There are three execution modes that you may use for automated policy compliance:
- On Schedule evaluation mode uses SQL Server Agent jobs to verify that targets satisfy conditions and uses the application log to record instances of policy noncompliance. The conditions are checked on whatever schedule is configured for the SQL Server Agent job.
- On Change - Log Only evaluation mode monitors event notifications to identify any events that conflict with the DMF condition and then records the noncompliance in the log
- On Change - Prevent evaluation mode creates DDL triggers that enforce compliance by blocking any changes that would bring the target out of compliance.
When choosing an automated policy evaluation mode, you must ensure that the policy is enabled. Do this either by checking the Enabled box on the policy's General tab. Alternatively, you may right-click the policy in SSMS and choose Enable from the pop-up menu that appears.
It's likely that you'll want to select a variety of execution modes for your DMF policies depending upon your business requirements. You may have some hard-and-fast requirements that you definitely want to comply with at all times; On Change - Prevent mode is likely appropriate for those situations. On the other hand, you may wish to use On Change - Log Only mode or On Schedule modes to alert administrators to changes that are less urgent and don't require automated remediation.
