Intune Compliance issue

Copper Contributor

Hi Guys

 

I have been facing this issue regarding Intune compliance for sometime.

 

We have a CA policy in place which allows only complaint devices to access the company resources.

 

But for some users, Intune portal shows the device is compliant and all checks are green but they are unable to access company resources and face the error that device is not complaint due to which they cant access the resources.

 

Please advise. TIA

9 Replies

@Xin3n what does it say in the entra sign-in logs? Also, under which scenarios is the access restricted? Browser, local apps?

Well Intune can say its compliant... but that doesnt mean , Entra thinks the same :)... So just like rahuljindal was asking... the entra logs should tell you more

Did you also tried to t sync from the device?

I recommend configuring your compliance policy actions with a minimum schedule of 2 days. The compliance checks currently occur only every 8 hours. By doing so, you can avoid having any devices marked as non-compliant, which can be particularly challenging when combined with conditional access policies.

 

You also can for a compliance check on the device

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

 

Hi..

The checkcompliance script you posted ... doesnt check for compliance :)... it checks for the custom compliance scripts policies... nothing more... nothing less 🙂
Also... i assume you mean maximum of 2 days :)... if the user is prompted to reboot his device after it has been enrolled with autopilot, normally 1 day would be enough
Well yes, sorry for confusing - thanks for your blog post https://call4cloud.nl/2021/11/the-last-days-of-custom-compliance/
Excuse my delayed response, I had to remove him from the exclusion and following are fresh Sign-in logs.
Status: Failure
Sign-in error code: 53000
Failure reason:
Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
Application: Microsoft Office
Client app: Mobile Apps and Desktop clients

Please advise . . .
Hi,

How is the device enrolled? Is it Azure AD joined, hybrid or registered?

@NicklasOlsenThis is the status . ..

Microsoft Entra hybrid joined

Hi,

I assume that the device is fully compliant in the Intune portal?
Do you have more information from the sign-in logs in Entra, as an example check under device info.