Automate actions for noncompliance

The actions for non-compliance allow you to configure a time-ordered sequence of actions that are applied to devices that don't meet the compliance policy criteria. By default, when Intune detects that a device doesn't meet the compliance policy criteria, it immediately marks the device as non-compliant, and Azure AD Conditional Access then blocks the device. The actions for non-compliance give you more flexibility to decide what happens when a device is not compliant. For example, you can decide not to block the device immediately and instead give the user a grace period to become compliant.

There are two types of actions:

  • Notify end-users via e-mail: You can customize the e-mail notification before it is sent to the end user. Intune lets you customize the subject, the message body, the company logo, and the contact information.

  • Mark device non-compliant: You can set a schedule, in number of days after detection, for when the device should be marked not compliant. This can be immediately, but you can also give the user a grace period to become compliant with your device compliance policies.

Before you begin

You need to have at least one device compliance policy created to set up actions for non-compliance.

You need to have Azure AD conditional access set up and ready if you plan to use device compliance policies to block devices from using corporate resources.

Additionally, you need to have a notification message template created. The notification message template is used later in the process of creating actions for non-compliance to send e-mail to your users.

To create a notification message template

  1. Go to the Intune on Azure portal, and sign in with your Intune credentials.

  2. Choose More services from the left menu, then type Intune in the text box filter.

  3. Choose Intune.

  4. Choose Device compliance, then choose Notifications under the Manage section.

  5. Choose Create notification, then enter the following:

    a. Name

    b. Subject

    c. Message

    d. E-mail header – Include company logo

    e. E-mail footer – Include company name

    f. E-mail footer – Include contact information

[Screenshot: notification message template example]

Once you're done adding the information, choose Create. The Notification message template is available for use.

Note

You can also edit a Notification template previously created.

To create actions for non-compliance

Tip

By default, Intune provides one pre-defined action in the actions for noncompliance section: the action that marks the device as not compliant after it is detected to not meet your device compliance policy criteria. You can customize how long after the detection the device gets marked not compliant. This action cannot be removed.

You can add an action when you're creating a new device compliance policy or when you're editing an existing device compliance policy.

  1. In the Intune workload, from the Device compliance policies blade, choose Policies under the Manage section.

  2. Choose a device compliance policy by clicking on it, then choose Properties under the Manage section.

  3. When the device compliance policy properties blade opens, choose Actions for noncompliance.

  4. When the Actions for noncompliance blade opens, choose Add to specify the action parameters. You can choose the message template previously created, additional recipients, and the grace period schedule. The schedule accepts a number of days from 0 to 365; once it elapses, the conditional access policies are enforced. If you specify 0 days, conditional access must immediately block access to corporate resources once the device is non-compliant with the device compliance policies.

  5. Once you're done adding your information, choose Add, then OK.
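The following Python model is an added example, not Intune's own code, that shows how the time-ordered sequence configured above plays out for a device. It applies the rules this article states (0 to 365 day schedules, a required and non-removable mark-noncompliant action, a message template for each notification) and replays the sequence against a detection date; the action kinds, template id and recipient addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_GRACE_DAYS = 365  # the portal accepts a schedule of 0 to 365 days per action

@dataclass
class Action:
    kind: str                          # "notify" or "mark_noncompliant"
    grace_days: int                    # days after detection before the action applies
    template_id: Optional[str] = None  # notification message template (notify only)
    cc: List[str] = field(default_factory=list)  # additional recipients (notify only)

def validate(actions: List[Action]) -> List[Action]:
    """Check a proposed action list against the rules the article states and
    return it as the time-ordered sequence Intune would apply."""
    for a in actions:
        if not 0 <= a.grace_days <= MAX_GRACE_DAYS:
            raise ValueError(f"{a.kind}: schedule must be 0-{MAX_GRACE_DAYS} days")
        if a.kind == "notify" and not a.template_id:
            raise ValueError("notify: a notification message template is required")
    # The mark-noncompliant action is pre-defined and cannot be removed,
    # so a policy carries exactly one of them.
    if sum(a.kind == "mark_noncompliant" for a in actions) != 1:
        raise ValueError("exactly one mark_noncompliant action is required")
    return sorted(actions, key=lambda a: a.grace_days)

def device_state(actions: List[Action], detected_at: datetime,
                 now: datetime) -> Tuple[str, List[str]]:
    """Replay the sequence for a device first detected as not meeting the policy
    at detected_at: returns its status at `now` and the actions fired so far.
    Until the mark_noncompliant schedule elapses the device is still in its
    grace period, so Conditional Access does not yet block it."""
    elapsed_days = (now - detected_at).days
    fired = [a.kind for a in actions if a.grace_days <= elapsed_days]
    status = "noncompliant" if "mark_noncompliant" in fired else "in_grace_period"
    return status, fired

if __name__ == "__main__":
    # Constructed policy: e-mail on detection, remind after 3 days, block after 7.
    policy = validate([
        Action("mark_noncompliant", grace_days=7),
        Action("notify", grace_days=0, template_id="tmpl-constructed-id"),
        Action("notify", grace_days=3, template_id="tmpl-constructed-id",
               cc=["helpdesk@example.com"]),
    ])
    detected = datetime(2024, 1, 1)
    for day in (0, 3, 7):
        print(day, device_state(policy, detected, detected + timedelta(days=day)))
```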

Next steps

You can monitor device compliance activity by running the reports available in the device compliance blade. Learn more about how to monitor device compliance with Intune.