Dec 10 2021 10:56 AM
I'm using Intune's Conditional Access to block non-compliant devices on my O365 tenant. A problem I'm encountering is that the "Built-in Device Compliance Policy" turns Not Compliant if the device fails to log in for a long period of time. When this happens, the device gets blocked for being Not Compliant, so is unable to refresh the Built-in Device Compliance Policy that would make it compliant again. The only solution I've found is to stop enforcing CA on the user until the device is able to sign in successfully again. Then I can resume CA. This is obviously not an ideal solution.
Am I the only one dealing with this?
Dec 11 2021 12:03 AM
Dec 13 2021 09:34 AM
Thanks for responding. Here are my settings:
I'm not able to do manual syncs because the device is logged out and you have to log back in before you can do any kind of sync, which gets blocked by CA. The only way I can get the device functioning again is to disable CA and log in, then re-enable. I'm not even sure I'd be able to completely unenroll the device and re-enroll. CA's blocking is quite belligerent.
I have only encountered this a couple times so far (of course, I'm only managing a handful of devices at this point), so I'm not sure if there's something else going on in addition.
Thanks again.
Dec 13 2021 10:20 PM
Dec 14 2021 12:09 AM
Dec 14 2021 12:48 AM
Dec 14 2021 12:56 AM
Dec 14 2021 01:03 AM
Dec 14 2021 02:11 AM
Dec 14 2021 12:40 PM
I had it happen just now on a test device that I haven't used in a while. Here is the error message when you try to log in.
Azure AD reports this sign-in error.
Forcing manual syncs from the device and/or the portal makes no change.
To correct, I don't actually disable the CA policy. I remove the user from the Group to which the policy is applied. It's less disruptive, but still not an acceptable workaround.
When you say, "event logs (aad)," can you be more specific? I've tried looking at the Intune device logs. There are a zillion of them and I get a headache the moment I open even one.
Thanks,
Dec 14 2021 12:46 PM
Dec 15 2021 12:48 AM
Dec 15 2021 01:45 AM
Dec 15 2021 02:09 AM - edited Dec 15 2021 02:11 AM
Hi,
So you targeted "All cloud apps"? No exclusions?
Like shown below, is the CA rule targeted at all cloud apps or at multiple selected apps?
Dec 15 2021 02:11 AM
Dec 15 2021 02:16 AM - edited Dec 15 2021 02:17 AM
Just wondering... but what happens when you exclude the "Microsoft Intune" and the "Microsoft Intune Enrollment" apps from the CA policy?
Like mentioned in this blog
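As an added example (not code from anyone in this thread), a small Python check over Conditional Access policy JSON in the shape Microsoft Graph returns, flagging enabled policies that require a compliant device for all cloud apps without excluding the two Intune apps mentioned above. The sample policies are constructed, and the app IDs are the well-known first-party ones, which you should verify against your tenant's Enterprise applications.

```python
import json

# Well-known first-party app IDs; verify them in your own tenant before relying on them.
INTUNE_APPS = {
    "0000000a-0000-0000-c000-000000000000": "Microsoft Intune",
    "d4ebce55-015a-49b5-a083-c84d1797ae8c": "Microsoft Intune Enrollment",
}

# Constructed sample, trimmed to the fields that matter for this check.
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Require compliant device - all apps", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Require compliant device - with Intune carve-out", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"],
                  "excludeApplications": ["0000000a-0000-0000-c000-000000000000",
                                          "d4ebce55-015a-49b5-a083-c84d1797ae8c"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")


def find_lockout_risks(policies):
    """Return (policy name, Intune apps not excluded) for each enabled policy that
    requires a compliant device for all cloud apps without the Intune exclusions.

    Such a policy can lock a device out: once it is marked non-compliant it can
    no longer reach Intune to report the state that would make it compliant again.
    """
    risks = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = p.get("grantControls") or {}
        if "compliantDevice" not in (controls.get("builtInControls") or []):
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        if "All" not in (apps.get("includeApplications") or []):
            continue
        excluded = set(apps.get("excludeApplications") or [])
        missing = sorted(name for app_id, name in INTUNE_APPS.items() if app_id not in excluded)
        if missing:
            risks.append((p["displayName"], missing))
    return risks


if __name__ == "__main__":
    for name, missing in find_lockout_risks(SAMPLE_POLICIES):
        print(f"{name}: Intune apps not excluded -> {', '.join(missing)}")
```

Feed it the output of `GET /identity/conditionalAccess/policies` to audit a real tenant; policies that only target selected apps are skipped, since the lockout described in this thread comes from the all-apps case.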
Dec 15 2021 02:19 AM
Dec 15 2021 02:23 AM
Dec 15 2021 02:38 AM
Dec 15 2021 02:49 AM
Dec 15 2021 10:57 PM
Solution
Hi, could you also share whether there are any device cleanup rules configured?