Device Compliance for Devices only
Device Compliance reporting for devices only. We use shared devices in our environment. Compliance policies are running for all users that sign into a device, messing up our reporting. For instance, a compliance policy for minimum OS version runs for all users that sign into a device. One user sets the device non-compliant because it does not meet the requirements. The next user signs in after it updates to the minimum requirements and sets the compliance only for that user. The device still shows non-compliant because of the previous user, who may never log in to that device again to mark it compliant.
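The situation described in the request above, as an added illustration that is not part of the original thread or of any Microsoft tooling: a small Python triage script that takes the per-user compliance setting results for one device, reproduces the verdict Intune reports (any failing user makes the device non-compliant), then re-evaluates counting only users who have signed in recently, so the admin can see which stale account is the one blocking the device. Assumptions, labelled in the code: the shape of the input mirrors Microsoft Graph's managedDevices/{id}/deviceCompliancePolicyStates/{id}/settingStates entries (userPrincipalName plus a state such as compliant or nonCompliant) and the device's usersLoggedOn collection (lastLogOnDateTime per user); those resource and property names are quoted from memory and should be checked against the Graph reference before building on them. All sample data is constructed; nothing is queried from a tenant, and the 30-day staleness window is an arbitrary choice.

```python
"""Triage per-user compliance state on a shared Intune device.

Added illustration, not code from the original thread. Assumptions:
Intune keeps compliance setting results per user who has signed in; in
Microsoft Graph they surface as settingStates entries carrying a
userPrincipalName and a state (names quoted from memory, check the Graph
reference), and last sign-in times surface in the device's usersLoggedOn
collection. The data below is constructed to that shape.
"""
from datetime import datetime, timedelta, timezone

# Graph complianceStatus values that count as "failing" for this triage.
NON_COMPLIANT_STATES = {"nonCompliant", "error", "conflict"}

# Constructed sample: three users have signed into one shared kiosk PC.
# bob set the device non-compliant months ago (OS below the minimum) and
# has never signed in again; the device has since been updated and the
# other two users evaluate as compliant.
SAMPLE_SETTING_STATES = [
    {"userPrincipalName": "alice@contoso.example", "settingName": "OsMinimumVersion", "state": "compliant"},
    {"userPrincipalName": "alice@contoso.example", "settingName": "BitLockerEnabled", "state": "compliant"},
    {"userPrincipalName": "bob@contoso.example", "settingName": "OsMinimumVersion", "state": "nonCompliant"},
    {"userPrincipalName": "bob@contoso.example", "settingName": "BitLockerEnabled", "state": "compliant"},
    {"userPrincipalName": "carol@contoso.example", "settingName": "OsMinimumVersion", "state": "compliant"},
    {"userPrincipalName": "carol@contoso.example", "settingName": "BitLockerEnabled", "state": "compliant"},
]

# Constructed lastLogOnDateTime values keyed by UPN.
SAMPLE_USERS_LOGGED_ON = {
    "alice@contoso.example": datetime(2023, 5, 2, 8, 15, tzinfo=timezone.utc),
    "bob@contoso.example": datetime(2023, 1, 10, 17, 40, tzinfo=timezone.utc),
    "carol@contoso.example": datetime(2023, 5, 3, 7, 55, tzinfo=timezone.utc),
}
NOW = datetime(2023, 5, 4, 12, 0, tzinfo=timezone.utc)


def per_user_state(setting_states):
    """Collapse setting-level results to one verdict per user: a user is
    non-compliant if any of their settings is in a failing state."""
    failing = {}
    for entry in setting_states:
        upn = entry["userPrincipalName"]
        failing[upn] = failing.get(upn, False) or entry["state"] in NON_COMPLIANT_STATES
    return {upn: ("nonCompliant" if bad else "compliant") for upn, bad in failing.items()}


def reported_device_state(user_states):
    """Mirror the behaviour the thread complains about: one failing user
    makes the whole device non-compliant, however stale that user is."""
    return "nonCompliant" if "nonCompliant" in user_states.values() else "compliant"


def effective_device_state(user_states, last_logon, now, stale_after=timedelta(days=30)):
    """Re-evaluate counting only users seen within stale_after. Users with
    no logon record are treated as stale. Returns the effective verdict and
    the stale users whose old result is what keeps the device non-compliant."""
    active, stale = {}, {}
    for upn, state in user_states.items():
        seen = last_logon.get(upn)
        if seen is not None and now - seen <= stale_after:
            active[upn] = state
        else:
            stale[upn] = state
    effective = "nonCompliant" if "nonCompliant" in active.values() else "compliant"
    stale_blockers = sorted(u for u, s in stale.items() if s == "nonCompliant")
    return effective, stale_blockers


def triage(setting_states, last_logon, now, stale_after=timedelta(days=30)):
    """Return the reported verdict, the active-users-only verdict, the
    stale blockers and the per-user breakdown for one device."""
    user_states = per_user_state(setting_states)
    effective, blockers = effective_device_state(user_states, last_logon, now, stale_after)
    return {
        "reported": reported_device_state(user_states),
        "effective": effective,
        "stale_blockers": blockers,
        "per_user": user_states,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SETTING_STATES, SAMPLE_USERS_LOGGED_ON, NOW)
    for upn, state in result["per_user"].items():
        print(f"{upn:24} {state}")
    print("reported by Intune :", result["reported"])
    print("active users only  :", result["effective"])
    print("stale blockers     :", ", ".join(result["stale_blockers"]) or "none")
```

This does not change what Intune reports or what Conditional Access sees; it only pinpoints which account's stale result is responsible, which is the information an admin needs before deciding whether to refresh that user's evaluation or re-enrol the device. The same logic applies to the "System Account" failures mentioned later in the thread if that account appears as its own userPrincipalName in the setting states.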
John Greble commented
Not sure if this is the same problem, or not. I have seen the problem with compliance policies. Now I am trying to deploy what I thought was a simple Configuration Profile for BitLocker to 6 machines and I must have 4 different states coming back.
4 Success, 2 Error
3 success with just the standard user
1 with success for the standard user and error for the system account but machine is encrypted
1 with success for the standard user and the system account.
1 with error for the standard user.
I do not even know why the user accounts are involved at all since I deployed it to a device group.
Tim Doel commented
Come on Product Group, this is over 2 years old and Device compliance (when all recommendations are to manage the device, not the user) STILL does not work properly. There are a ton of other solutions out there, so why are we still waiting?
Marvin Goins commented
Am interested in this too; we're seeing non-compliant Android devices running in Kiosk/Dedicated mode, due to their being 'user-less'; 'user-less' devices need to be managed too; looking forward to seeing this be on the roadmap.
Alastair Bor commented
Microsoft claims it is "by design" that macOS and iOS/iPadOS devices will show as "Not Evaluated" when enrolled with Device Affinity. This is crazy since Microsoft KNOWS the devices are compliant when you click into each device and check each profile. It's an error in reporting that can't possibly be by design... it's a bug.
Micheal Heatley Jr commented
Agreed, this policy should be selectable based on the device usage. There should be options to disable this check when the device is in a shared setting (POS, conference PC, etc.), as well as to enforce the option when the device is associated with a primary user. To go a bit further: the ability to disregard specific accounts. I have numerous POS devices failing compliance as the System Account has not been active, while multiple users are active and compliant on the same device.
Alex Fields commented
This is crazy to me that we haven't seen any movement on it. Let's get this working! It makes implementing conditional access impossible in any environment where machines are shared (think rotating shifts, conference room PCs, even situations where a user departs and the machine is reassigned). How is Intune so dumb that it cannot ignore inactive users? Just evaluate compliance for the current logged-in user, or make it targeted at the device only, and not the user. Whatever produces a more stable experience.
Wolfgang Bach commented
Same here. This is causing lots of issues...
Joran Olthof commented
We have the same issue here. Settings like secure boot cause the system to show as non-compliant and can only be "fixed" by the one non-compliant user (of 10 users who are compliant on the system). How is this possible, and why can this setting only be fixed by the user? Please use device settings, or else provide a way for an administrator to reset this setting. We removed this secure boot option but the system remains non-compliant.
Rob de Roos commented
Same issue here. We have devices used by multiple users. We had to turn off compliance policies for those devices in order to get them compliant for Conditional Access based VPN.....
How can it be that device-based conditions (like BitLocker encryption) are checked and reported per user? And even worse, how can a device condition triggered by 1 user have this much impact on another user after it has been remediated under that other user's account? That doesn't make sense at all in my humble opinion....
Ronnie Jorgensen commented
I would like to hear about this too. I currently need shared iOS DEP enrolled devices without user affinity to get device compliance policies but have been told this is not a feature that is working at the moment.
This is causing us issues with SharePoint conditional access. Users with a secondary logon from IT have put the device into a non-compliant state and therefore are putting SharePoint/OneDrive into limited usage modes.
Chris Ocampo commented
Having the same issues. Is there an update, or can you remove previous users that were marked as non-compliant?
Hrvoje Kusulja commented
Any progress on this? This is still an issue, especially for Windows 10 shared device mode with compliance policies...