Forum Discussion
Intune marks Not Compliant if device does not sign in regularly, then permanently blocks the device
- Dec 16, 2021
Thanks for responding. Here are my settings:
 
I'm not able to do manual syncs because the device is logged out and you have to log back in before you can do any kind of sync, which gets blocked by CA. The only way I can get the device functioning again is to disable CA and log in, then re-enable. I'm not even sure I'd be able to completely unenroll the device and re-enroll. CA's blocking is quite belligerent.
I have only encountered this a couple times so far (of course, I'm only managing a handful of devices at this point), so I'm not sure if there's something else going on in addition.
Thanks again.
Really curious what error you are receiving when you are trying to log in, could you share that information? and what conditional access rule you are turning off to allow it again.
And maybe the error in the sign in log? As I am also writing a blog about this topic :)... it could be very useful in to troubleshooting what happened and of course how to solve it
Thanx
- Amidah1 Dec 14, 2021 Brass Contributor
Hi, I found this error too. Actually there is no error, only that when you try to check device compliance manually it fails and requests a retry. It doesn't matter how many times you retry, it will not work if "mark as non compliant" is not disabled. Once you disable that, the check is OK and you have to enable it again. As the original poster said, this is not a solution in a big environment where any change needs approvals and time windows for changes.
Thanx
- Dec 14, 2021
Ahh okay, I was assuming there wasn't a possibility to log in.. but it fails to check the device compliance... (as I can't test it yet... I need to wait 12 hours or so before the "1 day not active" will expire). What happens when you sync the device from the Company Portal... or from the device itself?
Could you take a look at the event logs (AAD) and what they are telling you?
- Amidah1 Dec 14, 2021 Brass Contributor
As much as I would like to reply with the logs, I don't have access to the device with the issue (the user is on another continent) and he is not a tech guy, so I could not rely on him to retrieve the logs. And as the current policy is in place for 60 days off before being marked as non compliant, I'm sure I'll not wait that long to get the logs.
- Dr_Snooze Dec 14, 2021 Brass Contributor
I had it happen just now on a test device that I haven't used in a while. Here is the error message when you try to log in.
Azure AD reports this sign-in error.
Forcing manual syncs from the device and/or the portal make no change.
To correct, I don't actually disable the CA policy. I remove the user from the Group to which the policy is applied. It's less disruptive, but still not an acceptable workaround.
When you say, "event logs (aad)," can you be more specific? I've tried looking at the Intune device logs. There are a zillion of them and I get a headache the moment I open even one.
Thanks,
- Dec 14, 2021
I will take a look at my own device tomorrow; hopefully the last check-in has expired so I can test it.
- Dec 15, 2021
Hi,
Just to be 100% sure we have the same CA rule set up for requiring a compliant device... which apps are you targeting? All apps or Office 365 apps?
- Amidah1 Dec 15, 2021 Brass Contributor
My environment is basically based on Office apps, but we have some outside the Microsoft environment. So it is for all company apps (Office and non-Office).
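The lock-out described in this thread starts when a device stops checking in long enough for Intune to mark it noncompliant, at which point the Conditional Access policy blocks the very sign-in that would let it sync again. The script below is an added example, not posted by anyone in the thread: it uses the Microsoft Graph PowerShell SDK to list managed devices whose last check-in is approaching or past the tenant's validity period, so an admin can prompt those users to sign in before the block takes effect. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules are installed, that the admin can consent to the DeviceManagementManagedDevices.Read.All scope, and that the 30-day validity period and 5-day warning window are placeholders to be matched to the tenant's actual settings.

```powershell
# Added example (not from the thread). Assumed values: $ValidityDays should
# match the tenant's compliance status validity period; $WarnWithinDays is
# how far ahead of the cut-off to start warning.
param(
    [int]$ValidityDays   = 30,
    [int]$WarnWithinDays = 5
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$now      = (Get-Date).ToUniversalTime()
$cutoff   = $now.AddDays(-$ValidityDays)       # older than this: already over the line
$warnFrom = $cutoff.AddDays($WarnWithinDays)   # between warnFrom and cutoff: at risk

# -All pages through every managed device; only request the properties needed.
$devices = Get-MgDeviceManagementManagedDevice -All `
    -Property 'id,deviceName,userPrincipalName,lastSyncDateTime,complianceState'

$report = foreach ($d in $devices) {
    # A device that has never synced has no timestamp to evaluate; skip it.
    if (-not $d.LastSyncDateTime) { continue }

    $lastSync = ([datetime]$d.LastSyncDateTime).ToUniversalTime()
    $status = if ($lastSync -lt $cutoff)   { 'PastValidity' }
              elseif ($lastSync -lt $warnFrom) { 'AtRisk' }
              else                          { 'OK' }

    if ($status -ne 'OK') {
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            User            = $d.UserPrincipalName
            LastSyncUtc     = $lastSync
            DaysSinceSync   = [math]::Floor(($now - $lastSync).TotalDays)
            ComplianceState = $d.ComplianceState   # what Intune currently reports
            Status          = $status
        }
    }
}

# Devices closest to (or furthest past) the cut-off come first.
$report | Sort-Object DaysSinceSync -Descending | Format-Table -AutoSize
```

Devices reported as AtRisk can still sign in and sync normally, so that is the window in which asking the user to log in avoids the remove-from-group workaround discussed above.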