Device compliance policy fails - Is active - Not compliant

ArchiMe 0 Reputation points
2023-11-01T12:36:59.9933333+00:00

Hi, I wonder if someone has experienced the same issue or has a clue where to start troubleshooting.

Entra joined computers suddenly stop reporting to Intune, sync fails and the computer naturally becomes non-compliant due to policy. The only compliance policy that computers fail is "Is active".

Upon investigation, I can see that on the computers the scheduled tasks located at \Microsoft\Windows\EnterpriseMgmt\ fail, and if we can catch the problem in time, forcing a sync from the Company Portal helps. But if more time passes, the computers cannot sync anymore and we use scripts to manually push the sync like this: https://walidrahoui.com/en/manually-restart-the-enrollment-of-a-windows-10-machine-in-intune-without-losing-the-configuration-and-the-azure-ad-join/

It seems pretty random, as even the script does not help anymore, and I have not noticed any logic in which computers are affected. Computers also fall out of Intune if they are not active long enough.


2 answers

  1. ZhoumingDuan-MSFT 13,075 Reputation points Microsoft Vendor
    2023-11-02T02:26:01.15+00:00

    @ArchiMe, Thanks for posting in Q&A.

    From your description, I know that the device failed to sync with Intune and the computer became non-compliant due to policy.

    To clarify this issue, please check things below:

    1. Check if there is a Conditional Access policy blocking non-compliant devices from syncing with Intune.

    2. The non-compliant device may have an issue syncing with Intune. Please unassign the compliance policy and try to sync with Intune.

    3. Please provide us the failure message of the computer's scheduled task.

    4. Please check if there are related messages in Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

    5. Go to the Intune admin center and check the Compliance policy settings.


    6. The dmwappushservice service is required on client devices for Intune management. If this service is disabled, the device can't sync with Intune. Check whether the dmwappushservice service Startup type is Automatic.

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-management/cannot-sync-windows-10-devices

    Please check above information, if there is any update, feel free to contact me.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

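    The following script is an added example, not part of any answer in this thread, that collects points 3, 4 and 6 of the answer above in one run on the affected client: the last result of each enrollment task under \Microsoft\Windows\EnterpriseMgmt\, recent errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log (where the "OMA-DM message failed to be sent" entries from the reply would show up), and the startup type of dmwappushservice. The function name Get-IntuneSyncHealth and the output field names are my own.

```powershell
# Added diagnostic helper (not from the thread); run in an elevated PowerShell session on the client.
function Get-IntuneSyncHealth {
    param([int]$Hours = 24)   # how far back to read the MDM diagnostics log

    # 1. Enrollment tasks live in a per-enrollment folder: \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task        = "$($_.TaskPath)$($_.TaskName)"
                State       = $_.State
                LastRunTime = $info.LastRunTime
                LastResult  = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 means the last run succeeded
            }
        }

    # 2. Errors (level 2) and warnings (level 3) from the MDM diagnostics provider named in the answer
    $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
            Level     = 2, 3
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

    # 3. dmwappushservice must exist and have startup type Automatic
    $svc = Get-Service -Name dmwappushservice -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        AllTasks           = @($tasks)
        FailedTasks        = @($tasks | Where-Object LastResult -ne '0x00000000')
        RecentMdmErrors    = @($events)
        DmwappushStartType = if ($svc) { $svc.StartType } else { 'NotFound' }
        DmwappushStatus    = if ($svc) { $svc.Status } else { 'NotFound' }
    }
}

$health = Get-IntuneSyncHealth -Hours 48
$health | Select-Object Computer, DmwappushStartType, DmwappushStatus | Format-List
'--- Enrollment tasks whose last run did not return 0 ---'
$health.FailedTasks | Format-Table Task, State, LastRunTime, LastResult -AutoSize
'--- Recent MDM errors/warnings ---'
$health.RecentMdmErrors | Format-Table TimeCreated, Id, Message -Wrap
```

    A device that has no EnterpriseMgmt task folder at all, rather than failing tasks, points at a lost enrollment rather than a sync error, which is the case the reply says the re-enrollment script no longer fixes.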

  2. ArchiMe 0 Reputation points
    2023-11-02T07:28:55.3333333+00:00

    Hi,

    Thank you for the answer.

    1. I checked and do not see any conditional access policy that could cause this behavior.
    2. We should check that, but not sure if we can turn this off for whole org.
    3. Including a picture, sorry it is not in English, but codes are there.


    4. It has mostly information and some of these:
      MDM Session: OMA-DM message failed to be sent. Result: (Bad request (400).).
    5. This compliance setting is turned on so that computers are not compliant after 30 days, and it is on purpose. I should check, but I do not think we can allow it. Can it prevent sync?
    6. dmwappushservice we checked already and it is Automatic; we tried to change it and restart, no effect.

    Any ideas where I can dig to determine the root cause?

