more password(s)'") |
| Status | Passed, Failed, Manual Review, Not Applicable, or Unknown |
| Level | L1, L2, or Next Gen (for CIS frameworks) |
Click a control to expand and see the full evaluation:
- Evaluation method: How the control was checked (registry value, security policy, service state, certificate, etc.)
- Expected value: What the framework requires
- Actual value: What was found on the endpoint
- Registry path: The specific registry key checked (if applicable)
- Validation command: A PowerShell command you can run manually to verify (Windows endpoints)
- Failure reason: Why the control failed, when applicable
Filtering
- Search: Filter controls by ID or title text
- Level filter: Show only L1, L2, or Next Gen controls
- Framework expansion: Only the expanded framework's controls are loaded, keeping the view fast even with thousands of controls
Actions
- Refresh: Triggers a new compliance evaluation against the agent's current state. The agent collects fresh telemetry and the compliance evaluator re-scores all controls.
- Exempt controls: Select multiple failing controls and click "Exempt Selected" to navigate to the compliance baseline page where you can create exemptions with documented reasons.
- Enforce: For individual failing controls, click "Enforce" to open a remediation modal that can push the correct configuration to the agent.
Framework Assignment
Compliance frameworks are assigned to agents through tags, not directly. If no frameworks are assigned to any of the agent's tags, the Compliance tab shows an empty state explaining how to assign frameworks.
To assign a framework:
- Navigate to the fleet-wide Compliance page
- Select a baseline and assign it to a tag
- All agents with that tag will be evaluated on the next compliance cycle
Evaluation Schedule
Compliance evaluations run automatically every 24 hours and can be triggered on-demand using the Refresh button. After system updates or configuration changes, a new evaluation runs automatically to reflect the updated state.