Forum Discussion

Baljit Aujla's avatar
Baljit Aujla
Copper Contributor
Dec 06, 2018
Solved

Device Compliance

Hi All,   Is anyone else see incorrect reporting of device compliance due to the "System Account"? As per Microsoft documentation:   "Windows 10 devices that are Azure AD joined may show the Syst...
Conditional Access
Intune
  • Hrvoje Kusulja's avatar
    Hrvoje Kusulja
    Mar 18, 2019

    Baljit Aujla I have figured out the solution.

    When you have Compliance policy, assigned to All Users, it will reflect all your Azure AD users with those logins. But what about other (local accounts), like "system account" etc.., they are not compliant.

    Resolution is to have another additional (same) compliance policy, assigned to Azure AD security group, and add those (shared) windows 10 devices to the group.

    In that case, Compliance policy is assigned on device level to the specific device, and then "system account" does not cause the problem.

    It is poorly documented, but this is something that Microsoft Support given to me...

SamTeerlinck's avatar
SamTeerlinck
Brass Contributor
Jun 06, 2019

I've had this problem too and I'll share my experience here:

If you assign policies to a device it applies the policies to all accounts on that device, including the system account (which will usually bring trouble for the compliance and such). I've not had any cases in which the system account was actually needed in Intune.
In most cases it is better to just assign the policies to the users and I usually use a dynamic group with all enabled users in it instead of 'All users'. If they then change device it will automatically migrate all policies and apps to that device as well, which will save us some time. Only when you work with special shared devices is assigning them to the device itself useful in my opinion (and even then there are some good cases for user assignment).
Simply reassigning the policies to users instead of devices won't make that system account go away in the portal though. You will have to delete the policy and make a new one, then assign it to the users only, then there won't appear a system account.

This is what I have found out from experience. I might be wrong but it has worked for me in the past. If someone wants to correct me about my policy assignment best practices, feel free to do so. I'm relatively new to Intune.

RobdeRoos's avatar
RobdeRoos
Iron Contributor
Jun 14, 2019

SamTeerlinck In many cases customers of ours have allready Intune implemented or partialy implemented. If I would be building an enviroment based on user assignment it would also impact devices that are allready in use by users.

 

Another case where I don't want user assignments is when we have a customer that has BYOD devices. Those devices are personaly owned and most of the times policies for BYOD and corporate owned devices will deffer from eachother.

 

A third example is development users versus "standard" users. But in that case it's not the policies that we don't want to target to users but just the applications.\

 

As long as we can't exclude devices on policies that are assigned to users, I need to have policies applied to devices most of the time.

Resources