In this post, you will learn how to manage Intune compliance policy settings. Compliance policies protect organizational data by requiring users and devices to meet a defined set of requirements.
Intune compliance policies for devices help protect company data: the organization needs to ensure that the devices used to access company apps and data comply with certain rules. By default, when Intune detects a device that doesn't meet those rules, it immediately marks the device as non-compliant.
When a device isn't compliant, Intune lets you add actions for noncompliance, which gives you the flexibility to decide what happens next. One action to take when a device doesn't meet compliance is to send an email to the device's user; see Send Notifications For Noncompliant Devices In Intune for the steps.
Compliance policy settings are tenant-wide settings that determine how Intune's compliance service interacts with your devices. They are distinct from the settings you configure in an individual device compliance policy.
You can start creating compliance policies from the Intune admin center, either from the Devices node or from the Endpoint security node. For step-by-step guidance, see Create Intune Compliance Policy for Windows and the related posts below.
- Create Intune Compliance Policy For Windows 365 Cloud PC And AVD
- Easiest Method to Enable MFA for Admins using Azure AD Conditional Access
Manage Intune Compliance Policy Settings
The following steps show where to configure the compliance policy settings in Intune.
- Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com/.
- Navigate to Endpoint security > Device compliance > Compliance policy settings.
Compliance policy settings include the following. These settings configure how the compliance service treats devices; each device evaluates them as a "Built-in Device Compliance Policy", which is reflected in device monitoring.
- Mark devices with no compliance policy assigned as: Determines how Intune treats devices that haven't been assigned a device compliance policy.
- Enhanced jailbreak detection (applies only to iOS/iPadOS): Works only with devices that you target with a device compliance policy that blocks jailbroken devices.
- Compliance status validity period (days): Specifies the period within which devices must successfully report on all their received compliance policies.
Before you change these settings, it helps to understand what each one does and which values it accepts. Here's a detailed overview of the available compliance settings:
- Mark devices with no compliance policy assigned as: This setting has two values:
  - Compliant (default): This security feature is off. Devices that aren't sent a device compliance policy are considered compliant. In practice, an enrolled device with no policy assigned still satisfies a Conditional Access rule that requires a compliant device.
  - Not compliant: This security feature is on. Devices that haven't received a device compliance policy are considered non-compliant. If you use Conditional Access together with compliance policies, choose this value so that only devices that have actually been evaluated as compliant can reach your resources.
- Enhanced jailbreak detection: This setting has two values:
  - Disabled (default): This security feature is off. This setting has no effect on devices that receive a device compliance policy that blocks jailbroken devices.
  - Enabled: This security feature is on. Devices that receive a device compliance policy that blocks jailbroken devices use enhanced jailbreak detection. When enabled on an applicable iOS/iPadOS device, the device enables location services at the OS level, which is worth telling users about before you turn it on.
- Compliance status validity period (days): Specify the period within which devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, it is treated as noncompliant. By default, the period is 30 days. You can configure a period from 1 to 120 days.
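The following PowerShell is an added example, not code from the original post, that audits the three tenant-wide settings described above through Microsoft Graph and optionally sets them to the hardened values instead of clicking through the admin center. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and that the beta deviceManagementSettings properties secureByDefault, deviceComplianceCheckinThresholdDays and enhancedJailBreak correspond to the three settings; treat those property names as assumptions and confirm them against the Graph reference before running with -Apply.

```powershell
# Added example (not from the original post): audit and optionally harden the
# tenant-wide compliance policy settings via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; account has
# DeviceManagementConfiguration.ReadWrite.All; the beta deviceManagementSettings
# properties secureByDefault ("Mark devices with no compliance policy assigned
# as Not compliant"), deviceComplianceCheckinThresholdDays (validity period) and
# enhancedJailBreak (enhanced jailbreak detection) map to the settings above.
param(
    [switch]$Apply,                                  # without -Apply this only reports
    [ValidateRange(1, 120)][int]$ValidityDays = 30   # Intune accepts 1..120, default 30
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$baseUri = 'https://graph.microsoft.com/beta/deviceManagement'
$current = (Invoke-MgGraphRequest -Method GET -Uri "$baseUri`?`$select=settings").settings

# Compare the live values with the hardened baseline and collect findings.
$findings = @()
if (-not $current.secureByDefault) {
    $findings += 'Devices with no compliance policy assigned are treated as Compliant (the default); an unassigned device passes a "require compliant device" Conditional Access grant.'
}
if ([int]$current.deviceComplianceCheckinThresholdDays -gt $ValidityDays) {
    $findings += "Compliance status validity period is $($current.deviceComplianceCheckinThresholdDays) days, longer than the $ValidityDays-day baseline."
}
if (-not $current.enhancedJailBreak) {
    $findings += 'Enhanced jailbreak detection is disabled.'
}

if ($findings.Count -eq 0) {
    Write-Host 'Tenant-wide compliance settings match the hardened baseline.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# PATCH only the three settings, leaving the rest of deviceManagementSettings untouched.
if ($Apply -and $findings.Count -gt 0) {
    $body = @{
        settings = @{
            secureByDefault                      = $true
            deviceComplianceCheckinThresholdDays = $ValidityDays
            enhancedJailBreak                    = $true
        }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $baseUri -Body $body -ContentType 'application/json'
    Write-Host 'Settings updated; devices re-evaluate the built-in policy at their next check-in.'
}
```

Run it once without -Apply to see the findings, then with -Apply after confirming the property names for your tenant. Lowering the validity period below the interval at which your fleet actually checks in will mark idle devices noncompliant, so pick the baseline from the Is active data in the Setting compliance report rather than guessing.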
Monitor Device Compliance Policies Setting
In the Intune admin center, you can view details about devices' compliance with the validity period setting by navigating to Devices > Monitor > Setting compliance. The setting appears under the name Is active in the Setting column.

| Setting | Description |
|---|---|
| Has a compliance policy assigned | Default (built-in) policy. Devices must have at least one compliance policy assigned to be compliant. |
| Is active | Default (built-in) policy. The device must regularly contact Intune to be considered compliant. |
| Enrolled user exists | Default (built-in) policy. The user must exist and have a valid Intune license. |
| Antivirus | Require any antivirus solution registered with Windows Security Center to be on and monitoring (e.g. Microsoft Defender or a registered third-party product). |
| Microsoft Defender Antimalware | Require the Microsoft Defender service to be enabled. |
| Minimum OS version | Select the oldest OS version a device can have. The operating system version is defined as major.minor.build.revision. |
| Require Secure Boot to be enabled on the device | Require Secure Boot to be enabled on the device. |
| Trusted Platform Module (TPM) | Require a Trusted Platform Module (TPM) to be present. |
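As an added example that is not from the original post, the following PowerShell checks on a Windows device itself the same signals that the rows above describe (OS version, Secure Boot, TPM, the Defender service and any Security Center registered antivirus), so a helpdesk engineer can see why a device is about to land in the Setting compliance report before Intune shows it. It assumes an elevated session on Windows 10/11; the minimum OS version baseline and the decoding of the Security Center productState field are assumptions of this example, not values from the post.

```powershell
# Added example (not from the original post): local pre-check of the Windows
# compliance signals listed in the table above.
# Assumptions: run elevated on Windows 10/11; the OS baseline below and the
# productState decoding (bit 0x10 of the second hex byte = product enabled)
# are assumptions of this example.
[version]$MinimumOsVersion = '10.0.19045.0'   # assumed baseline, set it to your policy's value

$results = [ordered]@{}

# Minimum OS version, in the same major.minor.build.revision form the policy uses.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
$osVersion = [version]"$($os.Version).$ubr"
$results['Minimum OS version'] = ($osVersion -ge $MinimumOsVersion)

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, which also fails the policy.
try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot'] = $false }

# TPM: the policy only requires presence; readiness is reported separately for context.
$tpm = Get-Tpm
$results['TPM present'] = [bool]$tpm.TpmPresent
$results['TPM ready']   = [bool]$tpm.TpmReady

# Microsoft Defender Antimalware service (Get-MpComputerStatus fails where Defender is absent).
try   { $results['Defender service'] = [bool](Get-MpComputerStatus).AMServiceEnabled }
catch { $results['Defender service'] = $false }

# Any antivirus registered with Windows Security Center that is switched on.
$avEnabled = $false
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($av in $avProducts) {
    $hex     = [Convert]::ToString([int]$av.productState, 16).PadLeft(6, '0')
    $enabled = ([Convert]::ToInt32($hex.Substring(2, 2), 16) -band 0x10) -ne 0
    if ($enabled) { $avEnabled = $true }
    Write-Verbose "$($av.displayName): productState=0x$hex enabled=$enabled"
}
$results['Antivirus on (Security Center)'] = $avEnabled

# Present one row per setting, like the Setting compliance report.
$results.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'Compliant' } else { 'Not compliant' }
    [pscustomobject]@{ Setting = $_.Key; Status = $status }
} | Format-Table -AutoSize
```

Run with -Verbose to see each registered antivirus product and its raw productState. A device that shows Compliant here but Not compliant in the report is usually failing one of the built-in rows (Is active, Enrolled user exists) rather than a device setting, so check those first.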
About Author–Jitesh,Microsoft MVP,has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
- Sign in to the Microsoft Intune admin center.
- Select Devices > Compliance policies > Policies > Create Policy.
- Select a Platform for this policy from the following options: ...
- On the Basics tab, specify a Name that helps you identify it later.
Before you can add custom settings to a policy, you'll need to prepare a JSON file and a detection script for each supported platform. Both the script and the JSON become part of the compliance policy.

How do I check my Intune compliance?
- Sign in to the Microsoft Intune admin center.
- Select Devices > Monitor, and then from below Compliance select the report you want to view. The available compliance reports include: Noncompliant devices. Setting compliance. Policy compliance. Noncompliant policies (preview)
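The custom compliance pieces mentioned above (a detection script plus a JSON rules file), as an added example that is not from the original post: the script below writes both artifacts for a Windows custom compliance setting and dry-runs the evaluation locally the way Intune will. The setting names, the two checks (SMBv1 removed, LSA protection enabled) and the MoreInfoUrl values are assumptions of this example.

```powershell
# Added example (not from the original post): build the detection script and
# the JSON rules file for a Windows custom compliance setting, then dry-run it.
# Assumptions: setting names, the two checks and the MoreInfoUrl values are
# made up for this example; run elevated so the optional-feature query works.

# 1) Detection script. Intune runs it on the device via the management
#    extension and expects one compressed JSON object whose keys match the
#    SettingName values in the rules file.
$detectionScript = @'
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue

$state = @{
    # true when the optional feature is absent or not enabled
    Smb1Disabled  = ($null -eq $smb1 -or $smb1.State -ne 'Enabled')
    # RunAsPPL of 1 or 2 means LSASS runs as a protected process
    LsaProtection = ([int]$lsa.RunAsPPL -ge 1)
}
return $state | ConvertTo-Json -Compress
'@
Set-Content -Path '.\Detect-Hardening.ps1' -Value $detectionScript -Encoding UTF8

# 2) Rules file. Operator/DataType/Operand decide compliance; RemediationStrings
#    is shown to the user in Company Portal, with {ActualValue} filled in by Intune.
$rules = [ordered]@{
    Rules = @(
        [ordered]@{
            SettingName = 'Smb1Disabled'
            Operator    = 'IsEquals'
            DataType    = 'Boolean'
            Operand     = $true
            MoreInfoUrl = 'https://example.org/hardening/smb1'   # assumed URL
            RemediationStrings = @(
                [ordered]@{
                    Language    = 'en_US'
                    Title       = 'SMBv1 must be removed from this device.'
                    Description = 'The SMB1Protocol optional feature is still enabled (detected: {ActualValue}). Remove it and sync the device.'
                }
            )
        },
        [ordered]@{
            SettingName = 'LsaProtection'
            Operator    = 'IsEquals'
            DataType    = 'Boolean'
            Operand     = $true
            MoreInfoUrl = 'https://example.org/hardening/lsa'    # assumed URL
            RemediationStrings = @(
                [ordered]@{
                    Language    = 'en_US'
                    Title       = 'LSA protection must be enabled.'
                    Description = 'RunAsPPL is not set (detected: {ActualValue}). Enable LSA protection and sync the device.'
                }
            )
        }
    )
}
$rules | ConvertTo-Json -Depth 5 | Set-Content -Path '.\Hardening.rules.json' -Encoding UTF8

# 3) Dry run: execute the detection script locally and apply the rules the same
#    way Intune will, so a mismatched key name is caught before upload.
$observed = & '.\Detect-Hardening.ps1' | ConvertFrom-Json
foreach ($rule in $rules.Rules) {
    $actual = $observed.($rule.SettingName)
    $ok     = ($rule.Operator -eq 'IsEquals') -and ($actual -eq $rule.Operand)
    $status = if ($ok) { 'Compliant' } else { 'Not compliant' }
    '{0,-15} actual={1,-5} expected={2,-5} {3}' -f $rule.SettingName, $actual, $rule.Operand, $status
}
```

Upload Detect-Hardening.ps1 under Devices > Compliance policies > Scripts and attach Hardening.rules.json to the policy's Custom Compliance setting. Keep the detection script free of output other than the final JSON; anything else written to the pipeline breaks parsing on the device.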
It allows organizations to maintain granular control over device settings and to push those desktop settings from a cloud-managed mobile device management (MDM) service, Intune. This is completely different from a compliance policy, which simply checks whether devices are within compliance.

How do I access Microsoft Compliance Manager?
- Go to the Microsoft Purview compliance portal and sign in with your Microsoft 365 global administrator account.
- Select Compliance Manager on the left navigation pane. You'll arrive at your Compliance Manager dashboard.
At any time, users can open the Company Portal app, Devices > Check Status or Settings > Sync to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see Win32 app management in Microsoft Intune.