SOLVED

Device Compliance

Hi All,

Is anyone else seeing incorrect reporting of device compliance due to the "System Account"? As per Microsoft documentation:

"Windows 10 devices that are Azure AD joined may show the System Account as a non-compliant user. This is expected behavior and doesn't affect the overall device compliance."

This seemed to be working OK until about 2 weeks ago. We are using:

Hybrid joined device in a co-managed state - Windows 10 1709 and SCCM 1806. The slider for device compliance is set completely to Intune.

We end up with results like this:

[image: compliance.png]

and the device is then overall marked as non-compliant:

[image: compliance2.png]

This example is just ridiculous, as everything is actually compliant yet the System Account is marked Not Compliant and the device is as well.

Seems to be so inconsistent... and we are using CA policies which are locking out users.

Labels: Conditional Access, Intune


Re: Device Compliance

I had the same issue until we updated Windows @Dustin Adam


Re: Device Compliance

@pauljeffcott

It didn't work for me, we still have a bunch of clients that are failing compliance because of the System Account.


Re: Device Compliance

Any resolution for you Dustin? I still have System Account showing as not compliant, with the Compliance profile assigned to the device security group as well as the user security group. Company Portal app tells the user they are out of compliance.


Re: Device Compliance

@Hrvoje Kusulja

Awesome, thanks! I'll give it a shot.


Re: Device Compliance

@Dustin Adam in my case (all users) there is no option to assign the same policy to other things then. I think it should be enough to have one policy and assign it to multiple security groups at the same time.


Re: Device Compliance

@Hrvoje Kusulja

Did you have to create a copy of the compliance policy, or simply assign the same policy to multiple groups that included both users and computers?


Re: Device Compliance

@Dustin Adam in that case, I am not sure, you can try and post feedback.

My case, it was assigned to (all) users, and additionally assigned to devices, to resolve the system account issue.


Re: Device Compliance

@Hrvoje Kusulja

In our case, our Compliance policy is targeted to an Azure AD Security group with all of our Windows 10 machines in it already. Reading this, it sounds like I have to duplicate the policy exactly and then assign it to a group of Users as well?


Re: Device Compliance

@Baljit Aujla I have figured out the solution.

When you have a Compliance policy assigned to All Users, it will reflect all your Azure AD users with those logins. But what about other (local accounts), like "system account" etc., they are not compliant.

Resolution is to have another additional (same) compliance policy, assigned to an Azure AD security group, and add those (shared) Windows 10 devices to the group.

In that case, the Compliance policy is assigned on device level to the specific device, and then "system account" does not cause the problem.

It is poorly documented, but this is something that Microsoft Support gave to me...


Re: Device Compliance

Have the same issue on several configuration policies in Intune reporting Error or Failed on the System Account


Re: Device Compliance

Going to +1 this. While Microsoft's own documentation does state that non-compliance for the System Account will not impact a machine's overall compliance, it can make proactively addressing compliance issues more difficult. For example, the Machine compliance report in Intune seems to be correctly ignoring machines where the non-compliance is the System Account identity, but the Power BI report pack that leverages the Intune data warehouse does not.

Ideally, if the compliance state of the System Account doesn't matter, it would be preferable that Intune ignore the identity entirely and didn't report on it.


Re: Device Compliance

I also have this issue, where we deploy the Intune "Compliance policy" to "All Users", and it is also affecting the integrated "System Account" and overall device compliance status.

Example is also for shared devices (shared meeting room Windows PC etc.)

We have latest Windows 10 - 1809 with all further updates


Re: Device Compliance

Our workstations are all on 1803, rapidly upgrading to 1809. Interestingly, even though we already knew about the firewall issue and opted to exclude the check from our CA policies for the moment, most of the non-compliant machines are failing the AV check for the "System Account", even though the same check shows compliance under the user identity.

Perhaps, as is often the case, the code base will fix that as well for the machines that haven't yet upgraded to 1809; have to wait a few weeks to know for sure.

Thanks for the response though.


Re: Device Compliance

Hi Dustin,

Hope you are well. Unfortunately I have now left the company where I was deploying the above solution. However, as per the engineers onsite, they have advised the issue is resolved with the January update to 1709.

Microsoft related the fault to this issue: https://support.microsoft.com/en-us/help/4469342/november292018kb4469342osbuild17763167

Despite this being an 1809 quality update:

"Addresses an issue with Microsoft Intune that causes devices to be incorrectly marked as not compliant because a firewall incorrectly returns a 'Poor' status. As a result, the affected devices will not receive conditional access compliance approval and may be blocked from access to corporate resources such as email."

So upgrade to the latest version of 1709 and see if it resolves the problem.

My issue was sporadic so I am guessing you will probably need to patch 50+ machines to truly see results.


Re: Device Compliance

Did you ever get any response or resolution to this issue? We are having the same problem; there doesn't seem to be any obvious resolution to the problem.


Re: Device Compliance

@Baljit Aujla

@Oliver Kieselbach

I also have this problem. Devices are set to an AD security group of "Windows 10 only" devices.

When adding the laptops to Azure AD, they will get both the system account and user account.

Sometimes there's no problem, but other times things like "require BitLocker" only fail on the system account, and the entire device gets marked as non-compliant!

Laptops are on 1809.

Still no fix?
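The posts above disagree about how to read the per-identity rows: the original poster's quoted documentation says a non-compliant System Account should not affect overall device compliance, while another reply notes that the Power BI report pack built on the Intune data warehouse does not apply that rule. The following PowerShell is an added example (it is not from the thread and not Microsoft code) that applies the documented rule yourself when triaging: it groups the per-user status rows Intune returns for a compliance policy, and classifies each device as compliant, non-compliant because of a real user identity, or non-compliant only because of the System Account row. It assumes rows shaped like the Microsoft Graph deviceCompliancePolicies/{id}/deviceStatuses response (deviceDisplayName, userName, status), that the built-in identity is labelled "System Account" (parameterised, because the exact label is an assumption), and the sample rows are constructed for the example.

```powershell
# Added example, not from the thread. Triage per-identity compliance rows so that
# devices whose ONLY failing identity is the built-in "System Account" are
# separated from devices with a genuine user-level failure.
# Input rows follow the shape of Microsoft Graph
#   GET /v1.0/deviceManagement/deviceCompliancePolicies/{id}/deviceStatuses
# i.e. objects with deviceDisplayName, userName and status.

function Get-ComplianceTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $DeviceStatuses,
        # Label Intune shows for the built-in identity (assumption; adjust if your
        # tenant reports it differently). -eq/-ne are case-insensitive in PowerShell.
        [string] $SystemAccountName = 'System Account'
    )

    # Graph complianceStatus values that should count as a failure for triage.
    $failStates = @('nonCompliant', 'error', 'conflict')

    foreach ($group in ($DeviceStatuses | Group-Object -Property deviceDisplayName)) {
        $rows        = @($group.Group)
        $failing     = @($rows    | Where-Object { $failStates -contains $_.status })
        $userFailing = @($failing | Where-Object { $_.userName -ne $SystemAccountName })
        $sysFailing  = @($failing | Where-Object { $_.userName -eq $SystemAccountName })

        # Apply the documented rule: System Account alone does not make the device non-compliant.
        $verdict = if ($failing.Count -eq 0) {
            'Compliant'
        } elseif ($userFailing.Count -eq 0) {
            'SystemAccountOnly'
        } else {
            'NonCompliant'
        }

        [pscustomobject]@{
            Device            = $group.Name
            Identities        = $rows.Count
            SystemAccountFail = ($sysFailing.Count -gt 0)
            FailingUsers      = ($userFailing.userName -join ', ')
            Verdict           = $verdict
        }
    }
}

# Constructed sample rows (not real tenant data). In a real run, with the
# Microsoft.Graph module connected (DeviceManagementConfiguration.Read.All), use
# the .value of:
#   Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId/deviceStatuses"
# and follow '@odata.nextLink' for large tenants, since the response is paged.
$sample = @(
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-01'; userName = 'System Account';     status = 'nonCompliant' }
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-01'; userName = 'alice@contoso.com'; status = 'compliant'    }
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-02'; userName = 'System Account';     status = 'compliant'    }
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-02'; userName = 'bob@contoso.com';   status = 'nonCompliant' }
    [pscustomobject]@{ deviceDisplayName = 'ROOM-PC-7'; userName = 'System Account';     status = 'error'        }
    [pscustomobject]@{ deviceDisplayName = 'ROOM-PC-7'; userName = 'carol@contoso.com'; status = 'compliant'    }
    [pscustomobject]@{ deviceDisplayName = 'ROOM-PC-7'; userName = 'dave@contoso.com';  status = 'compliant'    }
    [pscustomobject]@{ deviceDisplayName = 'LAPTOP-03'; userName = 'erin@contoso.com';  status = 'compliant'    }
)

$triage = Get-ComplianceTriage -DeviceStatuses $sample
$triage | Format-Table -AutoSize

# Devices that look broken in a raw report but only need the System Account row ignored.
$triage | Where-Object Verdict -eq 'SystemAccountOnly'
```

With the sample rows, LAPTOP-01 and ROOM-PC-7 come out as SystemAccountOnly, LAPTOP-02 as NonCompliant (bob@contoso.com) and LAPTOP-03 as Compliant. This is reporting triage only: it tells you which entries in a downstream report can be discounted, but it does not change the device compliance state that Conditional Access evaluates, which is whatever Intune itself computed for the device.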
Re: Device Compliance

Mine is working :p sorry, not able to help more..


Re: Device Compliance

I've had this problem too and I'll share my experience here:

If you assign policies to a device it applies the policies to all accounts on that device, including the system account (which will usually bring trouble for the compliance and such). I've not had any cases in which the system account was actually needed in Intune.
In most cases it is better to just assign the policies to the users, and I usually use a dynamic group with all enabled users in it instead of 'All users'. If they then change device it will automatically migrate all policies and apps to that device as well, which will save us some time. Only when you work with special shared devices is assigning them to the device itself useful in my opinion (and even then there are some good cases for user assignment).
Simply reassigning the policies to users instead of devices won't make that system account go away in the portal though. You will have to delete the policy and make a new one, then assign it to the users only; then there won't appear a system account.

This is what I have found out from experience. I might be wrong but it has worked for me in the past. If someone wants to correct me about my policy assignment best practices, feel free to do so. I'm relatively new to Intune.


Re: Device Compliance

In my opinion there is a major!! flaw in compliance reporting by Intune. The problem we encounter with shared devices forced us to completely disable all compliance checks for those devices.

The situation:

- User 1: logs on to the device
- User 1: marks the device as not compliant for whatever reason
- User 1: logs off from the device before remediation could be started
- User 2: logs on to the device
- User 2: the device gets remediated
- User 2: tries to open a resource that requires a compliant device and is denied access because the device is NOT compliant

The only solution is... let User 1 sign in again and remediate the device under User 1....

In my opinion this is absolutely unacceptable.... The solution is called DEVICE compliance. So how the beep is it possible that the DEVICE won't be set to compliant when a different user logs on to the device and remediates the issue that marked the device as non-compliant.....

For another customer of ours, an admin needed to log on to a user's device and marked that device as non-compliant. Result was the user wasn't able to access resources that required a compliant device.

Especially with shared devices we cannot trust the Device Compliance solution the way it works now. This is a huge issue in a world where compliance is one of the key components to secure access to resources.


Re: Device Compliance

@RobdeRoos

Apart from this, Intune Device compliance is way too unstable for me to use it as a conditional access.

Luckily we don't have thousands of users so I can manually check if one of the devices becomes non-compliant. Usually it's just an Intune bug.


Re: Device Compliance

@SamTeerlinck In many cases customers of ours have already Intune implemented or partially implemented. If I would be building an environment based on user assignment it would also impact devices that are already in use by users.

Another case where I don't want user assignments is when we have a customer that has BYOD devices. Those devices are personally owned and most of the time policies for BYOD and corporate owned devices will differ from each other.

A third example is development users versus "standard" users. But in that case it's not the policies that we don't want to target to users but just the applications.

As long as we can't exclude devices on policies that are assigned to users, I need to have policies applied to devices most of the time.


Re: Device Compliance

Same issue here as well. We assigned the device compliance policy to a Windows 10 device group. Because we have multi-user devices we cannot switch to user groups. Very often devices are marked as non-compliant because of the system account. This is really annoying and we can't use Device Compliance within CA. Already opened a support ticket but no help from there yet....


Re: Device Compliance

In our environment we use device assignment, too. (For device compliance and for device configurations.)

Some of the devices are only showing the compliance and configs for the user; some devices are showing them for user AND system account.

I really have no idea why. Anyone else?

And of course we have the same issues as everyone in here:

Some device configs are compliant for user AND system account, some configs are only compliant for the user.

BUT: When I have a device with user compliance marked as compliant and system account as non-compliant, the whole device is marked as compliant in the GUI nevertheless.


Re: Device Compliance

@PatrickF11

Hi, no I can't come up with any ideas either, but I just wanted to post my screaming frustration with this scenario; it really is not good enough. We use device policies and fortunately we don't have that many machines, but we have compliance failures for System Accounts that should have no bearing on the situation. We also have situations where the System Account is OK and the user account isn't! Go figure.


Re: Device Compliance

@PatrickF11

Same here - we thought device compliance was the best way to go, since we are cloud only, joined to Azure AD, and other users could theoretically log in to other devices even though they hardly ever do that. Win10 is at least v1803 on our machines.

But, like you and a few other posters here mentioned, some devices report compliant with both 'system' and user account, then others are marked non-compliant with either the 'system account' or user account not compliant.

@microsoft:

Being that we as system admins have no control over this 'system account', I'd like to request it officially removed from compliance checking, or at least see a check-box in the policy to exclude it. Additionally, if assigning most policies to devices is not the preferred method, update the documentation to include explanations that system admins can understand; then we can make an informed decision as to which way we'd like to go for our organization. Also add some explanation as to what the 'system account' is and how it is controlled/administered/used.


Re: Device Compliance

@Peter Osborne

I have had some advice from MS Intune support and they say that in my case (a BitLocker policy) it should be applied to the User and not the machine to solve the issue. It seems counter-intuitive (to me anyway) to apply a policy which really only can apply to machines (it is encrypted or it isn't) to users who aren't going to be encrypted. Anyway, I am going to test this advice and see what happens, but it does feel like a 'fudge'.

If I remember correctly (and I might not), it seems a System A/C is created when the machine is added to the system (Intune?) before the primary user is created. The trouble is this System A/C can either be compliant or not, depending on something as yet unknown. One way to get rid of it is to remove the machine from AAD and re-join it. Simple enough in AD but not so in AAD, and anyway there is the extra gotcha in making sure that you've not named your machine with over 15 characters, which is allowed (maybe 16, but just to be on the safe side), as it makes the process of creating a local admin that you need to log into when off the domain impossible. Believe me, I have stumbled into that one, which took days and was solved by accident and luck.

Overall I can see the point of Intune, especially if you need to back up your security principles/management of devices with some sort of verifiable evidence. However, every policy is a complex slog and I have now started to create policies with only one or the minimum changes possible to keep things simple. Plus, on advice, I am now testing things that directly and obviously affect the user, one at a time, which makes it an even bigger slog. For example, I'm testing a policy to block access to Defender settings, so no-one can switch them off. One setting, which according to Intune has worked, but on the machine no change. Spotted in the (awful) documentation that for this setting the machine requires a reboot. Rebooted it, no change. So Intune says the policy is successful but the machine has clearly not got the message. Incidentally the 'Disable Autoplay' setting doesn't make any visible changes and the Autoplay button remains 'on' in the Settings panel. You would think this would be fairly easy to test before it is shown the light of day!!


Re: Device Compliance

@AJRoy Did you already test assigning the BitLocker policy to users?


Re: Device Compliance

@PatrickF11

Hi, just in the throes of testing it now. Although as most of our machines have BitLocker installed, to properly test it I'll have to remove it and then see what happens. Currently it has succeeded on the two active machines that I'm the primary user on where BitLocker is installed, so the process looks like it works. No sign of a System A/c but wasn't expecting one. I'll keep you informed as things progress; remind me if I haven't. Regards.


Re: Device Compliance

@AJRoy I can imagine this would solve the system account issue because the policy isn't applied to the system account. But what if, on a shared device, one user breaks compliance and another user logs on before remediation can be done for that one user? I reckon the device would still be marked as non-compliant even though the second user is marked as compliant again.

That is the issue I have run into in the past.

I believe what MS st
ates%20is%20not%20the%20solution%20to%20the%20issue%20but%20a%20workarround.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096397%22%20slang%3D%22en-US%22%3ERe%3A%20Device%20Compliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096397%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F320165%22%20target%3D%22_blank%22%3E%40RobdeRoos%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgreed.%20However%20I%20have%20just%20written%20a%20longish%20reply%20which%2C%20when%20posted%2C%20disappeared%20and%20I%20hadn't%20had%20the%20foresight%20to%20make%20a%20copy%20just%20in%20case!%20Hugely%20frustrating%20as%20I%20didn't%20really%20commit%20it%20to%20memory%20and%20it%20just%20goes%20to%20show%20how%20we%20lazily%20rely%20on%20everything%20working%20properly%20and%20not%20building%20in%20contingency%20when%20it%20unexpectedly%20fails.%20This%20is%20the%20modern%20way%2C%20as%20building%20in%20fail%20safes%20and%20stress%20testing%20is%20expensive%20and%20time%20consuming%2C%20Boeing%20could%20well%20be%20an%20example%20of%20this%2C%20we%20shall%20see.%20Anyway%2C%20I%20digress.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhilst%20we%20are%20gradually%20building%20up%20the%20way%20we%20use%20Intune%20to%20manage%20our%20devices%2C%20I%20am%20finding%20it%20very%20frustrating.%20The%20casual%20approach%20to%20compliance%5Cnon-compliance%20is%20perplexing.%20In%20my%20particular%20case%20I%20fundamentally%20only%20need%20to%20know%20whether%20Bitlocker%20is%20on%20or%20off%20as%20this%20is%20a%20device%20centric%20issue.%20Getting%20a%20non-compliance%20because%20of%20a%20spurious%20System%20A%5Cc%20is%20frustrating%20and%20cannot%20be%20left%20as%20a%20'false%20positive'%20as%20any%20auditor%20would%20rightly%20flag%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20way%20of%20managing%20devices%20in%20the%20modern%20world%20is%20changing%20especially%20around%20the%20securit
y%20of%20data%20which%2C%20in%20Europe%2C%20the%20GDPR%20regulations%20have%20rightly%20highlighted.%20It%20is%20difficult%20enough%20getting%20users%20to%20modify%20their%20mindsets%20about%20data%20without%20the%20management%20systems%20being%20a%20little%20vague%2C%20as%20fundamentally%20I%20want%20to%20set%20up%20the%20device%20to%20a%20set%20of%20security%20principles%2C%20I%20want%20it%20to%20be%20monitored%20to%20ensure%20that%20it%20stays%20that%20way%20and%20I%20want%20it%20to%20be%20flagged%20if%20somehow%20it%20isn't%2C%20plus%20I%20want%20sensible%20error%20messages%20if%20things%20don't%20work%2C%20is%20that%20too%20much%20to%20ask%3F%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20devices%20that%20are%20predominantly%20off%20site%2C%20reliance%20on%20the%20accuracy%20of%20monitoring%20tools%20is%20paramount%2C%20and%20it%20just%20doesn't%20feel%20that%20that's%20in%20mind.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096419%22%20slang%3D%22en-US%22%3ERe%3A%20Device%20Compliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096419%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Admin%20Account%20Compliance%20problem%20wouldn't%20be%20solved%20when%20using%20bitlocker%20via%20user%20and%20not%20via%20computer%20assignment%2C%20isn't%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096425%22%20slang%3D%22en-US%22%3ERe%3A%20Device%20Compliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096425%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F275685%22%20target%3D%22_blank%22%3E%40PatrickF11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20good%20point%20and%20I%20don't%20know.%20I'm%20only%20following%20instructions%20that%20I%20haven't%20completed%20yet.%20I'm%20getting%20into%20a%20
real%20plate%20spinning%20exercise%20where%20all%20my%20attempts%20to%20apply%20some%20sort%20of%20MDM%20hit%20some%20sort%20of%20issue%2C%20usually%20in%20the%20area%20of%20confirming%20what%20I've%20asked%20is%20actually%20done.%20I%20spend%20a%20lot%20of%20my%20time%20dealing%20with%20MS%20Intune%20support%2C%20who%20are%20very%20nice%2C%20but%20can't%20really%20help%20when%20the%20product%20is%20not%20helping%20them%2C%20in%20my%20opinion%20of%20course%2C%20but%20it%20is%20frustrating.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1096429%22%20slang%3D%22en-US%22%3ERe%3A%20Device%20Compliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1096429%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F275685%22%20target%3D%22_blank%22%3E%40PatrickF11%3C%2FA%3E%26nbsp%3BI%20believe%20it%20depends%20on%20if%20the%20policy%20is%20targeted%20to%20the%20admin%20user.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Baljit Aujla
Occasional Contributor

Hi All,

 

Is anyone else seeing incorrect reporting of device compliance due to the "System Account"? As per Microsoft documentation:

 

"Windows 10 devices that are Azure AD joined may show the System Account as a non-compliant user. This is expected behavior and doesn't affect the overall device compliance."

 

This seemed to be working OK until about 2 weeks ago. We are using:

 

Hybrid joined device in a co-managed state - Windows 10 1709 and SCCM 1806. The slider for device compliance is set completely to Intune.

 

We end up with results like this:

 

compliance.png

 

and the device is then overall marked as non-compliant:

 

compliance2.png

 

This example is just ridiculous, as everything is actually compliant yet the System Account is marked Not Compliant and the device is as well.

 

Seems to be so inconsistent... and we are using CA policies which are locking out users.

 

33 Replies

Did you ever get any response or resolution to this issue? we are having the same problem, doesn't seem to be any obvious resolution to the problem.

Hi Dustin,

 

Hope you are well. Unfortunately I have now left the company where I was deploying the above solution. However, as per the engineers onsite, they have advised the issue is resolved with the January update to 1709.

 

Microsoft related the fault to this issue: https://support.microsoft.com/en-us/help/4469342/november292018kb4469342osbuild17763167

 

Despite this being an 1809 quality update:

 

"Addresses an issue with Microsoft Intune that causes devices to be incorrectly marked as not compliant because a firewall incorrectly returns a 'Poor' status. As a result, the affected devices will not receive conditional access compliance approval and may be blocked from access to corporate resources such as email."

 

So upgrade to the latest version of 1709 and see if it resolves the problem.

 

My issue was sporadic so I am guessing you will probably need to patch 50+ machines to truly see results.

Our workstations are all on 1803, rapidly upgrading to 1809. Interestingly, even though we already knew about the firewall issue and opted to exclude the check from our CA policies for the moment, most of the non-compliant machines are failing the AV check for the "System Account", even though the same check shows compliance under the user identity.

 

Perhaps, as is often the case, the code base will fix that as well for the machines that haven't yet upgraded to 1809, have to wait a few weeks to know for sure.

 

Thanks for the response though.

I also have an issue where we deploy an Intune "Compliance policy" to "All Users", and it is also affecting the integrated "System Account" and the overall device compliance status.

An example is also shared devices (shared meeting room Windows PCs etc.).

We have the latest Windows 10 - 1809 with all further updates.

Going to +1 this. While Microsoft's own documentation does state that non-compliance for the System Account will not impact a machine's overall compliance, it can make proactively addressing compliance issues more difficult. For example, the Machine compliance report in Intune seems to be correctly ignoring machines where the non-compliance is the System Account identity, but the Power BI report pack that leverages the Intune data warehouse does not.

 

Ideally, if the compliance state of the System Account doesn't matter, it would be preferable that Intune ignore the identity entirely and didn't report on it.
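As an added example (not from this thread, and not Microsoft or Intune code): a small Python roll-up that re-computes per-device compliance from a flat per-identity, per-setting export, dropping the "System Account" rows the way the portal does and flagging devices that a naive report would mark non-compliant only because of that identity. The column names and the sample rows are constructed assumptions; adjust them to whatever export you actually have.

```python
"""Re-evaluate device compliance from a per-identity, per-setting export,
ignoring the 'System Account' identity that the Intune portal discounts but
downstream reports (data warehouse / Power BI) may not.

Assumptions (not a real Intune schema): columns DeviceName, UserPrincipalName,
Setting, State; State is the string "Compliant" or anything else.
"""
import csv
import io
from collections import defaultdict

SYSTEM_ACCOUNT = "System Account"  # identity label as shown in the Intune portal

# Constructed sample export for demonstration only.
SAMPLE_CSV = """\
DeviceName,UserPrincipalName,Setting,State
LAPTOP-01,alice@contoso.example,Require BitLocker,Compliant
LAPTOP-01,alice@contoso.example,Antivirus,Compliant
LAPTOP-01,System Account,Require BitLocker,Not compliant
LAPTOP-01,System Account,Antivirus,Compliant
LAPTOP-02,bob@contoso.example,Require BitLocker,Not compliant
LAPTOP-02,System Account,Require BitLocker,Compliant
MEETING-ROOM-1,carol@contoso.example,Antivirus,Compliant
MEETING-ROOM-1,dave@contoso.example,Antivirus,Not compliant
MEETING-ROOM-1,System Account,Antivirus,Not compliant
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(rows, ignore_system_account=True):
    """Roll per-setting rows up to one verdict per device.

    Returns {device: {"state": "Compliant" | "Not compliant",
                      "failing": [(identity, setting), ...],   # counted failures
                      "system_account_only": bool}}           # all failures are System Account
    """
    failing = defaultdict(list)
    devices = set()
    for row in rows:
        device = row["DeviceName"]
        devices.add(device)
        if row["State"] != "Compliant":
            failing[device].append((row["UserPrincipalName"], row["Setting"]))

    report = {}
    for device in sorted(devices):
        fails = failing.get(device, [])
        # True when the only thing dragging the device down is the System Account.
        system_only = bool(fails) and all(ident == SYSTEM_ACCOUNT for ident, _ in fails)
        counted = [f for f in fails
                   if not (ignore_system_account and f[0] == SYSTEM_ACCOUNT)]
        report[device] = {
            "state": "Not compliant" if counted else "Compliant",
            "failing": counted,
            "system_account_only": system_only,
        }
    return report


def false_positives(rows):
    """Devices a naive roll-up would mark non-compliant purely because of the System Account."""
    return [dev for dev, r in evaluate(rows).items() if r["system_account_only"]]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for dev, r in evaluate(rows).items():
        print(f"{dev}: {r['state']} failing={r['failing']} "
              f"system_account_only={r['system_account_only']}")
    print("System Account only:", false_positives(rows))
```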

Have the same issue on several configuration policies in Intune reporting Error or Failed on the System Account
Solution

@Baljit Aujla I have figured out the solution.

When you have a Compliance policy assigned to All Users, it will reflect all your Azure AD users with those logins. But what about other (local) accounts, like the "system account" etc.? They are not compliant.

The resolution is to have another, additional (same) compliance policy assigned to an Azure AD security group, and add those (shared) Windows 10 devices to the group.

In that case, the Compliance policy is assigned at device level to the specific device, and then the "system account" does not cause the problem.

It is poorly documented, but this is something that Microsoft Support gave to me...

@Hrvoje Kusulja 

 

In our case, our Compliance policy is targeted to an Azure AD Security group with all of our Windows 10 machines in it already. Reading this, it sounds like I have to duplicate the policy exactly and then assign it to a group of Users as well?

@Dustin Adam in that case, I am not sure; you can try and post feedback.

In my case, it was assigned to (all) users, and additionally assigned to devices, to resolve the system account issue.

@Hrvoje Kusulja 

Did you have to create a copy of the compliance policy, or simply assign the same policy to multiple groups that included both users and computers?

@Dustin Adam in my case (all users) there is no option to assign the same policy to other things then. I think it should be enough to have one policy and assign it to multiple security groups at the same time..

@Hrvoje Kusulja 

Awesome, thanks! I'll give it a shot. 

Any resolution for you Dustin? I still have System Account showing as not compliant, with the Compliance profile assigned to device security group as well as the user security group. Company Portal app tells the user they are out of compliance.

@pauljeffcott 

It didn't work for me, we still have a bunch of clients that are failing compliance because of the System Account.

I had the same issue until we updated Windows. @Dustin Adam 

@Baljit Aujla 

@Oliver Kieselbach 

 

I also have this problem. Devices are set to AD security group "windows 10 only" devices.

When adding the laptops to Azure AD, they will get both the system account and user account.

Sometimes, there's no problem, but other times, things like "require bitlocker" only fail on the system account, and the entire device gets marked as non-compliant!

Laptops are on 1809.


Still no fix?

Mine is working :p sorry, not able to help more..

I've had this problem too and I'll share my experience here:

If you assign policies to a device it applies the policies to all accounts on that device, including the system account (which will usually bring trouble for the compliance and such). I've not had any cases in which the system account was actually needed in Intune.
In most cases it is better to just assign the policies to the users and I usually use a dynamic group with all enabled users in it instead of 'All users'. If they then change device it will automatically migrate all policies and apps to that device as well, which will save us some time. Only when you work with special shared devices is assigning them to the device itself useful in my opinion (and even then there are some good cases for user assignment).
Simply reassigning the policies to users instead of devices won't make that system account go away in the portal though. You will have to delete the policy and make a new one, then assign it to the users only, and then no system account will appear.

This is what I have found out from experience. I might be wrong but it has worked for me in the past. If someone wants to correct me about my policy assignment best practices, feel free to do so. I'm relatively new to Intune.


In my opinion there is a major!! flaw in compliance reporting by Intune. The problem we encounter with shared devices forced us to completely disable all compliancy checks for those devices.

 

The situation:

  • User 1: logs on to the device
  • User 1: marks the device as not compliant for whatever reason
  • User 1: Logs off from the device before remediation could be started
  • User 2: Logs on to the device
  • User 2: The device gets remediated
  • User 2: tries to open a resource that requires a compliant device and is denied access because the device is NOT compliant

The only solution is... let User 1 sign in again and remediate the device under User 1....

 

In my opinion this is absolutely unacceptable.... The solution is called DEVICE compliance. So how the beep is it possible that the DEVICE won't be set to compliant when a different user logs on to the device and remediates the issue that marked the device as non compliant.....

 

For another customer of ours, an admin needed to log on to a user's device and marked that device as non compliant. The result was the user wasn't able to access resources that required a compliant device.

 

Especially with shared devices we cannot trust the Device Compliance solution the way it works now. This is a huge issue in a world where compliancy is one of the key components to secure access to resources.

@RobdeRoos 

 

Apart from this, Intune Device compliancy is way too unstable for me to use it as a conditional access.

Luckily we don't have thousands of users so I can manually check if one of the devices becomes non-compliant. Usually it's just an Intune bug.

@SamTeerlinck In many cases customers of ours already have Intune implemented or partially implemented. If I were building an environment based on user assignment it would also impact devices that are already in use by users.

 

Another case where I don't want user assignments is when we have a customer that has BYOD devices. Those devices are personally owned and most of the time policies for BYOD and corporate owned devices will differ from each other.

 

A third example is development users versus "standard" users. But in that case it's not the policies that we don't want to target to users but just the applications.

 

As long as we can't exclude devices on policies that are assigned to users, I need to have policies applied to devices most of the time.

Same issue here as well. We assigned the device compliance policy to a Windows 10 device group. Because we have multi user devices we cannot switch to user groups. Very often devices are marked as non compliant because of the system account. This is really annoying and we can't use Device Compliance within CA. Already opened support ticket but no help from there yet....

In our environment we use device assignment, too. (For device compliance and for device configurations.)

Some of the devices are only showing the compliance and configs for the user, some devices are showing them for user AND system account.

I really have no idea why. Anyone else?

 

And of course we have the same issues as everyone in here:

Some device configs are compliant for user AND system account, some configs are only compliant for the user.

BUT: When I have a device with user compliance marked as compliant and the system account as non compliant, the whole device is marked as compliant in the GUI nevertheless.

@PatrickF11 

Hi, no I can't come up with any ideas either but I just wanted to post my screaming frustration with this scenario, it really is not good enough. We use device policies and fortunately we don't have that many machines, but we have compliance failures for System Accounts that should have no bearing on the situation. We also have situations where the System Account is Ok and the user account isn't! Go figure. 

@PatrickF11 

Same here - we thought device compliance was the best way to go, since we are cloud only, joined to AzureAD and other users could theoretically log in to other devices even though they hardly ever do that.  Win10 is at least v1803 on our machines.

 

But, like you and a few other posters here mentioned, some devices report compliant with both 'system' and user account, then others are marked non-compliant with either the 'system account' or user account not compliant.

 

@microsoft: 

being that we as system admins have no control over this 'system account', I'd like to request it officially removed from compliance checking, or at least see a check-box in the policy to exclude it.  Additionally, if assigning most policies to devices is not the preferred method, update the documentation to include explanations that system admins can understand, then we can make an informed decision as to which way we'd like to go for our organization.  Also add some explanation as to what the 'system account' is and how it is controlled/administered/used.

 

@Peter Osborne 

I have had some advice from MS Intune support and they say that in my case (a Bitlocker policy) it should be applied to the User and not the machine to solve the issue. It seems counter intuitive (to me anyway) to apply a policy which really only can apply to machines (it is encrypted or it isn't), to users who aren't going to be encrypted. Anyway, I am going to test this advice and see what happens, but it does feel like a 'fudge'.

If I remember correctly (and I might not), it seems a System A\C is created when the machine is added to the system (Intune?) before the primary user is created. The trouble is this System A\C can either be compliant or not, depending on something as yet unknown. One way to get rid of it is to remove the machine from AAD and re-join it. Simple enough in AD but not so in AAD, and anyway there is the extra gotcha in making sure that you've not named your machine with over 15 characters, which is allowed, (maybe 16, but just to be on the safe side) as it makes the process of creating a local admin that you need to log into when off the domain, impossible. Believe me, I have stumbled into that one which took days and was solved by accident and luck. 

Overall I can see the point of Intune, especially if you need to back up your security principles/management of devices with some sort of verifiable evidence. However, every policy is a complex slog and I have now started to create policies with only one or the minimum changes possible to keep things simple. Plus, on advice, I am now testing things that directly and obviously affect the user, one at a time, which makes it an even bigger slog. For example, I'm testing a policy to block access to Defender settings, so no-one can switch them off. One setting, which according to Intune has worked, but on the machine no change. Spotted in the (awful) documentation that for this setting the machine requires a reboot. Rebooted it, no change. So Intune says the policy is successful but the machine has clearly not got the message. Incidentally the 'Disable Autoplay' setting doesn't make any visible changes and the Autoplay button remains 'on' in the Settings panel. You would think this would be fairly easy to test before it is shown the light of day!!

@AJRoy Did you already tested assigning the bitlocker policy to users?

@PatrickF11 

Hi, just in the throes of testing it now. Although as most of our machines have Bitlocker installed, to properly test it I'll have to remove it and then see what happens. Currently it has succeeded on the two active machines that I'm the primary user on where Bitlocker is installed, so the process looks like it works. No sign of a System A\c but wasn't expecting one. I'll keep you informed as things progress, remind me if I haven't. Regards.

@AJRoy I can imagine this would solve the system account issue because the policy isn't applied to the system account. But what if, on a shared device, 1 user breaks compliance and another user logs on before remediation can be done for that one user? I reckon the device would still be marked as non compliant even though the second user is marked as compliant again.

 

That is the issue I have run into in the past.

 

I believe what MS states is not the solution to the issue but a workaround.

@RobdeRoos 

Agreed. However I have just written a longish reply which, when posted, disappeared and I hadn't had the foresight to make a copy just in case! Hugely frustrating as I didn't really commit it to memory and it just goes to show how we lazily rely on everything working properly and not building in contingency when it unexpectedly fails. This is the modern way, as building in fail safes and stress testing is expensive and time consuming, Boeing could well be an example of this, we shall see. Anyway, I digress.

 

Whilst we are gradually building up the way we use Intune to manage our devices, I am finding it very frustrating. The casual approach to compliance\non-compliance is perplexing. In my particular case I fundamentally only need to know whether Bitlocker is on or off as this is a device centric issue. Getting a non-compliance because of a spurious System A\c is frustrating and cannot be left as a 'false positive' as any auditor would rightly flag it.

 

The way of managing devices in the modern world is changing especially around the security of data which, in Europe, the GDPR regulations have rightly highlighted. It is difficult enough getting users to modify their mindsets about data without the management systems being a little vague, as fundamentally I want to set up the device to a set of security principles, I want it to be monitored to ensure that it stays that way and I want it to be flagged if somehow it isn't, plus I want sensible error messages if things don't work, is that too much to ask?? 

 

With devices that are predominantly off site, reliance on the accuracy of monitoring tools is paramount, and it just doesn't feel that that's in mind.

The Admin Account Compliance problem wouldn't be solved when using bitlocker via user and not via computer assignment, would it?

@PatrickF11 

Hi, good point and I don't know. I'm only following instructions that I haven't completed yet. I'm getting into a real plate spinning exercise where all my attempts to apply some sort of MDM hit some sort of issue, usually in the area of confirming what I've asked is actually done. I spend a lot of my time dealing with MS Intune support, who are very nice, but can't really help when the product is not helping them, in my opinion of course, but it is frustrating. 

 

@PatrickF11 I believe it depends on if the policy is targeted to the admin user.
