Forum Discussion
Hybrid Azure AD joined Devices WITHOUT Intune show up as Non Compliant
Hello,
We do not use Intune for Windows at the moment. Everything is blocked, e.g. enrollment policies, no Autopilot, etc.
At the moment we are seeing some devices in AAD under Devices that show up with a Compliance Status of "No", but others do not.
For example, a valid device:
and a device with the Compliance Status:
We do not know how this happens. We do have compliance policies for testing Azure AD joined devices, but only via staged rollout (groups).
How is it possible that some devices get a compliance status without Intune?
Many Greetings and thanks for any hint.
Erik
- NielsScheffers, Iron Contributor
Hi ErikVet! As your Azure AD shows these devices as "MDM: None", we would indeed expect "Compliant: N/A".
Were these devices ever enrolled in Intune (accidentally, or for testing)? If so, check if there's a "Manage" button in the Azure AD device page. If there is, there will be a Managed Device object (Intune) linked to the Azure AD Device object, which is probably marked non-compliant.
- ErikVet, Brass Contributor
Thanks for your reply.
Sadly not. They're not managed and they do not show up in Intune/Endpoint under non-compliant devices.
Devices (multiple), no recognizable scheme 😞
Of course CA policies are in place and are applied to those devices.
- How did you configure the default compliance policy: "mark devices without compliance policy" as compliant or not compliant?
Also wondering about the MDM scope etc. as described here:
https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/ (I know it's AADR/AADJ... but)
- ErikVet, Brass Contributor
Rudy_Ooms_MVP, thanks for your comments.
Default compliance is configured as "not compliant", but the affected "Not Compliant" devices without an MDM scope (AADHJ devices) under Azure AD Devices do not show up in Endpoint Manager.
But changing this would affect not only Windows devices, right? All the mobile devices too. The scope for Windows enrollment is set to "Some", but it is 100% sure that none of the affected devices/users were in that group.
- Mmm, pretty weird... as you would normally say that when a device isn't enrolled into Intune it doesn't have the possibility to get a compliant state.
Could you find out the reason why it's not compliant? (I assume the built-in ones) or?
- jfdoyon, Copper Contributor
We just started seeing this today, which then broke some of our Conditional Access!
Did you ever figure it out?
- JurgenKoole, Copper Contributor
Any updates?
- Steve Selaya, Copper Contributor
Just curious if you ever figured out what was going on. We are seeing the same thing and I have opened a ticket with MS but haven't heard back yet. I did notice that this only happens in our environment for those Windows 10 workstations that hybrid join via federation (ADFS). If the ADFS process fails and the device goes through the managed hybrid join (Azure AD Connect), then the compliance field is left at N/A. When going through ADFS, the registration add sets isCompliant to FALSE.
- If the device is a hybrid AD join without any owner, it will show up as non-compliant even if it's not enrolled in Intune.
- Steve Selaya, Copper Contributor
Interesting. According to the documentation (https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal), Hybrid Azure AD joined Windows 10 or newer devices don't have an owner, which is what we see. This doesn't explain why Windows 10 devices that hybrid join via Azure AD Connect have N/A for compliant (isCompliant=null), which appears to be more consistent with the documentation.
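Added example, not part of the thread: a Microsoft Graph PowerShell snippet that pulls the devices the posters are describing (Hybrid Azure AD joined, "Compliant: No", "MDM: None") and checks whether Intune actually has a managed-device object for each, which is the test NielsScheffers suggested. It makes the distinction between isCompliant being null (shown as N/A in the portal) and explicitly false (shown as No) visible, since that is what Steve Selaya is comparing. It assumes the Microsoft.Graph PowerShell SDK is installed and that the account has read access to Azure AD devices and Intune managed devices; the property names are those of the Graph `device` and `managedDevice` resources.

```powershell
# Added example (not from the thread): list Hybrid Azure AD joined devices that Azure AD marks
# "Compliant: No" although no MDM is recorded, and check whether Intune knows about them.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) is available.
Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All"

# Only request the properties we need from the Graph 'device' resource.
$props = "id,deviceId,displayName,trustType,isCompliant,isManaged,mdmAppId,registrationDateTime"

# trustType 'ServerAd' = Hybrid Azure AD joined. Filtering client-side keeps the
# $null (portal: N/A) vs $false (portal: No) distinction intact; -not $_.MdmAppId
# corresponds to "MDM: None" in the portal.
$suspects = Get-MgDevice -All -Property $props |
    Where-Object {
        $_.TrustType -eq 'ServerAd' -and
        $_.IsCompliant -eq $false -and
        -not $_.MdmAppId
    }

foreach ($d in $suspects) {
    # If Intune holds a managedDevice object for this Azure AD device, the compliance
    # result came from there (the "Manage" button case). If not, the flag was set by
    # the registration itself, which is the anomaly the thread describes.
    $mde = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($d.DeviceId)'"

    [pscustomobject]@{
        DisplayName     = $d.DisplayName
        AzureAdDeviceId = $d.DeviceId
        IsCompliant     = $d.IsCompliant        # $false here; $null would be shown as N/A
        IsManaged       = $d.IsManaged
        MdmAppId        = $d.MdmAppId           # $null = no MDM authority recorded
        Registered      = $d.RegistrationDateTime
        InIntune        = [bool]$mde
    }
}
```

Rows with `InIntune` false and `IsCompliant` false are the devices that break Conditional Access policies requiring a compliant device without Intune ever having evaluated them. Sorting those by `Registered` and comparing against which registration path (federated vs. Azure AD Connect sync) was in effect at that time is a way to test Steve Selaya's observation in your own tenant.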