Forum Discussion
Hybrid Azure AD joined Devices WITHOUT Intune show up as Non Compliant
Rudy_Ooms_MVP .. thanks for your comments
Default compliance is configured as "not compliant", but the affected "Not Compliant" devices without an MDM scope (AADHJ devices) under Azure AD Devices do not show up in Endpoint Manager.
But changing this would affect not only Windows devices, right ... all the mobile devices too ...
Scope for Windows enrollment is set to "Some", but it is 100% sure that none of the affected devices/users were in that group.
Could you find out the reason why it's not compliant? (I assume the built-in ones) or?
- ErikVet, Aug 23, 2022, Brass Contributor
Indeed that is pretty weird. It looks like only devices which were "set up" in the last couple of months. But also older ones are affected.
As they do not show in Intune it is just guessing what compliance rules trigger it. Is this somehow possible via the Graph API? But I have to look into that in detail.
Maybe some Intune/Device/AzureAD MVP can ask the product team .. I do not have those connections. Or even MS is reading this and can give some hints, as this is definitely not normal.
Thx
Erik
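One way to answer the Graph API question above with the Microsoft Graph PowerShell SDK, as an added example that is not part of the thread. It assumes the Microsoft.Graph module is installed and a signed-in account holding Device.Read.All; the device object's isCompliant field is a nullable boolean, so null is what the portal renders as "N/A" and false as "No".

```powershell
# Added example (not from the thread): list hybrid Azure AD joined devices from the
# Azure AD "All devices" blade via Microsoft Graph and bucket them by compliance state.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Device.Read.All" | Out-Null

$props = @("id","displayName","trustType","isCompliant","isManaged",
           "mdmAppId","managementType","approximateLastSignInDateTime")
$devices = Get-MgDevice -All -Property $props

# trustType "ServerAd" = hybrid Azure AD joined; "AzureAd" = Azure AD joined; "Workplace" = registered
$hybrid = $devices | Where-Object { $_.TrustType -eq "ServerAd" }

$report = foreach ($d in $hybrid) {
    # null -> "N/A" in the portal, $false -> "No", $true -> "Yes"
    $state = if ($null -eq $d.IsCompliant) { "N/A" } elseif ($d.IsCompliant) { "Yes" } else { "No" }
    [PSCustomObject]@{
        DisplayName = $d.DisplayName
        Compliance  = $state
        HasMdm      = [bool]$d.MdmAppId      # empty when the device was never MDM (Intune) enrolled
        IsManaged   = $d.IsManaged
        MgmtType    = $d.ManagementType
        LastSignIn  = $d.ApproximateLastSignInDateTime
    }
}

# Summary: how many hybrid devices are "No" vs "N/A", split by whether an MDM app id is present
$report | Group-Object Compliance, HasMdm | Select-Object Name, Count | Format-Table -AutoSize

# Detail: the puzzling set from the thread, marked non-compliant but never MDM enrolled
$report | Where-Object { $_.Compliance -eq "No" -and -not $_.HasMdm } |
    Sort-Object LastSignIn -Descending | Format-Table -AutoSize
```

Devices that land in the "No" bucket with HasMdm false are the ones worth comparing against dsregcmd /status on the endpoint, since nothing in the Intune Devices blade will explain them.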
- Aug 23, 2022: To do so I need way more information :)… as example those devices that haven't an MDM set… the person who enrolled it… had that user an Intune license… how does the dsregcmd /status output look…
Feel free to gather some logs with this PowerShell command:
wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
powerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1
- Ketzpatel, Aug 19, 2022, Brass Contributor: I am having exactly the same issue. Some devices show NA for compliant status and other devices show NO. We have nothing configured in Intune at this time to manage any devices.
- Aug 23, 2022: Okay, but as you configured nothing in Intune and you are enrolling those devices into Intune…? You also have no compliance policies configured etc., so… one of the built-in compliance policies is: has a compliance policy assigned… guess what happens when it doesn't get or have one 🙂
- Ketzpatel, Aug 23, 2022, Brass Contributor: So we have an AAD conditional access policy configured to allow only hybrid AAD joined (Win10) devices or compliant devices (iOS & Android) using the compliance partner configured in Intune with AirWatch. No Windows devices are enrolled or show up in the Intune Devices blade. These devices are only visible in the AAD All Devices blade. There are about 4000 devices hybrid joined, and only half of the devices show Compliant = NO; the others show Compliant = NA.