Problem with Conditional Access rule Use app-enforced Restrictions for browser access.

Iron Contributor
I have a problem with a conditional Access rule called:
Use app-enforced Restrictions for browser access.
I can't get it to work properly. I followed all the documentation i could find, but it doesn't work.
In the conditions i have set the following.
1. locations to all locations and excluding trusted locations.
2. Client Apps i selected Browser and Other Clients.
3. Device state All device state excluding devices marked compliant.
Under access control i selected app Use app enforced restrictions.
The weird about this Conditional Access Rule does function as expected on an compliant Mac but not on Windows 10 Devices.
In the signin logs i noticed the following.
When i login on a Mac with for example the Chrome Browser in Device Info of the SignIn logs all fields such as Compliant are filled with info. But when i sign in from a any browser on a compliant Windows 10 device, only the fields browser and Operating System are filled.
I somehow get the feeling that because of missing info in the device info, the conditional access rule thinks that the windows 10 device is not compliant.
In Google Chrome i have the Windows 10 Accounts Extension and in Edge i am signed in.
Aantekening 2020-03-26 134634.pngAantekening 2020-03-26 134418.png
21 Replies
Is this device fully enrolled into Intune?
If you log into an Office app like Outlook, does this show correctly?
No it doesn't

But when i look at the device, Hardware under Monitor and look at the Conditional Access properties i see this.

3/27/2020, 8:32:06 AM
Conditional access

Activation lock bypass code
Azure AD registered Yes
Compliance Compliant
EAS activated Yes
EAS activation ID ***********************
EAS activation time 16-12-2019 1:56:19 p.m.
Supervised No
Encrypted Yes

But this is an iOS device, not a Windows device?
Have you tested with a different device?

If you run the command dsregcmd /status, you can find the deviceID.
Does this correspond with the device you have in Azure AD?

@Thijs Lecomte 


Yes i tested it on a other device and there works a expected.

The device id i got from dsregcmd is the same as in Azure.


I'd like to know why this partical device doesn't show the device info properly and how to fix it, whithout resetting the device. I have had two other devices with the same issue. 


If you run the dsregcmd /status command.
What does the 'device state' say?
Pleae share the entire Device State bit.

EnterpriseJoined : x
AzureADJoined: x

@Thijs Lecomte 


| Device State |

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO

That looks good...

If you try using the 'old' Edge or IE, does it report back then?

@Thijs Lecomte 


Same result. 

Only Operating System and Browser version are reported back

Are you logged in with a local user or an AAD user?

@Thijs Lecomte 


I always login as a AAD user. Our devices do not have a local account.

@RonaldvdMeer seems that something is wrong with the AAD registration as no Device ID is send and without that compliance status isn`t checked (and fails).

You should compare the outcome of dsregcmd /status as Thijs says, from a working Windows device with a none working. See if there is a difference which can point you in the right direction.

You can also try

dsregcmd /leave

dsregcmd /join

Restart the laptop and try again.

@Peter Klapwijk 

I will do that next Monday. I am working from home right now due to..... You know.

I will roll out a new device. See what happens. 


I will get back to you next Monday

@Peter Klapwijk 

I did not see any difference between the dsregcmd status of a working device and the device that didn't work.

dsregcmd /leave did work

but dsregcmd /join didn't i got the message failed to complete task.

The only option left after that was a clean install of the device.

After complete rollout of the device the conditional access rules work as expected.

So problem is solved, although i am curious how this could have happened.