Intune applies compliance policies to machines twice. One for the Signed in AAD user, and another for the 'System Account'. The devices in question become uncompliat due to the system account not getting logged into. When devices are marked not-compliant, and you have a conditional access policy this makes things difficult. Users will no longer be able to access company data when marked 'not-compliant'. Please have the compliance policy only apply to the signed in AAD user. Having to remote into PC's and sign into a root user just so the compliance policy hits is not good! Thanks

Hello,
Please allow Firefox to be used with Conditional Access policy to be able check for Device Compliance.
Many users use Firefox as primary browser, but then they are limited in SharePoint.

When creating rule for "Restricted Apps", the tooltip says

Device compliance can be viewed in the Restricted Apps Compliance report

However, there is no such report available in the Azure portal as confirmed by support. In the classic console, this report is called "Noncompliant Apps Reports".

Without such a report, the rule to specify noncompliant apps is actually useless. Please consider adding the feature to the new Azure portal to complete the migration.

Device Compliance reporting for devices only. We user shared devices in our enviroment. Compliance policies are running for all users that sign into a device messing up our reporting. For instance, a compliance policy for minimum OS version runs for all users that sign into a device. One user sets the device non-compliant because it does not meet the requirements. Next user signs in after it updates to minimum requirements and sets the compliance only for that user. The device still shows non-compliant because of the previous user who may never login to that device again to mark it compliant.

I love to use PowerBI to get data that I want. But I need to make a report which shows which compliance / configuration policy item fails and on which devices. Like report of devices that have one CI in Failed state.

It would be great to have the possibility to force a device compliance check on one or multiple devices or even a group of devices.

It could be an additional remote action.

I'd like to be able to 'detect' if a device is compliance or not from local processes such as PowerShell scripts. I'm currently using this method to locally detect if a device is compliant or not but this is a bit 'hacky' and doesn't seem future proof.

https://www.lieben.nu/liebensraum/2020/01/ps-oneliner-to-get-local-device-compliance-state/

Please expose compliance state through the registry, a local API call or WMI.

It would be useful that we could prevent access to company data if an application is installed. Currently we have an app to control internet access. As there is no policy to prevent an app being uninstalled can we have conditional access or a compliance policy to prevent access if an application is not installed on a device.

Please support WIndows edition with compliance policy. Because there is no way to eliminate the Home Edition now. I would like to have access control by dividing Home, Pro, Enterprise

End User & IT Admin must get the Non-Compliance alert & email notification with (Username, Device ID, Reason of non-compliance) and so on.

In the message option string option should be introduce for customize the notification template and end user will get the required Machine and device details in alert and email notification.

Hello,

we are using InTune on more then 1000 clients and now the need arises, the configuration policies can only be edited by the creator.

At the moment every service administrator is able to edit every configuration policy.

It would be useful to control access to Office 365 resources based on whether the device is WorkPlace Joined and registered. This is an option in ADFS.

Notification of email is still allowed although opening the Outlook app, the emails are blocked saying "App Access Blocked". The later part is by design because the device is non-compliant but the former part of still getting notified after an email is setup isn't intuitive or making sense.

Be able to get the non-compliant app report by email. Now we have to login every time we want to see the status.