Configure your compliance policy within Intune

Published: June 15, 2023 | Author: René Laas

The purpose of this blog post is to show which compliance configuration options are available within Intune and how to configure them.

In my previous blog post, I explained how to design your compliance policy: why you even need a compliance policy, which stakeholders you need, which configuration options exist, and so on. In my other blog post, I explained how to roll out your compliance policy and a strategy you can use. This blog post will be a bit more technical: a manual for configuring all the configuration options within Intune.

Requirements:

  • Microsoft Intune

Configuration options

Compliance policy settings (Global settings)

Global Compliance policy settings are tenant-wide settings that determine how Intune’s compliance service interacts with your devices. These settings are distinct from the settings you configure in a device compliance policy.

The following (global) Compliance policy settings are available:
  • Mark devices with no compliance policy assigned as
  • Compliance status validity period (days)

Compliance policies

Device compliance policies are a key feature when using Intune to protect your organization’s resources. In Intune, you can create rules and settings that devices must meet to be considered compliant. If the device isn’t compliant, you can block access to data and resources using Conditional Access.

The following Compliance policy settings are available:
  • Custom compliance PowerShell script
  • Device health
    • Require BitLocker
    • Require Secure Boot
    • Require Code Integrity
  • Device Properties
    • Minimum/Maximum OS version
    • Valid operating system builds
  • Configuration Manager Compliance integration
    • Require device compliance from Configuration Manager
  • System Security
    • Password settings
      • Minimum password length
      • Password expiration (days)
      • Etc.
    • Encryption settings
    • Device Security
      • The firewall must be turned on
      • TPM chip available
      • Antivirus is turned on
      • Antispyware is turned on
    • Microsoft Defender
      • Defender antimalware is turned on
      • Minimum version of antimalware
      • Microsoft Defender Antimalware security intelligence up to date
      • Real-time protection
    • Microsoft Defender for Endpoint Integration
      • The machine Risk score must be under
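The first item in the list above, the custom compliance PowerShell script, is the only setting that needs code: a discovery script that runs on the device as SYSTEM and returns one line of compressed JSON, plus a JSON rules file that you upload to Intune and that defines what value each key must have. The block below is an added example, not code from the original post: it writes both files to the current directory on your admin workstation, ready for upload. The two checks it performs (LSA protection via the RunAsPPL registry value, and the SMB1 server protocol being disabled) are this example's choice, and the file names are placeholders. Setting names are case sensitive and must match between the script's hashtable keys and the rules file.

```powershell
# Added example (not part of the original post). Produces two files for Intune's
# custom compliance feature: the discovery script and the JSON rules file.
# Both the checks and the file names are this example's assumptions.

# --- Discovery script: runs on the device as SYSTEM, must output exactly one
# --- line of JSON and nothing else (no Write-Host, no extra output).
$discoveryScript = @'
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
# RunAsPPL = 1 (or 2 with UEFI lock) means LSASS runs as a protected process.
# A missing value is reported as 0 so the rule below fails closed.
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

# Get-SmbServerConfiguration is available on Windows 10 and later.
# Any error (for example the SMB server service being absent) is treated as "not off".
$smb1Off = $false
try {
    $smb1Off = -not (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
} catch { $smb1Off = $false }

$result = @{
    RunAsPPL      = $runAsPpl   # compared as Int64 in the rules file
    Smb1ServerOff = $smb1Off    # compared as Boolean in the rules file
}
return $result | ConvertTo-Json -Compress
'@

# --- Rules file: one rule per key returned by the discovery script.
# --- Operators: IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals.
# --- DataTypes: Boolean, Int64, Double, String, DateTime, Version.
# --- {ActualValue} in the strings is replaced with the discovered value in the Company Portal.
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "RunAsPPL",
      "Operator": "GreaterEquals",
      "DataType": "Int64",
      "Operand": 1,
      "MoreInfoUrl": "https://learn.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "LSA protection must be enabled. Value discovered was {ActualValue}.",
          "Description": "Enable RunAsPPL so LSASS runs as a protected process, then re-check compliance."
        }
      ]
    },
    {
      "SettingName": "Smb1ServerOff",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://learn.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "SMBv1 server must be disabled. Value discovered was {ActualValue}.",
          "Description": "Disable the SMB1Protocol feature on this device and sync again."
        }
      ]
    }
  ]
}
'@

# Placeholder file names; upload the .ps1 under Compliance scripts and the .json
# when adding "Custom compliance" to a Windows compliance policy.
Set-Content -Path '.\Detect-LsaAndSmb1.ps1' -Value $discoveryScript -Encoding UTF8
Set-Content -Path '.\LsaAndSmb1-Rules.json' -Value $rulesJson -Encoding UTF8
```

A practical caveat: the discovery script output is the only thing Intune evaluates, so anything that writes to stdout (a stray Write-Output, a cmdlet that emits objects) breaks the JSON parse and the device is reported as noncompliant rather than as an error. Keep the script silent apart from the final return.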

Noncompliance action

Noncompliance actions are the actions Intune takes when a device fails to meet the compliance policies you have created and configured.

You can set the following noncompliance actions:
  • Mark device noncompliant
  • Send an email to the end-user
  • Send push notification to end user (iOS & Android device only)
  • Remotely lock the noncompliant device (iOS & Android device only)
  • Add device to retire list

Notification

Intune compliance notification is a mechanism to send an alert or message to the user, service desk, or administrators when a device fails to meet the specified compliance policies or standards.

Intune only sends a compliance notification email when an email address is defined in the user's profile. The subject can be at most 78 characters, and the message at most 2000 characters.

You can set the following option for Compliance Notifications:
  • Email header – Include company logo
  • Email footer – Include company name
  • Email footer – Include contact information
  • Company Portal Website Link
  • Locale
  • Subject
  • Message
  • Is Default

When you specify localized messages, end users whose devices become noncompliant receive the message that matches the preferred language in their Microsoft 365 profile.

Note:

In the commercial cloud, notification emails are sent from: [email protected].

In government clouds, notification emails are sent from: [email protected]

How to configure the configuration options in Intune

Compliance policy settings (Global settings)

  • Open Microsoft Intune
  • In the menu select Devices
  • In the sub-menu on the left side, scroll down to Policy
  • Click on Compliance policies
  • The submenu will be replaced by a new submenu
  • Click on Compliance policy settings
  • Change the setting Mark devices with no compliance policy assigned as and the setting Compliance status validity period (days) if needed. From a security point of view, Not compliant is the safer value for the first setting: a device that falls outside every policy then cannot satisfy a Conditional Access rule that requires a compliant device.
  • Click on Save

Notification

  • Open Microsoft Intune
  • In the menu select Devices
  • In the sub-menu on the left side, scroll down to Policy
  • Click on Compliance policies
  • The submenu will be replaced by a new submenu
  • Click on Notifications
  • Click on + Create notification
  • Enter a name for your compliance notification
  • Choose whether to include your company logo, company name, contact information and the Company Portal website link
  • Click on Next
  • Decide if you want to use localized notifications or a default language for your compliance notifications.
  • Configure one subject and message or for each localized notification a subject and message
  • Select your default notification message
  • Click on Next
  • Review your notification and click on Create

Create compliance policies and actions for noncompliance

  • Open Microsoft Intune
  • In the menu select Devices
  • In the sub-menu on the left side, scroll down to Policy
  • Click on Compliance policies
  • The submenu will be replaced by a new submenu
  • Click on Policies
  • Click on + Create Policy
  • Select your platform e.g., Windows 10 and later
  • Click on Create
  • Enter the name of your new compliance policy
  • Set a description if needed and click on Next
  • Set your compliance settings and click on next
  • On the Actions for noncompliance tab, you can set your actions. By default, the action Mark device noncompliant is already set.
  • If you want to set a Compliance notification email, select in the dropdown box Send email to the end-user
  • Set a schedule (the number of days after the device becomes noncompliant) and select the compliance notification message you created earlier
  • If you also want to send the notification to an additional recipient, like your service desk, click on None selected, select the additional recipient, and click on Next
  • You can set multiple actions if needed. When all your actions have been set, click on Next
  • Assign the compliance policy to all users, devices or a specific group and click on Next
  • Review your configuration at the Review + create tab and click on Create
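The portal steps above are what the post walks through. For tenants where you want this to be repeatable (or reviewable in source control), the same policy can be created through Microsoft Graph. The block below is an added example, not code from the original post: it creates a Windows 10 and later compliance policy with a subset of the settings listed earlier, attaches the two noncompliance actions the walkthrough configures (mark noncompliant immediately, email the user after three days), and assigns it to a group. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and that the group ID and notification template ID are placeholders you replace with your own.

```powershell
# Added example (not part of the original post): create and assign a
# Windows 10 and later compliance policy via Microsoft Graph.
# Requires the Microsoft.Graph module; IDs below are placeholders.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$groupId              = '00000000-0000-0000-0000-000000000000'   # placeholder: target group
$notificationTemplate = '11111111-1111-1111-1111-111111111111'   # placeholder: id of the notification created earlier

# Property names are those of the windows10CompliancePolicy resource type;
# each one maps to a portal setting listed earlier in this post.
$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'Windows - Baseline compliance'
    description            = 'Created via Microsoft Graph'
    # Device health
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    # Device properties
    osMinimumVersion       = '10.0.19045.0'      # assumption: pick the build your estate supports
    # System security
    passwordRequired       = $true
    passwordMinimumLength  = 12
    activeFirewallRequired = $true
    tpmRequired            = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    defenderEnabled        = $true
    rtpEnabled             = $true
    signatureOutOfDate     = $true               # despite the name: require security intelligence to be up to date
    # Actions for noncompliance. Graph expects the rule name 'PasswordRequired'
    # here regardless of which settings are configured.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block';        gracePeriodHours = 0;  notificationTemplateId = '';                    notificationMessageCCList = @() }
                @{ actionType = 'notification'; gracePeriodHours = 72; notificationTemplateId = $notificationTemplate; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assignment, equivalent to the Assignments tab in the portal walkthrough.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created policy $($created.id) and assigned it to group $groupId"
```

The 'block' action with a grace period of 0 is what the portal shows as Mark device noncompliant with a schedule of 0 days; the 'notification' action with 72 hours is the email after three days. Add the CC recipients (your service desk) to notificationMessageCCList as group IDs if you want the same additional recipient the portal step configures.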