Hybrid Azure AD joined Devices WITHOUT Intune show up as Non Compliant
Hello,
We do not use Intune for Windows at the moment. Everything is blocked, e.g. Enrollment Policies, no Autopilot, etc.
At the moment we are seeing some devices in AAD under Devices that show up with a Compliance Status of No, but others do not.
For example, a valid device:
and a device with the Compliance Status:
We do not know how this happens. We do have Compliance Policies for testing Azure AD joined devices, but only via staged rollout (groups).
How is it possible that some devices get a compliance status without Intune?
Many Greetings and thanks for any hint.
Erik
21 Replies
- Steve Selaya (Copper Contributor)
Just curious if you ever figured out what was going on. We are seeing the same thing and I have opened a ticket with MS but haven't heard back yet. I did notice that this only happens in our environment for those Windows 10 workstations that hybrid join via federation (ADFS). If the ADFS process fails and the device goes through the managed hybrid join (Azure AD Connect), then the compliance field is left at N/A. When going through ADFS, the registration add sets iscompliant to FALSE.
- If the device is hybrid AD joined and has no owner, it will show up as non compliant even if it's not enrolled in Intune.
- Ketzpatel (Brass Contributor)
This is correct, but 50% of the total devices show N/A and the other devices show Compliant = None, which is **bleep** confusing, and all user devices with either status are able to pass Conditional Access and can access org resources. Opening a case and involving the product team did not help, as they have no clue why this is happening.
- JurgenKoole (Copper Contributor)
Any updates?
- jfdoyon (Copper Contributor)
We just started seeing this today, which then broke some of our Conditional Access!
Did you ever figure it out?
- How did you configure the default compliance policy... "mark devices without compliance policy" compliant or not compliant?
Also wondering about the MDM scope etc. as described here:
https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/ (I know it's AADR/AADJ... but)
- ErikVet (Brass Contributor)
Rudy_Ooms_MVP .. thanks for your comments.
Default Compliance is configured as "not compliant", but the affected "Not Compliant Devices" without an MDM scope (AADHJ devices) under Azure AD Devices do not show up in Endpoint Mgr.
But changing this would also affect not only Windows devices, right... all the mobile devices too... Scope for Windows Enrollment is set to "Some", but it is 100% sure that none of the affected devices/users were in that group.
- Mmm, pretty weird... as you would normally say that when a device isn't enrolled into Intune it doesn't have the possibility to get a compliant state.
Could you find out the reason why it's not compliant? (I assume the built-in ones) or?
- NielsScheffers (Iron Contributor)
Hi ErikVet! As your Azure AD shows these devices as "MDM: None", we would indeed expect "Compliant: N/A".
Were these devices ever enrolled in Intune (accidentally, or for testing)? If so, check if there's a "Manage" button on the Azure AD device page. If there is, there will be a Managed Device object (Intune) linked to the Azure AD device object, which is probably marked non-compliant.
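To check the whole tenant for the pattern described in this thread (hybrid joined, no MDM, yet Compliant = No instead of N/A) rather than clicking through device pages one by one, here is an added Microsoft Graph PowerShell script; it is not from the thread or from Microsoft, and it assumes the Microsoft.Graph SDK is installed and the signed-in account can consent to Device.Read.All.

```powershell
# Added example (not from this thread): list hybrid Azure AD joined devices that
# carry an explicit non-compliant flag although no MDM manages them.
# Assumes the Microsoft.Graph PowerShell SDK and Device.Read.All consent.
Connect-MgGraph -Scopes "Device.Read.All"

# Pull every device object with the properties we need to classify it.
$all = Get-MgDevice -All -Property displayName, deviceId, trustType, isManaged,
    isCompliant, mdmAppId, registrationDateTime, approximateLastSignInDateTime

# trustType 'ServerAd' is what the portal shows as "Hybrid Azure AD joined".
$hybrid = @($all | Where-Object { $_.TrustType -eq 'ServerAd' })

# In the device object, isCompliant = $null is what the portal renders as "N/A";
# $false is rendered as "No". The odd case is $false with no MDM at all.
$suspect = @($hybrid | Where-Object {
    -not $_.IsManaged -and
    $null -eq $_.MdmAppId -and
    $_.IsCompliant -eq $false
})

$suspect |
    Select-Object DisplayName, DeviceId, IsManaged, IsCompliant,
        RegistrationDateTime, ApproximateLastSignInDateTime |
    Sort-Object RegistrationDateTime |
    Format-Table -AutoSize

"{0} of {1} hybrid-joined devices report Compliant = No without any MDM" -f
    $suspect.Count, $hybrid.Count
```

Comparing the RegistrationDateTime of the suspect devices against the rest can show whether they share a registration window, which is the kind of pattern (ADFS versus Azure AD Connect path) Steve describes above.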
- ErikVet (Brass Contributor)
Thx for your reply.
Sadly not.. they're not managed and they do not show in Intune/Endpoint under non compliant devices.
Devices (multiple), no scheme recognizable 😞
Of course CA policies are in place and are applied to those devices.