Forum Discussion
Wim Borgers
Feb 28, 2019, Copper Contributor
Intune Compliance Policy: Device not compliant because of missing machine risk score: deactivated?
Dear all, I have this curious compliance issue for which I cannot find any information online or on docs.microsoft.com. Any help or suggestions are appreciated. We are testing Windows Defende...
Wim Borgers
Mar 12, 2019, Copper Contributor
Thanks for the comment.
After the initial post in this thread I did not make any more changes due to business travel. After about a week suddenly the machines became compliant. Again: with no changes. Could it be that some process needs to run in the course of about a week before a client really is marked as compliant?
Are you seeing this too?
Best regards,
Wim
RyanReynolds
Apr 23, 2019, Copper Contributor
Still having issues getting devices to join WDATP through the Intune process. I have switched to a hybrid deployment because of some of the limitations of transferring all of our GPO settings to Intune. I can join devices using the script. I do not really trust Intune at this point not to mark one of my devices non-compliant and cut off the VP while he is out of the office. Not a great feeling. We are going to do more testing with a rollout to IT staff.
- Wim Borgers, Apr 24, 2019, Copper Contributor
RyanReynolds, thanks for the feedback. That is indeed not a comfortable situation to be in. I just checked our device list and they are still marked as compliant, with the exception of one device for another reason.
In any case, the behaviour seems flaky, so it would be great if this could be addressed by the Intune team.
- Jerod Powell, May 28, 2019, Brass Contributor
I am having the same issue. I have tested this on 6 Win10 computers at this point. It seems that if I Azure AD Domain Join the computers, everything works fine; if I Azure AD Register and MDM Manage the device, it will show up as clear or level 1 in the WDATP portal and as Deactivated in the Intune portal.
I've read conflicting information in the documentation: is Azure AD Domain Join mandatory? It seems ridiculous if it is. I mean, the Mac client was released, and how are you supposed to deal with BYOD if this is the case? I am working a support case with Microsoft and they are adamant that MDM Managed devices should report correctly, but we have been working the case for 15 days so far with no changes. The strange thing is that I can configure ASR, cloud protection, and any of the other policies with no trouble. This makes it seem that it may just not currently work unless the system is Domain Joined and MDM Managed, and not Domain Registered and MDM Managed.
If anyone has any details at all, I would love to hear them. We have several deals closed with clients to deploy M365 E5 and I want to prepare them if Intune isn't going to show their security status, as this is going to effectively kill our ability to use Conditional Access to limit access based on risk.
Thanks!
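Two of the things the posts above keep coming back to are the device's join type (Azure AD joined versus Azure AD registered and MDM managed) and whether the WDATP client on the machine is actually onboarded. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reads the join state from `dsregcmd /status` and the onboarding state from the Windows Advanced Threat Protection status registry key and the Sense service, so a device that shows as Deactivated in Intune can be checked locally before opening a case. The `OnboardingState` value is the documented one; `SenseId` and `OrgId` are read only where present and are treated here as informational.

```powershell
# Added example (not from the thread): local checks for a Windows 10 device that shows
# as "Deactivated" in Intune. Run in an elevated PowerShell on the device itself.

# 1. Azure AD join state, parsed from dsregcmd output.
#    "AzureAdJoined : YES" means Azure AD joined; "WorkplaceJoined : YES" means
#    Azure AD registered (the "register + MDM manage" case discussed above).
$dsreg = dsregcmd /status
$joinState = [ordered]@{}
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'DeviceId', 'TenantName') {
    $joinState[$key] = 'n/a'
    foreach ($line in $dsreg) {
        if ($line -match "^\s*$key\s*:\s*(.+)$") {
            $joinState[$key] = $Matches[1].Trim()
            break
        }
    }
}

# 2. Defender ATP onboarding state from the Status key written by the onboarding script.
#    OnboardingState = 1 means the device has completed onboarding.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = $false
$orgId = $null
$senseId = $null
if (Test-Path $statusKey) {
    $props = Get-ItemProperty -Path $statusKey
    $onboarded = ($props.OnboardingState -eq 1)
    $orgId = $props.OrgId      # informational, present once onboarded
    $senseId = $props.SenseId  # informational, the device id reported to the portal
}

# 3. The Sense service must exist and be running for the device to report at all.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    AzureAdJoined     = $joinState.AzureAdJoined
    WorkplaceJoined   = $joinState.WorkplaceJoined
    DomainJoined      = $joinState.DomainJoined
    TenantName        = $joinState.TenantName
    DeviceId          = $joinState.DeviceId
    SenseService      = if ($sense) { $sense.Status.ToString() } else { 'not installed' }
    MdeOnboarded      = $onboarded
    MdeOrgId          = $orgId
    MdeSenseId        = $senseId
}
$report | Format-List

# Flag the combinations the thread describes as problematic so they stand out in a rollout log.
if ($joinState.WorkplaceJoined -eq 'YES' -and $joinState.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is Azure AD registered, not Azure AD joined (the case reported as Deactivated above).'
}
if (-not $onboarded -or -not $sense -or $sense.Status -ne 'Running') {
    Write-Warning 'WDATP client is not onboarded or the Sense service is not running; the device cannot report a risk score.'
}
```

Running this on a handful of pilot machines and keeping the output next to the Intune compliance state gives a quick way to tell whether a "Deactivated" device is a client-side problem (not onboarded, Sense stopped, wrong join type) or something on the Intune/WDATP connector side.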
- Wim Borgers, Jun 14, 2019, Copper Contributor
Thanks for adding your experiences to this thread. Short update on our experience: in the end all our devices will be set to compliant, but it can take days. That poses a problem when you want to activate conditional access based on compliance.
When looking at the device status of the compliance policy, most devices are shown twice: once with the user 'system account' and once with the regular user of the machine. In the end it does not seem to affect the compliance status of the device itself, but it is annoying and makes it very hard to find the one device that is in fact not compliant.
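The duplicate rows described above make it hard to spot the single non-compliant device in the portal. The following is an added example, not code from the thread: it uses the Microsoft Graph PowerShell SDK to pull the managed-device list, which carries one compliance state per device, and prints a per-state summary followed by only the devices that would be blocked by a compliance-based Conditional Access rule. It assumes the Microsoft.Graph module is installed and that the signed-in account is allowed to read managed devices.

```powershell
# Added example (not from the thread): find non-compliant Intune devices from the
# managed-device list instead of the per-user compliance policy report.
# Requires the Microsoft.Graph PowerShell module and an account that can read managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

$properties = 'id,deviceName,userPrincipalName,complianceState,lastSyncDateTime,' +
              'azureADRegistered,deviceEnrollmentType,operatingSystem'
$devices = Get-MgDeviceManagementManagedDevice -All -Property $properties

# Per-state summary: compliant, noncompliant, inGracePeriod, unknown, conflict, error, ...
$devices |
    Group-Object -Property ComplianceState |
    Select-Object Name, Count |
    Sort-Object Name |
    Format-Table -AutoSize

# One row per device: anything that is not "compliant" will fail a compliance-based
# Conditional Access check, including devices still waiting for their first risk score.
$devices |
    Where-Object { $_.ComplianceState -ne 'compliant' } |
    Sort-Object LastSyncDateTime |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime,
                  AzureAdRegistered, DeviceEnrollmentType, OperatingSystem |
    Format-Table -AutoSize
```

Sorting by `LastSyncDateTime` puts devices that have not checked in for a while at the top, which is usually the first thing to rule out before assuming the risk-score evaluation itself is stuck.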