Forum Discussion
Wim Borgers
Feb 28, 2019, Copper Contributor
Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
Dear all, I have this curious compliance issue for which I cannot find any information online or on docs.microsoft.com. Any help or suggestions are appreciated. We are testing Windows Defende...
RyanReynolds
Mar 06, 2019, Copper Contributor
I am having a very similar issue. On my device compliance policy I am showing "Require the device to be at or under the machine risk score" as not compliant. The device appears to be onboarded but is not showing up in the Windows Defender Security Center portal. Only machines I have onboarded manually with a script appear there. I have gone through the Intune - WDATP onboarding instructions located here https://docs.microsoft.com/en-us/intune/advanced-threat-protection several times, and everything seems to be set correctly. If I look on the device, WDATP shows that there are no threats and no action needed. Why is the device not showing up in the console, and why am I getting the compliance issue?
Wim Borgers
Mar 12, 2019, Copper Contributor
Thanks for the comment.
After the initial post in this thread I did not make any more changes due to business travel. After about a week suddenly the machines became compliant. Again: with no changes. Could it be that some process needs to run in the course of about a week before a client really is marked as compliant?
Are you seeing this too?
Best regards,
Wim
- RyanReynolds, Apr 23, 2019, Copper Contributor
Still having issues getting devices to join to WDATP through the Intune process. I have switched to a hybrid deployment because of some of the limitations of transferring all of our GPO settings to Intune. I can join devices using the script. I do not really trust Intune at this point to not mark one of my devices not compliant and cut off the VP while he is out of the office. Not a great feeling. We are going to do more testing with a rollout to IT staff.
- Wim Borgers, Apr 24, 2019, Copper Contributor
RyanReynolds, thanks for the feedback. That is indeed not a comfortable situation to be in. I just checked our device list and they are still marked as compliant, with the exception of one device for another reason.
In any case, the behaviour seems flaky, so it would be great if this could be addressed by the Intune team.
- Jerod Powell, May 28, 2019, Brass Contributor
I am having the same issue. I have tested this on 6 Win10 computers at this point, and it seems that if I Azure AD domain-join the computers, everything works fine; if I Azure AD register and MDM-manage the device, it will show up as clear or level 1 in the WDATP portal and as Deactivated in the Intune portal.
I've read conflicting information in the documentation: is Azure AD Domain Join mandatory? It seems ridiculous if it is. I mean, the Mac client was released, and how are you supposed to deal with BYOD if this is the case? I am working a support case with Microsoft, and they are adamant about the fact that MDM-managed devices should report correctly, but we have been working the case for 15 days so far with no changes. The strange thing is that I can configure ASR, cloud protection, and any of the other policies with no trouble. This makes it seem it may just not currently work unless the system is Domain Joined and MDM Managed, and not Domain Registered and MDM Managed.
If anyone has any details at all, I would love to hear them. We have several deals closed with clients to deploy M365 E5, and I want to prepare them if Intune isn't going to show their security status, as this is going to effectively kill our ability to use Conditional Access to limit access based on risk.
Thanks!