Intune Compliance Policies Explained
Understand how Intune Compliance Policies work, how to configure them, and how they integrate with Conditional Access to secure your environment.
In a Zero Trust architecture, you should never trust a device just because it's on your network or has a valid username and password. You need to verify that the device itself is healthy and secure. This is where Intune Compliance Policies come in.
What is a Compliance Policy?
A Compliance Policy is a set of rules and settings that a device must meet to be considered "compliant." These rules evaluate the health and configuration of the device.
Examples of Compliance Rules:
- Is the device encrypted (BitLocker/FileVault)?
- Is the OS version up to date?
- Is a complex password/PIN required?
- Is the firewall enabled?
- Is the device jailbroken or rooted?
Compliance vs. Configuration
It's important to distinguish between Compliance Policies and Configuration Profiles:
- Configuration Profiles: Configure settings on the device (e.g., "Turn on BitLocker").
- Compliance Policies: Check if the setting is configured (e.g., "Is BitLocker on?").
While they often work together, Compliance Policies are primarily used for reporting and Conditional Access.
Integrating with Conditional Access
The real power of Compliance Policies is unlocked when combined with Entra ID Conditional Access.
You can create a Conditional Access policy that says:
"Block access to Office 365 UNLESS the device is marked as Compliant."
This ensures that even if a hacker steals a user's credentials, they cannot access corporate data from an unmanaged or insecure device.
Actions for Non-Compliance
What happens when a device fails a check? You can configure Actions for Non-Compliance:
- Mark device non-compliant: Immediate or after a grace period (e.g., 1 day).
- Send email to end user: Notify the user why their device is non-compliant and how to fix it.
- Retire the non-compliant device: Remove corporate data (extreme measure).
- Push notification: Send a notification to the Company Portal app.
Creating a Compliance Policy (Windows Example)
- Navigate: Intune Admin Center > Devices > Compliance.
- Create Policy: Platform: Windows 10 and later.
- Settings:
  - Device Health: Require BitLocker, Require Secure Boot.
  - System Security: Require a password, Minimum password length (e.g., 6), Block simple passwords.
  - Microsoft Defender for Endpoint: Require the device to be at or under the machine risk score (e.g., "Medium").
- Actions: Set "Mark device non-compliant" to Immediately. Add an email action to notify the user.
- Assignment: Assign to "All Users" or specific groups.
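The same Windows policy as an added example, created through Microsoft Graph with the Microsoft.Graph PowerShell SDK rather than the admin center (this is not the article's own code). It assumes the SDK module is installed, uses the property names of the Graph v1.0 windows10CompliancePolicy resource, and the notification template ID is a placeholder you replace with one from your tenant.

```powershell
# Added example: create and assign the Windows baseline compliance policy via Graph.
# Requires the Microsoft.Graph PowerShell SDK and an account that can manage Intune.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$notificationTemplateId = "<YOUR-NOTIFICATION-TEMPLATE-ID>"   # placeholder, tenant-specific

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - Baseline Compliance"
    description   = "BitLocker, Secure Boot, password rules, MDE risk score"
    # Device Health
    bitLockerEnabled  = $true
    secureBootEnabled = $true
    # System Security
    passwordRequired      = $true
    passwordMinimumLength = 6
    passwordBlockSimple   = $true
    # Microsoft Defender for Endpoint: machine risk score must be Medium or lower
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Actions for non-compliance: mark non-compliant immediately (0 h grace) and email the user
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 },
                @{ actionType = "notification"; gracePeriodHours = 0;
                   notificationTemplateId = $notificationTemplateId;
                   notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assignment: all licensed users. Use a groupAssignmentTarget with a groupId to scope to a group.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

After the policy exists, the Conditional Access rule described above ("require device to be marked as compliant") is what turns a failed check into a blocked sign-in.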
Best Practices
- Start with a Baseline: Create a basic policy for each platform (Windows, iOS, Android, macOS).
- Use Grace Periods: Give users 1-3 days to fix minor issues (like an OS update) before blocking access.
- Monitor Reports: Regularly check the "Device compliance" dashboard to identify trends or widespread issues.
- Don't Forget the "Default" Setting: In Compliance settings, ensure "Mark devices with no compliance policy assigned as" is set to Non-compliant. This is a crucial security setting.
Conclusion
Compliance Policies are the gatekeepers of your corporate data. By defining what a "healthy" device looks like and enforcing it via Conditional Access, you significantly reduce the risk of data breaches from compromised or insecure endpoints.