Automate email and add actions for noncompliant devices - Intune

There is an Actions for noncompliance feature that configures a time-ordered sequence of actions. These actions apply to devices that don't meet your compliance policy.

Overview

By default, when Intune detects a device that isn't compliant, Intune immediately marks the device as noncompliant. Azure Active Directory (AD) conditional access then blocks the device. When a device is not compliant, actions for noncompliance also gives you flexibility to decide what to do. For example, don't block the device immediately, and give the user a grace period to be compliant.

There are two types of actions:

  • Notify end users via email: Customize an email notification before sending it to the end user. You can customize the recipients, subject, and message body, including company logo, and contact information.

    Additionally, Intune includes details about the noncompliant device in the email notification.

  • Mark device non-compliant: Create a schedule (in number of days) after the device is marked not compliant. You can configure the action to take effect immediately, or give the user a grace period to be compliant.

Before you begin

  • To set up actions for non-compliance, you need at least one device compliance policy. To create a device compliance policy, see the following platforms:

  • When using device compliance policies to block devices from corporate resources, Azure AD conditional access must be set up. See Conditional access in Azure Active Directory for guidance.

  • A notification message template must be created. To send email to your users, this template is used to create actions for non-compliance.

Create a notification message template

  1. Sign in to the Azure portal with your Intune credentials.

  2. Select All services, filter on Intune, and select Microsoft Intune.

  3. Select Device compliance, then select Notifications.

  4. Select Create notification, and then enter the following information:

    • Name
    • Subject
    • Message
    • Email header – Include company logo
    • Email footer – Include company name
    • Email footer – Include contact information

    Example of a compliant notification message in Intune

Once you're done adding the information, choose Create. The Notification message template is ready to use.

Note

You can also edit a Notification template previously created.

Add actions for noncompliance

By default, Intune automatically creates an action for noncompliance. When a device isn't meeting your compliance policy, this action marks the device as not compliant. You can customize how long the device is marked as not compliant. This action can't be removed.

You can add an action when you create a new compliance policy, or update an existing compliance policy.

  1. In the Azure portal, open Microsoft Intune, and select Device compliance.
  2. Select Policies, choose one of your policies, and then select Properties.

Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.

Note

JAMF devices and devices targeted with device groups cannot receive compliance actions at this time.

  1. Select Actions for noncompliance, and then select Add to enter the action parameters. You can choose the message template previously created, add additional recipients, and update the grace period schedule. You can enter the number of days (0 to 365) on the schedule, then you can enforce the conditional access policies. If you enter 0 number of days, then conditional access immediately blocks access to corporate resources.

  2. When finished, select Add > OK to save your changes.

Next steps

Monitor the device compliance activity by running the reports. How to monitor device compliance with Intune provides some guidance.