Security

  • 1.  CPPM Intune Compliance Grace Period

    Posted Mar 04, 2026 10:40 AM
    Edited by hornp Mar 04, 2026 11:18 AM

    Hey all - 

    We're working on some compliance policy and in ClearPass we're going to push devices that are not compliant in Intune to a remediation zone so they can't get to company resources until they have regained compliance. 

    I've run into what I would consider to be an issue with how ClearPass displays/considers compliance. When we see our device sync from Intune, we are seeing the attributes coming in mostly correct, but the compliance state isn't right. 

    I believe it's when there is no compliance grace period coming in from Intune, then the grace period is being set as 9999-12-31. That wouldn't be an issue if we could also see the raw compliance data from Intune as a value, but it seems that we only see the calculated compliance state.

    It comes in like this for a particular device:

    Intune Compliance Grace Period Expiration Date Time = 9999-12-31T23:59:59Z
    Intune Compliance State = compliant
    Intune Last Sync Date Time = 2025-12-11T14:26:27Z
    Intune Last Update = 2025-12-11 08:30:05

    This device in Intune is Noncompliant and last checked in 1/20/2026. My Role Mapping Policy is looking at Intune Compliance State and certificate issuer to decide IntuneCompliant or IntuneNotCompliant, but this is failing because the grace period is... forever. 
    Seems like this would be better to have both the Intune-synced value of nonCompliant and another value for WithinGracePeriod or something.
    I don't want to have to go set a grace period in Intune (it could happen, but that'd be some work). 

    Why This Is a Problem

    The 9999-12-31 value appears on both compliant and noncompliant devices. Therefore, enforcement rules based on either the grace period value or Intune Compliance State cannot reliably enforce compliance without impacting compliant devices.

    Is there any supported way in ClearPass to access or enforce against the raw Intune compliance state (Graph complianceState) before grace-period logic is applied? What am I missing? How can I get the Intune data to give me the actual status? Thanks!!



  • 2.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 04, 2026 05:55 PM

    If the grace period date isn't being populated correctly for any device, why would you ever consider using that for anything?  ClearPass isn't going to automagically do anything with the attributes, you have to write the policy to assess the attributes and handle the session accordingly.

    Look at the last sync date/time, if that isn't within your required time period then send the device to remediation regardless of current compliance status.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 04, 2026 06:46 PM
    That's... I guess you missed the question. 
    Why is ClearPass not getting the correct grace period date status? Our policy in Intune has 0 grace period, yet ClearPass has the majority of our endpoints with a grace period of 9999. There are several endpoints with correct dates, but the majority are 9999. This seems like a fallback date or something. 
    How can I make sure this date is correct, or ignore that date for compliant status?






  • 4.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 04, 2026 06:57 PM

    I didn't miss the question, that's the first thing I responded to.

    No idea where or how the grace period is getting generated from Intune, so don't know exactly why you are getting the attributes that you are.  But that looks like the field in ClearPass is getting saved as a timestamp, if Intune is responding to the query with something like 0 or null or infinite (basically 9999-12-31) then ClearPass would need to translate whatever is received and attempt to save as a date.  That translation (or maybe some default timestamp in Intune) is probably why that value is set that way.

    Look in the logs (you might have to enable) of the extension to see what is being sent from Intune and you might be able to figure out where to go from there.

    As for a fix...if the grace period timestamp can't be relied on, then you need to write your ClearPass policy in such a way that the grace period value isn't being relied on.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 04, 2026 08:42 PM
    Right. Ok. So when I use the Microsoft Graph API (aka.ms/ge) to check the attributes provided, it's giving me correct timestamps. One of the reasons I posted here is to see if there's a bug or a caveat for those stamps. Because the value isn't getting to the endpoint database and a generic infinity date is being inserted, the value of compliant / noncompliant is not correct. This would not be a problem if the status compliant / noncompliant were pulled from Intune and used as it comes in. 
    I could probably do some api work and pull the compliance value in to another attribute, but I was hoping to see someone here check to see if there's a bug or a missing component that would help get the correct values. 

    I can use some data from Defender ATP, but that's not exactly what we're looking for - we want inconvenient access to local resources when Intune compliance goes awry; Defender is more of a response to an active issue. 
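The approach the thread converges on, as an added Python example (not code from any of the posts, from HPE Aruba, or from the ClearPass Intune extension): decide the role from the raw Graph complianceState and the age of lastSyncDateTime (the last-sync check from reply 2), and treat the year-9999 expiry as "no grace period set" rather than as a real date (the null-to-timestamp translation suspected in reply 4). It assumes the managedDevice field names Microsoft Graph returns (complianceState, complianceGracePeriodExpirationDateTime, lastSyncDateTime) and that complianceState can carry the value inGracePeriod; the Graph query string is shown only as the assumed data source, no network call is made. The sample response, the pinned clock and the role names IntuneInGrace and the 7-day staleness window are constructed for the example; IntuneCompliant and IntuneNotCompliant are the role names from the original post.

```python
"""Derive a NAC role from the raw Intune (Microsoft Graph) compliance fields.

Added example for the thread above; it is not code from the original posts,
from HPE Aruba, or from the ClearPass Intune extension. It assumes the
managedDevice JSON shape returned by Microsoft Graph (complianceState,
complianceGracePeriodExpirationDateTime, lastSyncDateTime) and treats any
year-9999 expiry as "no grace period set" (an assumption based on the values
shown in the thread).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Assumed data source for the records below (no request is made by this example).
GRAPH_QUERY = (
    "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
    "?$select=deviceName,complianceState,complianceGracePeriodExpirationDateTime,lastSyncDateTime"
)

# Constructed sample response; the clock is pinned so the run is deterministic.
NOW = datetime(2026, 3, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"deviceName": "LAPTOP-A", "complianceState": "compliant",
     "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59Z",
     "lastSyncDateTime": "2026-03-03T14:26:27.1234567Z"},
    {"deviceName": "LAPTOP-B", "complianceState": "noncompliant",          # the case in the thread
     "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59Z",
     "lastSyncDateTime": "2026-03-04T08:30:05Z"},
    {"deviceName": "LAPTOP-C", "complianceState": "inGracePeriod",
     "complianceGracePeriodExpirationDateTime": "2026-03-11T12:00:00Z",
     "lastSyncDateTime": "2026-03-04T09:00:00Z"},
    {"deviceName": "LAPTOP-D", "complianceState": "compliant",             # stale check-in
     "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59Z",
     "lastSyncDateTime": "2026-01-20T10:00:00Z"},
    {"deviceName": "LAPTOP-E",                                             # no state at all
     "complianceGracePeriodExpirationDateTime": None,
     "lastSyncDateTime": "2026-03-04T09:00:00Z"},
]})


def parse_graph_time(value):
    """Parse a Graph UTC timestamp ('...Z', with 0 to 7 fractional digits)."""
    if not value:
        return None
    text = value.rstrip("Z")
    if "." in text:
        main, frac = text.split(".", 1)
        text = f"{main}.{frac[:6].ljust(6, '0')}"   # strptime %f takes at most 6 digits
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def grace_expiry(value):
    """Return the grace-period expiry, or None when Intune sent nothing usable.

    A year-9999 date is a sentinel for 'no grace period', never a real expiry;
    comparing it with the clock would put every device 'within grace' forever.
    """
    dt = parse_graph_time(value)
    if dt is None or dt.year == 9999:
        return None
    return dt


@dataclass
class Decision:
    device: str
    role: str      # IntuneCompliant | IntuneInGrace | IntuneNotCompliant
    reason: str


def classify(record, now=NOW, max_sync_age=timedelta(days=7)):
    """Map one managedDevice record to a NAC role, failing closed.

    Precedence: stale check-in > raw complianceState > grace window.
    The expiry date is only consulted when Intune itself reports inGracePeriod.
    """
    name = record.get("deviceName", "?")
    state = record.get("complianceState") or "unknown"
    last_sync = parse_graph_time(record.get("lastSyncDateTime"))
    grace = grace_expiry(record.get("complianceGracePeriodExpirationDateTime"))

    if last_sync is None or now - last_sync > max_sync_age:
        return Decision(name, "IntuneNotCompliant", f"last sync {last_sync} older than {max_sync_age}")
    if state == "compliant":
        return Decision(name, "IntuneCompliant", "complianceState=compliant")
    if state == "inGracePeriod" and grace is not None and grace > now:
        return Decision(name, "IntuneInGrace", f"grace period runs until {grace.isoformat()}")
    # noncompliant, conflict, error, unknown, or an expired/unset grace window
    return Decision(name, "IntuneNotCompliant", f"complianceState={state}, grace={grace}")


def classify_all(graph_json, now=NOW, max_sync_age=timedelta(days=7)):
    """Return {deviceName: role} for a Graph managedDevices response body."""
    records = json.loads(graph_json)["value"]
    return {d.device: d.role for d in (classify(r, now, max_sync_age) for r in records)}


if __name__ == "__main__":
    for r in json.loads(SAMPLE_GRAPH_RESPONSE)["value"]:
        d = classify(r)
        print(f"{d.device:10} {d.role:20} {d.reason}")
```

The equivalent ClearPass rule would key on [Endpoint Repository]:Intune Compliance State together with the age of Intune Last Sync Date Time, and never on the expiry date alone; LAPTOP-B shows why, since its noncompliant state coexists with the 9999 expiry exactly as in the attribute dump in the first post.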







  • 6.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 05, 2026 09:25 AM

    Thank you for the additional and clarifying information on your ask.

    If you believe you're in an issue where the ClearPass Intune Extension isn't operating properly, then I would recommend you open a case with TAC to begin resolution of the issue.

    What instructions did you follow to setup the integration?  What version of ClearPass and the extension are you using?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 05, 2026 10:37 AM
    Used the integration guide that is posted in the ClearPass docs - arubanetworking.hpe.com/techdocs/clearpass/integrations/unified-endpoint-management/intune 
    We are using clearpass 6.11.10, extension 6.4.1 (just upgraded from 6.4.0 - that's been running for several months)

    I did create a TAC case to see what might be needed. 
    A lot of the entries are actually compliant, and most of the noncompliant ones show up noncompliant (but I haven't diffed the full list yet). However, of the long list of compliant with grace dates, there are entries that are wrong/not updated. 
    We will see what we can find. Thanks for your help so far!






  • 8.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 06, 2026 09:52 AM

    How are you checking compliance status? I'd think if you check [Endpoint Repository]:Intune Compliance State EQUALS compliant, it will take literally what is set in that field and ignore the grace field.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 07, 2026 11:13 AM
    Herman,

    I thought that, too. What I've observed in this instance is that any device that has a correctly synced grace period (which would be either today or before today) seems to have the correct compliance value. However, when the grace period is in the future the value goes to "compliant".
    I am not sure how/why clearpass derives the 9999 date for devices; all of ours have grace periods set with either 14 days or 0 days, so there shouldn't be any sync with a non-date. It's either now, or two weeks from now at a maximum.
    I have raised a TAC and sent what I have so hopefully we can get to the bottom of it soon.
    I also checked another Intune/CP install that I have set up in the same way, and I haven't found the same issue there, yet. But it is a little difficult to do the cross check of hostnames and sync status and compliance - I only just happened to stumble on it in the first place because for the most part, it's all working. 

    Thanks,

    Phillip

    -

    Phillip Horn
    Network and Systems Consultant
    Union Commonwealth University (formerly Union College)
    606-546-1650





  • 10.  RE: CPPM Intune Compliance Grace Period

    Posted Mar 09, 2026 07:30 AM

    Please update us here once you get an explanation or solution from TAC. This may be something that changed recently or for whatever reason went unnoticed.



    ------------------------------
    Herman Robers
    ------------------------------