For 2 - is this for System account showing as non-compliant? If so, see https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor#drill-down-for-more-details
"If no user is signed in to the device, the device with the targeted device compliance policy will send a compliance report back to Intune showing System Account as the user principal name. This happens because a device compliance policy was targeted to either a group of users or devices, and no user was signed into the device at the time the compliance policy was evaluated."