Forum Discussion

preuley30 (Brass Contributor), Sep 07, 2022

Device marked as not compliant even though it should be marked as compliant

Hi everyone,

I have some problems with an AADR Windows 10 device.

I recently updated our Windows compliance policy to check if Secure Boot is on. If not, the device is marked as not compliant.

I've updated the Secure Boot state on the affected machine to "on" after I updated the compliance policy. I've verified the state with the PowerShell cmdlet "Confirm-SecureBootUEFI" and it gave me "true" back. The Windows Security app also says "on".

However, Intune doesn't mark the device as compliant even though it should be marked as compliant. The report says that Secure Boot isn't enabled on the device, which is clearly a lie...

I've rebooted the machine several times and did manual syncs from the device and from the Endpoint Manager portal, but nothing helps.

Does anyone have the same experience or some suggestions on what I could do next? Thanks for your help ❤️
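The original post verifies Secure Boot with one cmdlet; the thread later points at the TPM version as the real difference between the device and the report. The script below is an added example, not something posted in the thread, that gathers the firmware mode, the Confirm-SecureBootUEFI result and the TPM spec version in one object so the local state can be compared with what the Intune compliance report shows. It assumes an elevated PowerShell session on the device itself (reading Win32_Tpm requires administrator rights); the function name and the output field names are my own.

```powershell
# Added example (not from the thread): collect the local facts behind an Intune
# "Require Secure Boot" compliance check so they can be compared with the report.
function Get-SecureBootComplianceFacts {
    $facts = [ordered]@{}

    # Firmware mode. Confirm-SecureBootUEFI only works on UEFI systems and
    # throws on a legacy-BIOS machine, so record the mode first.
    $facts.FirmwareType = $env:firmware_type

    try {
        # Returns $true when Secure Boot is on, $false when off, throws when not supported.
        $facts.SecureBootEnabled = Confirm-SecureBootUEFI
        $facts.SecureBootError   = $null
    } catch {
        $facts.SecureBootEnabled = $null
        $facts.SecureBootError   = $_.Exception.Message
    }

    # TPM presence and spec version. Win32_Tpm.SpecVersion is a string such as
    # "2.0, 0, 1.38" or "1.2, 2, 3"; the first element is the TPM spec level.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $facts.TpmPresent     = $true
        $facts.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        $facts.TpmEnabled     = $tpm.IsEnabled_InitialValue
        $facts.TpmActivated   = $tpm.IsActivated_InitialValue
        $facts.TpmOwned       = $tpm.IsOwned_InitialValue
    } else {
        $facts.TpmPresent     = $false
        $facts.TpmSpecVersion = $null
    }

    # Plain-language summary for whoever compares this with the Intune report.
    $facts.Summary = if ($facts.SecureBootEnabled -eq $true -and $facts.TpmSpecVersion -eq '2.0') {
        'Secure Boot on locally, TPM 2.0 present: local state matches what the policy expects.'
    } elseif ($facts.SecureBootEnabled -eq $true) {
        "Secure Boot on locally but TPM spec is '$($facts.TpmSpecVersion)': compare with the Intune report (this is the combination the thread ended up at)."
    } elseif ($facts.SecureBootEnabled -eq $false) {
        'Secure Boot is off in firmware: the compliance report is correct.'
    } else {
        "Secure Boot state could not be read: $($facts.SecureBootError)"
    }

    return [pscustomobject]$facts
}

# Usage: run in an elevated PowerShell session on the device.
Get-SecureBootComplianceFacts | Format-List
```

The point of collecting all three values together is that a "Secure Boot: true" answer from the cmdlet alone does not tell you whether the device can report that state to Intune; the summary line deliberately separates "off in firmware", "on but with an older TPM" and "cannot be read" so the next troubleshooting step is obvious from the output.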

    • preuley30 (Brass Contributor)
      Many thanks for your reply! Yeah, I think that's actually the problem. The affected machine has UEFI but only TPM 1.2 and there aren't any firmware update options...

  • MrNeo (Copper Contributor)
    Are you deploying your compliance policies to devices or users? If you're using devices, try switching it to users instead.

    • preuley30 (Brass Contributor)
      MrNeo Why should I assign a Windows compliance policy to users? That's not making any sense tbh. The device must be compliant, not the user. Or am I missing a point?

      • NielsScheffers (Iron Contributor)
        Hi preuley30! First and foremost: KurtBMayer's solution is obviously the correct solution.

        I do want to point out that assigning a "Windows" compliance policy to a user (like MrNeo mentions) is absolutely valid. In fact, I'd prefer it that way. A user (and their assigned privileges) mandates a certain level of device security on any (in this case Windows) device they use.

        Now, that isn't always possible, so I'm not saying that assigning them to devices is bad practice, either. I'd just only use it for special circumstances.
