ErikVet
Brass Contributor
Aug 18, 2022

Hybrid Azure AD joined Devices WITHOUT Intune show up as Non Compliant

Hello,

We do not use Intune for Windows at the moment. Everything is blocked, e.g. enrollment policies, no Autopilot etc.

At the moment we are seeing some devices in AAD under Devices that show up with a Compliance Status of No, but others not.

For example a valid device:

[screenshot]

and a device with the Compliance Status:

[screenshot]

We do not know how this happens. We do have compliance policies for testing Azure AD joined devices, but only via staged rollout (groups).

How is it possible that some devices get a compliance status without Intune?

Many greetings and thanks for any hint.
Erik

  • Hi ErikVet! As your Azure AD shows these devices as "MDM: None", we would indeed expect "Compliant: N/A".

    Were these devices ever enrolled in Intune (accidentally, or for testing)? If so, check if there's a "Manage" button in the Azure AD device page. If there is, there will be a Managed Device object (Intune) linked to the Azure AD Device object, which is probably marked non-compliant.

    • ErikVet
      Brass Contributor

      NielsScheffers

      Thx for your reply.

      Sadly not .. they're not managed and they do not show in Intune/Endpoint under non-compliant devices.

      Devices (multiple), no scheme recognizable 😞

      Of course CA policies are in place and are applied to those devices.

    • ErikVet
      Brass Contributor

      Rudy_Ooms_MVP .. thanks for your comments

      Default compliance is configured as "not compliant", but the affected "Not Compliant Devices" without an MDM scope (AADHJ devices) under Azure AD Devices do not show up in Endpoint Mgr.

      But changing this would also affect not only Windows devices, right ... all the mobile devices too ... :surprised:

      Scope for Windows enrollment is set to "Some", but it is 100% sure that none of the affected devices/users were in that group.

      • Mmm, pretty weird... as you would normally say that when a device isn't enrolled into Intune it doesn't have the possibility to get a compliant state.

        Could you find out the reason why it's not compliant? (I assume the built-in ones) or?
  • jfdoyon
    Copper Contributor

    We just started seeing this today, which then broke some of our Conditional Access!

    Did you ever figure it out?
  • Steve Selaya
    Copper Contributor

    ErikVet

    Just curious if you ever figured out what was going on. We are seeing the same thing and I have opened a ticket with MS but haven't heard back yet. I did notice that this only happens in our environment for those Windows 10 workstations that hybrid join via federation (ADFS). If the ADFS process fails and the device goes through the managed hybrid join (Azure AD Connect) then the compliance field is left at N/A. When going through ADFS the registration sets isCompliant to FALSE.
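A way to size the problem in your own tenant and to check the federated-join pattern Steve describes, as an added example that is not part of this thread and not Microsoft's or any poster's code: it enumerates Azure AD devices whose Graph `isCompliant` flag is `false` while nothing claims MDM authority (`mdmAppId` empty, `isManaged` false), then groups them by join type. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to `Device.Read.All`; the CSV path is a placeholder.

```powershell
# Added example (not from the thread): find Azure AD devices that show
# "Compliant: No" in the portal without any MDM authority, and break them
# down by trust type so a federated hybrid-join pattern stands out.
# Assumes the Microsoft.Graph PowerShell SDK and Device.Read.All consent.

Connect-MgGraph -Scopes "Device.Read.All"

# Pull only the Graph device properties this check needs.
$props = "id,displayName,deviceId,operatingSystem,isCompliant,isManaged," +
         "trustType,managementType,mdmAppId,registrationDateTime,enrollmentType"
$devices = Get-MgDevice -All -Property $props

# Suspect population: compliance explicitly false, yet no MDM owns the object.
# A device Intune really evaluates would carry an mdmAppId and isManaged = true.
$phantom = $devices | Where-Object {
    $_.IsCompliant -eq $false -and
    [string]::IsNullOrEmpty($_.MdmAppId) -and
    -not $_.IsManaged
}

"Devices with isCompliant=false and no MDM: $($phantom.Count) of $($devices.Count)"

# TrustType values: 'AzureAd' = Azure AD joined, 'ServerAd' = hybrid joined,
# 'Workplace' = Azure AD registered. A cluster under ServerAd/Windows is the
# signature of the hybrid-join case discussed above.
$phantom |
    Group-Object TrustType, OperatingSystem |
    Select-Object @{ n = 'TrustType/OS'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Per-device detail, newest registrations first, for the support ticket and
# for matching against sign-ins blocked by a "require compliant device" grant.
$phantom |
    Select-Object DisplayName, DeviceId, OperatingSystem, TrustType,
                  ManagementType, EnrollmentType, RegistrationDateTime |
    Sort-Object RegistrationDateTime -Descending |
    Format-Table -AutoSize

# Export so the list can be diffed against Intune's "Noncompliant devices" report;
# devices present here but absent there are the ones this thread is about.
$phantom |
    Select-Object DisplayName, DeviceId, TrustType, RegistrationDateTime |
    Export-Csv -Path ".\phantom-noncompliant.csv" -NoTypeInformation   # placeholder path
```

The filter is applied client-side rather than in a Graph `$filter` so it runs regardless of which device properties the tenant's Graph endpoint allows in filters. If the grouping shows the affected objects are all `ServerAd` with recent registration dates, comparing those dates with the federation (ADFS) versus Azure AD Connect registration path of each machine is the natural next step before deciding whether to exclude them from a compliance-based Conditional Access grant.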
