Aug 18 2022 07:09 AM
Hello,
We do not use Intune for Windows at the moment. Everything is blocked, e.g. Enrollment Policies, not Autopilot etc.
At the moment we are seeing some devices in AAD under Devices that show up with a Compliance Status No but others not.
For example a valid device:
and a device with the Compliance Status:
We do not know how this happens. We do have Compliance Policies for testing AzureAD joined devices but only via staged rollout (groups).
How is it possible that some devices get a compliance status without Intune?
Many Greetings and thanks for any hint.
Erik
Aug 19 2022 02:16 AM - edited Aug 19 2022 02:17 AM
Hi @ErikVet! As your Azure AD shows these devices as "MDM: None", we would indeed expect "Compliant: N/A".
Were these devices ever enrolled in Intune (accidentally, or for testing)? If so, check if there's a "Manage" button in the Azure AD device page. If there is, there will be a Managed Device object (Intune) linked to the Azure AD Device object, which is probably marked non-compliant.
Aug 19 2022 03:04 AM
Thx for your reply.
Sadly not .. they're not managed and they do not show in Intune/Endpoint under non-compliant devices.
Devices (multiple) no scheme recognizable :(
Of course CA Policies are in place and are applied to those devices.
Aug 19 2022 04:49 AM
Aug 19 2022 05:13 AM
@Rudy_Ooms_MVP .. thanks for your comments
Default Compliance is configured as "not compliant" but the affected "Not Compliant Devices" without an MDM Scope (AADHJ devices) under AzureAD Devices do not show up in Endpoint Mgr.
But changing this would also affect not only Windows devices right ... all the mobile devices too ...
Scope for Windows Enrollment is set to "Some" but it is 100% sure that none of the affected devices/users were in that group.
Aug 19 2022 05:25 AM
Aug 19 2022 10:50 AM
Aug 23 2022 01:39 AM
Indeed that is pretty weird. It looks like only devices which were "setup" in the last couple of months. But also older ones are affected.
As they do not show in Intune it is just guessing what compliance rules trigger it. Is this somehow possible of the Graph API but I have look for that in detail.
Maybe some Intune/Device/AzureAD MVP can ask the product team .. I do not have those connections. Or even MS is reading this and can give some hints as this is definitely not normal.
Thx
Erik
Aug 23 2022 01:41 AM
.. This is pretty weird but we are also a little bit relieved as we are not the only one.
Have you found out why this is happening?
Aug 23 2022 01:59 AM
Aug 23 2022 02:06 AM
Aug 23 2022 05:12 AM
Aug 23 2022 05:16 AM
Aug 23 2022 05:22 AM
We have GPO configured to push these devices as hybrid joined in Azure so they can pass the conditional access. There is nothing else configured to manage these devices in Intune. All users are currently licensed to Intune and other services under E5.
Aug 23 2022 06:24 AM
Aug 23 2022 06:59 AM
@Ketzpatel
I guess I have found something that may have something to do with this ...
MS changed the Device restriction to be more granular (could not find since when). Before, you had device platform policies in one policy, as seen here in an old screenshot.
If I look now into the Intune device restriction portal we have different possibilities per platform (e.g. Android, Windows)
If I look in our tenant I can see the restriction policy for Windows, Mac and iOS with a weird behavior. The groups are not displayed correctly as they should. Maybe there is an issue here and it happened when MS rolled out the new restriction policies - from general to platform specific.
Only Android works correctly
Greetings
Erik
Nov 15 2022 02:23 PM
Apr 17 2023 02:44 AM
Jul 03 2023 09:12 AM
Just curious if you ever figured out what was going on. We are seeing the same thing and I have opened a ticket with MS but haven't heard back yet. I did notice that this only happens in our environment for those Windows 10 workstations that hybrid join via federation (ADFS). If the ADFS process fails and the device goes through the managed hybrid join (Azure AD Connect) then the compliance field is left at N/A. When going through ADFS the registration add sets iscompliant to FALSE.
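Added example, not part of any poster's reply: a Python sketch for finding the devices this thread describes in a device export from Microsoft Graph (`GET /devices`), that is, objects with no MDM attached that still carry an `isCompliant` value, grouped by `trustType`. The sample records and the function name are constructed, and it assumes the portal's "N/A" corresponds to a null `isCompliant` in the export.

```python
import json
from collections import Counter

# Constructed sample shaped like Microsoft Graph `device` objects.
# Names, dates and the mdmAppId value are made up for illustration.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "WS-001", "trustType": "ServerAd", "isCompliant": false,
  "isManaged": null, "mdmAppId": null,
  "registrationDateTime": "2022-06-14T08:12:00Z"},
 {"displayName": "WS-002", "trustType": "ServerAd", "isCompliant": null,
  "isManaged": null, "mdmAppId": null,
  "registrationDateTime": "2021-03-02T10:40:00Z"},
 {"displayName": "WS-003", "trustType": "ServerAd", "isCompliant": false,
  "isManaged": null, "mdmAppId": null,
  "registrationDateTime": "2022-02-01T07:05:00Z"},
 {"displayName": "LT-010", "trustType": "AzureAd", "isCompliant": true,
  "isManaged": true, "mdmAppId": "00000000-0000-0000-0000-000000000001",
  "registrationDateTime": "2022-05-20T09:00:00Z"},
 {"displayName": "BYOD-7", "trustType": "Workplace", "isCompliant": null,
  "isManaged": null, "mdmAppId": null,
  "registrationDateTime": "2022-07-11T15:30:00Z"}
]
""")


def unmanaged_with_verdict(devices):
    """Return (hits, counts): devices with no MDM attached that still carry
    an explicit isCompliant value, oldest registration first, plus a count
    per (trustType, isCompliant) pair."""
    hits = []
    for dev in devices:
        has_mdm = bool(dev.get("mdmAppId")) or dev.get("isManaged") is True
        # Assumption: "N/A" in the portal is a null isCompliant in the export.
        if not has_mdm and dev.get("isCompliant") is not None:
            hits.append(dev)
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    hits.sort(key=lambda d: d.get("registrationDateTime") or "")
    counts = Counter((d.get("trustType"), d["isCompliant"]) for d in hits)
    return hits, counts


if __name__ == "__main__":
    found, per_trust = unmanaged_with_verdict(SAMPLE_EXPORT)
    for dev in found:
        print(dev["registrationDateTime"], dev["trustType"], dev["displayName"])
    print(dict(per_trust))
```

In Graph, `trustType` `ServerAd` marks hybrid joined devices, so a result concentrated there matches the ADFS observation above; the registration dates show whether the affected objects cluster in time.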
Jul 03 2023 09:51 AM