Microsoft Endpoint Manager – Intune Compliance Policies

Hi everyone! Many organizations need to be sure that corporate devices meet a set of security requirements before they are allowed to reach the corporate network or company data. With Intune compliance policies you define those requirements for corporate-owned or personal devices, Intune evaluates every enrolled device against them, and you can then either warn the users or block access to corporate resources with Azure AD Conditional Access.

There are two parts to Intune compliance policies:

  • Policies, which define the criteria and rules that we configure and deploy to devices;
  • Settings (tenant-wide), which define the actions taken for noncompliant devices and determine how compliance policies interact with user devices.

You can configure compliance policies from Devices – Compliance policies or from Endpoint security – Device compliance. First, let’s configure the compliance settings:

Here you can configure the tenant-wide options:

  • Mark devices with no compliance policy assigned as: when set to Not compliant, every device that has no compliance policy assigned is treated as noncompliant until a policy is assigned to it (the safer choice if Conditional Access will later require compliant devices);
  • Enhanced jailbreak detection applies to iOS devices only;
  • Compliance status validity period (days) is the period within which a device must report its compliance status. If a device cannot send a report to Intune for any reason within that period, it is marked as noncompliant. The default is 30 days. In my lab environment I reconfigured it to 1.

In Notifications you can create a message template that will be sent to users when their device is treated as noncompliant. Click Create notification and provide a name for the template:

Then click Next and provide a notification message:

Then click Next and Create.

Go to Policies to create the first compliance policy. Click Create policy, choose a platform (Windows 10 and later) and click Create. Provide a name for the policy and click Next. On the Compliance settings page you can configure Custom Compliance:

First, you need to upload a PowerShell discovery script under Scripts and prepare a JSON rules file. The JSON file identifies the custom compliance settings you want to check (setting name, data type, operator and expected value), and the PowerShell script discovers the actual values of the settings defined in the JSON file and returns them to Intune as JSON.
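As an added example (not the blog author’s files), here is a matching pair of rules file and discovery script. Intune runs the discovery script as SYSTEM on the device and expects a single compressed JSON object on standard output whose keys match the SettingName values in the rules file exactly (names are case sensitive). The setting names SecureBootEnabled, OsDriveBitLocker and LocalAdminCount, the MoreInfoUrl and the thresholds are assumptions chosen for the illustration; the operators and data types are the ones Intune custom compliance supports (IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals; Boolean, Int64, Double, String, DateTime, Version).

```powershell
# ---- Part 1: rules file (upload this JSON file in the Custom Compliance section) ----
# Hypothetical setting names; each SettingName must appear as a key in the
# discovery script's output below. {ActualValue} is expanded by Intune in the
# remediation text shown to the user.
$rules = @'
{
  "Rules": [
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example/secure-boot",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Secure Boot must be enabled. Value discovered was {ActualValue}.",
          "Description": "Enable Secure Boot in the UEFI firmware settings." }
      ]
    },
    {
      "SettingName": "OsDriveBitLocker",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example/bitlocker",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "The OS drive must be BitLocker protected. Value discovered was {ActualValue}.",
          "Description": "Turn on BitLocker for the system drive." }
      ]
    },
    {
      "SettingName": "LocalAdminCount",
      "Operator": "LessEquals",
      "DataType": "Int64",
      "Operand": 2,
      "MoreInfoUrl": "https://intranet.example/local-admins",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Too many local administrators: {ActualValue}.",
          "Description": "Remove extra accounts from the local Administrators group." }
      ]
    }
  ]
}
'@
Set-Content -Path .\CustomComplianceRules.json -Value $rules -Encoding utf8

# ---- Part 2: discovery script (upload only this part under Devices > Scripts) ----
# Every check fails closed: if a value cannot be read, the reported value is one
# that violates the rule, so a broken check never makes a device look compliant.
$result = @{}

# Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines, so
# catch it and report "not enabled" instead of aborting the script (a script
# that produces no JSON leaves the device noncompliant anyway).
try   { $result['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $result['SecureBootEnabled'] = $false }

# BitLocker protection on the OS drive (needs the BitLocker PowerShell module).
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $result['OsDriveBitLocker'] = ($os.ProtectionStatus -eq 'On')
} catch {
    $result['OsDriveBitLocker'] = $false
}

# Members of the local Administrators group. Orphaned SIDs can make
# Get-LocalGroupMember throw; report an impossible count so the rule fails.
try {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    $result['LocalAdminCount'] = [int64]$members.Count
} catch {
    $result['LocalAdminCount'] = [int64]9999
}

# Intune expects exactly one compressed JSON object as the script output.
$result | ConvertTo-Json -Compress
```

Run the script locally in an elevated PowerShell session first and compare the printed JSON keys with the rules file before uploading; a mismatched or misspelled key is the most common reason a custom setting shows up as not compliant on every device.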

Device Health:

The Windows Health Attestation Service validates the boot state of the device through a series of checks (BitLocker, Secure Boot and code integrity). These settings rely on the device being able to attest, so they are best combined with hardware that has a usable TPM.

Device Properties:

In this section I configure a minimum OS version; a device with an OS build below it will be marked as noncompliant.

Configuration Manager Compliance:

I don’t use the integration with Microsoft Endpoint Configuration Manager, so we check the compliance status from Intune only.

System Security consists of a couple of sub-sections. The first is Password:

I don’t require a password in my example. Next is Encryption:

I don’t configure this setting either.

Device Security:

I want to check that the firewall, antispyware and antivirus (the built-in antivirus or any third-party antivirus that registers with Windows Security Center) are enabled.

Defender:

In this section we require Microsoft Defender antimalware and real-time protection to be enabled as part of our compliance policy.

Microsoft Defender for Endpoint:

I keep default settings.

When you have configured all the settings you want to check, click Next. On the Actions for noncompliance tab you configure the sequence of actions for noncompliant devices. At least one action must be configured:

In my example, I want to notify the user twice that the device is noncompliant (this is where the message template from Notifications is used). If the user doesn’t run the remediation steps, the device is marked as noncompliant, and after 30 days it is scheduled for retirement. Such a device can then be manually retired from the Retire noncompliant devices section.

Click Next. On the Assignments tab I add two dynamic Azure AD groups, one with personal devices and one with devices of unknown ownership:

And then click Create.

Right after enrollment, a Windows 10 device checks in for policies and settings every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then about every 8 hours. An already enrolled device checks in with Intune roughly every 8 hours. The end user can also trigger a check-in from the Company Portal or from Settings – Accounts – Access work or school:

In this example we don’t block access to corporate data (that will be covered in the next blog post); we just check the compliance status. To do that go to Devices – Compliance status:

On this dashboard you can find high-level overview of compliance status and policies.

To get more detailed information go to Devices – Monitor – Compliance:

The Setting compliance report shows information about all of the compliance settings:

Click on a setting to see additional details:

Click on device name, then on Device compliance:

By default, the Built-in Device Compliance Policy is assigned to all devices. This policy contains three settings (Has a compliance policy assigned, Is active, and Enrolled user exists):

Click on the setting you created to see its compliance status:

You can also check compliance status from Devices – Compliance policies – <click on policy name>:
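The same information can be pulled through Microsoft Graph, which is handy when you want to script the check or feed it into another tool. The following is an added example and not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph), that the signed-in account can consent to the two read scopes used, and that the compliance policy was named "Windows 10 baseline" (a hypothetical name; replace it with the name you chose above).

```powershell
# Added example: read compliance state through Microsoft Graph instead of the
# portal dashboards. Scopes: managed devices (read) and compliance policies (read).
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementConfiguration.Read.All' -NoWelcome

# 1. Tenant-wide picture, equivalent to Devices - Compliance status:
#    how many managed devices sit in each compliance state.
Get-MgDeviceManagementManagedDevice -All |
    Group-Object -Property ComplianceState |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 2. Noncompliant Windows devices and when they last synced. A device that has
#    not checked in within the compliance status validity period is listed here
#    too, even if every policy setting was fine at its last check-in, so flag
#    stale check-ins separately from genuine setting failures.
$cutoff = (Get-Date).AddDays(-1)   # assumption: the 1-day validity period used in this lab
Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'" |
    Where-Object { $_.OperatingSystem -eq 'Windows' } |
    Select-Object DeviceName, UserPrincipalName, OSVersion, LastSyncDateTime,
                  @{ n = 'StaleCheckIn'; e = { $_.LastSyncDateTime -lt $cutoff } } |
    Sort-Object LastSyncDateTime |
    Format-Table -AutoSize

# 3. Per-policy device status, the same data as
#    Devices - Compliance policies - <click on policy name>.
$policyName = 'Windows 10 baseline'   # hypothetical policy name
$policy = Get-MgDeviceManagementDeviceCompliancePolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if (-not $policy) { throw "Compliance policy '$policyName' not found" }

Get-MgDeviceManagementDeviceCompliancePolicyDeviceStatus -DeviceCompliancePolicyId $policy.Id -All |
    Select-Object DeviceDisplayName, UserPrincipalName, Status, LastReportedDateTime |
    Sort-Object Status |
    Format-Table -AutoSize
```

The StaleCheckIn column is the one to look at before chasing users: with a 1-day validity period, a laptop that was simply switched off overnight will appear noncompliant until it next checks in, which is a different problem from a device that reports a disabled firewall.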

Happy deployment!
