Problem with Conditional Access rule Use app-enforced Restrictions for browser access.

RonaldvdMeer Hi Ronald,

Hard to troubleshoot these kind of issues. The issue is that when no Device ID is send, no compliance check is done.
But what is the cause.... No idea from this place.

PKlapwijk 

I did not see any difference between the dsregcmd status of a working device and the device that didn't work.

dsregcmd /leave did work

but dsregcmd /join didn't i got the message failed to complete task.

The only option left after that was a clean install of the device.

After complete rollout of the device the conditional access rules work as expected.

So problem is solved, although i am curious how this could have happened.

PKlapwijk 

I will do that next Monday. I am working from home right now due to..... You know.

I will roll out a new device. See what happens. 

I will get back to you next Monday

RonaldvdMeer seems that something is wrong with the AAD registration as no Device ID is send and without that compliance status isn`t checked (and fails).

You should compare the outcome of dsregcmd /status as Thijs says, from a working Windows device with a none working. See if there is a difference which can point you in the right direction.

You can also try

dsregcmd /leave

dsregcmd /join

Restart the laptop and try again.

Thijs Lecomte 

I always login as a AAD user. Our devices do not have a local account.

Thijs Lecomte 

Same result. 

Only Operating System and Browser version are reported back

Thijs Lecomte 

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO

Thijs Lecomte 

AzureADJoined