Forum Discussion
Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
simcpk Thanks for the update. That is useful info. Those who are experiencing the issue can now at least fix it.
I did mention this issue to Microsoft at the Defender ATP or Intune (forgot which) booth at Microsoft Ignite 2019. They told me that there were some synchronisation issues between Intune and Defender ATP and that they worked hard with both teams to resolve the sync issues. I was told some new code was released just before Ignite that should fix most issues. He did not reference or confirm this specific issue though.
Another Belgian consultant had the same issue, by the way. So we are certainly not the only ones who are battling with this.
The strange thing is that your test was after Ignite, so it is still unclear if it is fixed or not....
Wim Borgers Well, I'm fixed. They ran some sort of back-end sync and all of my machines are reporting properly. I asked whether or not this fix was applied only to my tenant or whether it was a platform-wide change and I received the following response --
"Actually I was checking with the backend team whether the fix was only specific to your tenant or whether there were other tenants on which this fix was deployed.
I got a confirmation that they have deployed a fix for the ATP service to get it working again over the weekend 12/7-8 and it was only for your tenant."
So anyone else that is having this issue has two options:
- Start a support case to beg and plead that they run whatever back-end sync it is that fixes this. Keep in mind this took 2(!) months for me as they passed me back and forth between Intune and ATP support and ruled out all of the things that I may have mucked up.
- Run the WD ATP detection test script on all affected machines.
In fact, I would probably run the detection test script on a machine or two first to make sure that it resolved the problem and that you didn't have an entirely different issue at play. After verifying that this resolves it, you might pursue the support case for a back-end sync.
- Wim Borgers, Dec 20, 2021, Copper Contributor
molislaegers Thanks for the info. When we originally had this issue and created this thread our machines were already HAAD joined, and we had the issue nevertheless. I would need to check on the current status with my colleague, but it is odd that the ticket mentions that as a solution.
- Julian_Jerry, Dec 17, 2021, Copper Contributor
Thank you for the fast reply. Oh, hmm, I completely missed this prerequisite.
Well, it is strange, because everything else is working, so it is not that "totally not supported", just Risk Score is not working, everything else seems to be connected and active. Very misleading.
I will create the same workaround as you.
Thank you once more.
- molislaegers, Dec 17, 2021, Brass Contributor
The answer I've got on my service ticket:
A machine has to be AAD / HAAD Joined to detect the risk score. It's in the prerequisites on: https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#prerequisites
What I've done is making a second Compliance Policy for registered devices without the Risk Score component.
- Julian_Jerry, Dec 17, 2021, Copper Contributor
I have the exact same issue as you are describing. Were you able to somehow overcome this? I needed to deploy some BYOD devices, Azure AD Joined devices are not an option (we already have that for company-owned devices, and it is working just fine).
Devices are properly AD Registered, Intune Managed, onboarded into Microsoft Defender for Endpoint, but in the Endpoint manager admin center, the computer is failing at compliance policy with "Require the device to be at or under the machine risk score: Not Compliant." In the Company portal, I am receiving the same error message "Enroll your device in Microsoft Defender for Endpoint".
In the defender portal, I can see that the Device is Onboarded properly, Active, but at the Exposure level, there is: "No data available".
It seems like the portal is somehow not able to properly get the data from the device to calculate the exposure level. I have tried re-deploying defender manually with no luck (currently deploying with policy). I have re-imaged the testing device and re-enrolled into the system countless times.
Thank you for any hint.
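A local pre-check that follows from the prerequisite quoted earlier in the thread (the risk score is only evaluated for Azure AD joined or hybrid joined devices), written here as an added PowerShell example that is not from the thread or from Microsoft: it reads the join state from dsregcmd /status, the sensor's OnboardingState registry value and the Sense service, and says whether the symptom described above is the join-state prerequisite or an onboarding/sync problem.

```powershell
# Added diagnostic (not from the thread or Microsoft): does this device meet the
# join-state prerequisite for the Intune "machine risk score" setting, and is the
# Defender for Endpoint sensor (Sense) onboarded and running? Run elevated.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : YES/NO" lines; extract the three we need.
    $out = dsregcmd /status
    $state = @{}
    foreach ($name in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $line = $out | Where-Object { $_ -match "^\s*$name\s*:\s*(YES|NO)" } | Select-Object -First 1
        $state[$name] = [bool]($line -and $line -match ':\s*YES')
    }
    return $state
}

function Get-MdeSensorState {
    # Documented onboarding marker: OnboardingState = 1 under the Status key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $value = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    return @{
        Onboarded    = ($value -eq 1)
        SenseRunning = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$join = Get-DeviceJoinState
$mde  = Get-MdeSensorState
# AAD joined and hybrid AAD joined both report AzureAdJoined : YES;
# a device that is only "Azure AD registered" reports WorkplaceJoined : YES instead.
$registeredOnly = (-not $join.AzureAdJoined) -and $join.WorkplaceJoined

"AzureAdJoined={0} DomainJoined={1} WorkplaceJoined={2} Onboarded={3} SenseRunning={4}" -f `
    $join.AzureAdJoined, $join.DomainJoined, $join.WorkplaceJoined, $mde.Onboarded, $mde.SenseRunning

if ($registeredOnly) {
    'Azure AD registered only: the risk score prerequisite is not met, so this setting stays'
    'Not Compliant whatever the sensor does. Use a policy without the risk score setting.'
} elseif (-not $mde.Onboarded -or -not $mde.SenseRunning) {
    'Join state is fine but the sensor is not onboarded or not running: fix onboarding first.'
} else {
    'Local prerequisites are met. If Intune still reports Not Compliant, suspect the'
    'Intune/MDE sync: run the onboarding detection test, then open a support case.'
}
```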
- molislaegers, Nov 12, 2021, Brass Contributor
This issue still exists today..
Device: Setup with personal (offline or Microsoft account)
Added Work or School Account
Intune: Made corporate and assigned policies / apps
Defender for Endpoint: Enrolled
Azure AD shows: AAD Registered
AAD Registered machines don't get compliant in Intune because of their risk Score. The devices are Active in the Microsoft Security Portal (Defender for Endpoint).
The company portal says: "Enroll your device in Microsoft Defender for Endpoint" --> It is! When I test it with eicar.com it detects it and shows that in the Defender for Endpoint portal.
What else to do..
Joining the device to AAD is not an option at this moment.
- Wim Borgers, Jan 08, 2020, Copper Contributor
TeknaDan Thanks for the info. That is good to know. We will check it on our systems as well. That is indeed an elegant solution! Although in the end Microsoft still needs to fix this. 🙂
- TeknaDan, Jan 08, 2020, Copper Contributor
Wim Borgers I might have found a way to fix this issue without getting Microsoft involved. I had the same issue with new machines showing Non-Compliant and Deactivated in Intune but found that shortly after running the detection test against a machine (found in Microsoft Defender Security Center --> Settings --> Machine Management --> Onboarding) it checked into ATP and was then marked Compliant. Tested this with 3 machines so far and it worked for all of them.
- Wim Borgers, Dec 10, 2019, Copper Contributor
simcpk Thanks for the info! Glad the issue got solved for you. I think the info will be useful for others in this thread as well. I will relay this info to our sysadmin and we will check our own tenant as well. 🙂