Intune applies compliance policies to machines twice. One for the Signed in AAD user, and another for the 'System Account'. The devices in question become uncompliat due to the system account not getting logged into. When devices are marked not-compliant, and you have a conditional access policy this makes things difficult. Users will no longer be able to access company data when marked 'not-compliant'. Please have the compliance policy only apply to the signed in AAD user. Having to remote into PC's and sign into a root user just so the compliance policy hits is not good! Thanks

Hello,
Please allow Firefox to be used with Conditional Access policy to be able check for Device Compliance.
Many users use Firefox as primary browser, but then they are limited in SharePoint.

Device Compliance reporting for devices only. We user shared devices in our enviroment. Compliance policies are running for all users that sign into a device messing up our reporting. For instance, a compliance policy for minimum OS version runs for all users that sign into a device. One user sets the device non-compliant because it does not meet the requirements. Next user signs in after it updates to minimum requirements and sets the compliance only for that user. The device still shows non-compliant because of the previous user who may never login to that device again to mark it compliant.

When creating rule for "Restricted Apps", the tooltip says

Device compliance can be viewed in the Restricted Apps Compliance report

However, there is no such report available in the Azure portal as confirmed by support. In the classic console, this report is called "Noncompliant Apps Reports".

Without such a report, the rule to specify noncompliant apps is actually useless. Please consider adding the feature to the new Azure portal to complete the migration.

I love to use PowerBI to get data that I want. But I need to make a report which shows which compliance / configuration policy item fails and on which devices. Like report of devices that have one CI in Failed state.

It would be great to have the possibility to force a device compliance check on one or multiple devices or even a group of devices.

It could be an additional remote action.

When you assign a compliance policy to a device registered with a DEM account, you must assign that policy to the device.
Therefore, when assigning a policy, "All devices" is required as an option in addition to "All users".
※I used Google Translate.

I'd like to be able to 'detect' if a device is compliance or not from local processes such as PowerShell scripts. I'm currently using this method to locally detect if a device is compliant or not but this is a bit 'hacky' and doesn't seem future proof.

https://www.lieben.nu/liebensraum/2020/01/ps-oneliner-to-get-local-device-compliance-state/

Please expose compliance state through the registry, a local API call or WMI.

Now we have only a specific set of compliance verification rules. A good solution would be to add ability to verify compliance based on the output of the PowerShell script. This will allow to create any compliance rules. For example, checking that the required software is installed.

It would be useful that we could prevent access to company data if an application is installed. Currently we have an app to control internet access. As there is no policy to prevent an app being uninstalled can we have conditional access or a compliance policy to prevent access if an application is not installed on a device.

Please support WIndows edition with compliance policy. Because there is no way to eliminate the Home Edition now. I would like to have access control by dividing Home, Pro, Enterprise

End User & IT Admin must get the Non-Compliance alert & email notification with (Username, Device ID, Reason of non-compliance) and so on.

In the message option string option should be introduce for customize the notification template and end user will get the required Machine and device details in alert and email notification.

I would like to be able to use the compliance policy feature to send an automated email to users who have a device with a "last check in" past a certain number of days. So if a user's iPad has not "checked in" with Intune for 7 days (for example), an email is sent to that user letting them know it needs to be powered on and connected.

Hello,

we are using InTune on more then 1000 clients and now the need arises, the configuration policies can only be edited by the creator.

At the moment every service administrator is able to edit every configuration policy.