Most problems with compliance policies relate to devices being marked as noncompliant when you were expecting otherwise. This is often an issue that relates to the incorrect configuration of:
- The compliance policy
- The device configuration profiles that are being applied and that might be expected to bring the devices into compliance
If you experience such problems, review the compliance policies and device configuration profiles. (We’ll be talking about configuration profiles in the next chapter.)
It’s also important to understand how Intune applies and refreshes compliance policies. A compliance status will be determined whenever a device has a compliance policy assigned, as shown in Table 2-7.
TABLE 2-7 Compliance policy status
Status | Severity |
Unknown | 1 |
NotApplicable | 2 |
Compliant | 3 |
InGracePeriod | 4 |
NonCompliant | 5 |
Error | 6 |
Notice that the severity increases when the device is in an error state or is noncompliant. The severity is reported to Microsoft Intune and used to determine access to organizational data.
When a device has multiple policies assigned, the device may have different compliance statuses. In these situations, Intune assigns a single resulting compliance status based on the highest severity level of all the policies assigned to that device.
Note When Policies Conflict
If a device has two policies applied—one compliant, and the other noncompliant—the resulting device status will be noncompliant.
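The roll-up rule above can be used for triage: given each device's per-policy statuses, compute the resulting status and name the policies that produce it. The following is an added example, not code from the book or from Intune; the device names, policy names, and the `resolve_status` and `triage` helpers are hypothetical, and only the severity values come from Table 2-7.

```python
# Severity values copied from Table 2-7.
SEVERITY = {
    "Unknown": 1, "NotApplicable": 2, "Compliant": 3,
    "InGracePeriod": 4, "NonCompliant": 5, "Error": 6,
}

def resolve_status(policy_states):
    """Return (resulting_status, policies_that_produce_it) for one device.

    policy_states maps policy name -> status reported for that policy.
    """
    if not policy_states:
        # The roll-up rule only covers devices with a policy assigned.
        raise ValueError("no compliance policy assigned")
    bad = sorted(s for s in set(policy_states.values()) if s not in SEVERITY)
    if bad:
        raise ValueError(f"unrecognised status: {bad}")
    # Highest severity across all assigned policies wins.
    worst = max(policy_states.values(), key=SEVERITY.__getitem__)
    drivers = sorted(p for p, s in policy_states.items() if s == worst)
    return worst, drivers

def triage(fleet):
    """List devices whose resulting status is more severe than Compliant,
    most severe first, with the policies to review for each."""
    rows = []
    for device, states in fleet.items():
        status, drivers = resolve_status(states)
        if SEVERITY[status] > SEVERITY["Compliant"]:
            rows.append((device, status, drivers))
    return sorted(rows, key=lambda r: (-SEVERITY[r[1]], r[0]))

# Constructed sample data: device and policy names are hypothetical.
FLEET = {
    "LAPTOP-01": {"Win-Baseline": "Compliant", "Win-BitLocker": "NonCompliant"},
    "LAPTOP-02": {"Win-Baseline": "Compliant", "Win-BitLocker": "Compliant"},
    "PHONE-07": {"iOS-Passcode": "InGracePeriod", "iOS-OSVersion": "Error"},
    "TABLET-03": {"Android-Baseline": "NotApplicable", "Android-Root": "Unknown"},
}

if __name__ == "__main__":
    for device, status, drivers in triage(FLEET):
        print(f"{device}: {status} (review: {', '.join(drivers)})")
```

Because Unknown has the lowest severity in Table 2-7, a device such as TABLET-03 resolves to NotApplicable and does not appear in the triage list.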
Devices connect to Intune periodically, and the compliance status is checked. The refresh cycle is the same as for configuration profiles and can be found in Table 2-8. If a device has been recently enrolled, the compliance check-in runs more frequently during this initial period.
TABLE 2-8 Compliance policy refresh cycle
Platform | Initial check-in frequency | Ongoing refresh cycle |
iOS/iPadOS | Every 15 minutes for 1 hour, and then every 8 hours | 8 hours |
macOS | Every 15 minutes for 1 hour, and then every 8 hours | 8 hours |
Android | Every 3 minutes for 15 minutes, followed by every 15 minutes for 2 hours, and then every 8 hours | 8 hours |
Windows 11 (enrolled as a device) | Every 3 minutes for 15 minutes, followed by every 15 minutes for 2 hours, and then every 8 hours | 8 hours |
Windows 8.1 | Every 5 minutes for 15 minutes, followed by every 15 minutes for 2 hours, and then every 8 hours | 8 hours |
If users open the Company Portal app on their devices, they can immediately sync the device to check for new or updated policies. The Company Portal app also shows the compliance status of the managed device. For scenarios that include urgent compliance actions, such as Wipe, Lock, Passcode Reset, New App Deployment, New Profile Deployment, or New Policy Deployment, Intune immediately notifies the devices to perform a sync.