Forum Discussion

Wim Borgers
Copper Contributor
Feb 28, 2019

Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?

Dear all,


I have this curious compliance issue for which I cannot find any information online or on docs.microsoft.com. Any help or suggestions are appreciated.


We are testing Windows Defender ATP in combination with Intune compliance policies on a limited amount of devices. We had a first test group of three devices, and a second test group of four devices. So 7 in total.


In Intune our 'second wave' of test devices is somehow marked as "non compliant" because of a violation of our rule "Require the device to be at or under the machine risk score = clean, low,...". However, these machines are onboarded in Windows Defender ATP and show no issues. In Intune the table in Device Compliance -> Device Compliance shows that for these machines the Device Threat Level is "Deactivated". (Our other test machines report "Secured"; machines outside the test group report "Unknown".)


I cannot find any documentation where this state of "deactivated" is discussed. 


We identified three other differences between our first test group and the second test group:

- License level was on Microsoft E3 for the non-compliant machines, instead of E5 

- Windows version was 1803 for the non-compliant machines, instead of 1809

- The very first test group was onboarded in Windows Defender ATP using a script. The second, non-compliant group was onboarded using a configuration policy in Intune.


To test if any of these three differences could have caused the issue I did three separate tests:

1) I moved one user to Microsoft E5, as I understand for Windows Defender ATP this is required.

2) I had one other machine upgraded to Windows 10 1809

3) I ran the manual onboarding script once more on a third machine

But none of these machines would be compliant afterwards.


I onboarded the first test group to ATP using a script downloaded from ATP. They were active for a few weeks with just the ATP link. I then assigned both the compliance policy and the final ATP configuration at the same time to this first group.


The second group was onboarded by the ATP configuration policy in Intune. I assigned the identical compliance policy a day later.


I assume that the compliance check fails because the machines do not communicate their threat level (shown as "deactivated" in the Intune portal) properly.


One widget in the device compliance screen does show 5 of the 7 devices to be clean:


I do not understand why it counts 5 devices. What about the remaining two? And if these 5 are indeed clean, why do at least two of them (7 minus 5) report a threat level of "deactivated" and "non-compliant"?


Does anyone know why the Device Threat Level of the second test group is "deactivated"? What causes this? How can I solve this?


Thanks for your help!


Best regards,

Wim

  • a_n_7goo
    Copper Contributor
    We have a similar issue with one device that is failing compliance due to an AAD error. We are cloud only and all devices are joined to AAD and MDM enrolled. However, one device shows as AAD registered when viewed in AAD, but shows as AAD joined on the device. It is enrolled in MDM. Defender for Endpoint returns a low risk score, but the compliance policy thinks it is non-compliant because the risk score is high. I have tried various fixes, but the only solution seems to be a complete reset (MDM fresh start, or wipe) because the error seems to stem from the AAD joining process.
  • Atulpal2490
    Copper Contributor

    Wim Borgers 

    I have a few questions. Did you configure all these policies? Did you connect the endpoint to Intune through the connector (toggle button)? Did you create any conditional policies that state the device is non-compliant if it is at a certain risk level?


  • RyanReynolds
    Copper Contributor

    I am having a very similar issue. On my Device compliance policy I am showing "Require the device to be at or under the machine risk score" as not compliant. The device appears to be onboarded but is not showing up in the Windows Defender Security Center Portal. Only machines I have onboarded manually with a script appear there. I have gone through the Intune - WDATP onboarding instructions located here https://docs.microsoft.com/en-us/intune/advanced-threat-protection several times and everything seems to be set correctly. If I look on the device, WDATP shows that there are no threats and no action needed. Why is the device not showing up in the console and why am I getting the compliance issue?


    • Wim Borgers
      Copper Contributor

      Thanks for the comment.


      After the initial post in this thread I did not make any more changes due to business travel. After about a week suddenly the machines became compliant. Again: with no changes. Could it be that some process needs to run in the course of about a week before a client really is marked as compliant?


      Are you seeing this too?


      Best regards,


      Wim

      • RyanReynolds
        Copper Contributor

        Wim Borgers 

        Still having issues getting devices to join WDATP through the Intune process. I have switched to a hybrid deployment because of some of the limitations of transferring all of our GPO settings to Intune. I can join devices using the script. I do not really trust Intune at this point to not mark one of my devices non-compliant and cut off the VP while he is out of the office. Not a great feeling. We are going to do more testing with a rollout to IT staff.
