Microsoft Endpoint Manager - Configuration for Vanta

  • Updated

When using Microsoft Endpoint Manager, Vanta will only read in compliance policies and will not read in configuration profiles. Shown below is how to properly configure compliance policies for Vanta.


  • For Windows devices - the attached compliance policy must contain the following system security settings:
    • Require a password to unlock mobile devices = Require
    • Maximum minutes of inactive before password is required = 1 hour (Note: this setting must be less than or equal to 1 hour
    • Require password when device returns from idle state = Require


  • For MacOS devices- the attached compliance policy must contain the following settings:



Hard Disk Encryption

Vanta looks at information provided on the hardware section of a device:


If Encrypted is set to "Yes", Vanta will say that the device is encrypted.

You can ensure that devices are encrypted by attaching a compliance policy that contains the system security setting Require encryption of data storage on device:



Password Manager

  • Vanta will recognize the Password Manager is installed on the machine provided it is one of our supported Password Managers AND it appears in the Discovered Apps list

    • Applications appearing only in the Managed Apps list are not detected by Vanta:




There are two ways Vanta will recognize antivirus is installed on the machine:

1. One of our supported antivirus applications is installed on the machine and available in the Discovered Apps list as mentioned above.


2. The attached compliance policy requires antivirus to be installed (Windows Only):




  • Check that settings for antivirus and screenlock are set in compliance policies and not in configuration profiles.
  • Ensure that any devices that aren't reporting correctly are attached to the correct compliance policy.
  • Ensure that the device is compliant with the compliance policy and\or not in a "not evaluated" state.
  • If a device is showing for the incorrect user, note that Vanta will use the "enrolled by" field for the device to determine owner. This is due to a limitation of Microsoft's Graph API as it only shows "enrolled by" and not the "primary user."