Automate email and add actions for noncompliant devices - Intune

There is an Actions for noncompliance feature that configures a time-ordered sequence of actions. These actions apply to devices that don't meet your compliance policy.

Overview

By default, when Intune detects a device that isn't compliant, Intune immediately marks the device as noncompliant. Azure Active Directory (AD) conditional access then blocks the device. When a device is not compliant, actions for noncompliance also gives you flexibility to decide what to do. For example, don't block the device immediately, and give the user a grace period to be compliant.

There are several types of actions:

  • Send email to end user: Customize an email notification before sending it to the end user. You can customize the recipients, subject, and message body, including company logo, and contact information.

    Additionally, Intune includes details about the noncompliant device in the email notification.

  • Remotely lock the noncompliant device: For devices that are noncompliant, you can issue a remote lock. The user is then prompted for a PIN or password to unlock the device. More on the Remote Lock feature.

  • Mark device non-compliant: Create a schedule (in number of days) after the device is marked not compliant. You can configure the action to take effect immediately, or give the user a grace period to be compliant.

This article shows you how to:

  • Create a message notification template
  • Create an action for noncompliance, such as send an email or remotely lock a device

Before you begin

Create a notification message template

To send email to your users, create a notification message template. When a device is noncompliant, the details you enter in the template is shown in the email sent to your users.

  1. In the Azure portal, select All services, filter on Intune, and select Microsoft Intune.

  2. Select Device compliance > Notifications.

  3. Select Create notification. Enter the following information:

    • Name
    • Subject
    • Message
    • Email header – Include company logo
    • Email footer – Include company name
    • Email footer – Include contact information

    Example of a compliant notification message in Intune

  4. Once you're done adding the information, choose Create. The Notification message template is ready to use. Note that the logo you upload as part of the Company Portal branding will be used for email templates. For more information about Company Portal branding, see Company identity branding customization.

Note

You can also edit a Notification template previously created.

Add actions for noncompliance

When you create a device compliance policy, Intune automatically creates an action for noncompliance. When a device isn't meeting your compliance policy, this action marks the device as not compliant. You can customize how long the device is marked as not compliant. This action can't be removed.

You can also add another action when you create a compliance policy, or update an existing policy.

  1. In the Azure portal, open Microsoft Intune > Device compliance.

  2. Select Policies, choose one of your policies, and then select Properties.

    Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.

    Note

    JAMF devices and devices targeted with device groups cannot receive compliance actions at this time.

  3. Select Actions for noncompliance > Add.

  4. Select your Action:

    • Send email to end users: When the device is noncompliant, choose to email the user. Also:

      • Choose the Message template you previously created
      • Enter any Additional recipients by selecting groups
    • Remotely lock the noncompliant device: When the device is noncompliant, lock the device. This forces the user to enter a PIN or passcode to unlock the device.

    • Schedule: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a conditional access policy. If you enter 0 number of days, then conditional access takes effect immediately. For example, you can block access to corporate resources immediately if a device is noncompliant.

  5. When finished, select Add > OK to save your changes.

Next steps

Monitor the device compliance activity.