Device compliance Conditional Access for AD joined servers

Mahi 0 Reputation points
2023-05-06T11:18:46.2233333+00:00

Hello There,

We are implementing device compliance based conditional access in our organization. It's working fine for Windows 10/11 endpoints. However, we are facing an issue with a set of AD-joined Windows 2019/2022 servers where corporate services are accessed by end users. Services are blocked, as device compliance for these devices cannot be evaluated.

I have taken the following approach to solve this issue.

  1. Get the servers synced to Azure - Done (the OUs in which these servers are present are selected to sync to Azure AD in AD Connect.)
  2. Enable the registration - Done (Group policy for automatic device registration is linked)
  3. Create a device compliance policy in SCCM and apply it to these servers - Done

However, the MDM field is still blank, so the device compliance is N/A. How do I get this solved and make these servers' compliance status update in AAD so it can be evaluated by conditional access?


Thanks in advance!!

Mahi

Microsoft Configuration Manager
Microsoft Entra ID

2 answers

  1. Konstantinos Passadis 17,286 Reputation points
    2023-05-06T11:29:24.6433333+00:00

    Hello @Mahesh Veerappa!

    Welcome to Microsoft QnA!

    You just have to wait, I have seen one hour at times! Also:

    • Verify that the servers are properly synced to Azure AD using AD Connect. To do this, check the Azure AD Connect Health Dashboard for any synchronization errors.
      
    • Ensure that the group policy for automatic device registration is applied to the servers. To do this, open the Group Policy Editor on the server and navigate to Computer Configuration\Administrative Templates\Windows Components\Device Registration. Check that the policy "Register domain joined computers as devices" is enabled and that the "Configure domain-joined computers to automatically enroll in device management" policy is set to "Enabled".
      
    • Check if the Intune MDM enrollment information is present on the servers. To do this, open the Registry Editor on the server and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments. If the server is enrolled, you should see a subkey with a name that starts with "AADMDMEnrollment" and contains enrollment information.
      
    • If the Intune MDM enrollment information is missing, you can manually enroll the server using the Device Management portal in the Azure portal. Navigate to Devices -> All devices, select the server, and click on "Enroll" to start the enrollment process.
      
    • Once the server is enrolled, wait for the device compliance policy to be applied and evaluated. This may take some time depending on your policy settings and the server configuration.
      
    • Check the compliance status of the server in the Azure portal. If the compliance status is still N/A, try refreshing the compliance data or wait for the next compliance evaluation cycle.
      

    Assisting Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards

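The checks in the answer above (registration policy applied, enrollment keys under HKLM\SOFTWARE\Microsoft\Enrollments, enrollment actually completed) can be gathered in one pass. The following is an added, read-only diagnostic script written for this page; it is not code from the thread or from Microsoft. It assumes the registry value names the two policies write on current Windows builds (`autoWorkplaceJoin`, `AutoEnrollMDM`, `UseAADCredentialType`) and the standard `dsregcmd /status` field names; it reports values without interpreting `EnrollmentType`, and treats a `ProviderID` of `MS DM Server` as the Intune enrollment. Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the original thread): read-only diagnostic that collects the
# device registration and MDM enrollment state the answer above says to inspect.
# Nothing on the system is modified.

function Get-DeviceRegistrationStatus {
    # dsregcmd /status prints "Name : Value" lines; turn the single-word fields into a hashtable.
    $raw = dsregcmd.exe /status
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        DomainJoined  = $fields['DomainJoined']
        AzureAdJoined = $fields['AzureAdJoined']   # YES means hybrid join completed
        DeviceId      = $fields['DeviceId']
        TenantName    = $fields['TenantName']
        MdmUrl        = $fields['MdmUrl']          # empty when no MDM endpoint was returned at registration
    }
}

function Get-RegistrationPolicyState {
    # Registry locations written by the two group policies referenced in the answer
    # (assumed value names; verify against your build if a value comes back empty).
    $wpj = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' -ErrorAction SilentlyContinue
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoWorkplaceJoin    = $wpj.autoWorkplaceJoin      # "Register domain joined computers as devices"
        AutoEnrollMDM        = $mdm.AutoEnrollMDM          # "Enable automatic MDM enrollment using default Azure AD credentials"
        UseAADCredentialType = $mdm.UseAADCredentialType   # credential type selected in that policy
    }
}

function Get-MdmEnrollments {
    # Each completed enrollment is a GUID-named subkey under HKLM\SOFTWARE\Microsoft\Enrollments.
    # Non-GUID subkeys (Context, Status, ...) are bookkeeping and are skipped.
    $guidPattern = '^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID            # "MS DM Server" = Intune
                EnrollmentType  = $p.EnrollmentType
                EnrollmentState = $p.EnrollmentState
                UPN             = $p.UPN
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }
}

function Get-EnrollmentScheduledTasks {
    # The MDM GPO creates a task under EnterpriseMgmt; Automatic-Device-Join performs the registration itself.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*', '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue |
        Select-Object TaskPath, TaskName, State
}

function Get-RecentEnrollmentErrors {
    param([int]$Count = 10)
    # Error and warning events from the channels that device registration and MDM enrollment log to.
    $logs = 'Microsoft-Windows-User Device Registration/Admin',
            'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 2, 3 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$report = [ordered]@{
    Registration = Get-DeviceRegistrationStatus
    Policy       = Get-RegistrationPolicyState
    Enrollments  = @(Get-MdmEnrollments)
    Tasks        = @(Get-EnrollmentScheduledTasks)
    RecentErrors = @(Get-RecentEnrollmentErrors)
}

$report.Registration | Format-List
$report.Policy       | Format-List
if ($report.Enrollments.Count -eq 0) {
    Write-Warning 'No MDM enrollment under HKLM\SOFTWARE\Microsoft\Enrollments; the MDM field in Entra ID will stay blank.'
} else {
    $report.Enrollments | Format-Table -AutoSize
}
$report.Tasks        | Format-Table -AutoSize
$report.RecentErrors | Format-Table -AutoSize -Wrap
```

If `AzureAdJoined` is YES but no GUID enrollment key exists and the EnterpriseMgmt task is missing, the registration side has worked and it is the MDM auto-enrollment step that has not run; the recent-error events from the Enterprise-Diagnostics-Provider channel are then the place to look for the enrollment failure.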

  2. Konstantinos Passadis 17,286 Reputation points
    2023-08-20T09:25:29.93+00:00

    Hello @Mahesh Veerappa!

    Researching your issue, I have found out that there is no reference supporting Server OS for Intune Compliance.

    Please have a look here :

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

    So, I think it is useless to try, but you can work with SCCM to bring your servers under compliance, and with Co-Management as well to have Intune and SCCM together:

    https://learn.microsoft.com/en-us/mem/configmgr/comanage/overview

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards
