Forum Discussion
Device marked as not compliant even though it should be marked as compliant
Hi everyone,
I have some problems with an AADR Windows 10 Device.
I recently updated our Windows compliance policy to check if Secure Boot is on. If not, the device is marked as not compliant.
I've updated the Secure Boot state on the affected machine to "on" after I updated the compliance policy. I've verified the state with the PowerShell cmdlet "Confirm-SecureBootUEFI" and it returned "true". The security information app also says "on".
However, Intune doesn't mark the device as compliant even though it should be marked as compliant. The report says that Secure Boot isn't enabled on the device, which is clearly a lie...
I've rebooted the machine several times and did manual syncs from the device and the Endpoint Manager portal, but nothing helps.
Has anyone had the same experience or any suggestions on what I could do next? Thanks for your help ❤️
- KurtBMayer, Steel Contributor
See this article and check the TPM. Possibly apply a firmware update to the device, if available.
Windows 10 device with secure boot enabled shows as Not Compliant in Intune
Please like or mark this thread as answered if it's helpful, thanks!
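The thread's diagnosis hinges on three local facts: whether the UEFI variable really says Secure Boot is on, what TPM the machine has, and what firmware it runs. The script below is an added example for gathering them on the affected device, not code from the thread or from Microsoft. Confirm-SecureBootUEFI is the cmdlet preuley30 already used; Win32_Tpm, Win32_BIOS and the firmware_type environment variable are standard Windows sources; the event log name is the MDM client's diagnostics log. The decision logic at the end only restates what the thread concluded (UEFI plus TPM 1.2 with no firmware update available as the likely cause) and is an assumption for illustration, not a documented Intune rule.

```powershell
# Added example, not code from the thread: collect on the affected device the local
# facts the Intune Secure Boot compliance check depends on, so they can be compared
# with what the compliance report claims. Run from an elevated PowerShell session.

function Get-SecureBootComplianceFacts {
    [CmdletBinding()]
    param()

    # Secure Boot state from the UEFI variable (the check preuley30 ran by hand).
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, so an error means "no UEFI".
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $secureBoot = $false
    }

    # TPM presence and specification version. Win32_Tpm.SpecVersion reads, for example,
    # "2.0, 0, 1.38" on a TPM 2.0 part and "1.2, 2, 3" on a TPM 1.2 part.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware identity, for deciding whether the vendor offers a newer firmware.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareType      = $env:firmware_type          # 'UEFI' or 'Legacy'
        SecureBootEnabled = [bool]$secureBoot
        TpmPresent        = [bool]$tpm
        TpmSpecVersion    = $tpmSpec
        TpmEnabled        = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
        TpmActivated      = if ($tpm) { [bool]$tpm.IsActivated_InitialValue } else { $false }
        BiosVersion       = $bios.SMBIOSBIOSVersion
        BiosReleaseDate   = $bios.ReleaseDate
    }
}

function Get-RecentMdmErrors {
    # Recent errors from the MDM client's diagnostics log, where failed syncs and
    # policy evaluation problems are recorded on the device.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2   # Error
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$facts = Get-SecureBootComplianceFacts
$facts | Format-List

if (-not $facts.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off locally; the Intune report matches the device.'
} elseif ($facts.TpmSpecVersion -ne '2.0') {
    # Assumption taken from the thread: UEFI plus TPM 1.2 and no firmware update
    # available is the combination preuley30 identified as the cause.
    Write-Warning "Secure Boot is on but the TPM reports spec $($facts.TpmSpecVersion); check the vendor for a firmware update."
} else {
    Write-Output 'Secure Boot on and TPM 2.0 present; compare with the Intune report after the next sync.'
}

Get-RecentMdmErrors | Format-Table -AutoSize
```

Keep the Format-List output next to the device's entry in the compliance report: if SecureBootEnabled is true here while the report says otherwise, the disagreement is between the device's attestation data and the local UEFI variable, which is exactly where KurtBMayer's TPM and firmware advice applies.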
- preuley30, Brass Contributor
Many thanks for your reply! Yeah, I think that's actually the problem. The affected machine has UEFI but only TPM 1.2 and there aren't any firmware update options...
- MrNeo, Copper Contributor
Are you deploying your compliance policies to devices or users? If you're using devices, try switching it to users instead.
- NielsScheffers, Iron Contributor
Hi preuley30! First and foremost: KurtBMayer's solution is obviously the correct solution.
I do want to point out that assigning a "Windows" compliance policy to a user (as MrNeo mentions) is absolutely valid. In fact, I'd prefer it that way. A user (and their assigned privileges) mandates a certain level of device security on any (in this case Windows) device they use.
Now, that isn't always possible, so I'm not saying that assigning them to devices is bad practice, either. I'd just only use it for special circumstances.