Forum Discussion
Device Compliance
- Mar 18, 2019
Baljit Aujla, I have figured out the solution.
When you have a compliance policy assigned to All Users, it will reflect all your Azure AD users with those logins. But what about other (local) accounts, like the "system account" etc.? They are not compliant.
The resolution is to have another, additional (identical) compliance policy assigned to an Azure AD security group, and to add those (shared) Windows 10 devices to the group.
In that case, the compliance policy is assigned at device level to the specific device, and then the "system account" does not cause the problem.
It is poorly documented, but this is what Microsoft Support gave me...
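The workaround above (a second copy of the policy targeted at a device group instead of All Users) can be checked and applied from the Microsoft Graph side. The following is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed, and the policy ID and group object ID are placeholders you substitute with your own.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell module
# and an account allowed to consent to DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# 1. Show how every compliance policy is targeted. A target type of
#    allLicensedUsersAssignmentTarget is the "All Users" assignment discussed above;
#    groupAssignmentTarget carries the groupId of an Azure AD group.
$policies = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies?`$expand=assignments"
foreach ($p in $policies.value) {
    foreach ($a in $p.assignments) {
        [pscustomobject]@{
            Policy  = $p.displayName
            Target  = $a.target.'@odata.type'   # e.g. #microsoft.graph.allLicensedUsersAssignmentTarget
            GroupId = $a.target.groupId          # $null for All Users / All Devices targets
        }
    }
}

# 2. Assign the duplicated policy to the security group that holds the shared devices.
$policyId      = "<id-of-duplicated-compliance-policy>"    # placeholder, assumed
$deviceGroupId = "<object-id-of-azure-ad-device-group>"     # placeholder, assumed
$body = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $deviceGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId/assign" `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

The `assign` action sets the policy's whole assignment list, so include every target you intend to keep in `assignments`, not just the new group. Run step 1 again afterwards to confirm the duplicated policy now shows a `groupAssignmentTarget` while the original keeps its All Users target.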
Did you ever get any response or resolution to this issue? We are having the same problem, and there doesn't seem to be any obvious resolution to it.
- Baljit Aujla, Jan 31, 2019, Copper Contributor
Hi Dustin,
Hope you are well. Unfortunately I have now left the company where I was deploying the above solution. However, the engineers on site have advised that the issue is resolved with the January update to 1709.
Microsoft related the fault to this issue: https://support.microsoft.com/en-us/help/4469342/november292018kb4469342osbuild17763167
Despite this being an 1809 quality update:
"Addresses an issue with Microsoft Intune that causes devices to be incorrectly marked as not compliant because a firewall incorrectly returns a 'Poor' status. As a result, the affected devices will not receive conditional access compliance approval and may be blocked from access to corporate resources such as email."
So upgrade to the latest version of 1709 and see if it resolves the problem.
My issue was sporadic so I am guessing you will probably need to patch 50+ machines to truly see results.
- dustintadam, Jan 31, 2019, Iron Contributor
Our workstations are all on 1803, rapidly upgrading to 1809. Interestingly, even though we already knew about the firewall issue and opted to exclude the check from our CA policies for the moment, most of the non-compliant machines are failing the AV check for the "System Account", even though the same check shows compliance under the user identity.
Perhaps, as is often the case, the code base will fix that as well for the machines that haven't yet upgraded to 1809, have to wait a few weeks to know for sure.
Thanks for the response though.
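The two checks the thread keeps coming back to are the firewall status (the KB above) and the antivirus status evaluated for the System Account. The script below is an added example, not code from the thread or from Microsoft; it gathers the device-side signals those compliance settings are built on so you can compare what the machine itself reports against what the Intune portal shows for it. It assumes an elevated PowerShell session on a Windows 10 device with the built-in NetSecurity and Defender modules available.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected device.
function Get-LocalComplianceSignals {
    # Firewall: the Intune compliance setting expects the firewall enabled on every profile.
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled
    # Antivirus: Defender's own view of its state and signature freshness.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        FirewallDisabledProfiles = (($fw | Where-Object { -not $_.Enabled }).Name) -join ','
        AntivirusEnabled         = $mp.AntivirusEnabled
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
        SignatureAgeDays         = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        RunningAs                = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
Get-LocalComplianceSignals

# Security Center's view of the firewall and AV products. productState is a bitmask;
# a product that Security Center considers off or out of date is what surfaces as a
# "Poor" health status rather than "Good".
foreach ($class in 'FirewallProduct', 'AntiVirusProduct') {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName $class |
        Select-Object @{n='Class';e={$class}}, displayName, productState
}

# Recent errors from the MDM client, useful when the device-side evaluation
# disagrees with the compliance state shown in the portal.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2                          # Error
    StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

To reproduce what the "System Account" row sees rather than the signed-in user, run `Get-LocalComplianceSignals` in a shell started as SYSTEM (for example with `PsExec -s -i powershell.exe` from Sysinternals); `RunningAs` in the output confirms which identity performed the evaluation.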
- hkusulja, Feb 28, 2019, MVP
I also have an issue where we deploy an Intune "Compliance policy" to "All Users", and it is also affecting the integrated "System Account" and the overall device compliance status.
An example is also shared devices (shared meeting room Windows PCs etc.).
We have the latest Windows 10, 1809, with all further updates.