Intune - Device marked compliant shortly after non-compliant state
Intune Compliance Bypass
Query
let lookback = 6h;
let flips =
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(lookback)
| where isnotempty(ComplianceState)
| project TimeGenerated, DeviceId=tostring(DeviceId), DeviceName=tostring(DeviceName),
UserPrincipalName=tostring(column_ifexists("UPN", column_ifexists("UserPrincipalName", ""))),
OSDescription=tostring(OSDescription),
ComplianceState=tostring(ComplianceState)
| order by DeviceId, TimeGenerated asc
| extend prevState = prev(ComplianceState), prevTime = prev(TimeGenerated), prevDevice = prev(DeviceId)
| where DeviceId == prevDevice
| where prevState in ("NonCompliant","Error","Unknown","InGracePeriod","ConfigManager")
| where ComplianceState == "Compliant"
| where datetime_diff('minute', TimeGenerated, prevTime) between (0 .. 30)
| project TimeGenerated, DeviceId, DeviceName, UserPrincipalName, OSDescription, prevState, ComplianceState;
let remediations =
IntuneAuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has_any ("remediate","Sync","wipe","retire")
| project RemTime=TimeGenerated, DeviceId=tostring(parse_json(tostring(Properties)).TargetObjectId);
flips
| join kind=leftanti remediations on DeviceId
| extend AccountCustomEntity = UserPrincipalName, HostCustomEntity = DeviceNameExplanation
This query is designed to detect suspicious behavior in devices managed by Microsoft Intune. It specifically looks for devices that quickly change from a non-compliant state to a compliant state without any recorded remediation actions, which might indicate attempts to bypass compliance checks. Here's a simplified breakdown:
-
Purpose: The query identifies devices that transition from a non-compliant state (or error/unknown) to a compliant state within 30 minutes, without any corresponding remediation actions like syncing or wiping.
-
Data Sources: It uses data from Intune logs, specifically
IntuneDeviceComplianceOrgfor compliance states andIntuneAuditLogsfor remediation actions. -
Time Frame: The query checks for these transitions within the last 6 hours and runs every hour.
-
Detection Logic:
- It first identifies devices that changed from non-compliant to compliant within 30 minutes.
- It then checks if there are any remediation actions recorded for these devices.
- If no remediation actions are found, it flags these devices as potentially suspicious.
-
Severity and Tactics: The severity of this detection is marked as high, and it relates to tactics like Defense Evasion and Persistence, which are techniques used to avoid detection and maintain access.
-
Output: The query outputs details about the device and user, which can be used for further investigation.
This query helps in identifying potential compliance-bypass techniques, which could be a security risk if left unchecked.
Details

David Alonso
Released: April 22, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 6h