Forum Discussion
Device Compliance
- Mar 18, 2019
Baljit Aujla, I have figured out the solution.
When you have a Compliance policy assigned to All Users, it will reflect all your Azure AD users with those logins. But what about other (local) accounts, like the "system account", etc.? They are not compliant.
The resolution is to have another additional (same) compliance policy, assigned to an Azure AD security group, and add those (shared) Windows 10 devices to the group.
In that case, the Compliance policy is assigned at the device level to the specific device, and then the "system account" does not cause the problem.
It is poorly documented, but this is something that Microsoft Support gave to me...
The Admin Account Compliance problem wouldn't be solved when using BitLocker via user and not via computer assignment, would it?
PatrickF11 I believe it depends on if the policy is targeted to the admin user.
- John Greble, Sep 09, 2020, Copper Contributor
Just found the same problem with a BitLocker Configuration Profile. The machine is sitting next to me, and manage-bde says it is 100% encrypted. For my user account, the status of the machine is succeeded; however, for the same machine and the System Account it shows error, so then the overall status is error. Other machines have the system account and the user account as successful, while one other machine just has the user account in error. Other machines do not have any system account status listed. And this is with just 6 machines targeted, 5 different states. 🙂 I am targeting by a device group because I figured machines are encrypted, not people.
-John
- John Greble, Aug 28, 2020, Copper Contributor
I still see devices showing as non-compliant, and when I drill down I see User A as compliant for the Built-in Device Compliance Policy and User B as non-compliant for the same Built-in Device Compliance Policy and also compliant for another policy. So in a pandemic world, I have to somehow get this PC back to User B so they can log on to clear the non-compliance they triggered a month or so ago when I enrolled them before I defined any policies? Tell me it is not so.
-John