Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Intune Extension updating Endpoint database attribute

  • 1.  Intune Extension updating Endpoint database attribute

    Posted Sep 21, 2021 07:46 AM

    We are experiencing some issues with the Intune Extension where it seems that some endpoints that connect get the compliance status "noncompliant" even after we are verifying that it is listed as "ingrace period" from Intune.
    I wonder if the issue is that the endpoint compliance state field is not being updated with new information from Intune.
    Anyone know what that could be? Is there a setting I have missed?  I checked the documentation and I assumed that the "Device sync" would update the endpoint. I also reduced the default timer of 30 minutes to 5 minutes for updates.

    Rikard Berg

  • 2.  RE: Intune Extension updating Endpoint database attribute

    Posted Sep 21, 2021 01:47 PM
    Compliance state would be managed by the policy on intune so a device can be in grace period with either compliant or non-compliant state.

    "In-grace period: The device is targeted with one or more device compliance policy settings. But, the user hasn't applied the policies yet. This status means the device is not-compliant, but it's in the grace-period defined by the admin."

    Now, if the state on the Intune shows as Compliant and is still not getting updated on the Sync cycle then will have to confirm the actual compliance state being returned by Intune.

    You could make use of Graph Explorer to see the response body: 

    Global Escalation Center, ACCP

  • 3.  RE: Intune Extension updating Endpoint database attribute

    Posted Sep 23, 2021 08:14 AM
    Hi Sandeep,

    Thank you for your answer.

    I understand the use of the compliance policy and I will try to elaborate further.

    So in short we have a rule saying that (note that this is just an explanation and not the ruleset created):
    * Intune compliance state - compliant = client VLAN
    * Intune compliance state - ingraceperiod = client VLAN
    * Intune compliance state - non-compliant = guest VLAN

    This works well, but sometimes when a PC goes through the wipe process for enrolling new clients, ClearPass picks up the new device as "intune non-compliant" and gives it the guest VLAN. When the client tries to log in to the PC, the domain is unavailable.
    When the team responsible for Intune checks the client, it is listed as compliant, but in ClearPass the Endpoint clearly has the status non-compliant.

    Most machines never get this issue, but we have experienced it a few times. So that is the basis of my question.

    When Intune displays the client as Compliant on all their policies, why is the Endpoint not updated in ClearPass?

    The extension settings are these:
    I have reduced the time of sync schedule from 30 min to 5 min.

    My understanding would be that the client should be updated to Compliant in the endpoint attributes after the next sync of 5 minutes, which would retrigger the authentication, and the device should be listed as Compliant and be given the correct VLAN.

    Rikard Berg
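An added diagnostic (not code from this thread, from Aruba or from Microsoft) that cross-checks the complianceState Microsoft Graph returns for each managed device, as Graph Explorer shows it, against what the ClearPass Endpoint attribute currently holds, and reports where the two would land a device in different VLANs under the rule described in the post above. The device names, states, timestamps and the ClearPass attribute values are constructed; the Graph field names (complianceState, lastSyncDateTime, deviceName) are the real ones from the managedDevice resource.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed response from
# GET /deviceManagement/managedDevices?$select=deviceName,complianceState,lastSyncDateTime
GRAPH_RESPONSE = json.dumps({"value": [
    {"deviceName": "LAPTOP-01", "complianceState": "compliant",
     "lastSyncDateTime": "2021-09-23T07:50:00Z"},
    {"deviceName": "LAPTOP-02", "complianceState": "inGracePeriod",
     "lastSyncDateTime": "2021-09-23T07:40:00Z"},
    {"deviceName": "LAPTOP-03", "complianceState": "noncompliant",
     "lastSyncDateTime": "2021-09-22T18:00:00Z"},
]})

# Constructed sample of the compliance value the Intune extension last wrote
# to each ClearPass Endpoint (exported from Endpoints, keyed by device name).
CLEARPASS_ENDPOINTS = {
    "LAPTOP-01": "noncompliant",   # stale: Intune already reports compliant
    "LAPTOP-02": "inGracePeriod",
    "LAPTOP-03": "noncompliant",
}

# VLAN outcome for each state, mirroring the rule described in the thread.
VLAN_BY_STATE = {"compliant": "client", "inGracePeriod": "client", "noncompliant": "guest"}

# Constructed "now" and the 5 minute sync schedule mentioned in the thread.
NOW = datetime(2021, 9, 23, 8, 0, tzinfo=timezone.utc)
SYNC_WINDOW = timedelta(minutes=5)

def intune_states(graph_json):
    """Map deviceName -> (complianceState, lastSyncDateTime as aware datetime)."""
    out = {}
    for d in json.loads(graph_json)["value"]:
        when = datetime.fromisoformat(d["lastSyncDateTime"].replace("Z", "+00:00"))
        out[d["deviceName"]] = (d["complianceState"], when)
    return out

def find_stale(graph_json, clearpass, now, sync_window):
    """Return devices whose ClearPass attribute disagrees with Intune, with the VLAN each side implies."""
    findings = []
    for name, (state, last_sync) in intune_states(graph_json).items():
        cp_state = clearpass.get(name)
        if cp_state == state:
            continue                      # ClearPass already matches Intune
        age = now - last_sync
        findings.append({
            "device": name, "intune": state, "clearpass": cp_state,
            "intune_vlan": VLAN_BY_STATE.get(state, "guest"),   # unknown states fail closed
            "clearpass_vlan": VLAN_BY_STATE.get(cp_state, "guest"),
            "intune_sync_age_min": int(age.total_seconds() // 60),
            # True means Intune reported this state before the last extension sync
            # should have run, so the extension, not Intune, is where to look.
            "older_than_sync_window": age > sync_window,
        })
    return findings
```

A device that shows up here with `older_than_sync_window` set is one where Intune had already reported the new state before the extension's last scheduled sync, which is the case the thread describes.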