Device compliance Conditional Access for AD joined servers

Mahi 0 Reputation points
2023-05-06T11:18:46.2233333+00:00

Hello There,

We are implementing device compliance based conditional access in our organization. It's working fine for Windows 10/11 endpoints. However, we are facing an issue with a set of AD-joined Windows 2019/2022 servers where corporate services are accessed by end users. Services are blocked as device compliance for these devices cannot be evaluated.

I have taken the following approach to solve this issue.

  1. Get the servers synced to Azure - Done (the OUs in which these servers are present are selected to sync to Azure AD in AD Connect.)
  2. Enable the registration - Done (Group Policy for automatic device registration is linked)
  3. Create a device compliance policy in SCCM and apply it to these servers - Done

However, the MDM field is still blank, so the device compliance is N/A. How do I get this solved and make these servers' compliance status updated in AAD so it can be evaluated by conditional access?

Thanks in advance!!

Mahi

Azure Active Directory
Microsoft Configuration Manager

1 answer

  1. Konstantinos Passadis 5,261 Reputation points
    2023-05-06T11:29:24.6433333+00:00

    Hello @Mahesh Veerappa!

    Welcome to Microsoft QnA!

    You just have to wait, I have seen one hour at times! Also:

    • Verify that the servers are properly synced to Azure AD using AD Connect. To do this, check the Azure AD Connect Health Dashboard for any synchronization errors.

    • Ensure that the group policy for automatic device registration is applied to the servers. To do this, open the Group Policy Editor on the server and navigate to Computer Configuration\Administrative Templates\Windows Components\Device Registration. Check that the policy "Register domain joined computers as devices" is enabled and that the "Configure domain-joined computers to automatically enroll in device management" policy is set to "Enabled".

    • Check if the Intune MDM enrollment information is present on the servers. To do this, open the Registry Editor on the server and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments. If the server is enrolled, you should see a subkey with a name that starts with "AADMDMEnrollment" and contains enrollment information.

    • If the Intune MDM enrollment information is missing, you can manually enroll the server using the Device Management portal in the Azure portal. Navigate to Devices -> All devices, select the server, and click on "Enroll" to start the enrollment process.

    • Once the server is enrolled, wait for the device compliance policy to be applied and evaluated. This may take some time depending on your policy settings and the server configuration.

    • Check the compliance status of the server in the Azure portal. If the compliance status is still N/A, try refreshing the compliance data or wait for the next compliance evaluation cycle.

    Assisting Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped, or post your feedback to help!

    Regards
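The answer above suggests checking registration and the HKLM\SOFTWARE\Microsoft\Enrollments key by hand on each server. The following PowerShell script is an added example, not code from the original question or answer, that does those local checks in one pass: it parses `dsregcmd /status` for the hybrid-join state and enumerates the GUID-named enrollment subkeys under HKLM\SOFTWARE\Microsoft\Enrollments (the subkey names are GUIDs on the systems I have seen, not a fixed prefix). The `ProviderID` value `MS DM Server` is assumed here to be the one Intune enrollments carry; adjust it if your enrollments show a different provider. Run it in an elevated session on one of the affected servers.

```powershell
# Added example (not from the original post): report hybrid Azure AD join and
# MDM enrollment state on a domain-joined Windows Server before waiting on the
# portal's compliance column. Requires an elevated PowerShell session.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields we need.
    $raw = & dsregcmd.exe /status 2>&1
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|MdmUrl)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Get-MdmEnrollments {
    # Each MDM enrollment is a GUID-named subkey under Enrollments carrying
    # ProviderID, EnrollmentType and UPN values. Non-GUID subkeys (Context,
    # Ownership, Status, ValidNodePaths) are bookkeeping, not enrollments.
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                ProviderID     = $p.ProviderID
                EnrollmentType = $p.EnrollmentType
                UPN            = $p.UPN
            }
        }
}

function Test-DeviceRegistrationForCA {
    $ds = Get-DsregStatus
    $enrollments = @(Get-MdmEnrollments)
    # Assumption: Intune enrollments carry ProviderID 'MS DM Server'.
    $mdm = $enrollments | Where-Object { $_.ProviderID -eq 'MS DM Server' }
    [pscustomobject]@{
        DomainJoined    = $ds['DomainJoined']
        AzureAdJoined   = $ds['AzureAdJoined']   # YES together with DomainJoined = hybrid joined
        DeviceId        = $ds['DeviceId']
        TenantName      = $ds['TenantName']
        MdmUrl          = $ds['MdmUrl']
        MdmEnrolled     = [bool]$mdm
        EnrollmentCount = $enrollments.Count
    }
}

$result = Test-DeviceRegistrationForCA
$result | Format-List

if ($result.AzureAdJoined -ne 'YES') {
    Write-Warning 'Not hybrid Azure AD joined yet: run gpupdate /force, then check the Microsoft-Windows-User Device Registration/Admin event log for registration errors.'
} elseif (-not $result.MdmEnrolled) {
    Write-Warning 'Hybrid joined but no MDM enrollment present: the MDM column in Azure AD stays blank and compliance stays N/A until an MDM enrollment exists on this device.'
}
```

The two warnings separate the cases the thread conflates: a device that has not finished registering (fix the join first, then wait as the answer says) versus a device that is registered but has no MDM enrollment at all, which is exactly the state a blank MDM field in the Azure AD device list reflects. A `DeviceId` reported here should match the object ID shown for the server under Devices in the Azure portal; if it does not, the portal is showing a stale or duplicate device object rather than the one the server is actually using.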