The Intune team is aware of compliance reporting behavior in the Microsoft Endpoint Manager admin center that causes confusion among some of our customers. With this post, we’d like to make you aware of these issues while we work on providing better experiences in the future.
Compliance policy status is “Not applicable” on some devices when the settings actually are applicable
We are aware of an issue where targeting a device with a compliance policy that has one or more of the following settings enabled can cause the compliance policy to show a “Not applicable” status, even though the settings actually do apply:
Custom compliance (Windows 10 and later)
Require the device to be at or under the machine risk score (iOS/iPadOS, Android device administrator, Android Enterprise)
Require the device to be at or under the Device Threat Level (iOS/iPadOS, Android device administrator, Android Enterprise, Windows 10 and later)
Jailbroken devices (iOS/iPadOS)
Note: This issue does not occur if you include another setting in the same policy, such as a minimum or maximum OS version.
This occurs because of how reporting data is calculated. The reporting data for these settings may not be reflected until the system has processed all of the reporting data, usually within 24 hours.
While this is a known issue, the compliance setting status should resolve itself within 24 hours. If it doesn’t resolve after 24 hours, ensure that the device configuration profile has been applied appropriately. We are working to fix this issue so that the correct compliance status is always shown.
Understanding device counts in the Setting compliance report
Compliance reports help you understand when devices fail to meet your compliance configurations and help you identify compliance-related issues in your organization. The Setting compliance report (Devices > Monitor > Setting compliance) displays the number of devices in each compliance state for each compliance setting within a compliance policy in your environment. You may notice that the number of compliant devices listed doesn’t match the number of enrolled devices the policy has been applied to.
Figure: Setting compliance report in the Microsoft Endpoint Manager admin center
The numbers in each column reflect the number of compliance records Intune has for each compliance setting. When multiple users check in on the same device, a separate reporting record is captured for the same policy for each user. This occurs most often with devices shared among multiple users, such as desktop PCs.
We are working on improving reporting views, including the Setting compliance report, to only count each device once.
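To reconcile the report's record counts with actual device counts, the following added example (not Microsoft's code) tallies the same rows both ways. The CSV column names, the sample rows, and the rule that a device's most severe per-user state wins are assumptions made for this illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows; the column names are assumptions for this example,
# not the schema of an Intune export.
SAMPLE_CSV = """device_id,user,setting,state
PC-01,alice,Minimum OS version,Compliant
PC-01,bob,Minimum OS version,Compliant
PC-01,carol,Minimum OS version,Noncompliant
PC-02,dave,Minimum OS version,Compliant
PH-03,erin,Minimum OS version,Not applicable
"""

# Assumed precedence when one device has several per-user records:
# the most severe state wins. Higher number = more severe.
SEVERITY = {"Not applicable": 0, "Compliant": 1, "Noncompliant": 2}


def summarize(csv_text):
    """Return {setting: {"records": Counter, "devices": Counter}}."""
    records = defaultdict(Counter)  # per-record tally (one row per user check-in)
    worst = defaultdict(dict)       # setting -> device_id -> most severe state
    for row in csv.DictReader(io.StringIO(csv_text)):
        setting, device, state = row["setting"], row["device_id"], row["state"]
        if state not in SEVERITY:
            raise ValueError(f"unknown state: {state!r}")
        records[setting][state] += 1
        current = worst[setting].get(device)
        if current is None or SEVERITY[state] > SEVERITY[current]:
            worst[setting][device] = state
    return {
        setting: {"records": records[setting],
                  "devices": Counter(worst[setting].values())}
        for setting in records
    }


if __name__ == "__main__":
    for setting, counts in summarize(SAMPLE_CSV).items():
        print(setting)
        for state in SEVERITY:
            print(f"  {state:15} records={counts['records'][state]} "
                  f"devices={counts['devices'][state]}")
```

In the sample, the shared PC-01 contributes three records but is one device, so the record tally shows three compliant entries while only one device is compliant for every user.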
Some noncompliant devices don’t appear in the Retire noncompliant devices list
When a device becomes noncompliant with a policy, the device is added to the Noncompliant devices report and may be included in the Retire noncompliant devices list if the Retire the noncompliant device action for noncompliance is configured. While the report and list may appear similar, they have different purposes:
The Noncompliant devices report allows you to monitor and manage devices that have become noncompliant. Use this report to determine whether to troubleshoot specific devices or manage or update compliance policies.
The Retire noncompliant devices list shows devices where the Retire the noncompliant device action has been triggered. Use this list to review these devices and then use the buttons on this list to either retire the devices or restore them to their previous compliance state.
We are working on changes to make the purpose of the Retire noncompliant devices list clearer in the Endpoint Manager admin center.
We will continue to update this post as new information becomes available. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.