Intune Policies Displaying as Duplicates and Causing Non-Compliance Issues

Jeffery Tingle 11 Reputation points
2025-04-21T18:56:06.08+00:00

[Screenshot attached to the original question]

In Intune, duplicate policies are being displayed for all devices in a specific tenant. This issue is resulting in devices being marked as "Non-Compliant." Assistance is needed to identify a resolution for this problem.

Microsoft Intune Compliance

1 answer

  1. Pauline Mbabu 755 Reputation points Microsoft Employee
    2025-04-23T14:22:06.3233333+00:00

    Hello @Jeffery Tingle,
    When using Conditional Access and requiring compliant devices to access Microsoft 365, it's crucial to understand the built-in device compliance policies in Intune. These policies ensure devices meet specific requirements and can impact access if not properly configured.

    Built-in Device Compliance Policies

    There are three main built-in compliance policies for Windows devices:

    Enrolled User Exists

    • The user who enrolled the device must still exist and have a valid Intune license.
    • If the user is deleted, the device becomes non-compliant. You can fix this by changing the primary user in the device preferences.

    Has Compliance Policy Assigned

    • Devices must have at least one compliance policy assigned to be compliant.
    • It's best practice to create additional compliance policies, such as requiring Bitlocker DHA.
    • Change the default setting from "Compliant" to "Not Compliant" to ensure all devices have a compliance policy assigned.
      To manage the compliance policy settings, sign in to the Microsoft Intune admin center and go to Endpoint security > Device compliance > Compliance policy settings.

    Is Active

    • Devices must regularly contact Intune to be considered compliant.
    • The default compliance status validity period is 30 days, but it can be adjusted between 1 and 120 days.
    • Devices that don't report status within the validity period are treated as non-compliant.

    Monitoring and Fixing Compliance Issues

    • Enrolled User Exists: Change the primary user if the enrolled user no longer exists.
    • Is Active: Manually sync the device in the Company Portal app to update compliance status.
    • Has Compliance Policy Assigned: Ensure compliance policies are assigned to users rather than devices to avoid issues with the system account.

    The reason you are seeing two of each policy setting is most likely that the policy is assigned to a device group instead of a user group. This creates a record for the System account. Look at this doc to evaluate when it is preferable to use a device group over a user group:
    https://learn.microsoft.com/en-us/intune/intune-service/configuration/device-profile-assign#user-groups-vs-device-groups

    Reference Docs: https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-get-started#compliance-policy-settings
    I hope this helps to answer your question.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

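To work through the three checks from the answer above at the command line (tenant compliance policy settings, which kind of group each compliance policy is assigned to, and devices outside the validity window), here is an added example written for this page. It is not code from the thread, from the question author, or from Microsoft. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can consent to the read-only scopes listed; classifying a group as "device" or "user" from the object types of its direct members is a heuristic introduced here, not an Intune API.

```powershell
# Added example (not code from the original thread): audit the three built-in
# Intune compliance checks described above via Microsoft Graph.
# Assumptions: the Microsoft.Graph PowerShell module is installed and the
# signed-in account can consent to the read-only scopes requested below.
Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementConfiguration.Read.All',   # compliance policies + tenant settings
    'DeviceManagementManagedDevices.Read.All',  # managed device inventory
    'Group.Read.All'                            # group names and members
)

$graph = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so large tenants are not silently truncated.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Heuristic (assumption, not an Intune API): classify a group by the object
# types of its direct members. All devices -> 'device', all users -> 'user'.
function Get-GroupKind {
    param([string]$GroupId)
    $types = @(Get-GraphCollection "$graph/groups/$GroupId/members" |
               ForEach-Object { $_.'@odata.type' } | Sort-Object -Unique)
    switch ($types.Count) {
        0       { 'empty' }
        1       { if ($types[0] -eq '#microsoft.graph.device') { 'device' } else { 'user' } }
        default { 'mixed' }
    }
}

# --- Check 1: tenant-wide "Compliance policy settings" -------------------
$settings = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement").settings
$noPolicyState = if ($settings.secureByDefault) { 'Not compliant' } else { 'Compliant' }
Write-Host "`n== Compliance policy settings =="
[pscustomobject]@{
    'Mark devices with no compliance policy as' = $noPolicyState
    'Compliance status validity period (days)'  = $settings.deviceComplianceCheckinThresholdDays
} | Format-List

# --- Check 2: which group kind each compliance policy is assigned to ------
Write-Host "== Compliance policy assignments =="
$policies = Get-GraphCollection "$graph/deviceManagement/deviceCompliancePolicies?`$expand=assignments"
$rows = foreach ($p in $policies) {
    foreach ($a in $p.assignments) {
        $t   = $a.target
        $row = [ordered]@{
            Policy    = $p.displayName
            Platform  = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')
            Target    = ($t.'@odata.type' -replace '^#microsoft\.graph\.', '')
            Group     = ''
            GroupKind = ''
        }
        if ($t.groupId) {
            $row.Group     = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($t.groupId)?`$select=displayName").displayName
            $row.GroupKind = Get-GroupKind $t.groupId
        }
        [pscustomobject]$row
    }
}
$rows | Format-Table -AutoSize
# Flag inclusion assignments that target a device group (the case the answer
# above points to). Exclusion targets are ignored.
$rows | Where-Object { $_.GroupKind -eq 'device' -and $_.Target -notlike 'exclusion*' } |
    ForEach-Object { Write-Warning "'$($_.Policy)' is included for device group '$($_.Group)'" }

# --- Check 3: devices outside the validity window ("Is Active") ----------
Write-Host "== Devices that have not checked in within the validity period =="
$cutoff  = [datetime]::UtcNow.AddDays(-[int]$settings.deviceComplianceCheckinThresholdDays)
$devices = Get-GraphCollection "$graph/deviceManagement/managedDevices?`$select=deviceName,userPrincipalName,lastSyncDateTime,complianceState"
$devices |
    Where-Object { ([datetime]$_.lastSyncDateTime).ToUniversalTime() -lt $cutoff } |
    Select-Object deviceName, userPrincipalName, lastSyncDateTime, complianceState |
    Sort-Object lastSyncDateTime |
    Format-Table -AutoSize
```

Run it in PowerShell 7 or Windows PowerShell 5.1 after `Install-Module Microsoft.Graph`. The warnings in check 2 list the policies that are included for a device group, which is the situation the answer attributes to the doubled entries; compare that list against the user-group-vs-device-group guidance linked above before changing assignments. Get-GroupKind reads every direct member, so it is slow on very large groups, reports nested or mixed membership as 'mixed', and says nothing about dynamic membership rules. The cutoff in check 3 is computed in UTC because Graph reports lastSyncDateTime in UTC.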
