Hi everyone! Many organizations want to be sure that corporate devices meet their security requirements, and to limit access to the corporate network or company data to compliant devices only. With Intune compliance policies you can create rules and assign them to corporate or personal devices, then alert your users or, together with Azure AD Conditional Access, block access to corporate resources.
There are two parts of Intune compliance policies:
- Policies, which define the criteria and rules we configure and deploy to devices;
- Settings, which define the actions taken for noncompliant devices and determine how compliance policies interact with user devices.
You can configure compliance policies from Devices – Compliance policies or from Endpoint security – Device compliance. First, let’s configure compliance settings:
Here you can configure tenant-wide options:
- Mark devices with no compliance policy assigned as: set to Not compliant, this marks every device without an assigned compliance policy as noncompliant until a policy is assigned;
- Enhanced jailbreak detection applies to iOS devices only;
- Compliance status validity period (days) specifies the period within which a device must send a compliance status report. If the device can't report to Intune for some reason within that window, it is marked as noncompliant. The default is 30 days; in my lab environment I reconfigured it to 1.
In Notifications you can create a message template that will be sent to users whose device is treated as noncompliant. Click Create notification and provide a name for the template:
Then click Next and provide a notification message:
Then click Next and Create.
Go to Policies to create the first compliance policy. Click Create, choose a platform (Windows 10 and later) and click Create. Provide a name for the policy and click Next. On the Compliance settings page you can configure Custom Compliance:
First, you need to upload a PowerShell script under Scripts and prepare a JSON file. The JSON file identifies the custom compliance settings you want to check, and the PowerShell script discovers the values of the settings you defined in the JSON file.
Windows Health Attestation Service can validate the device's boot state with a series of checks.
In this section I configure a minimum OS version; devices with an OS build below it will be marked as noncompliant.
Configuration Manager Compliance:
I don't use integration with Microsoft Endpoint Configuration Manager; we will check compliance status from Intune only.
System Security consists of several sub-sections; the first is Password:
I don't require a password in my example. Next is Encryption:
I don't configure this setting either.
I want to check whether the firewall, antispyware and antivirus (the built-in antivirus or any third-party antivirus registered with Windows Security Center) are enabled.
In this section we configure checks of Microsoft Defender antimalware and real-time protection as part of our compliance policy.
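To show how the Custom Compliance pieces fit together, here is an added example (not the author's code) that produces both artifacts the Custom Compliance page asks for: a discovery script that reports firewall and Microsoft Defender state, and the JSON rule file that tells Intune how to evaluate what the script returns. The setting names, the MoreInfoUrl, the remediation text and the output file names are assumptions; the JSON schema is the one Intune documents for custom compliance (SettingName, Operator, DataType, Operand, MoreInfoUrl, RemediationStrings).

```powershell
# Added example, not from the original post: writes the discovery script and the JSON rule
# file used by Intune custom compliance. Setting names, URL and file names are assumptions.

# 1. Discovery script - upload under Devices > Scripts (Custom compliance).
#    Intune runs it on the device and reads one compressed JSON object from its output.
$discoveryScript = @'
$ErrorActionPreference = 'Stop'

# Every firewall profile (Domain, Private, Public) must be enabled.
$disabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count

# Microsoft Defender status; if the cmdlet is unavailable the script reports the
# conservative values, so the device evaluates as noncompliant rather than unknown.
try {
    $mp     = Get-MpComputerStatus
    $rtp    = [bool]$mp.RealTimeProtectionEnabled
    $sigAge = [int]$mp.AntivirusSignatureAge
} catch {
    $rtp    = $false
    $sigAge = 9999
}

# Keys must match SettingName values in the JSON rule file exactly.
$result = @{
    FirewallAllProfilesEnabled = ($disabledProfiles -eq 0)
    RealTimeProtectionEnabled  = $rtp
    AntivirusSignatureAgeDays  = $sigAge
}
return $result | ConvertTo-Json -Compress
'@

# 2. Rule file - upload on the policy's Custom Compliance page.
#    A device is noncompliant if any rule fails; RemediationStrings are shown to the user.
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "FirewallAllProfilesEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/firewall-help",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Windows Firewall is turned off",
          "Description": "Turn on the firewall for all network profiles, then sync from Company Portal." }
      ]
    },
    {
      "SettingName": "RealTimeProtectionEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/defender-help",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Real-time protection is disabled",
          "Description": "Enable Microsoft Defender real-time protection in Windows Security." }
      ]
    },
    {
      "SettingName": "AntivirusSignatureAgeDays",
      "Operator": "LessEquals",
      "DataType": "Int64",
      "Operand": 7,
      "MoreInfoUrl": "https://example.invalid/signatures-help",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Antivirus signatures are out of date",
          "Description": "Run a protection update in Windows Security, then sync from Company Portal." }
      ]
    }
  ]
}
'@

# Run once on an admin workstation to produce the two files for upload.
Set-Content -Path .\CustomCompliance.ps1  -Value $discoveryScript -Encoding UTF8
Set-Content -Path .\CustomCompliance.json -Value $rulesJson       -Encoding UTF8
```

The discovery script must emit exactly one JSON object, and every key it returns that you want evaluated needs a matching rule; the DataType and Operator on each rule control how Intune compares the reported value with Operand. Keeping the script read-only (it only queries state, never changes it) avoids surprising users at every check-in.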
Windows Defender for Endpoint:
I keep default settings.
When you have configured all the settings you want to check, click Next. On the Actions for noncompliance tab, configure the sequence of actions for noncompliant devices. At least one action must be configured:
In my example I want to notify the user twice that their device is noncompliant (remember the message template we created?). If the user doesn't carry out the remediation steps, we mark the device as noncompliant, and after 30 days the device is marked as retired. It can then be manually removed from the Retire noncompliant devices section.
Click Next. On the Assignments tab I add two dynamic Azure AD groups containing personal and unknown devices:
And then click Create.
Right after enrollment, a Windows 10 device checks for policies and settings every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then roughly every 8 hours. An already enrolled device checks Intune settings every 8 hours. An end user can also trigger a policy check from Company Portal or from Access work or school:
In this example we don't block access to corporate data (that will be covered in the next blog post); we just check the compliance status. To do that, go to Devices – Compliance status:
On this dashboard you get a high-level overview of compliance status and policies.
To get more detailed information go to Devices – Monitor – Compliance:
The Setting compliance report shows information about all of the compliance settings:
Click on a setting to see additional details:
Click on a device name, then on Device compliance:
By default, the Built-in Device Compliance Policy is assigned to all devices. This policy contains three settings:
Click on the setting you created to see its compliance status:
You can also check compliance status from Devices – Compliance policies – <click on policy name>: