Question
Tuesday, July 23, 2019 12:04 PM
Dear community,
I have a strange problem on several devices, which I can't explain, and I need a bit of help in order to get them compliant.
We deployed Intune with our company policy, requiring BitLocker, AV, and a minimum OS version. All devices are hybrid joined, auto-enrolled via GPO, the BitLocker key is stored in AD/AAD, and all users got an EM+S E3 license. The policy works on over 750 clients, but on some it won't for several reasons, which is okay because most of them can be figured out. But on some devices we have a strange behavior which causes trouble; let me try to explain:
On some devices the policy is applied, but the device does not turn compliant, saying BitLocker state "Not Compliant". TPM is enabled, BitLocker is enabled, and so on... Now here is the thing: when I log on with another user, mine for example, the policy gets applied a second time to the device, but now saying BitLocker state: "Compliant".
Because of the strict compliance requirement with a 0-day grace period, the device is suddenly not allowed to access Office 365 resources, out of nowhere.
Now, knowing that my user is compliant on that device, I log back on with the prior user account; this account becomes compliant too, with the result that the whole device now turns compliant.
Can someone explain this behavior to me and how to avoid/solve it? Logging on twice with several users to solve the non-compliance seems a bit unprofessional; also, I think this will come back to bite me some day when the policy applied from my user account to the device turns "non-compliant" because it has been inactive for too long.
Do I need to delete the device from Azure AD completely and re-enroll it?
PS: I can't add images or links because my account is not yet verified.
Help is greatly appreciated
Michael
All replies (2)
Tuesday, July 23, 2019 12:40 PM
Hi Michael,
I've also noticed that compliance policies targeted to devices will check their compliance rules for every user that logs on the device, and I believe that is currently by design.
If a user marks the device as non-compliant, it is that user who needs to log on to the device again to get it compliant. If the device shows compliant for other users afterwards, Intune will still treat it as non-compliant.
This is problematic in environments where devices are shared among multiple users.
Currently, your options are either to issue personal devices or to create a compliance policy for shared devices that will mark devices as compliant earlier. You can also monitor and act on devices that are not yet encrypted using the encryption report found in the device configuration tab.
The feedback to support multiple user contexts with device compliance policies has also been posted on the Microsoft Intune UserVoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34679338-support-multiple-user-contexts-with-device-complia
Regards,
John
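Editor's added example (not code from the thread, from Michael or John, or from Microsoft): a PowerShell check to run on an affected device, in the context of the user who shows as non-compliant, before asking a second user to log on. It reports what each of the three rules in the policy above sees locally (BitLocker/TPM, antivirus, OS version), the device's hybrid join and MDM enrollment state, which user context it ran in, and the most recent MDM diagnostic events. `$MinimumOsVersion` is a placeholder to be replaced with the value from the actual compliance policy, and the final sync trigger assumes the scheduled tasks created by the GPO-based enrollment exist under `\Microsoft\Windows\EnterpriseMgmt`.

```powershell
#Requires -RunAsAdministrator
# Added example: local view of the compliance rules described in the thread.
# Run elevated on the affected device, logged on as the user that shows non-compliant,
# because dsregcmd and the MDM sync both depend on the current user context.

$report = [ordered]@{}
$report.RunAsUser = "$env:USERDOMAIN\$env:USERNAME"

# 1. Encryption rule: BitLocker must protect the OS drive and the TPM must be ready.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpm   = Get-Tpm
$report.BitLockerProtection = $osVol.ProtectionStatus     # On / Off
$report.BitLockerVolume     = $osVol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
$report.EncryptionPercent   = $osVol.EncryptionPercentage
$report.TpmPresentAndReady  = ($tpm.TpmPresent -and $tpm.TpmReady)
# A RecoveryPassword protector is what gets escrowed to AD/Azure AD.
$report.RecoveryProtector   = [bool]($osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 2. Antivirus rule: Defender state as reported to the Windows Security Center.
$mp = Get-MpComputerStatus
$report.AntivirusEnabled   = $mp.AntivirusEnabled
$report.RealTimeProtection = $mp.RealTimeProtectionEnabled
$report.SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated

# 3. Minimum OS version rule. Placeholder value; use the floor from your own policy.
$MinimumOsVersion = [version]'10.0.17763'
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$report.OsVersion      = $osVersion
$report.MeetsOsMinimum = ($osVersion -ge $MinimumOsVersion)

# 4. Join and enrollment state. dsregcmd prints "AzureAdJoined : YES" style lines;
#    the user-specific section reflects whoever is running this, which is the point.
$dsreg = dsregcmd /status
$report.DomainJoined  = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES' -Quiet)
$report.AzureAdJoined = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
$report.MdmUrlPresent = [bool]($dsreg | Select-String '^\s*MdmUrl\s*:\s*https' -Quiet)

# 5. Most recent MDM activity from the device management diagnostics log.
$events = Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 10 -ErrorAction SilentlyContinue
$report.RecentMdmEvents = ($events | ForEach-Object { "{0} id={1} {2}" -f $_.TimeCreated, $_.Id, $_.LevelDisplayName }) -join "`n"

[pscustomobject]$report | Format-List

# Optional: kick off an MDM sync for this user context instead of waiting for the next
# scheduled check-in. Assumption: the enrollment client created a "Schedule #3 ..." task.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like 'Schedule #3*' |
    Start-ScheduledTask
```

If the local values all look right (protection On, TPM ready, a recovery protector present, AV on, OS at or above the floor) while Intune still reports the BitLocker rule as non-compliant for this user, the mismatch is on the reporting side rather than the device, which is consistent with the per-user evaluation John describes; run the script under each user that has logged on to the machine and compare the `RunAsUser` sections.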
Tuesday, July 23, 2019 1:49 PM
Hi John,
thanks for the quick reply. I saw the UserVoice earlier and voted for it too. We do not really use shared workplaces across the office, but it sometimes happens that a user sits at another desk with someone else's laptop. Hopefully there will be a solution for this scenario; until then I'll try to find a workaround for it.
regards
Michael