How To Resolve “Default Device Compliance Policy Is Active, Not Compliant” in Intune

Chris Singlemann / Go-to-market

When managing devices in Microsoft Intune, encountering "active not compliant" status under the default device compliance policy can disrupt user access to organizational resources and create unnecessary headaches for IT teams. This compliance issue often appears even when no custom policies have been explicitly configured, leaving administrators puzzled about what went wrong and how to fix it.

This guide explains why Intune marks devices as "active but not compliant," walks through systematic troubleshooting steps, and provides strategies for preventing recurrence. Whether you're dealing with a handful of problematic devices or organization-wide compliance drift, these solutions will help you restore proper compliance status and maintain visibility into your endpoint security posture.

Understanding default compliance checks

Every device enrolled in Intune automatically falls under the built-in default compliance policy, regardless of whether you've created custom policies. This default policy serves as a baseline to ensure all managed devices meet minimum requirements for organizational access. Unlike custom compliance policies that check specific security configurations like encryption, password requirements, or OS versions, the default policy focuses on three fundamental checks that determine whether a device maintains its connection and eligibility within your Intune environment.

These checks run continuously in the background and operate independently of your custom compliance policies. A device can pass all your custom policy requirements yet still show as non-compliant if it fails any of the default checks.

1. ‘Has compliance policy assigned’

This check verifies whether at least one compliance policy has been assigned to the device. How the check behaves depends on a tenant-wide setting that determines how Intune treats devices without an assigned policy. By default, Intune marks devices without an assigned compliance policy as compliant. This permissive default exists to prevent blocking access during initial deployment or testing phases. The setting can instead be changed to mark unassigned devices as non-compliant, which provides tighter security control but requires careful policy assignment planning so that legitimate devices are not blocked by accident.

You'll find this setting under Devices > Compliance policies > Compliance policy settings in the Intune admin center, labeled as "Mark devices with no compliance policy assigned as." Most security-conscious organizations eventually change this to "Not compliant" once their compliance policy structure is fully deployed.

2. ‘Is active’

The "active" status indicates that a device has successfully checked in with Intune within the compliance status validity period. This check ensures that Intune maintains current information about the device and can enforce policies effectively.

The compliance status validity period defines the window during which a device must check in to maintain its "active" status. This period defaults to 30 days but can be configured anywhere from 1 to 120 days depending on your organization's security requirements. Devices that fail to check in within this window are automatically marked as not active, even if they were previously compliant.

Check-in timing varies by platform. Established devices typically check in approximately every 8 hours, while newly enrolled devices check in more frequently: every 15 minutes for the first hour, then every 15 minutes for two hours, and finally settling into the standard 8-hour cycle. Users can also manually trigger a check-in through the Company Portal app by navigating to Settings > Sync.

A shorter validity period provides tighter security control by quickly identifying dormant or lost devices, but it may inappropriately flag devices used by employees on extended leave or sabbatical. Conversely, longer validity periods reduce false positives for infrequently used devices but create a wider window during which compromised or lost devices remain compliant.

3. ‘Enrolled user exists’

This check verifies that the user account associated with device enrollment still exists in Azure AD (now Microsoft Entra ID). Historically, deleting the enrolled user from Azure AD would immediately mark the device as non-compliant under this check, even if the device had a different primary user assigned.

Recent backend changes have relaxed this requirement for shared devices and kiosks that don't have a specific user association. However, this check still applies to most user-enrolled devices, which represent the majority of Intune-managed endpoints in typical organizations.

This check frequently causes issues in environments where IT staff enroll devices on behalf of users, or where devices are reassigned between employees. When the original enrollment account is deleted or disabled, the device becomes non-compliant despite having a valid primary user and functioning normally in all other respects.

Common reasons devices show ‘active not compliant’

Several scenarios can trigger the "active not compliant" status. Understanding these causes helps you quickly identify and resolve issues before they impact users or trigger conditional access blocks.


Cause                  Symptoms                                     Impact                         Resolution difficulty
No assigned policy     Shows "Has Compliance Policy Assigned: No"   Affects access to resources    Easy
Device inactivity      Shows "Is Active: No"                        Prevents resource access       Medium
User account issues    Shows "Enrolled User Exists: No"             Blocks authentication          Medium-Hard
Sync issues            Various inconsistent states                  Intermittent access problems   Medium

Policy assignment gap

The device isn't targeted by any compliance policy, and your tenant setting requires devices to have an assigned policy to be compliant. This commonly occurs when devices are assigned to groups that aren't included in any compliance policy deployment, or when dynamic group membership rules inadvertently exclude certain devices.

Inactivity timeout

The device hasn't communicated with Intune within the compliance status validity period. This happens with devices that are powered off for extended periods, disconnected from networks, or experiencing synchronization failures that prevent check-ins despite network connectivity.

User directory issues

The user who originally enrolled the device has been deleted, disabled, or removed from Azure AD. This scenario is particularly common in organizations with high employee turnover or where IT staff perform initial device setup using temporary accounts. Some forum discussions report this issue persisting even after changing the primary user through Intune, suggesting the enrollment user and primary user are tracked separately in Intune's backend.

Synchronization problems

The device and Intune service are out of sync, causing Intune to display stale compliance data. This can result from network interruptions during sync operations, authentication token expiration, or backend service issues. Users report this manifesting as a compliance status that randomly changes between compliant and non-compliant without any actual configuration changes on the device.

Step-by-step troubleshooting to resolve non-compliant devices

Follow these systematic steps to identify the root cause of "active not compliant" issues and implement appropriate fixes. Each step targets a specific aspect of the default compliance checks, allowing you to narrow down the problem efficiently.

1. Verify policy assignments

Check whether the device has any compliance policies assigned by navigating to Devices > All devices in the Intune admin center, selecting the problematic device, and reviewing the Policies section. This view shows all assigned policies and their current status.

If no compliance policies appear, verify the device's group memberships. Navigate to the device properties and check which Azure AD groups include this device. Then cross-reference these groups with your compliance policy assignments under Devices > Compliance policies, selecting each policy and reviewing its assignments.

Common assignment gaps occur when:

  • Dynamic groups have membership rules that inadvertently exclude the device
  • The device was recently enrolled, and group membership hasn't updated yet
  • Policy assignments target user groups, but the device's primary user isn't in those groups
  • Policy filters exclude the device based on properties like OS version or manufacturer

If you identify a missing assignment, add the device to an appropriate group or create a new compliance policy assignment that includes it. Allow 8-12 hours for the policy assignment to fully propagate and the device to check in and apply the policy before expecting the compliance status to update.

2. Check device activity status

Verify when the device last checked in with Intune by examining the "Last check-in" timestamp in device properties. Navigate to Devices > All devices, select the device, and review the Overview section where Intune displays the last check-in time.

Compare this timestamp against your compliance status validity period, which you can find under Devices > Compliance policies > Compliance policy settings. If the last check-in exceeds the validity period, the device will show as "Is Active: No" in the built-in compliance policy details.

For devices that appear inactive:

  • Confirm the device is powered on and connected to a network. Devices must have internet connectivity to reach Intune's cloud services, though they don't necessarily need to be on the corporate network if they can route through the internet.
  • Check for authentication issues that might prevent the device from authenticating to Azure AD and completing check-ins. This is particularly relevant for devices where users have changed passwords without updating stored credentials on the device.
  • Review Intune enrollment status to ensure the device hasn't become unenrolled. Navigate to the device in the admin center and check the Management State, which should show "Managed." If it shows anything else, the device may require re-enrollment.
  • Trigger a manual sync if the device is accessible. On Windows devices, users can sync from Settings > Accounts > Access work or school, selecting their work account, clicking Info, and then Sync. Alternatively, they can open the Company Portal app, navigate to Settings, and click Sync. On iOS/iPadOS devices, users open the Company Portal app, go to Devices, select their device, and tap Check Status.

After triggering a sync, the compliance status typically updates within 30 minutes, though it may take several hours for the Intune admin console to reflect the change.

3. Confirm user and Azure AD sync

Ensure the enrolled user account still exists and remains active in Azure AD. This requires identifying the enrolled user, which may differ from the primary user displayed in device properties.

Navigate to Devices > All devices, select the device, and examine the built-in compliance policy details. Look for the "Enrolled User Exists" check. If this shows "No," you need to identify and verify the enrolled user account.

The enrolled user is typically displayed in the device properties under Enrolled by user name. This account created the initial enrollment connection between the device and Intune, and Intune maintains this association even if you later change the primary user.

To verify the enrolled user's status:

  • Navigate to Users in the Azure AD/Entra ID admin center
  • Search for the enrolled user
  • Confirm the account exists and its account status shows "Enabled"
  • Check that the user hasn't been soft-deleted (in the "Deleted users" section)

If the enrolled user has been deleted or disabled, you have several options depending on your environment:

  • For single-user devices: Consider re-enrolling the device with the current user's account. This provides the cleanest resolution but requires end-user cooperation and temporarily disrupts access.
  • For shared devices: Remove the primary user assignment entirely. Navigate to the device in Intune, select Properties, and clear the primary user field. Some administrators report that removing the primary user for shared devices eliminates compliance issues related to enrolled user verification, as Intune evaluates the device against whichever user last logged in rather than checking for a specific enrolled user.
  • For managed environments: If you need to preserve the enrolled user association but the account was deleted, you may need to restore the user from Azure AD's deleted users within 30 days of deletion. After 30 days, permanent deletion occurs and restoration becomes impossible without re-enrollment.

Microsoft's documentation states that compliance policies are always evaluated against the user context, not purely the device. This design decision means that user account status significantly impacts device compliance, even for policies that seem device-focused.
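The "Enrolled User Exists" verification above can be scripted so that every non-compliant device is checked at once. The following is an added example, not code from the original article or from Microsoft; it uses the Microsoft.Graph PowerShell SDK and assumes that a managed device's UserId property holds the account that enrolled it (the value shown as "Enrolled by user name" in the admin center). That mapping is an assumption to confirm in your tenant, since the article notes that the enrollment user and the primary user are tracked separately. The script distinguishes an active account, a disabled one, a soft-deleted one that can still be restored within the 30-day window, and one that is gone for good.

```powershell
# Added example (not from the original article or from Microsoft): for each
# non-compliant device, report whether its enrolling user still exists in
# Entra ID. Assumes the Microsoft.Graph SDK is installed and that the device's
# UserId is the enrollment user (assumption; confirm against the admin center).

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "User.Read.All", "Directory.Read.All" -NoWelcome

function Get-EnrolledUserState {
    param([Parameter(Mandatory)] $Device)

    # Shared devices and kiosks may have no user association at all
    if ([string]::IsNullOrEmpty($Device.UserId)) {
        return "NoUser (shared/kiosk device; check not applicable)"
    }

    try {
        $user = Get-MgUser -UserId $Device.UserId -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop
        if ($user.AccountEnabled) { return "Active" }
        return "Disabled"
    }
    catch {
        # Not among live users: look in the directory recycle bin before giving up
        $deleted = Get-MgDirectoryDeletedItemAsUser -DirectoryObjectId $Device.UserId -ErrorAction SilentlyContinue
        if ($deleted) {
            return "SoftDeleted (deleted $($deleted.DeletedDateTime); restorable within 30 days)"
        }
        return "Missing (permanently deleted; re-enrollment required)"
    }
}

# Only devices Intune already marks non-compliant need this check
$devices = Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All

foreach ($d in $devices) {
    [pscustomobject]@{
        DeviceName   = $d.DeviceName
        PrimaryUser  = $d.UserPrincipalName
        EnrolledUser = Get-EnrolledUserState -Device $d
        LastCheckIn  = $d.LastSyncDateTime
    }
}
```

Run it with an account that holds the listed Graph scopes; the output is a table you can filter on the EnrolledUser column to decide between restoring the account (SoftDeleted), re-enabling it (Disabled), or scheduling re-enrollment (Missing).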

4. Adjust compliance status validity period

Review your compliance status validity period setting to determine if it appropriately balances security requirements against your organization's device usage patterns. Find this setting under Devices > Compliance policies > Compliance policy settings in the Intune admin center.

The validity period represents how long a device can go without checking in before Intune marks it as inactive. Consider these factors when setting this value:

  • Organizational security requirements: Highly regulated industries or security-conscious organizations typically use shorter periods (7-14 days) to quickly identify compromised or abandoned devices. Standard corporate environments often use 30 days as a reasonable balance.
  • Employee work patterns: Organizations with employees who frequently travel internationally, work in remote locations with limited connectivity, or take extended leave may need longer periods to avoid false positives.
  • Device types: Kiosks, dedicated devices, or specialty equipment that operates intermittently may warrant longer periods than standard user workstations.
  • Administrative overhead tolerance: Shorter periods generate more compliance issues that require investigation, increasing administrative workload. Ensure your IT team can handle the volume of issues before implementing aggressive validity periods.

After adjusting the validity period, existing compliance statuses don't immediately update. Devices must check in again for Intune to reevaluate their status against the new period. Devices currently marked inactive will automatically become active again once they check in, provided they now fall within the new validity window.

5. Trigger a forced sync

When a device appears to meet all compliance requirements but still shows non-compliant, forcing a sync often resolves the discrepancy by refreshing Intune's backend data about the device.

You can initiate syncs through multiple methods:

  • Admin-initiated sync from Intune console:
    • Navigate to Devices > All devices
    • Select the problematic device
    • Click Sync from the device actions toolbar
    • Wait for confirmation that the sync request was sent
  • User-initiated sync from Windows device:
    • Open Settings > Accounts > Access work or school
    • Select the work or school account
    • Click Info
    • Scroll down and click Sync
    • Alternatively, open Company Portal app > Settings > Sync
  • User-initiated sync from iOS/iPadOS device:
    • Open the Company Portal app
    • Navigate to Devices
    • Select the device
    • Tap Check Status
  • User-initiated sync from Android device:
    • Open the Company Portal app
    • Tap the three-line menu
    • Tap Settings
    • Tap Sync

The sync operation itself typically completes within 5-10 minutes, but the Intune admin console may take up to 30 minutes to reflect updated compliance status. During peak usage times, this delay may extend further due to backend processing queues.

If a single sync doesn't resolve the issue, consider:

  • Rebooting the device before syncing again, as some policy applications require a restart to fully apply.
  • Logging in with the enrolled user account if it differs from the current user. Several forum discussions report that logging in as the original enrollment account and syncing from that session can clear persistent compliance issues, though this solution isn't always practical for devices in active use.
  • Waiting 24-48 hours for automatic sync cycles to occur before escalating to more disruptive solutions like re-enrollment. Sometimes backend synchronization issues resolve themselves through normal sync intervals.

Monitoring compliance and preventing recurrence

Proactive monitoring helps catch compliance issues early and reduces the need for reactive troubleshooting.

  • Compliance reports: Access built-in compliance reports through Reports > Device compliance in the Intune admin center. The "Noncompliant devices report" filtered by built-in compliance policy helps you focus specifically on active/not compliant issues. Schedule regular reviews—weekly for dynamic environments, monthly for stable ones—to identify patterns like specific departments with higher non-compliance rates or devices repeatedly cycling between states.
  • Alert configuration: Set up notifications for non-compliant devices using Intune's built-in email alerts or by integrating with your ticketing system. Configure alerts under Devices > Compliance policies by selecting a policy and adding notification actions. Avoid notification fatigue by setting thresholds that trigger only for sustained non-compliance (e.g., devices non-compliant for more than 24 hours) rather than immediate status changes.
  • Automation options: Use PowerShell scripts with Microsoft Graph API to automate common remediation tasks, such as triggering syncs for recently inactive devices or creating help desk tickets for persistent issues. Azure Logic Apps can respond to compliance status changes and automatically notify users with specific remediation instructions.
  • User communication: Prepare templated communications that explain compliance issues in user-friendly language with platform-specific step-by-step instructions. Users who understand that regular syncs protect organizational data are more likely to proactively manage their device compliance. Include clear escalation paths so users know when to attempt self-service versus contacting IT.
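The activity check in step 2, the forced sync in step 5, and the "triggering syncs for recently inactive devices" automation mentioned above can be combined into one script. The following is an added example, not code from the original article or from Microsoft; it uses the Microsoft.Graph PowerShell SDK. It reads the tenant's compliance status validity period from the deviceManagement settings object (the DeviceComplianceCheckinThresholdDays property, an assumption about the SDK's property name; the script falls back to the 30-day default the article describes if the read fails), flags devices that have already exceeded the period as inactive, and sends a sync request to any device that is past a configurable fraction of the window so it can check in before it is marked inactive.

```powershell
# Added example (not from the original article or from Microsoft): report
# devices approaching or past the compliance status validity period and send
# them a sync request. Assumes the Microsoft.Graph SDK. Reading the validity
# period via Get-MgDeviceManagement is an assumption; the fallback is 30 days.

param(
    [int]    $SyncAtPercentOfValidity = 50,  # sync once a device is past half the window
    [switch] $ReportOnly                     # list devices without sending sync requests
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementConfiguration.Read.All" -NoWelcome

# Tenant-wide validity period (Devices > Compliance policies > Compliance policy settings)
$validityDays = 30
try {
    $settings = (Get-MgDeviceManagement -Property Settings -ErrorAction Stop).Settings
    if ($settings.DeviceComplianceCheckinThresholdDays) {
        $validityDays = $settings.DeviceComplianceCheckinThresholdDays
    }
}
catch {
    Write-Warning "Could not read tenant settings; assuming the $validityDays-day default"
}

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays(-($validityDays * $SyncAtPercentOfValidity / 100))
Write-Host "Validity period: $validityDays days; acting on devices not seen since $cutoff (UTC)"

# Devices with no LastSyncDateTime have never checked in and are skipped here
$stale = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff }

foreach ($d in $stale) {
    $ageDays = [math]::Round(($nowUtc - $d.LastSyncDateTime).TotalDays, 1)
    $status  = if ($ageDays -ge $validityDays) { "INACTIVE" } else { "at risk" }
    Write-Host ("{0,-30} {1,-9} last check-in {2} days ago, compliance: {3}" -f `
        $d.DeviceName, $status, $ageDays, $d.ComplianceState)

    if (-not $ReportOnly) {
        # Equivalent to the Sync action on the device toolbar in the admin center
        Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
}
```

Run it first with -ReportOnly to see what would be touched; devices that are powered off or unenrolled will not act on the sync request, so anything still listed as INACTIVE after a day points back to the connectivity, authentication, or enrollment checks in step 2.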

Prevention through proper policy assignment, appropriate validity period configuration, and proactive monitoring reduces the frequency of these issues and catches them before they impact users. Organizations that implement automated remediation for common scenarios free up IT resources for more strategic initiatives while maintaining strong compliance postures.

Understanding that compliance policies in Intune are always evaluated in user context rather than purely device context helps explain why issues related to enrolled users and primary users create compliance problems even when devices appear to function normally. This design decision, while sometimes frustrating, ensures that devices maintain proper security associations with valid user accounts.

When standard troubleshooting doesn't resolve persistent issues, and when you need continuous visibility into your control configurations across not just Intune but your entire security stack, Prelude provides comprehensive monitoring and validation that helps you understand with certainty whether your devices are truly protected.