This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 50%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
I am enrolling a device using Auto-pilot user driven mode.
In order to make it a shared device I am removing the primary user of the device.
Hence a different number of users are able to login to the system.
But after some days of keeping the machine in switched off mode, the device become non-compliant in Intune.
The reason of non-compliance is Is Active parameter is non-compliant
After becoming non-compliant in Intune, if I try to login to the device it asks for MFA and re-authentication.
I want to avoid the MFA for the users and want to know the reason on why MFA is required once device in non-compliant.
I hit this scenario couple of times and there is MS article documented on the MFA if you have CA policy created. Refer this article https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-co-management-auto-enrolling#devices-fail-to-sync-after-auto-enrollment if you are match with this.
But can you check why the device is non-compliance and what settings are not compliant on the device?
Thanks,
Eswar
www.eskonr.com
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@AskIntuneQuestion-0572, For “Is active", it verifies if the device is checking with Intune or not. After the MFA is finished, will the "last check in" status of the device be updated? Will the status be changed to compliant?
@Eswar Koneti , as stated the device is non-compliant due to "Is Active" Parameter.
I would like to avoid the re-authentication with the MFA.
Could you please provide the steps on how should I remove or change the policy ?
@Crystal-MSFT , I really want to avoid the MFA part. Is there any way to do it ?
@Ask Intune Question , Maybe you can try to disable the MFA on the user side.
https://learn.microsoft.com/en-us/answers/questions/101179/how-to-disable-the-two-factor-authentication-from.html
Could be related to PRT getting expired. Here is some information in relation to it.concept-primary-refresh-token
As for MFA, do you have a CA policy enforced which uses device state as a condition? I normally look at azure sign-ins for clues.