Now booking Q1 Intune migrations — talk to an engineer.

CyberSystem
← Back to Blog

Intune Compliance Policies: Complete Configuration Guide

Learn how to create, configure, and deploy Intune device compliance policies to ensure devices meet your organization's security requirements and integrate with Conditional Access for enhanced protection.

By Ali Alame
intunecompliance-policiesdevice-complianceconditional-accesssecuritydevice-managementmicrosoft-365

Device compliance policies in Microsoft Intune are sets of rules and conditions that evaluate whether your managed devices meet your organization's security and configuration requirements. These policies help secure organizational data and resources by ensuring only compliant devices can access corporate resources when integrated with Microsoft Entra Conditional Access.

Understanding Intune Compliance Policies

Intune compliance policies are divided into two main areas:

  1. Compliance policy settings - Tenant-wide configurations that act like a built-in compliance policy for every device
  2. Device compliance policies - Platform-specific rules and settings deployed to groups of users or devices

Key Benefits

  • Security Enforcement: Ensure devices meet minimum security requirements
  • Conditional Access Integration: Block noncompliant devices from accessing resources
  • Automated Actions: Configure actions for noncompliant devices (notifications, lock, retire)
  • Compliance Reporting: Monitor device compliance status across your organization
  • Platform Support: Support for Windows, iOS/iPadOS, Android, macOS, and Linux

Compliance Policy Settings

Compliance policy settings are tenant-wide configurations that establish how the Intune compliance service functions for your tenant. These settings are configured in the Microsoft Intune admin center under Endpoint security > Device compliance > Compliance policy settings.

Key Settings

  1. Mark devices with no compliance policy assigned as

    • Compliant (default): Devices without a compliance policy are considered compliant
    • Not compliant: Devices without a compliance policy are considered noncompliant

    Recommendation: Set to Not compliant when using Conditional Access to ensure only devices with explicit compliance policies can access resources.

  2. Compliance status validity period (days)

    • Default: 30 days
    • Range: 1 to 120 days
    • Specifies how long devices must successfully report compliance before being marked noncompliant

For detailed information, see Compliance policy settings.

Creating Device Compliance Policies

Step 1: Access Compliance Policies

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > Compliance > Policies
  3. Select Create policy

Step 2: Select Platform

Choose the platform for your compliance policy:

  • Android device administrator
  • Android Enterprise
  • Android Open Source Project (AOSP)
  • iOS/iPadOS
  • Linux
  • macOS
  • Windows 10 and later
  • Windows 8.1 and later

Important: Each platform requires a separate compliance policy.

Step 3: Configure Compliance Settings

Configure platform-specific compliance rules. Common settings include:

Windows Compliance Settings

  • Device Health:
    • Require BitLocker
    • Require Secure Boot
    • Require Code Integrity
  • System Security:
    • Firewall
    • Antivirus
    • Antispyware
    • Password requirements
  • Defender:
    • Microsoft Defender Antimalware
    • Security intelligence up-to-date
    • Real-time protection

For Windows-specific guidance, see Windows compliance policy settings.

Step 4: Configure Actions for Noncompliance

Actions for noncompliance are time-ordered actions applied to devices that fail to meet compliance requirements:

  1. Mark device noncompliant (default, immediate)
  2. Send email to end user - Notify users about noncompliance
  3. Remotely lock the noncompliant device - After specified days
  4. Retire the noncompliant device - After specified days

Best Practice: Configure grace periods to prevent immediate access loss. For example, set email notifications immediately, then mark as noncompliant after 1 day.

For more information, see Actions for noncompliance.

Step 5: Assign the Policy

  1. Select Assignments
  2. Choose + Select groups to include
  3. Select user or device groups
  4. Optionally exclude specific groups
  5. Select Next

Note: When assigned to a user group, all the user's devices are checked for compliance. Device groups help with compliance reporting.

Step 6: Review and Create

  1. Review all settings
  2. Select Create to save the policy

For step-by-step guidance, see Create a compliance policy in Microsoft Intune.

Integrating with Conditional Access

Conditional Access provides an additional layer of security by using device compliance status to control access to organizational resources.

How It Works

  1. Intune evaluates device compliance based on your compliance policies
  2. Compliance status is reported to Microsoft Entra ID
  3. Conditional Access policies use this status to allow or block access
  4. Noncompliant devices are blocked from accessing protected resources

Configuration Steps

  1. Create Compliance Policies in Intune (as described above)
  2. Create Conditional Access Policy in Microsoft Entra ID:
    • Sign in to Microsoft Entra admin center
    • Navigate to Entra ID > Conditional Access > Policies
    • Create new policy with Require device to be marked as compliant control

For detailed guidance, see Require device compliance with Conditional Access.

Important Considerations

  • Grace Periods: Configure grace periods in compliance policies to prevent immediate lockout
  • User Groups: Ensure user groups match between compliance policies and Conditional Access policies
  • Testing: Use report-only mode in Conditional Access before enforcing policies
  • Emergency Access: Exclude emergency access accounts from Conditional Access policies

For more information, see Integrate with Conditional Access.

Monitoring Compliance

Device Compliance Dashboard

Access the compliance dashboard:

  1. Go to Devices > Compliance
  2. Select the Monitor tab
  3. Review compliance status reports

Compliance Status Categories

  • Compliant: Device successfully applied all compliance policy settings
  • In-grace period: Device is noncompliant but within the grace period
  • Not evaluated: Initial state or device hasn't checked in
  • Not compliant: Device failed to meet one or more compliance requirements

Policy-Based Reports

Each compliance policy provides detailed reporting:

  • Device status: Summary of compliance states
  • View report: Detailed device compliance information
  • Per-setting status: Compliance status for individual settings

For comprehensive monitoring guidance, see Monitor results of your Intune Device compliance policies.

Best Practices

1. Start with Minimal Compliance

Begin with essential compliance settings:

  • Require device encryption
  • Require password/PIN
  • Require minimum OS version
  • Require threat protection

2. Use Grace Periods

Configure grace periods to:

  • Allow users time to remediate issues
  • Prevent immediate access loss
  • Improve user experience

3. Test Before Broad Deployment

  • Deploy to pilot groups first
  • Monitor compliance status
  • Adjust settings based on results
  • Expand to broader groups gradually

4. Coordinate with Conditional Access

  • Ensure user groups match
  • Test Conditional Access in report-only mode
  • Exclude emergency access accounts
  • Document policy relationships

5. Monitor Regularly

  • Review compliance reports weekly
  • Address noncompliant devices promptly
  • Update policies as requirements change
  • Document compliance trends

For planning guidance, see Step 3 – Plan for compliance policies.

Advanced Configurations

Mobile Threat Defense Integration

Integrate Mobile Threat Defense (MTD) partners to enhance compliance:

  • Add MTD data to compliance policies
  • Use threat levels in compliance rules
  • Integrate with Conditional Access

For more information, see Mobile threat defense integration with Intune.

Custom Compliance Settings

For Windows and Linux devices, you can define custom compliance settings:

  • Create JSON files defining compliance values
  • Use discovery scripts to evaluate settings
  • Deploy custom compliance policies

For details, see Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune.

Troubleshooting

Common Issues

  1. Devices Not Reporting Compliance

    • Verify device enrollment
    • Check device check-in status
    • Review network connectivity
    • Ensure policies are assigned

  2. Compliance Conflicts

    • Review all assigned policies
    • Check for overlapping settings
    • Understand conflict resolution rules
    • Use scope tags to organize policies

  3. Conditional Access Not Working

    • Verify compliance policies are created
    • Check user group assignments
    • Review Conditional Access policy configuration
    • Test with report-only mode first

For troubleshooting guidance, see Troubleshooting policies and profiles in Microsoft Intune.

Additional Resources

Conclusion

Intune compliance policies are essential for ensuring devices meet your organization's security requirements. By following these best practices:

✅ Configure tenant-wide compliance policy settings
✅ Create platform-specific compliance policies
✅ Integrate with Conditional Access
✅ Monitor compliance regularly
✅ Use grace periods for better user experience

You can establish a robust compliance framework that protects your organizational resources while maintaining user productivity.

Remember: Compliance policies work best when integrated with Conditional Access. Always test policies in report-only mode before enforcing them, and regularly review compliance reports to identify and address issues promptly.