Device marked as not compliant even though it should be marked as compliant


Hi everyone,

I have some problems with an AADR Windows 10 Device.


I recently updated our Windows compliance policy to check if secure boot is on. If not, the device is marked as not compliant.


I've updated the secure boot state on the affected machine to "on" after I updated the compliance policy. I've verified the state with the PowerShell cmdlet "Confirm-SecureBootUEFI" and it gave me "true" back. And also the security information app says "on".


However, Intune doesn't mark the device as compliant even though it should be marked as compliant. The report says that secure boot isn't enabled on the device, which is clearly a lie...


I've rebooted the machine several times and did manual syncs from the device and the endpoint manager platform, but nothing helps. 


Has anyone had the same experience, or any suggestions for what I could do next? Thanks for your help <3

6 Replies
best response confirmed by preuley30 (Brass Contributor)



See this article and check the TPM. Possibly apply a firmware update to the device, if available.


Windows 10 device with secure boot enabled shows as Not Compliant in Intune 


Please like or mark this thread as answered if it's helpful, thanks!
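To compare what the device reports locally with what Intune shows, the Secure Boot state and the TPM details this answer asks about can be collected in one pass. This is an added example, not part of the original thread; the `$report` layout and its property names are this example's own, and it assumes an elevated PowerShell session on the affected Windows device.

```powershell
#Requires -RunAsAdministrator
# Added example: gather local Secure Boot and TPM facts for comparison
# with the compliance report in Intune.
$report = [ordered]@{}

# Secure Boot state as reported by the firmware.
try {
    $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    # The cmdlet throws on legacy BIOS systems (no UEFI variables to read).
    $report.SecureBootEnabled = "Unknown: $($_.Exception.Message)"
}

# TPM presence and readiness from the TrustedPlatformModule module.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmEnabled = $tpm.TpmEnabled
    $report.TpmReady   = $tpm.TpmReady
} catch {
    $report.TpmPresent = "Unknown: $($_.Exception.Message)"
}

# TPM specification version (for example "1.2" or "2.0") from the Win32_Tpm class.
# SpecVersion is a comma-separated string; the first field is the spec family.
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($wmiTpm) {
    $report.TpmSpecVersion         = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    $report.TpmManufacturerVersion = $wmiTpm.ManufacturerVersion
} else {
    $report.TpmSpecVersion = 'No TPM exposed to Windows'
}

# Flag the combination discussed in this thread: Secure Boot on, TPM 1.2.
$report.MatchesThreadScenario =
    ($report.SecureBootEnabled -is [bool]) -and $report.SecureBootEnabled -and
    ($report.TpmSpecVersion -like '1.2*')

[pscustomobject]$report | Format-List
```

The `TpmManufacturerVersion` value is the one to compare against the vendor's firmware downloads when looking for an update.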

Are you deploying your compliance policies to devices or users? If you're using devices try switching it to users instead.

Many thanks for your reply! Yeah, I think that's actually the problem. The affected machine has UEFI but only TPM 1.2 and there aren't any firmware update options...

@MrNeo Why should I assign a Windows compliance policy to users? That's not making any sense tbh. The device must be compliant, not the user. Or am I missing a point?

Hi @preuley30! First and foremost: @Kurt Mayer's solution is obviously the correct solution.


I do want to point out that assigning a "Windows" compliance policy to a user (like @MrNeo mentions) is absolutely valid. In fact, I'd prefer it that way. A user (and its assigned privileges) mandates a certain level of device security, on any (in this case Windows) device they use.


Now, that isn't always possible, so I'm not saying that assigning them to devices is bad practice, either. I'd just only use it for special circumstances.

Hi Niels. Thanks for your explanation. I think I got the point, but this depends on the organization's needs. All our users get company-owned devices and they need to be compliant for conditional access. If we assigned a compliance policy to users, every device they sign in to would be checked for compliance. But we don't want devices that aren't company-owned to get marked as compliant.