cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Intune Compliance issue

Xin3n
Copper Contributor

‎Apr 02 2024 10:11 AM

‎Apr 02 2024 10:11 AM

Intune Compliance issue

Hi Guys

 

I have been facing this issue regarding Intune compliance for sometime.

 

We have a CA policy in place which allows only complaint devices to access the company resources.

 

But for some users, Intune portal shows the device is compliant and all checks are green but they are unable to access company resources and face the error that device is not complaint due to which they cant access the resources.

 

Please advise. TIA

604 Views
0 Likes
9 Replies
Reply
9 Replies
rahuljindal-MVP

‎Apr 02 2024 12:06 PM

‎Apr 02 2024 12:06 PM

Re: Intune Compliance issue

@Xin3n what does it say in the entra sign-in logs? Also, under which scenarios is the access restricted? Browser, local apps?

0 Likes
Reply
Rudy_Ooms_MVP

‎Apr 02 2024 11:20 PM

‎Apr 02 2024 11:20 PM

Re: Intune Compliance issue

Well Intune can say its compliant... but that doesnt mean , Entra thinks the same :)... So just like rahuljindal was asking... the entra logs should tell you more

Did you also tried to t sync from the device?
0 Likes
Reply
Kaj

‎Apr 03 2024 12:33 AM

‎Apr 03 2024 12:33 AM

Re: Intune Compliance issue

I recommend configuring your compliance policy actions with a minimum schedule of 2 days. The compliance checks currently occur only every 8 hours. By doing so, you can avoid having any devices marked as non-compliant, which can be particularly challenging when combined with conditional access policies.

 

You also can for a compliance check on the device

Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://synccompliance"

 

0 Likes
Reply
Rudy_Ooms_MVP

‎Apr 03 2024 12:44 AM

‎Apr 03 2024 12:44 AM

Re: Intune Compliance issue

Hi..

The checkcompliance script you posted ... doesnt check for compliance :)... it checks for the custom compliance scripts policies... nothing more... nothing less :)
Also... i assume you mean maximum of 2 days :)... if the user is prompted to reboot his device after it has been enrolled with autopilot, normally 1 day would be enough
0 Likes
Reply
Kaj

‎Apr 03 2024 01:09 AM

‎Apr 03 2024 01:09 AM

Re: Intune Compliance issue

Well yes, sorry for confusing - thanks for your blog post https://call4cloud.nl/2021/11/the-last-days-of-custom-compliance/
0 Likes
Reply
Xin3n

‎Apr 04 2024 06:32 AM

‎Apr 04 2024 06:32 AM

Re: Intune Compliance issue

Excuse my delayed response, I had to remove him from the exclusion and following are fresh Sign-in logs.
Status: Failure
Sign-in error code: 53000
Failure reason:
Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune.
Application: Microsoft Office
Client app: Mobile Apps and Desktop clients

Please advise . . .
0 Likes
Reply
NicklasOlsen

‎Apr 04 2024 11:24 AM

‎Apr 04 2024 11:24 AM

Re: Intune Compliance issue

Hi,

How is the device enrolled? Is it Azure AD joined, hybrid or registered?
0 Likes
Reply
Xin3n

‎Apr 05 2024 06:06 AM - edited ‎Apr 05 2024 06:07 AM

‎Apr 05 2024 06:06 AM - edited ‎Apr 05 2024 06:07 AM

Re: Intune Compliance issue

@NicklasOlsenThis is the status . ..

Microsoft Entra hybrid joined

Preview file
11 KB
0 Likes
Reply
NicklasOlsen

‎Apr 07 2024 10:52 PM

‎Apr 07 2024 10:52 PM

Re: Intune Compliance issue

Hi,

I assume that the device is fully compliant in the Intune portal?
Do you have more information from the sign-in logs in Entra, as an example check under device info.
0 Likes
Reply