Protect your Business with Microsoft 365 & Intune.

How to Monitor Device Compliance in Intune

Compliance reports help you review device compliance and troubleshoot compliance-related issues in your organization. Using these reports, you can view information on:

  • The overall compliance states of devices
  • The compliance status for an individual setting
  • The compliance status for an individual policy
  • Individual devices, with the specific settings and policies that affect each device

When the dashboard opens, you get an overview with all the compliance reports. In these reports, you can see and check for:

  • Overall device compliance
  • Per-policy device compliance
  • Per-setting device compliance
  • Threat agent status
  • Device protection status

As you dig into this reporting, you can also see the compliance policies and settings that apply to a specific device, including the compliance state for each setting.

The Device compliance status chart shows the compliance states for all Intune enrolled devices. The device compliance states are kept in two different databases: Intune and Azure Active Directory.

Note: Intune follows the device check-in schedule for all compliance evaluations on the device. By default this schedule is every 8 hours.

However, if a device has recently enrolled, the compliance, non-compliance, and configuration check-ins run more frequently. The check-ins are around every 3 to 15 minutes up to 1 hour, then devices will start checking in every 8 hours.

For a detailed list of schedules and device type check-in times and schedules, see: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned

Descriptions of the different device compliance policy states:

  • Compliant: The device successfully applied one or more device compliance policy settings.
  • In-grace period: The device is targeted with one or more device compliance policy settings, but the user hasn’t applied the policies yet. This status means the device is not-compliant, but it’s in the grace period defined by the admin.
  • Not evaluated: An initial state for newly enrolled devices. Other possible reasons for this state include:
    • Devices that aren’t assigned a compliance policy and don’t have a trigger to check for compliance
    • Devices that haven’t checked in since the compliance policy was last updated
    • Devices not associated to a specific user, such as:
      • iOS/iPadOS devices purchased through Apple’s Device Enrollment Program (DEP) that don’t have user affinity
      • Android kiosk or Android Enterprise dedicated devices
    • Devices enrolled with a device enrollment manager (DEM) account
  • Not-compliant: The device failed to apply one or more device compliance policy settings. Or, the user hasn’t complied with the policies.
  • Device not synced: The device failed to report its device compliance policy status for one of the following reasons:
    • Unknown: The device is offline or failed to communicate with Intune or Azure AD for other reasons.
    • Error: The device failed to communicate with Intune and Azure AD, and received an error message with the reason.

Note: Devices that are enrolled into Intune, but not targeted by any device compliance policies are included in this report under the Compliant bucket.

In the Device compliance status chart, select a status. For example, select the Not compliant status.

Selecting the Not compliant status opens the Device compliance window and displays devices in a Device status chart. The chart shows you more details on the devices in that state, including operating system platform, last check-in date, and more.

To see all the devices owned by a specific user, you can also filter the chart report by typing the user’s e-mail address.

Take Notice Of This!

If no user is signed in to the device, the device with the targeted device compliance policy will send a compliance report back to Intune showing System Account as the user principal name. This happens because a device compliance policy was targeted to either a group of users or devices, and no user was signed into the device at the time the compliance policy was evaluated.

Additionally, if multiple users are signed in to the same device and the device is targeted with a compliance policy scoped to all of those users, the compliance report might show the same device multiple times, because every signed-in user has to evaluate the device compliance policy and report it back to Intune.
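
The Python below is an added example, not code from this article or from Microsoft. It collapses compliance report rows to one verdict per device and flags the caveats described above: per-user duplicate rows, System Account reports, untargeted devices counted as Compliant, and check-ins older than the 8-hour schedule. The row field names, the sample rows, the severity ordering and the three-missed-check-ins threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CHECK_IN = timedelta(hours=8)          # default schedule stated on this page
# Assumed ranking for collapsing several rows into one state (worst wins).
SEVERITY = ["Compliant", "Not evaluated", "In-grace period",
            "Device not synced", "Not-compliant"]

# Constructed sample rows; field names are hypothetical, not an Intune schema.
ROWS = [
    {"device": "LT-001", "upn": "amy@example.com", "state": "Compliant",
     "last_checkin": "2024-05-02T06:00:00", "policies": 2},
    {"device": "LT-001", "upn": "bob@example.com", "state": "Not-compliant",
     "last_checkin": "2024-05-02T07:30:00", "policies": 2},
    {"device": "KIOSK-7", "upn": "System Account", "state": "Compliant",
     "last_checkin": "2024-05-02T05:00:00", "policies": 1},
    {"device": "LT-044", "upn": "cy@example.com", "state": "Compliant",
     "last_checkin": "2024-04-28T09:00:00", "policies": 0},
]

def triage(rows, now, missed=3):
    """Collapse per-user rows to one verdict per device and attach caveats."""
    by_device = defaultdict(list)
    for row in rows:
        by_device[row["device"]].append(row)
    report = {}
    for device, group in by_device.items():
        worst = max((r["state"] for r in group), key=SEVERITY.index)
        latest = max(datetime.fromisoformat(r["last_checkin"]) for r in group)
        flags = []
        if len(group) > 1:
            flags.append("reported-per-user")      # one row per signed-in user
        if all(r["upn"] == "System Account" for r in group):
            flags.append("no-user-signed-in")      # evaluated without a user
        if worst == "Compliant" and all(r["policies"] == 0 for r in group):
            flags.append("compliant-but-untargeted")  # no policy was evaluated
        if now - latest > missed * CHECK_IN:
            flags.append("stale-check-in")         # state may be out of date
        report[device] = {"state": worst, "rows": len(group), "flags": flags}
    return report

if __name__ == "__main__":
    for name, verdict in triage(ROWS, datetime(2024, 5, 2, 8, 0)).items():
        print(name, verdict)
```

A device flagged compliant-but-untargeted or stale-check-in should not be treated as verified when the Compliant count feeds an access decision.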

Read the full article: https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor
