Incorrect compliancy issue


We sometimes have an issue with users where the sign-in logs show that they have a non-compliant device, which causes issues logging in to applications because of the conditional access policies.


When we check the device compliance all is green and compliant. We have no clue why the sign-in logs show non-compliance, and so we do not know where to start to check what the cause of this issue is.


@RonaldvdMeer 


Hi,

Did you check it out on the device itself in the company portal app?


And did you expand the compliance settings in the device in Intune to be 100% sure it's not blocking? Sometimes it looks green... but when opening the device properties and clicking on device compliance and clicking on each policy to unfold it, it could show you some more information.


And maybe this blog helps you to get a good understanding of compliant devices and CA:
https://call4cloud.nl/2021/08/the-death-of-compliance/

Thx. When clicking on each policy all is green. I haven't been able to let the affected user check the device in the company portal yet, so I do not yet know what that will bring. I will look into your blog. I saw this blog being posted yesterday.

Another observation was that the sign-in log of one particular user showed that if he used Chrome as browser, Compliant and Managed stated Yes. When using Edge (Chromium based), Compliant and Managed stated No.

When using Chrome normally you would need the account extension to pass/report the compliance status/PRT, otherwise it reports as non-compliant. Does Chrome have the account extension active, as it is compliant etc.?

Yes it has the extension. But that doesn't explain to me why Chrome shows compliant and Edge doesn't.

To be sure... is Edge logged in with the same Azure AD account?

The explanation behind it


Microsoft Edge has native support for PRT-based SSO, and you don't need an extension. On Windows 10 RS3 and above, if a user is signed into their browser profile, they will get SSO with the PRT mechanism to websites that support PRT-based SSO.

Yes, same Azure AD account.

No weird errors in the AAD event log and/or dsregcmd /status?

I will get the log from the user's device via Intune. dsregcmd /status I will check next week.

I got the dsregcmd status log from the downloaded diagnostics.

This is what the User State and SSO State say. Not the way it should be compared to a device with no issues. Next question is what is the best way to repair it.

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : ERROR
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
EnterprisePrt : NO
EnterprisePrtAuthority :


Is that report from the same user? As the PRT doesn't show up when you run it as a local user… the AzureAdPrt doesn't look good.

That's the report of the user that had no trouble using Google Chrome as browser, but Edge was not working for him.

The device was in perfect health until the user reported the issue.

Also the NGC Prereq check says this.

I am starting to wonder if the particular user has another work or school account present.
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
Looking at the outputs you showed... I have the idea I am looking at information from a non Azure AD joined device...?

Yes, but it is joined. All our laptops are. They are all provisioned with Windows Autopilot. This device was working perfectly until last Monday.

It's hard to tell from a "distance", but I would start with looking at the AAD and modern deployment event logs… it looks like something is really broken in the device. Is the Intune MDM certificate still valid? (I am mentioning this in one of my blogs.)
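The dsregcmd /status sections quoted in this thread can be checked mechanically. The following PowerShell is an added example, not code from any poster; it parses the output into Section/Field pairs and flags the fields the thread pointed at (WamDefaultSet, AzureAdPrt, IsUserAzureAD) against the values a healthy Azure AD joined, work-account signed-in device reports. The function names are the example's own.

```powershell
# Added example (not from the thread). Run it in the affected USER's own session on the
# device: a PRT is per user and never shows up when run as a local or different account.
function ConvertFrom-DsregStatus {
    # Turn `dsregcmd /status` text into a hashtable keyed "Section/Field".
    param([string[]]$Lines)
    $status = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }   # "| User State |"
        if ($line -match '^\s*(.+?)\s*:\s*(.*)$') { $status["$section/$($Matches[1])"] = $Matches[2].Trim() }
    }
    return $status
}

function Test-PrtHealth {
    # Compare the fields discussed above with what a healthy device reports.
    param([hashtable]$Status)
    $expected = [ordered]@{
        'Device State/AzureAdJoined'           = 'YES'
        'User State/WamDefaultSet'             = 'YES'
        'SSO State/AzureAdPrt'                 = 'YES'
        'Ngc Prerequisite Check/IsUserAzureAD' = 'YES'
    }
    foreach ($key in $expected.Keys) {
        $actual = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        [pscustomobject]@{ Check = $key; Actual = $actual; Expected = $expected[$key]; Ok = ($actual -eq $expected[$key]) }
    }
}

# Constructed sample modelled on the output posted above; on a live device use (dsregcmd /status) instead.
$sample = @'
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
WamDefaultSet : ERROR
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
'@ -split "`r?`n"

$report = Test-PrtHealth -Status (ConvertFrom-DsregStatus -Lines $sample)
$report | Format-Table -AutoSize
# Rows with Ok = False are where to start: here WamDefaultSet, AzureAdPrt and the absent NGC check.
```

A failing AzureAdPrt with AzureAdJoined = YES points at the user's token/WAM state rather than the device join, which matches the Chrome-works-but-Edge-fails symptom described above, since Edge relies on the PRT natively.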