|

Microsoft Intune Compliance Policies: Complete Study Guide for IT Admins

ByTechieGeek

Intune Compliance Policies โ€” Study Guide

What Are Compliance Policies?

Compliance policies let you define a set of rules that enrolled devices must meet to be considered “compliant.” When combined with Conditional Access, non-compliant devices get blocked from corporate data. Think of it as two layers: Intune checks the device, and Entra ID enforces the gate.admindroid+1

Before You Create Any Policy

Two tenant-wide settings to configure first under Devices โ†’ Compliance โ†’ Compliance settings:[blog.admindroid]โ€‹

Setting Recommended Value Why
Devices with no policy assigned Not Compliant Unmanaged devices are a risk by default
Compliance status validity period 30 days If a device hasn’t checked in, assume it’s missing updates

Actions for Non-Compliance

These apply to every policy you create. Configure them under Actions for noncompliance:[ninjaone]โ€‹

  • Mark device non-compliant โ€” set a grace period; avoid Immediately if using Device Health settings (requires a reboot first)
  • Send email to end user โ€” uses a notification template; you can stack multiple warnings before blocking
  • Add device to retire list โ€” device won’t be retired until an admin manually triggers it
  • Send push notification โ€” Android and iOS only; not customizable
  • Remotely lock device โ€” iOS and Android only

Notification Templates

Templates are cross-platform and reusable. Create them first before building any policy.[learn.microsoft]โ€‹

Steps: Devices โ†’ Compliance โ†’ Notifications โ†’ +Create notification

Key points:

  • Set corporate branding (pulls from Tenant details)
  • One template must be set as default
  • For multi-national orgs, add one notification per language โ€” each is a separate POST request, not a nested array

To automate via Graph API:

textPOST https://graph.microsoft.com/beta/deviceManagement/notificationMessageTemplates

Two-step process: create the template first, then POST the localized message using the returned template ID.

Windows Compliance Policy Settings

Device Health โš ๏ธ Requires reboot to report

Setting What It Checks
BitLocker Drives are encrypted
Secure Boot UEFI Secure Boot is enabled
Code Integrity Drivers/firmware are not corrupted

Set grace period to at least 0.5 days for these โ€” fresh enrollments won’t have rebooted yet.[learn.microsoft]โ€‹

Device Properties

  • Minimum OS version โ€” format is major.minor.build.revision (e.g., 10.0.26200.7705 for Win 11 25H2 Jan 2026)
  • Maximum OS version โ€” useful for blocking preview builds
  • Valid OS builds โ€” lets you support both Windows 10 and 11 with separate min/max ranges

System Security

  • Password settings (type, length, expiry, reuse history) โ€” these check compliance, they don’t enforce settings
  • Alphanumeric is the recommended password type for extra complexity

Encryption

  • Require encryption of data storage โ€” simpler than BitLocker check, and does not require a reboot

Device Security

Setting Notes
Firewall Windows Firewall must be on and monitoring
TPM Only relevant for Windows 10 (Win 11 requires it anyway)
Antivirus Windows Defender or any Security Center-registered third party
Antispyware Same as above, for anti-spyware

Defender

  • Antimalware โ€” service must be running
  • Minimum version โ€” check current version at microsoft.com/wdsi/defenderupdates
  • Security intelligence up-to-date โ€” signatures must be current
  • Real-time protection โ€” must be enabled and running

Microsoft Defender for Endpoint

Requires separate licensing. Risk score levels: Clear โ†’ Low โ†’ Medium โ†’ High.[learn.microsoft]โ€‹

Deploying the Policy (GUI Steps)

  1. Devices โ†’ Compliance โ†’ Create policy
  2. Select Windows 10 and Later โ†’ Windows 10/11 compliance policy
  3. Add name and description
  4. Configure settings
  5. Set non-compliance actions
  6. Skip Scope tags (unless needed)
  7. Assign to a user group โ€” not a device group for user-based machines[ninjaone]โ€‹
  8. Review and Create

Automating via PowerShell + Graph API

All platforms use the same POST URL โ€” the @odata.type field differentiates them:[oneuptime]โ€‹

textPOST https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies
Platform @odata.type
Windows #microsoft.graph.windows10CompliancePolicy
Android #microsoft.graph.androidCompliancePolicy
iOS #microsoft.graph.iosCompliancePolicy
macOS #microsoft.graph.macOSCompliancePolicy

Non-compliance actions go inside scheduledActionsForRule as a nested array in the JSON body.

Compliance + Conditional Access Flow

Here’s how the two services work together at sign-in:[oneuptime]โ€‹

textUser signs in โ†’ Entra ID evaluates CA policy
             โ†’ Queries Intune for compliance status
             โ†’ Compliant? โœ… Grant access
             โ†’ Non-compliant? โŒ Block + show remediation

Best practices for Conditional Access:[linkedin]โ€‹

  • Always exclude break-glass accounts from CA policies
  • Start new CA policies in report-only mode before enforcing
  • Use tiered compliance โ€” stricter rules for privileged/admin users

โšก Quick-Reference: Common Mistakes

Mistake Fix
Assigning policy to device groups for user machines Assign to user groups instead
Setting Device Health rules with immediate non-compliance Use a grace period โ€” device needs to reboot first
No policy = compliant (default) Set tenant default to Not Compliant
Retiring devices via the retire list automatically The retire list is reporting only โ€” manual admin action required
Testing Conditional Access in enforcement mode immediately Always use report-only first [oneuptime]โ€‹

ย 

LinkedInCopyPinterestRedditTelegramChatGPTSMS

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *