Microsoft Intune Policies – Windows Compliance
In this next post focusing on Intune, we will talk about Compliance policies. These policies are fairly basic, and mainly focus on device security. I will present a best practices setup, but you should always define these in accordance with your company’s policy. Pay attention to the supported OS when looking at these policies. Some things, especially for Windows x86 and x64, cannot be configured here.
To create a compliance policy, go to the Policies section of the Intune management webpage and click on “Compliance Policies”. Click New to create a new policy. You can give your policy a name and description.
All of the options for System Security revolve around passwords and encryption. The applicable operating systems will be shown once you enable the policy.
The first two settings should be left as the default. The only one you might consider changing is the minimum password length, by making it more than four. Remember, though, that your users will have to type this in every time they unlock the device, and they likely will not have a keyboard. I prefer to have six, because I also allow the passwords to never expire (more on this in a minute). The simple password option here prevents users from using a password like 1234 or 1111. You cannot customize what counts as a simple password.
Next are some advanced password settings. Again, these are my preference. I prefer not to have the password expire, and to only require numeric passwords. This is why I set my minimum length to six characters. I allow them to never expire because we’re talking about physical access to the device. I can lock and wipe the device if needed, so I’m not concerned about password expiration. I do require six characters so that it’s more difficult to brute-force the device.
Next is encryption. You’ll notice that this is supported on everything but iOS, because iOS devices are encrypted by default. If you open the information tab, it says something to this effect. Basically, you just need a password to encrypt an iOS device. Also note that this setting will only apply if the device itself supports encryption.
Finally, we have a setting that will not allow Intune to function on a jailbroken or rooted device, for obvious security reasons.
After you have configured your compliance policy, you can deploy it to your devices.
Compliance Policy Settings
There’s a button at the top of the Compliance Policies view that we need to talk about:
When you click the “Compliance policy settings” button, you get this:
This configures a global policy that says if a device does not report a status in x days, the device is treated as noncompliant. The default is 30 days, which is probably a good number considering an Intune-managed device needs only an Internet connection to communicate. You should configure this as it fits with your company.
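The validity period can be modelled offline to spot devices that are about to be treated as noncompliant because they have stopped reporting. This is an added example, not code from the original post or from Intune; the device names, timestamps, the 7-day warning window and the separate handling of devices that never reported are assumptions.

```python
from datetime import datetime, timedelta, timezone

VALIDITY_DAYS = 30  # default validity period stated in the post
WARN_DAYS = 7       # assumption: warn when this few days remain

# Constructed sample inventory: (device name, last status report, ISO 8601).
SAMPLE_DEVICES = [
    ("LAPTOP-001", "2024-05-30T08:15:00+00:00"),
    ("TABLET-002", "2024-05-06T17:40:00+00:00"),
    ("PHONE-003", "2024-04-20T09:00:00+00:00"),
    ("KIOSK-004", None),  # enrolled but never reported
]


def classify(last_report, now, validity_days=VALIDITY_DAYS, warn_days=WARN_DAYS):
    """Return 'ok', 'expiring', 'noncompliant' or 'never_reported'."""
    if last_report is None:
        return "never_reported"  # assumption: surfaced separately for review
    reported = datetime.fromisoformat(last_report)
    if reported.tzinfo is None:
        reported = reported.replace(tzinfo=timezone.utc)  # treat naive as UTC
    remaining = reported + timedelta(days=validity_days) - now
    if remaining <= timedelta(0):
        return "noncompliant"  # no status inside the validity period
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(devices, now):
    """Map each device name to its state at time `now`."""
    return {name: classify(last, now) for name, last in devices}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, state in audit(SAMPLE_DEVICES, now).items():
        print(f"{name:12} {state}")
```

Devices in the `expiring` state are the ones worth chasing before the global setting flips them to noncompliant.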