Forum Discussion
Device In Azure AD showing as not compliant, yet in Intune the device is fine and compliant
I have a couple of solutions which I'm still testing. I still don't know what's causing this, which worries me.
Fix 1
This works and is quick, but I'm waiting to see if the device stays compliant or if it falls back into the mismatch.
From PowerShell, import the AADInternals module:
Import-Module -Name AADInternals
Next, we need to grab an access token for MSGraph:
Get-AADIntAccessTokenForAADGraph -SaveToCache
This will prompt you to log in to Azure; you will need admin creds.
To confirm the device is showing as not compliant in Azure:
Get-AADIntDeviceCompliance -DeviceId AzureDeviceIDHere
Now to switch it from noncompliant to compliant:
Set-AADIntDeviceCompliant -DeviceId AzureDeviceIDHere -Compliant
This does fix the device and the user is able to log in without Conditional Access getting in the way, but I don't know what caused this to go non-compliant in the first place, or if the root cause will trip it again later (but it's been fine for 24 hours so far).
Fix 2
This also works and does not need PowerShell, but it takes a long time to fix.
In Intune, we created a policy that was impossible to achieve: I used "must have a max Windows version" and set an old version.
Applied this policy to the device and waited for Intune to apply it and then mark the device as not compliant in Intune. Now Azure and Intune both agree on the device status.
Once it was not compliant in Intune, I removed that policy from it and waited for Intune to mark it as compliant; at that point Azure also updated correctly.
This method takes ages as we need to wait for the device to sync with Intune a couple of times; on my test device it took several hours.
To me it seems Azure got out of sync with Intune somehow, and would not update until there was a change on the Intune side, which would explain why both fixes seem to work.
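Before flipping the flag with Set-AADIntDeviceCompliant, it helps to confirm how many devices are actually in this state. The following is an added example, not code from the original post, that lists every device where Intune's compliance state and the Entra ID (Azure AD) device object disagree. It uses the Microsoft Graph PowerShell SDK rather than AADInternals, and assumes the Microsoft.Graph module is installed and the signed-in account has the two read scopes.

```powershell
# Added example (not from the original post): report devices where Intune says
# 'compliant' but the Entra ID device object still has IsCompliant = $false (or
# the reverse), i.e. the mismatch described above. Read-only; it changes nothing.
# Assumes the Microsoft.Graph module is installed and the account holds the scopes.
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All' | Out-Null

$mismatches = foreach ($md in Get-MgDeviceManagementManagedDevice -All) {
    # Stale or unenrolled Intune records carry no Entra ID device id; skip them
    if (-not $md.AzureAdDeviceId) { continue }

    # The Intune record links to the Entra ID object via deviceId (not the object Id)
    $aad = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" | Select-Object -First 1
    if (-not $aad) { continue }

    $intuneCompliant = $md.ComplianceState -eq 'compliant'
    $aadCompliant    = [bool]$aad.IsCompliant   # $null (never evaluated) counts as not compliant

    if ($intuneCompliant -ne $aadCompliant) {
        [pscustomobject]@{
            DeviceName      = $md.DeviceName
            AzureAdDeviceId = $md.AzureAdDeviceId
            IntuneState     = $md.ComplianceState
            AadIsCompliant  = $aadCompliant
            IntuneLastSync  = $md.LastSyncDateTime
        }
    }
}

if ($mismatches) {
    $mismatches | Sort-Object DeviceName | Format-Table -AutoSize
} else {
    'No Intune/Entra ID compliance mismatches found.'
}
```

Run it again after applying either fix to confirm the device has dropped off the list, and keep the output as a record of which devices were touched.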
It's now 2025. This is still happening.
😔