Forum Discussion
Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
TeknaDan Thanks for the info. That is good to know. We will check it on our systems as well. That is indeed an elegant solution! Although in the end Microsoft still needs to fix this. 🙂
This issue still exists today..
Device: Setup with personal (offline or Microsoft account)
Added Work or School Account
Intune: Made corporate and assigned policies / apps
Defender for Endpoint: Enrolled
Azure AD shows: AAD Registered
AAD Registered machines don't get compliant in Intune because of their risk Score. The devices are Active in the Microsoft Security Portal (Defender for Endpoint).
The company portal says: "Enroll your device in Microsoft Defender for Endpoint" --> It is!
When I test it with eicar.com it detects it and shows that on the Defender for Endpoint portal.
What else to do..
Joining the device to AAD is not an option at this moment.
- Wim Borgers, Dec 20, 2021, Copper Contributor
molislaegers Thanks for the info. When we originally had this issue and created this thread our machines were already HAAD joined, and we had the issue nevertheless. I would need to check on the current status with my colleague, but it is odd that the ticket mentions that as a solution.
- Julian_Jerry, Dec 17, 2021, Copper Contributor
Thank you for the fast reply. Oh, hmm, I completely missed this prerequisite.
Well, it is strange, because everything else is working, so it is not that "totally not supported", just Risk Score is not working, everything else seems to be connected and active. Very misleading.
I will create the same workaround as you.
Thank you once more.
- molislaegers, Dec 17, 2021, Brass Contributor
The answer I've got on my service ticket:
A machine has to be AAD / HAAD Joined to detect the risk score. It's in the prerequisites on: https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection#prerequisites
What I've done is making a second Compliance Policy for registered devices without the Risk Score component.
- Julian_Jerry, Dec 17, 2021, Copper Contributor
I have the exact same issue as you are describing. Were you able to somehow overcome this? I needed to deploy some BYOD devices, Azure AD Joined devices are not an option. (We already have that for company-owned devices, and it is working just fine.)
Devices are properly AD Registered, Intune Managed, onboarded into Microsoft Defender for Endpoint, but in the Endpoint manager admin center, the computer is failing at compliance policy with "Require the device to be at or under the machine risk score: Not Compliant." In the Company portal, I am receiving the same error message "Enroll your device in Microsoft Defender for Endpoint".
In the defender portal, I can see that the Device is Onboarded properly, Active, but at the Exposure level there is: "No data available".
It seems like the portal is not able to somehow properly get the data from the device to calculate exposure level. I have tried re-deploying defender manually with no luck (currently deploying with policy). I have re-imaged the testing device and re-enrolled into the system countless times.
Thank you for any hint.
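The thread boils down to two checks an admin wants to run before opening a ticket: is the device really only Azure AD Registered (rather than AAD or Hybrid AAD Joined, which the prerequisite quoted above requires for the risk score), and which of the tenant's Windows compliance policies actually carry the "machine risk score" requirement, so that a second policy without it (the workaround molislaegers describes) can be targeted at the registered-only devices. The script below is an added example written for this page; it is not code from the thread, from the posters, or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed (Connect-MgGraph, Get-MgDevice, Get-MgDeviceManagementDeviceCompliancePolicy), that the caller holds Device.Read.All and DeviceManagementConfiguration.Read.All, and that dsregcmd.exe is present on the Windows device being checked. The function names and the use of AdditionalProperties for the windows10CompliancePolicy settings are my own assumptions about the SDK's object shape.

```powershell
# Added example; not code from the thread or from Microsoft. Assumes the
# Microsoft.Graph PowerShell SDK and Windows 10/11 with dsregcmd.exe.

# 1) Local view: which join state is this device actually in?
#    dsregcmd /status prints "AzureAdJoined : YES/NO", "DomainJoined : YES/NO"
#    and "WorkplaceJoined : YES/NO"; the combination separates the three cases.
function Get-LocalJoinState {
    $lines     = & dsregcmd.exe /status
    $aad       = @($lines -match '^\s*AzureAdJoined\s*:\s*YES').Count   -gt 0
    $domain    = @($lines -match '^\s*DomainJoined\s*:\s*YES').Count    -gt 0
    $workplace = @($lines -match '^\s*WorkplaceJoined\s*:\s*YES').Count -gt 0

    if ($aad -and $domain) { return 'HybridAzureADJoined' }   # HAAD joined: risk score supported per the prerequisite
    if ($aad)              { return 'AzureADJoined' }         # AAD joined: risk score supported
    if ($workplace)        { return 'AzureADRegistered' }     # registered only: risk score is not populated
    return 'NotJoined'
}

# 2) Tenant view: the same answer from Azure AD. TrustType is 'Workplace' for
#    registered devices, 'AzureAd' for joined and 'ServerAd' for hybrid joined.
function Get-AadTrustType {
    param([Parameter(Mandatory)][string]$DeviceName)
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    Get-MgDevice -Filter "displayName eq '$DeviceName'" |
        Select-Object DisplayName, TrustType, IsManaged, IsCompliant
}

# 3) Which Windows compliance policies require the Defender for Endpoint risk score?
#    Derived-type settings (windows10CompliancePolicy) are read from
#    AdditionalProperties (assumption about the SDK's object shape).
function Get-RiskScorePolicies {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' | Out-Null
    Get-MgDeviceManagementDeviceCompliancePolicy -All | ForEach-Object {
        if ($_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.windows10CompliancePolicy') { return }
        [pscustomobject]@{
            Policy               = $_.DisplayName
            RequiresMdeRiskScore = [bool]$_.AdditionalProperties['deviceThreatProtectionEnabled']
            MaxAllowedRiskLevel  = $_.AdditionalProperties['deviceThreatProtectionRequiredSecurityLevel']
        }
    }
}

# Usage: run step 1 on the affected device, steps 2 and 3 from an admin session.
$state = Get-LocalJoinState
Write-Host "Local join state: $state"
if ($state -eq 'AzureADRegistered') {
    Write-Host 'Registered-only device: any policy with RequiresMdeRiskScore = True will stay Not Compliant here.'
    Get-RiskScorePolicies | Format-Table -AutoSize
}
```

Step 1 reproduces the classification shown in the thread (setup with a personal account, then "Add work or school account" yields WorkplaceJoined = YES and AzureAdJoined = NO, which Azure AD reports as TrustType 'Workplace'). Step 3 lists every Windows policy that enables the risk-score check; the workaround then consists of a second policy where RequiresMdeRiskScore is false, assigned only to a group containing the registered-only devices, while the joined devices keep the policy that enforces the score.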