SOLVED

Intune marks Not Compliant if device does not sign in regularly, then permanently blocks the device

Brass Contributor

I'm using Intune's Conditional Access to block non-compliant devices on my O365 tenant. A problem I'm encountering is that the "Built-in Device Compliance Policy" turns Not Compliant if the device fails to log in for a long period of time. When this happens, the device gets blocked for being Not Compliant, so it is unable to refresh the Built-in Device Compliance Policy that would make it compliant again. The only solution I've found is to stop enforcing CA on the user until the device is able to sign in successfully again. Then I can resume CA. This is obviously not an ideal solution.


Am I the only one dealing with this? 

31 Replies

I was set up for "All cloud apps". I've changed it, but will have to root around here for another stale device to test it. For others who may find this thread, Intune doesn't show the entire list of cloud apps. You have to know what you're looking for and then search for it. I left the policy as "All cloud apps" with "Microsoft Intune" and "Microsoft Intune Enrollment" excluded from the policy.


The van Surksom link brings up a big spreadsheet. Lots of detail, but no discussion. Not sure if that's what you wanted. 

Update: Excluding the Intune apps made no difference. Stale device is still blocked after reboots and forced syncs from both sides.
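As an added example (not from any poster in this thread), the following PowerShell script uses the Microsoft Graph PowerShell SDK to list Intune-managed devices whose last check-in is older than a chosen threshold, so stale devices can be found and dealt with before the inactivity window flips them to Not Compliant and Conditional Access locks them out. The `$StaleAfterDays` value and the requirement for the `Microsoft.Graph.DeviceManagement` module are assumptions; pick a threshold below the "is active" window configured in your tenant.

```powershell
# Added example, not code from the thread. Lists managed devices that have not
# synced with Intune for more than $StaleAfterDays days (assumed value), so an
# admin can catch them before the compliance policy marks them Not Compliant.
# Requires: Install-Module Microsoft.Graph.DeviceManagement
param(
    [int]$StaleAfterDays = 10
)

# Read-only scope is enough for this audit.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleAfterDays)

$stale = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff } |
    Select-Object DeviceName, UserPrincipalName, ComplianceState,
        @{ Name = 'LastSync';      Expression = { $_.LastSyncDateTime } },
        @{ Name = 'DaysSinceSync'; Expression = { [int]($now - $_.LastSyncDateTime).TotalDays } } |
    Sort-Object DaysSinceSync -Descending

# Devices still showing "compliant" here are the ones worth nudging (reboot,
# forced sync) before the inactivity window expires and they get blocked.
$stale | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it from an account with the listed Graph permission; devices that appear as `compliant` with a high `DaysSinceSync` are the ones to chase before they cross the threshold, since once blocked they can no longer sync to clear the state on their own.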
best response confirmed by Dr_Snooze (Brass Contributor)
Solution

@Dr_Snooze 


Hi, could you also share whether there are any device cleanup rules configured?

[Screenshot attached: Rudy_Ooms_0-1639637794163.png]


Yes. They get a retire command after 90 days.

Is this more or less than the "is active" setting before becoming non-compliant?


Skip that question :) 14-day and 90-day cleanup rules.. So after 14 days you are experiencing the issue... not after 90 days?

I do not have a 14-day policy. Only the cleanup policy after 90 days of inactivity to get retired.
Ahh wait.. responding to different persons.. with 2 different kinds of settings :)

So dr_snooze has set the compliance policy to 14 days and a cleanup policy... (not sure how many days?)

And amidah1 is using cleanup rules... and after the 90 days the device isn't compliant because it has been "removed" from Intune.. Am I right about that one? So before the 90 days, it still works?
@Rudy
If you ask me, the retire policy is useless. After you become non-compliant from 30 days without activity, you don't get any command to the device because the device will no longer sync with the platform. If the command is changed to delete, to remove the registration of the device from the platform, it will be more effective (at least it does something, clearing the useless device registrations from the platform). But I wasn't the enlightened engineer who set it up this way; I just came along into this Frankenstein.

I thought I had them set up, but I didn't. I just set them for a 60 day deletion.

Hi, good morning.. So we can rule out the "cleanup rules" :)

@Rudy_Ooms_MVP 


Well, yesterday I would have said yes. This morning, however, the machine signed in without issue after a reboot. I found another stale device which also logged in without issue, so I guess this problem is fixed. Thank you so much!!


Out of curiosity, what made you think about cleanup rules in this context?