
AD3.7 Handling Non-Compliant Devices

5-6 hours · Module 3 · Free
Operational Objective
After enforcement, devices that fail compliance checks are blocked from M365 access. The user sees an error page and calls the helpdesk. Your team needs a clear remediation workflow for each type of compliance failure — not a generic "contact IT" response, but specific step-by-step guidance for BitLocker enablement, OS updates, firewall re-enablement, and antivirus remediation. This subsection builds the remediation procedures your helpdesk uses to resolve every common compliance failure within 30 minutes — getting the user back to work quickly while maintaining the security standard.
Deliverable: A helpdesk remediation guide with step-by-step procedures for each compliance failure type, typical resolution times, and escalation criteria for failures that can't be resolved remotely.
Estimated completion: 25 minutes
Figure AD3.7 (text rendering of the diagram): Non-compliant device remediation, by failure type.

BitLocker off (most common failure): push BitLocker via Intune profile; user restart required; resolution 1-2 hours; escalate if no TPM chip.
Old OS version (second most common): run Windows Update manually, or force via Intune update ring; resolution 30-90 min plus restart; escalate if hardware too old for Windows 11.
Firewall disabled (quick fix, ask why): re-enable via Settings or PowerShell (Set-NetFirewallProfile); resolution 2 minutes; investigate why it was disabled.
AV disabled/stale (may indicate tampering): enable real-time protection; update signatures manually; check for third-party AV conflict; resolution 5-15 min.

Figure AD3.7 — Remediation procedures by compliance failure type. BitLocker requires an Intune profile push and device restart (1-2 hours). OS updates require Windows Update and restart (30-90 minutes). Firewall re-enablement is a 2-minute fix but warrants investigation. Antivirus issues may indicate third-party AV conflict or deliberate tampering.

The helpdesk remediation script

When a user calls because they're blocked from M365 access, the helpdesk follows this script:

Step 1 — Identify the device. Ask the user for their device name or username. Navigate to intune.microsoft.com → Devices → All devices → search by name or user. Open the device page.

Step 2 — Check compliance status. Click "Device compliance." This shows each compliance check with pass/fail status. Identify which check(s) are failing.

Step 3 — Follow the specific remediation for the failing check:

For BitLocker not enabled: Verify the BitLocker configuration profile (AD3.6) is assigned to this device. If assigned, trigger a device sync from Intune (Device page → Sync). The device should start encrypting on next check-in. If the profile isn't assigned, add the device to the assignment group. Tell the user: "Your laptop needs to encrypt its hard drive. This happens automatically — you'll see a notification. It may take 1-2 hours. Your laptop will continue working during encryption. You'll need to restart once."

For OS version too old: Check the current OS version in the device properties. If one version behind, the user can update via Settings → Windows Update → Check for updates. If multiple versions behind, the update may take longer — schedule it during lunch or end of day. Tell the user: "Your laptop needs a Windows update. Please go to Settings → Windows Update → Check for updates. The update will require a restart. Expect 30-60 minutes."

For Firewall disabled: This is unusual — most users don't know how to disable the firewall. Remote-assist the user to re-enable it: Settings → Privacy & Security → Windows Security → Firewall & network protection → enable for all profiles. Or use PowerShell remotely via Intune:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Investigate why it was disabled. If the user disabled it "because the VPN didn't work," the VPN configuration needs fixing — the firewall shouldn't be the workaround.

For Antivirus not active or signatures stale: Check if a third-party AV is installed (it may have disabled Defender). If no third-party AV: open Windows Security → Virus & threat protection → Turn on real-time protection. Run "Update" to refresh signatures. If third-party AV exists: verify it's reporting to Windows Security Center. Some third-party AV products require a configuration change to integrate with Intune compliance checks.

Step 4 — Trigger compliance re-evaluation. After remediation, the device needs to check in with Intune for the compliance state to update. From the device page in Intune, click "Sync." The compliance state typically updates within 15-30 minutes. Tell the user: "Please try accessing email again in 15-30 minutes. The security check needs to verify your device is now compliant."

Step 5 — Verify access restored. After the compliance state updates to "Compliant," the user should be able to access M365 normally. If they're still blocked after the device shows compliant, the compliance state may not have propagated to Entra ID yet — this can take up to 2 hours. In most cases, a sign-out and sign-back-in forces a fresh conditional access evaluation.

Remote remediation for off-site users

Users who are traveling or working remotely can't bring their laptop to the helpdesk. Remote remediation requires different tools.

Intune remote actions. Navigate to intune.microsoft.com → Devices → select the device. The device page offers several remote actions: Sync (forces immediate policy check-in), Restart (triggers pending updates), and Collect diagnostics (retrieves device health data). Use Sync first to trigger a compliance re-evaluation after the user has remediated on their end.

PowerShell remoting. If the device is connected to the network and you have admin access, use PowerShell remoting to check and fix compliance issues:

# Check BitLocker status remotely
Invoke-Command -ComputerName "DESKTOP-NGE042" -ScriptBlock {
    Get-BitLockerVolume -MountPoint "C:" |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
}

# Check Defender status remotely
Invoke-Command -ComputerName "DESKTOP-NGE042" -ScriptBlock {
    Get-MpComputerStatus |
        Select-Object RealTimeProtectionEnabled, AntivirusSignatureAge,
            AntivirusSignatureLastUpdated, AMServiceEnabled
}

# Force Defender signature update remotely
Invoke-Command -ComputerName "DESKTOP-NGE042" -ScriptBlock {
    Update-MpSignature
}

# Check and enable firewall remotely
Invoke-Command -ComputerName "DESKTOP-NGE042" -ScriptBlock {
    Get-NetFirewallProfile | Select-Object Name, Enabled
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
}

Company Portal self-service. The Company Portal app (installed on managed devices) shows users their compliance status with actionable guidance. Navigate the user to Company Portal → Device compliance. Each failing check shows a description and a "Resolve" button that takes the user to the relevant system setting. For common issues (Windows Update needed, firewall disabled), the Company Portal provides enough guidance for users to self-remediate without calling the helpdesk.

Communicate the Company Portal self-service option during your enforcement announcement: "If your device is non-compliant, open the Company Portal app on your laptop and check the Device Compliance section. It shows exactly what needs fixing and links directly to the setting. For most issues, you can resolve it in 5 minutes without calling the helpdesk."

Tracking remediation metrics

After the first month of enforcement, track two metrics: average time from non-compliant to remediated (target: under 24 hours), and helpdesk tickets related to compliance (target: decreasing each month as users learn to self-remediate). These metrics tell you whether your remediation process is working and whether the helpdesk load is sustainable.

Using Intune Remediation Scripts for automated fixes

For recurring compliance failures that have simple, scriptable fixes, deploy Intune Proactive Remediations (now called Remediation scripts). These scripts run on a schedule, detect the problem, and fix it automatically — without helpdesk involvement.

Navigate to intune.microsoft.com → Devices → Remediation → Create script package.

Example: Auto-re-enable Windows Firewall

Detection script (checks if firewall is disabled):

# Detection: Check if any firewall profile is disabled
$profiles = Get-NetFirewallProfile
$disabled = $profiles | Where-Object { $_.Enabled -eq $false }
if ($disabled) {
    Write-Output "Firewall disabled on profile: $($disabled.Name -join ', ')"
    exit 1  # Non-compliant — trigger remediation
} else {
    Write-Output "All firewall profiles enabled"
    exit 0  # Compliant — no action needed
}

Remediation script (re-enables firewall):

# Remediation: Re-enable all firewall profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Write-Output "All firewall profiles re-enabled"
exit 0

Set the script to run every 8 hours. If a user or application disables the firewall, the remediation script detects it within 8 hours and re-enables it automatically. The device returns to compliance without any human intervention.

You can build similar remediation scripts for other compliance issues: re-enabling Defender real-time protection, forcing signature updates when signatures are more than 3 days old, and triggering Windows Update checks when the OS version falls behind. Each script reduces helpdesk ticket volume and keeps devices compliant automatically.
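As an added example (not part of the course materials), here is the Defender counterpart to the firewall package above: a detection/remediation pair covering both real-time protection and stale signatures in one script package. The 3-day threshold is the one the text mentions; both scripts are saved as separate .ps1 files in the package, and the package should be scoped to devices without a third-party AV (where Defender runs in passive mode, the detection below would flag it by design).

```powershell
# --- Detection script (detect-defender.ps1): exit 1 = non-compliant, exit 0 = compliant ---
# Assumption: the 3-day signature threshold is the one the text mentions; adjust as needed.
$maxSignatureAgeDays = 3
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    # If the Defender cmdlets themselves fail, the platform is not healthy: non-compliant.
    Write-Output "Get-MpComputerStatus failed: $($_.Exception.Message)"
    exit 1
}
$problems = @()
if (-not $status.AMServiceEnabled)          { $problems += "antimalware service not running" }
if (-not $status.RealTimeProtectionEnabled) { $problems += "real-time protection off" }
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $problems += "signatures $($status.AntivirusSignatureAge) days old"
}
if ($problems.Count -gt 0) {
    Write-Output ("Non-compliant: " + ($problems -join '; '))
    exit 1
}
Write-Output "Compliant: RTP on, signatures $($status.AntivirusSignatureAge) day(s) old"
exit 0

# --- Remediation script (remediate-defender.ps1), saved as a separate file ---
# Turn real-time protection back on, then refresh signatures.
try {
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
} catch {
    Write-Output "Could not re-enable real-time protection: $($_.Exception.Message)"
    exit 1
}
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    # Signature update can fail offline; report it but still re-check the state below.
    Write-Output "Signature update failed: $($_.Exception.Message)"
}
# Re-check so the Intune console shows whether the fix actually took effect.
$after = Get-MpComputerStatus
if ($after.RealTimeProtectionEnabled -and $after.AntivirusSignatureAge -le $maxSignatureAgeDays) {
    Write-Output "Remediated: RTP on, signatures $($after.AntivirusSignatureAge) day(s) old"
    exit 0
}
Write-Output "Remediation incomplete: RTP=$($after.RealTimeProtectionEnabled), signature age=$($after.AntivirusSignatureAge)"
exit 1
```

The remediation script's own exit code is what shows up as "Remediation status" in the Intune console, so a device where the change was refused surfaces as a failed remediation rather than silently staying non-compliant.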

When remediation requires physical access

Some compliance failures can't be fixed remotely. A device with no TPM chip can't enable BitLocker without hardware modification. A device with a failed hard drive needs physical repair. A device running Windows 10 on hardware that doesn't meet Windows 11 requirements needs replacement.

For these cases, escalate to the hardware procurement process. Document in the exception register (AD3.8) with a hardware replacement date. In the meantime, apply the strongest alternative control available — typically network-restricted access via CA named locations. The device continues to function from the office network while the replacement is ordered and deployed.

Compliance Myth: "Users should be able to self-remediate without calling the helpdesk"
Ideally, yes. The compliance notification email includes a link to the Company Portal app where the user can see which checks are failing and attempt remediation. But in practice, most users see "device not compliant" and immediately call the helpdesk because they don't understand what BitLocker is, don't know how to run Windows Update, or don't realize they need to restart their laptop. The helpdesk remediation script is the reality — it's faster for the helpdesk to walk the user through the fix (2-5 minutes for firewall/AV, 15-30 minutes for BitLocker/OS) than for the user to try self-service and fail. Over time, as users encounter compliance checks repeatedly, some will learn to self-remediate. But plan for helpdesk support at enforcement launch.
Decision point

A user's device fails the BitLocker compliance check. The Intune device page shows "Encryption status: Not encrypted." You push the BitLocker configuration profile, trigger a sync, and wait. After 2 hours, the device still shows "Not encrypted." Intune shows the BitLocker profile as "Error" with the message: "TPM not found." The device is a 7-year-old laptop with no TPM chip. What do you do?

Option A: Exempt the device from the BitLocker compliance check.

Option B: Replace the laptop with one that has a TPM chip.

Option C: Enable BitLocker with a USB startup key instead of TPM — this is supported but requires the user to plug in the USB key at every boot.

The correct answer depends on context. Option B is ideal — a 7-year-old laptop is likely due for replacement anyway, and the replacement will have TPM 2.0, Secure Boot, and current hardware. Option C is a temporary workaround if the replacement can't happen immediately — USB startup keys work but create friction (lost USB key = locked device requiring recovery key). Option A is the wrong answer — exempting a device from encryption means every file on that unencrypted laptop is exposed if it's lost or stolen. Replace the hardware. In the interim, use the USB key approach and document the exception with a replacement date.

Try it: Test the remediation workflow

Deliberately disable the Windows Firewall on your test device (Settings → Privacy & Security → Windows Security → Firewall & network protection → turn off all profiles). Wait for the next Intune check-in (or trigger a sync from Intune). Verify the device shows as non-compliant with the firewall check failing.

Now re-enable the firewall. Trigger another sync. Verify the compliance state returns to compliant. Time the process — from disabling to re-compliance. This gives you the baseline for helpdesk call duration when a real user has a firewall compliance failure.

Don't test by disabling BitLocker — BitLocker decryption takes hours and re-encryption takes hours. Test with the low-impact checks (firewall, AV) to validate the remediation workflow without creating real downtime.

A user calls the helpdesk saying they can't access email. The helpdesk checks Intune and finds the device is "Non-compliant — Defender Antivirus real-time protection is off." The user says: "I turned it off because it was slowing down my computer." What's the correct response?
Allow the user to keep real-time protection off and exempt them from the AV compliance check — No. Disabled real-time protection means malware can execute unchecked. The "slowdown" is a minor performance impact that's vastly outweighed by the security protection.
Re-enable real-time protection and tell the user not to disable it again — Partially correct but incomplete. Re-enabling is necessary, but the user will just disable it again if the performance issue isn't addressed.
Re-enable real-time protection, investigate the performance concern (check for scan scheduling conflicts, exclude known-safe LOB application directories from scanning if appropriate), and deploy a configuration profile that prevents users from disabling real-time protection — Correct. Address the root cause (performance), fix the immediate issue (re-enable), and prevent recurrence (deploy a tamper protection profile via Intune that blocks users from disabling Defender). The user's performance complaint may be valid — scheduled scans during working hours can cause noticeable slowdowns. Reschedule scans to off-hours or add performance-safe exclusions for directories with large data files.
Escalate to the security team for investigation — disabling antivirus may indicate the device is compromised — Possible but unlikely in this scenario. The user explicitly said they disabled it themselves. Check the Defender event log to confirm the disable was user-initiated, not malware-initiated. If the disable corresponds to a user action at a reasonable time, it's a user behavior issue, not a compromise indicator.
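To support the "check the Defender event log" step in the last answer, here is an added helper (not from the course) that pulls the Defender real-time-protection change events and the interactive logons from a device over the same window, so the helpdesk can see whether the disable lines up with the caller's own session. Event IDs 5001, 5004 and 5010 are Microsoft's documented Defender event IDs and 4624 is the Windows logon event; the device name, the 7-day window and WinRM/admin access are assumptions.

```powershell
# Added example (not from the course): pull Defender real-time-protection change events and
# interactive logons from a device so the helpdesk can see whether the disable lines up with a
# user session. Assumes WinRM/admin access; device name and 7-day window are constructed values.
function Get-DefenderRtpChanges {
    param([string]$ComputerName = "DESKTOP-NGE042", [int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5010   # RTP disabled / RTP config changed / scanning disabled
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Invoke-Command -ComputerName $ComputerName -ArgumentList $filter -ScriptBlock {
        param($f)
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }
    }
}

function Get-InteractiveLogons {
    param([string]$ComputerName = "DESKTOP-NGE042", [int]$Days = 7)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Days -ScriptBlock {
        param($d)
        $f = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$d) }
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # Parse the EventData fields from the XML; LogonType 2 = console, 10 = RDP, 11 = cached.
            $x = [xml]$_.ToXml(); $data = @{}
            foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.LogonType -in '2', '10', '11') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    LogonType = $data.LogonType
                }
            }
        }
    }
}

# Usage: a 5001 event a few minutes after the caller's own logon supports "user-initiated";
# a 5001 with no matching interactive session, or at 03:00, is what the escalation option is for.
Get-DefenderRtpChanges | Sort-Object TimeCreated | Format-Table -AutoSize
Get-InteractiveLogons  | Sort-Object Time        | Format-Table -AutoSize
```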

You're reading the free modules of M365 Security: From Admin to Defender
