compliance
Intune marks Not Compliant if device does not sign in regularly, then permanently blocks the device
I'm using Intune's Conditional Access to block non-compliant devices on my O365 tenant. A problem I'm encountering is that the "Built-in Device Compliance Policy" turns Not Compliant if the device fails to log in for a long period of time. When this happens, the device gets blocked for being Not Compliant, so it is unable to refresh the Built-in Device Compliance Policy that would make it compliant again. The only solution I've found is to stop enforcing CA on the user until the device is able to sign in successfully again. Then I can resume CA. This is obviously not an ideal solution. Am I the only one dealing with this?
Intune Custom Compliance Policy - Struggling

Any assistance or guidance on this is greatly appreciated. For over a week I have struggled with a custom compliance policy that will do the following:

- Search for a specific installed software and version and produce the following results:
  - Application is not installed: Compliance Status set to "Not Applicable"
  - Application is installed but is not the desired version: Compliance status set to "Not Compliant"
  - Application is installed and meets the version requirements: Compliance status set to "Compliant"
  - Multiple versions of the application exist, one of which meets the requirements: Compliance status set to "Not Compliant"

If I run the discovery script on a local device and output the findings it is 100% successful, every time. However, when applying the policy in Intune not everything works correctly. Here are both the JSON file and the discovery script.

------- JSON -------
{
  "Rules": [
    {
      "SettingName": "ComplianceStatus",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "Compliant",
      "MoreInfoUrl": "https://example.com/compliance-info",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Software Compliance Check",
          "Description": "The required software version is installed and compliant."
        }
      ]
    },
    {
      "SettingName": "ComplianceStatus",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "NonCompliant",
      "MoreInfoUrl": "https://example.com/compliance-info",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Software Compliance Check",
          "Description": "The required software version is not installed or is outdated. Please install or update to the required version."
        }
      ]
    },
    {
      "SettingName": "ComplianceStatus",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "NotApplicable",
      "MoreInfoUrl": "https://example.com/compliance-info",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Software Compliance Check",
          "Description": "The software is not applicable for this device."
        }
      ]
    }
  ]
}

------- Discovery Script -------
$softwareName = "Autodesk Single Sign On Component"
$requiredVersion = [version]"13.7.7.1807"

# Get the installed software information.
# Note: querying Win32_Product triggers an MSI consistency check of every installed
# package on each call; it is slow and noisy in the event log. @() forces an array
# so .Count behaves the same for zero, one or many matches.
$installedSoftware = @(Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -eq $softwareName })

# Initialize the result hash
$result = @{
    SoftwareInstalled = $false
    SoftwareVersion   = "0.0.0.0"
    ComplianceStatus  = "NotApplicable"
}

# Process each instance if any are found
if ($installedSoftware.Count -gt 0) {
    $result.SoftwareInstalled = $true
    $isCompliant = $false
    $multipleCopies = ($installedSoftware.Count -gt 1)

    foreach ($software in $installedSoftware) {
        $installedVersion = [version]$software.Version
        $result.SoftwareVersion = $installedVersion.ToString()
        if ($installedVersion -ge $requiredVersion) {
            $isCompliant = $true
        }
    }

    # Determine overall compliance status.
    # The "?:" ternary operator only exists in PowerShell 7+. The Intune Management
    # Extension runs discovery scripts under Windows PowerShell 5.1, where it is a
    # parse error, so an if/elseif/else is used instead.
    if ($multipleCopies) {
        $result.ComplianceStatus = "NonCompliant"
    } elseif ($isCompliant) {
        $result.ComplianceStatus = "Compliant"
    } else {
        $result.ComplianceStatus = "NonCompliant"
    }
}

# Return the result as JSON (a single compressed line, which is what Intune expects)
$result | ConvertTo-Json -Compress
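An added example, not the original poster's files, of a discovery script and rules file for the same check, reworked around two points that explain a script working by hand but not under Intune. First, a device is compliant only when every rule in the JSON passes, so three IsEquals rules on the same setting with three different operands can never all be true at once; one rule requiring "Compliant" is enough, and because custom compliance has only two outcomes per setting, the "not installed" case has to map to one of them (here it is mapped to Compliant, an assumption stated in the code). Second, the `?:` ternary is PowerShell 7 syntax, while the Intune Management Extension runs discovery scripts with Windows PowerShell 5.1, where it is a parse error, so a script that passes under pwsh on the desk fails under the agent. The example also reads the Uninstall registry keys rather than Win32_Product, which triggers an MSI consistency check on every query. The product name, required version and MoreInfoUrl are taken from the post; the function names and the extra reported settings are assumptions, and the rules file is embedded only as a here-string for reference, since it is uploaded to the policy rather than emitted by the script.

```powershell
# Added example, not the original poster's script. Discovery script for an Intune
# custom compliance policy, written for Windows PowerShell 5.1 (the host the Intune
# Management Extension uses): no "?:" ternary or other pwsh-7-only syntax.
# Detection reads the Uninstall registry keys instead of Win32_Product, which
# triggers an MSI consistency check of every installed package on each query.
# Product name, version and MoreInfoUrl come from the post; function names are
# assumptions.
$SoftwareName    = 'Autodesk Single Sign On Component'
$RequiredVersion = [version]'13.7.7.1807'

# Rules file content, for reference only (it is uploaded to the policy, not emitted
# by the script). A device is compliant only when every rule passes, so one rule on
# ComplianceStatus is enough; several IsEquals rules with different operands on the
# same setting can never all be true and would make every device noncompliant.
$RulesJson = @'
{
  "Rules": [
    {
      "SettingName": "ComplianceStatus",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "Compliant",
      "MoreInfoUrl": "https://example.com/compliance-info",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Software Compliance Check",
          "Description": "The required software is outdated or more than one copy is installed. Update to 13.7.7.1807 or later and remove old copies."
        }
      ]
    }
  ]
}
'@

function Get-InstalledVersions {
    # Returns every parseable DisplayVersion registered under the given DisplayName,
    # checking both the native and the WOW6432Node Uninstall keys so that 32-bit
    # installers on 64-bit Windows are not missed.
    param([string]$DisplayName)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $versions = @()
    foreach ($item in @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue)) {
        if ($item.DisplayName -eq $DisplayName -and $item.DisplayVersion) {
            $parsed = $null
            if ([version]::TryParse([string]$item.DisplayVersion, [ref]$parsed)) {
                $versions += $parsed
            }
        }
    }
    return $versions
}

function Get-ComplianceResult {
    # Maps the versions found onto the two outcomes custom compliance supports.
    # Assumption: a device without the product is reported Compliant, because there
    # is no "not applicable" outcome and an absent product is not an outdated one.
    # Change the default below to 'NonCompliant' to require the product instead.
    param([version[]]$Installed, [version]$Required)
    $result = [ordered]@{
        Installed        = ($Installed.Count -gt 0)
        InstalledCount   = $Installed.Count
        HighestVersion   = '0.0.0.0'
        ComplianceStatus = 'Compliant'
    }
    if ($Installed.Count -gt 0) {
        $highest = $Installed | Sort-Object -Descending | Select-Object -First 1
        $result.HighestVersion = $highest.ToString()
        if ($Installed.Count -gt 1) {
            # Side-by-side copies: an older copy is still present, so fail the check.
            $result.ComplianceStatus = 'NonCompliant'
        } elseif ($highest -lt $Required) {
            $result.ComplianceStatus = 'NonCompliant'
        }
    }
    return $result
}

# @() keeps zero, one and many matches as an array for the typed parameter.
$found = @(Get-InstalledVersions -DisplayName $SoftwareName)
# Intune expects exactly one line of JSON on stdout; -Compress guarantees that.
Get-ComplianceResult -Installed $found -Required $RequiredVersion | ConvertTo-Json -Compress
```

Running the script by hand under powershell.exe (not pwsh) reproduces the agent's environment; the extra settings it reports (Installed, InstalledCount, HighestVersion) are ignored by Intune unless a rule references them, but they show up in the device's compliance details and make it easier to see why a device was judged the way it was.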
iOS Microsoft Defender Compliance Policy not showing compliance despite successful setup of the app

I am having an issue on multiple tenants and after a lot of trial and error I am not getting it. All tenants enroll their devices through the Apple DEP in supervised mode and deploy the Microsoft Defender app using a VPP token with a device-based license. The app is successfully installed on the devices and users are able to sign in to the app, and Defender is showing everything is green. However, the compliance policy does not switch to compliant even after a long wait, and the security center is not showing the device. Strangely, this is not happening always... around half of the enrollments switch to compliant while the other half do not. Sometimes the issue also resolves by reinstalling the app. I have this issue on multiple tenants. I am using the Filter profile with auto enrollment (which also does not always start), but the VPN onboarding has the same issue. So if someone else had this issue and has an idea where this comes from: please give me a comment.
Security Baselines

Hi, I'm having an issue after enabling the security baselines. When we connect our laptop to the docking station via the Thunderbolt port, the peripherals (mouse, keyboard, and network connection) get blocked. We suspected the policy "Disable new DMA devices when this computer is locked", but disabling it didn't help. Does anybody have any idea which policy might be blocking the peripherals? This is a headache to find.
Migration from 3rd party MDM to Intune - Compliance Partnership issues

Hello Community, we are currently in the situation that smartphones are managed via a 3rd party device management system, which is connected to Intune via Partner Compliance Management. We are in the process of migrating MDM from the 3rd party system to Intune. Users unenroll their devices (removal of the Management Profile and App), install the Company Portal and enroll into Intune. This works so far, but after some time we suddenly started having issues where the migrated smartphones switch into a not compliant and not managed state, but in Entra ID only. In Intune they are still compliant. This happened to devices that have been enrolled in Intune for several months, as well as devices that have been enrolled for only a few weeks. Also not all at the same time: first 1, then 2, then suddenly 10 or so a few days later... In the Entra ID device audit log we can see that "Microsoft Intune" executed a "Device no longer managed" activity on the device. But it seems as if the activity is always listed as Intune, no matter whether it is really initiated by Intune or via the Compliance Partnership in Intune. We cannot find any log file that lets us nail down whether this is really triggered by the 3rd party MDM via the compliance partner interface, or maybe by some weird hidden Intune cleanup job that sets this if devices are no longer synced from the partner management. As a workaround, we currently assign a Compliance Policy that is impossible for the device to fulfil, wait until the device also turns not compliant in Intune, then unassign the policy again. When the device now turns compliant in Intune again, it also synchronizes the status to Entra ID again and the device object in Entra is back in a compliant and managed state. Do you have any suggestions for that case? One idea was to delete the Entra ID object and have a new object created when the user enrolls his device into Intune again, but that would cause a lot more effort in the rollout. (Currently the Entra ID device object stays the same.) Thank you
Device Compliance

Hi Team, I have a case where devices enrolled into Intune sometimes do not get logged in for more than 2 months, which Intune marks as non-compliant devices. After the user logs in to the device, even after a few days the device is still marked as non-compliant. I've run a sync on the device and manually from the device but no luck. Is there a specific reason, or something I am missing here? The device is only marked as non-compliant; its status is Active but it is shown as non-compliant.
How to Resolve Microsoft Intune Laptop Compliance Status: Not Evaluated

Hi Intune Community, I have a system in our environment with a compliance status I have not seen before: Not Evaluated. I can only find one KBA that addresses this from Microsoft: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor

To address the items that can cause this state:
- Devices that aren't assigned a compliance policy and don't have a trigger to check for compliance - this is still a viable potential issue with this system
- Devices that haven't checked in since the compliance policy was last updated - this is not the case with this system because I can see a check-in time of today
- Devices not associated to a specific user, such as iOS/iPadOS devices purchased through Apple's Device Enrollment Program (DEP) that don't have user affinity, or Android kiosk or Android Enterprise dedicated devices - this is N/A because this is a new laptop device (2 months old)
- Devices enrolled with a device enrollment manager (DEM) account - this would be N/A as I understand DEM to only relate to mobile devices, not laptops

My ultimate question here is how do I verify the cause of the Compliance: Not Evaluated error and how do I fix it - the fix looks like the compliance status being: Compliant. Thank you for your help!
Where to find CIS Benchmarks/Baselines for Windows 10

Hello, I am trying to locate CIS benchmarks/compliance baselines specifically targeting Windows 10. This documentation implies that these exist somewhere within the scope of the Azure/Intune/Endpoint/Defender/Security portals: https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines?view=o365-worldwide

"Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019"

However, I have been unable to locate these. The documentation says: "Go to Vulnerability management > Baselines assessment in the Microsoft 365 Defender portal". However, the menu item "Baselines assessment" does not show at all in my view of that portal using a GA login. I have tried activating a trial which I thought may hold the answer, but this does not appear to have surfaced anything new: https://security.microsoft.com/tvmPremiumTrial180daySolution

We're a UK-based CSP customer, if that matters. I would be grateful for any advice as to where we can find these benchmarks and make use of them for our endpoint managed devices. If these benchmarks represent a feature which is yet to be made generally available, any information as to timelines to a release would also be immensely useful. Many thanks in advance, Robert
Android - Not Compliant

Hello All, We have some Android personal devices (enrolled with a personally owned work profile) and corporate devices (enrolled as Corporate-owned, fully managed user devices) which are not compliant due to "Require the device to be at or under the Device Threat Level". When the devices are enrolled, all the required apps are installed, including Microsoft Defender. Employees have to manually provision Microsoft Defender and sync the device, and then it becomes compliant. However, after a few days it again becomes non-compliant. I'm trying to figure out if Microsoft Defender provisioning can be automated and if the devices can be synced automatically on a daily basis so that somehow it stays compliant. Thank you for your valuable suggestions and solutions. Benny S
Personal iOS enrollment with work profile

Hello All, I have enrolled my personal iOS device in Intune. During the enrollment, it installed all the required applications, including Microsoft Defender. I have provisioned Microsoft Defender and it says the device is protected. I have also created an app protection policy which blocks copying corporate data to personal iCloud. I am getting non-stop notifications that iCloud is blocked. Also, another issue is that the websites which are blocked in Microsoft Cloud App Security are somehow affecting the personal devices and I am not able to open the blocked websites. We had to manually create an exclusion group and exclude them for personal devices, but the challenge is that we have to exclude this manually for every app in MCAS, which is time consuming and not practical. I'm trying to figure out if we can set up a work profile for iOS devices to limit these restrictions to the work profile so that they are not applied to the personal profile. Thank you for your valuable suggestions and solutions. Benny S