How does the Active non-compliance state work in Intune?

Ritesh Sharma 266 Reputation points
2023-01-20T16:51:08.9466667+00:00

Hi, please help to confirm: in which scenarios are devices marked non-compliant under the inactive state?


3 answers

  1. SanthiSwaroopNaikBukke-4908 595 Reputation points
    2023-01-20T17:04:48.17+00:00

    In Microsoft Intune, devices can be marked as non-compliant when they fail to meet certain security or compliance policies. Some examples of scenarios that can cause a device to be marked as non-compliant under an active state in Intune are:

    1. Missing software updates: If a device is missing critical software updates, it can be marked as non-compliant.
    2. Outdated operating system: If a device is running an outdated version of an operating system, it can be marked as non-compliant.
    3. Unapproved apps: If a device has apps installed that are not approved by the organization, it can be marked as non-compliant.
    4. Unsecured device settings: If a device's settings do not meet the organization's security requirements, it can be marked as non-compliant.
    5. Missing security software: If a device is missing required security software, such as antivirus or a firewall, it can be marked as non-compliant.
    6. Encryption: If a device is not encrypted or the encryption is not up to date, it can be marked as non-compliant.
    7. Jailbreak/root: If a device has been jailbroken or rooted, it can be marked as non-compliant.
    8. Device is not active: If a device is not being used and is inactive, it can be marked as non-compliant.
    1 person found this answer helpful.

  2. Crystal-MSFT 44,321 Reputation points Microsoft Vendor
    2023-01-23T02:01:50.24+00:00

    @Ritesh Sharma, Thanks for posting in Q&A.

    For the compliance setting "Is active", it is configured in the built-in device compliance policy under Compliance policies->Compliance policy settings.


    This is controlled by "Compliance status validity period (days)", which specifies a period in which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, the device is treated as noncompliant under "Is active".


    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  3. Ruud Gijsbers Rademakers 551 Reputation points
    2023-01-22T20:21:40.8566667+00:00

    Hi Ritesh,

    There are two parts to compliance policies in Intune:

    • Compliance policy settings – Tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven’t received any device compliance policies are compliant or noncompliant.
    • Device compliance policy – Platform-specific rules you configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant.

    Compliance policy settings include the following settings (https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#compliance-policy-settings):

    • Mark devices with no compliance policy assigned as Compliant / Non-Compliant
    • Enhanced jailbreak detection (applies only to iOS/iPadOS)
    • Compliance status validity period (days)

    Intune device compliance policies (https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started#device-compliance-policies):

    • Define the rules and settings that users and managed devices must meet to be compliant. Examples of rules include requiring devices run a minimum OS version, not being jail-broken or rooted, and being at or under a threat level as specified by threat management software you’ve integrated with Intune.
    • Support actions that apply to devices that don’t meet your compliance rules. Examples of actions include being remotely locked, or sending a device user email about the device status so they can fix it.
    • Deploy to users in user groups or devices in device groups. When a compliance policy is deployed to a user, all the user's devices are checked for compliance. Using device groups in this scenario helps with compliance reporting.

    If you use Conditional Access, your Conditional Access policies can use your device compliance results to block access to resources from noncompliant devices.

    The available settings you can specify in a device compliance policy depend on the platform type you select when you create a policy. Different device platforms support different settings, and each platform type requires a separate policy.

    Depending on the configuration of your compliance policies, the device will be marked as non-compliant. The compliance state is checked according to the following process (https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned):

    Intune notifies the device to check in with the Intune service. The notification times vary, from immediately up to a few hours. These notification times also vary between platforms.

    If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as one that is turned off or not connected to a network, may not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for non-compliance, including devices that move from a compliant to a non-compliant state.

    Estimated frequencies:

    | Platform | Refresh cycle |
    | --- | --- |
    | iOS/iPadOS | About every 8 hours |
    | macOS | About every 8 hours |
    | Android | About every 8 hours |
    | Windows 10/11 PCs enrolled as devices | About every 8 hours |
    | Windows 8.1 | About every 8 hours |

    If devices have recently enrolled, then the compliance, non-compliance, and configuration check-in runs more frequently. The check-ins are estimated at:

    | Platform | Frequency |
    | --- | --- |
    | iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours |
    | macOS | Every 15 minutes for 1 hour, and then around every 8 hours |
    | Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
    | Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
    | Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |

    At any time, users can open the Company Portal app, Devices > Check Status or Settings > Sync to immediately check for policy or profile updates.

    I hope this helps.

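The "Is active" rule from the second answer, combined with the roughly 8-hour refresh cycle from the third, can be checked offline against device check-in times. This is an added example, not code from any of the answerers or from Microsoft: it assumes the records carry the Graph managedDevice field names (deviceName, operatingSystem, lastSyncDateTime, complianceState), uses Intune's default validity period of 30 days, and the sample devices and reference time are constructed.

```python
"""Offline check of Intune's tenant-wide "Is active" rule (added example, not from the thread).

Assumed: records mimic the Graph managedDevice fields deviceName / operatingSystem /
lastSyncDateTime / complianceState; sample devices and AS_OF are constructed.
"""
from datetime import datetime, timedelta, timezone

VALIDITY_PERIOD_DAYS = 30   # "Compliance status validity period (days)", Intune's default
REFRESH_CYCLE_HOURS = 8     # steady-state check-in estimate quoted in the third answer

# Reference time, constructed (the timestamp of the original question).
AS_OF = datetime(2023, 1, 20, 16, 51, 8, tzinfo=timezone.utc)

# Constructed sample resembling a trimmed Graph managedDevices response.
SAMPLE_DEVICES = [
    {"deviceName": "LT-0001", "operatingSystem": "Windows",
     "lastSyncDateTime": "2023-01-20T08:00:00Z", "complianceState": "compliant"},
    {"deviceName": "PH-0002", "operatingSystem": "iOS",
     "lastSyncDateTime": "2022-12-10T21:30:00Z", "complianceState": "compliant"},
    {"deviceName": "LT-0003", "operatingSystem": "Windows",
     "lastSyncDateTime": "2022-12-29T10:00:00Z", "complianceState": "noncompliant"},
]

def parse_graph_time(value):
    """Graph returns ISO-8601 with a trailing 'Z'; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_is_active(device, now=AS_OF, validity_days=VALIDITY_PERIOD_DAYS):
    """Describe one device under "Is active": it stays active only while its last
    successful report falls inside the validity period."""
    last_sync = parse_graph_time(device["lastSyncDateTime"])
    deadline = last_sync + timedelta(days=validity_days)
    age = now - last_sync
    return {
        "deviceName": device["deviceName"],
        "isActive": now <= deadline,
        "daysSinceSync": age.days,
        "daysUntilStale": max((deadline - now).days, 0),
        # how many ~8-hour refresh cycles the device has silently skipped
        "missedRefreshCycles": int(age.total_seconds() // (REFRESH_CYCLE_HOURS * 3600)),
    }

def stale_devices(devices, now=AS_OF, validity_days=VALIDITY_PERIOD_DAYS):
    """Names of devices Intune would treat as noncompliant under "Is active",
    whatever their per-policy complianceState says."""
    results = (evaluate_is_active(d, now, validity_days) for d in devices)
    return [r["deviceName"] for r in results if not r["isActive"]]

print(stale_devices(SAMPLE_DEVICES))
```

Note that LT-0003 is noncompliant for some other policy reason yet still counts as active, while PH-0002 is compliant on every policy but has gone silent past the validity period, which is exactly the case the "Is active" setting catches.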