Intune device showing non compliant and per user status different


The device is showing as non-compliant. When we click on the device --> Device Compliance, it shows multiple users on the same device, some showing Compliant and some showing Not Compliant.


Question:

How is device compliance decided when multiple users sign in on a device?


Thanks

SM

7 Replies

Hi

It sort of says it here :
https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy#before-you-begin

"Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren't supported."

Summary: Intune will track compliance for every user on that device, so if one fails... the whole device fails... And this is done for every user who logs in.


Did you also try with a device with the primary user removed, so it really becomes a shared device?

Thanks, I didn't try that yet but got the answer; will try that.
So any user who logs in to that hybrid Azure AD joined machine will be visible in Intune because the same policies apply to all users. Is there any way to remove those additional users from the compliance settings of the device? Can't find that option.
You have your built-in compliance policies, some custom-made compliance policies, and your default set of compliance policies (that you need to target to users), so you could add "all users" and use the filters to exclude some devices/users.

But you will always have your built-in compliance which you can't do anything about :) Like "is active", "enrolled user exists", etc.
Hmm.. thanks, yeah, asking the question here because these things are not clear in the MS docs. One more question: we know that if a device is not compliant, then it is considered "quarantined". Does it have any impact on the user/device unless it is linked with a conditional access policy?

Thanks in advance

@smf9211 


I know :) compliance policies are not very well written about.... (creating a blog about it... but I need to find some time I guess)


Compliance policies are only there to measure something (except password policies on mobile devices, if I am not mistaken... as they sort of enforce a user to change their password).

So you will need to have something to sort of enforce an action when it's not compliant --> Conditional Access... If --> then

Whenever we enroll a device using a DEM user and then change the primary user from Endpoint Manager, why does the device become non-compliant after some days? Any clue @Rudy_Ooms_MVP

Depends on why it isn't compliant anymore :) ... any screenshots?