Microsoft Intune Compliance Policy Troubleshooting: Why Devices Show Non-Compliant and How to Fix the 6 Most Common Policy Failures

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Microsoft Intune compliance policy failures create a frustrating loop: the user cannot access corporate resources, the helpdesk cannot reproduce the issue on their own device, and the error message gives no diagnostic detail. The root cause is almost always a specific compliance setting that evaluated to false, but finding which setting requires navigating to the per-device compliance detail in the Intune admin center rather than looking at the summary status. This guide covers the exact navigation path and the six failure patterns that account for most compliance issues.
Reading the Per-Setting Compliance Detail
The summary compliance status (Compliant / Not Compliant / In Grace Period) does not show which setting failed. To find the specific failing setting:
- Navigate to: Intune admin center > Devices > All devices
- Select the affected device by name
- Go to Device compliance (in the left nav under Monitor)
- Select the specific compliance policy assigned to the device
- The per-setting detail shows each evaluated setting with its result: Compliant, Not Compliant, Not Evaluated, or Error
The 'Not Evaluated' state is important to understand: it means Intune could not evaluate the setting, not that it passed. Common causes of Not Evaluated:
- The setting requires a management extension that is not installed or not syncing
- The setting requires a hardware capability the device does not have (TPM required for certain health attestation checks)
- The setting is scoped to a device platform the target device does not match
For each setting showing Not Compliant or Error, the detail view shows the current value versus the required value. This is the most direct path to root cause.
BitLocker Compliance Failure: The Most Common Windows Issue
BitLocker encryption compliance is the leading cause of Windows device non-compliance. The compliance setting checks whether BitLocker is enabled on the OS drive (C:). Three failure patterns:
Pattern 1: BitLocker enabled but Intune does not detect it The device has BitLocker enabled but the compliance check shows Not Compliant. This typically occurs when the BitLocker recovery key has not been escrowed to Entra ID. The Intune compliance policy specifically requires that the key is escrowed and that the protection is confirmed active.
Verify BitLocker state and key escrow:
# Check BitLocker protection status
manage-bde -status C:
# Check if key is backed up to Azure AD
(New-Object -ComObject Shell.Application).Windows() | ForEach-Object {
$_ | Where-Object {$_.Name -eq "BitLocker Drive Encryption"}
}
# Force BitLocker key escrow to Entra ID
Get-BitLockerVolume -MountPoint C: | Select-Object -ExpandProperty KeyProtector |
Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } | ForEach-Object {
BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $_.KeyProtectorId
}
Pattern 2: BitLocker suspended during Windows Update
BitLocker protection suspends automatically during some Windows feature updates. After the update completes, protection should resume, but occasionally remains suspended. Check: manage-bde -status C: and look for Protection Status: Protection Off. Resume with: manage-bde -resume C:
Pattern 3: Device is in FIPS mode Devices with FIPS compliance mode enabled require a specific BitLocker configuration. Standard BitLocker implementations may not satisfy the FIPS compliance requirement even if encryption is active.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
OS Version and Windows Update Compliance Failures
Compliance policies can require a minimum OS build version. Devices that have not installed recent Windows Updates will fail this check.
Diagnosing the version mismatch: In the per-setting detail, the OS version setting shows the required minimum version and the device's current version. Cross-reference the device's reported version against the Windows Update history:
# Get current OS build
[System.Environment]::OSVersion.Version
# Check Windows Update history for the last 10 updates
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Check Windows Update for pending updates
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates |
Select-Object Title, @{N='KB';E={$_.KBArticleIDs}}
Common causes of update non-compliance:
- Windows Update blocked by GPO (WSUS configured but not delivering the required updates)
- Update stuck in pending restart state
- Update incompatible with a driver or application that triggered a rollback
- Device offline during the update window and has not checked in since
Forcing Intune to re-evaluate after update: After the update installs and the device restarts, Intune compliance does not immediately re-evaluate. Force a sync from the device:
- Settings > Accounts > Access work or school > [account] > Info > Sync
Or via the Intune admin center: Devices > [device] > Sync
Allow 15-30 minutes after sync for the compliance state to update in the portal.
Antivirus, Firewall, and Microsoft Defender Compliance Failures
Intune uses the Windows Security Center API to evaluate antivirus, antispyware, and firewall state. Third-party security products that register with Windows Security Center will satisfy these compliance checks if they are active and up to date. Failures occur when:
Third-party AV not registered with Windows Security Center: Some enterprise AV products do not register with Windows Security Center in certain configurations. Check in Windows Security > Open Windows Security > Virus and threat protection -- if it shows the third-party product, it is registered. If it shows Windows Defender (when a third-party AV is deployed), the third-party product is not registered.
Firewall profile evaluation scope: The Intune compliance setting checks the Windows Firewall state for all three profiles (Domain, Private, Public). A device where the Public firewall profile is disabled (common in environments where the Public profile was deliberately disabled) will fail the firewall compliance check even if Domain and Private profiles are active.
# Check all three firewall profiles
Get-NetFirewallProfile | Select-Object Name, Enabled
If any profile shows Enabled: False and the compliance policy requires the firewall to be enabled for all profiles, enable the profile or modify the compliance policy to exempt the specific profile.
Microsoft Defender signature age: The compliance policy may require Defender signatures to be updated within a specific number of days. On devices that are offline for extended periods, signatures may become stale:
# Force Defender signature update
Update-MpSignature -UpdateSource MicrosoftUpdateServer
Tamper protection conflict: If Tamper Protection is enabled in Defender and a GPO is attempting to configure Defender settings, the GPO settings will not apply and the compliance state may be inconsistent. Disable Tamper Protection via Intune endpoint security policy rather than GPO in Intune-managed environments.
Management Extension Sync Issues and Stale Compliance States
The Intune Management Extension (IME) is responsible for custom compliance scripts, Win32 app detection, and PowerShell script execution. When IME is not syncing correctly, compliance evaluations that depend on it show as Not Evaluated or Error.
Check IME health on the device:
# Check IME service status
Get-Service -Name "Microsoft Intune Management Extension"
# Check IME logs (last 50 lines)
Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" |
Select-Object -Last 50
Common IME log errors and resolutions:
Error: Failed to retrieve policies from Intune: Network connectivity issue to Intune service. Check proxy bypass rules for *.manage.microsoft.comError: Device not AAD joined or enrolled: The device's Entra ID join state is inconsistent. Re-rundsregcmd /debug /joinor re-enroll the deviceError: Certificate for enrollment not found: The MDM enrollment certificate expired. Re-enroll the device via Settings > Accounts > Access work or school > Disconnect and re-connect
For custom compliance scripts that show Not Evaluated:
- Navigate to Intune > Devices > [device] > Device diagnostics (collect logs)
- Download the diagnostic package and examine the
CustomCompliancesubfolder - Check the script output and return value -- custom compliance scripts must output a JSON object with specific format:
{"SettingName": "value"}
For devices with persistently stale compliance states despite syncing:
- Unenroll the device from Intune (Retire, not Wipe -- Retire removes management without wiping data)
- Re-enroll via Settings > Accounts > Access work or school > Add work or school account
- Allow 30-60 minutes for the compliance policies to fully evaluate on the fresh enrollment
The bottom line
Intune compliance troubleshooting starts at the per-setting detail view, not the summary status. Navigate to Devices > [device] > Device compliance > [policy] to see which specific setting failed and what value Intune observed versus what the policy requires. For BitLocker failures, verify key escrow. For OS version failures, check Windows Update delivery. For antivirus and firewall failures, check Windows Security Center registration and firewall profile state. For IME-dependent settings, check the IME service logs for connectivity or enrollment certificate errors.
Frequently asked questions
How long does it take for a device to show Compliant after I fix the failing setting?
After fixing the setting on the device, trigger a manual sync from Settings > Accounts > Access work or school > Info > Sync. Intune typically re-evaluates compliance within 5-15 minutes of a sync. The compliance state then needs to propagate from Intune to Entra ID, which takes an additional 5-15 minutes. Total expected wait from fix to Conditional Access recognizing compliance: 15-30 minutes. For BitLocker key escrow specifically, allow up to 30 minutes after the escrow command completes.
Can I exclude specific devices from a compliance policy without removing them from Intune management?
Yes. Compliance policies are assigned to Entra ID groups. To exclude a specific device, add it to an exclusion group referenced in the policy assignment. In the Intune admin center, under Devices > Compliance policies > [policy] > Properties > Assignments, add the device (via a device group) to the Excluded groups. This removes the compliance requirement for that device while keeping it enrolled and managed. Document every exclusion with a ticket reference and review date.
What does the grace period setting do in Intune compliance policies?
The grace period delays when a non-compliant device is marked as non-compliant for Conditional Access purposes. During the grace period, the device shows as In Grace Period rather than Non-compliant, and Conditional Access policies that require compliant devices will still allow access. This gives users time to remediate compliance issues without immediately losing access. After the grace period expires, the device transitions to Non-compliant and Conditional Access blocks apply. Set grace periods of 1-7 days for most compliance settings to avoid helpdesk overload during policy rollouts.
How do I verify that Intune compliance is actually blocking a user versus some other Conditional Access condition?
Check the user's sign-in log in Entra ID > Identity > Monitoring > Sign-in logs. Find the blocked sign-in and click through to the Conditional Access tab. Look for the policy that shows Failure and expand it to see the specific grant control that was not satisfied. If the failure reason is deviceNotCompliant, then Intune compliance is the blocker. If the failure is requiredAuthenticationContextClassReferenceNotSatisfied, MFA is the blocker. This distinction determines whether you need to fix the device compliance state or the user's MFA registration.
What Intune compliance policy settings have the highest security impact for Windows devices?
The five highest-impact compliance settings for Windows: (1) Require BitLocker -- prevents offline data theft if a device is lost or stolen; (2) Require Secure Boot -- detects firmware-level tampering and boot kit infections; (3) Require code integrity -- validates that only signed drivers and system files load at boot; (4) Require Microsoft Defender Antimalware to be enabled -- ensures real-time protection is active; (5) Require the device threat level to be at most Medium -- integrates Defender for Endpoint risk scoring so a compromised device is automatically marked non-compliant and blocked from corporate resources. Together these settings provide a strong device health signal that Conditional Access can enforce.
How do I handle Intune compliance grace periods without creating a security gap?
Grace periods allow devices that fall out of compliance to continue accessing resources for a defined window before being blocked. They are useful for devices that temporarily fail compliance for benign reasons (missing an update during travel, BitLocker suspension for a firmware update). Configure grace periods at no more than 8 hours for BYOD devices and no more than 24 hours for corporate devices. For corporate devices, pair the grace period with a Conditional Access policy that blocks access to high-sensitivity applications immediately on non-compliance while allowing access to the Intune Company Portal for self-remediation during the grace window. Never set grace periods longer than your maximum acceptable risk window for a compromised device accessing corporate data.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
