Forum Discussion
Intune marks Not Compliant if device does not sign in regularly, then permanently blocks the device
I'm using Intune's Conditional Access to block non-compliant devices on my O365 tenant. A problem I'm encountering is that the "Built-in Device Compliance Policy" turns Not Compliant if the device fails to log in for a long period of time. When this happens, the device gets blocked for being Not Compliant, so it is unable to refresh the Built-in Device Compliance Policy that would make it compliant again. The only solution I've found is to stop enforcing CA on the user until the device is able to sign in successfully again. Then I can resume CA. This is obviously not an ideal solution.
Am I the only one dealing with this?
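The lock-out described above only happens once a device's last check-in passes the tenant's "Compliance status validity period". The script below is an added example, not something posted in this thread, that lists managed devices approaching or past that period so an admin can prompt the user to sign in and sync before the built-in policy flips the device to Not Compliant and Conditional Access blocks it. It assumes the Microsoft.Graph.DeviceManagement PowerShell module is installed and that the validity period value (the poster's actual setting is not visible in the text) is supplied as the `$ValidityDays` parameter.

```powershell
# Added example (not from this thread): report Intune-managed devices whose last
# check-in is close to, or beyond, the "Compliance status validity period".
# Assumes Microsoft.Graph.DeviceManagement is installed and the signed-in
# account has the DeviceManagementManagedDevices.Read.All permission.

param(
    # Assumption: the validity period configured under Intune > Devices >
    # Compliance policies > Compliance policy settings. Replace with your value.
    [int]$ValidityDays = 30,
    # Flag a device this many days before the period runs out.
    [int]$WarnDays = 5
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$now       = [DateTime]::UtcNow
$threshold = $ValidityDays - $WarnDays

$report = Get-MgDeviceManagementManagedDevice -All | ForEach-Object {
    # A device with no recorded sync is treated as never having checked in.
    if ($null -eq $_.LastSyncDateTime) {
        $sinceSync = [double]::PositiveInfinity
    } else {
        $sinceSync = ($now - $_.LastSyncDateTime).TotalDays
    }

    [pscustomobject]@{
        DeviceName      = $_.DeviceName
        User            = $_.UserPrincipalName
        LastSync        = $_.LastSyncDateTime
        DaysSinceSync   = if ([double]::IsInfinity($sinceSync)) { 'never' } else { [math]::Round($sinceSync, 1) }
        ComplianceState = $_.ComplianceState
        # EXPIRED devices are the case this thread describes: the built-in
        # policy has already gone Not Compliant and CA will block sign-in.
        Status          = if ($sinceSync -ge $ValidityDays) { 'EXPIRED' }
                          elseif ($sinceSync -ge $threshold) { 'AT RISK' }
                          else { 'OK' }
    }
}

# Show only devices that need attention, worst first.
$report |
    Where-Object Status -ne 'OK' |
    Sort-Object DaysSinceSync -Descending |
    Format-Table -AutoSize
```

Running this on a schedule (before the validity period elapses rather than after) turns the problem from "disable CA and hope" into a routine nudge to users of AT RISK devices, while EXPIRED rows identify the devices that will need the manual intervention the thread discusses.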
- Hi
Good morning, could you show us how you configured the "Compliance status validity period (days)" and "Mark devices with no compliance policy as"? Non compliant, I guess?
But normally when the device isn't active for the number of days you configured in the validity period, the device gets non-compliant indeed. But normally when the user just logs in, it will report back its status to Intune. It would be weird that conditional access breaks the remediation 🙂
What happens when the user logs in and does a manual sync or refresh from the Company Portal?
- Dr_Snooze (Brass Contributor)
Thanks for responding. Here are my settings:
 
I'm not able to do manual syncs because the device is logged out and you have to log back in before you can do any kind of sync, which gets blocked by CA. The only way I can get the device functioning again is to disable CA and log in, then re-enable. I'm not even sure I'd be able to completely unenroll the device and re-enroll. CA's blocking is quite belligerent.
I have only encountered this a couple times so far (of course, I'm only managing a handful of devices at this point), so I'm not sure if there's something else going on in addition.
Thanks again.
- Hi, good morning
Really curious what error you are receiving when you are trying to log in; could you share that information, and what conditional access rule you are turning off to allow it again?
And maybe the error in the sign-in log? As I am also writing a blog about this topic :) ... it could be very useful in troubleshooting what happened and, of course, how to solve it.
Thanks
- Dr_Snooze (Brass Contributor)
Update: Excluding the Intune apps made no difference. The stale device is still blocked after reboots and forced syncs from both sides.
- Amidah1 (Brass Contributor)
Yes. They get a retire command after 90 days.
- ntnchoudhary666 (Copper Contributor)
I am also facing this issue nowadays.
And I am unable to fix it for a few devices, and ultimately we have to reset the device and enroll again.
Is there any solution to fix such issues?