Create a compliance policy in Microsoft Intune
Device compliance policies are a key feature when using Intune to protect your organization's resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. If the device isn't compliant, you can then block access to data and resources using conditional access.
You can also take actions for non-compliance, such as sending a notification email to the user. For an overview of what compliance policies do, and how they're used, see get started with device compliance.
- Lists the prerequisites and steps to create a compliancy policy.
- Shows you how to assign the policy to your user and device groups.
- Describes additional features, including scope tags to "filter" your policies, and steps you can take on devices that aren't compliant.
- Lists the check-in refresh cycle times when devices receive policy updates.
Before you begin
To use device compliance policies, be sure you:
Use the following subscriptions:
- If you use conditional access, then you need Azure Active Directory (AD) Premium edition. Azure Active Directory pricing lists what you get with the different editions. Intune compliance doesn't require Azure AD.
Use a supported platform:
- Android Enterprise
- macOS (preview)
- Windows 10
- Windows 8.1
- Windows Phone 8.1
Enroll devices in Intune (required to see the compliance status)
Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren't supported.
Create the policy
In the Azure portal, select All services > filter on Intune > select Intune.
Select Device compliance. You have the following options:
- Overview: Shows a summary and number of devices that are compliant, not evaluated, and so on. It also lists the policies and individual settings in your policies. Monitor Intune device compliance policies provides some good information.
- Manage: Create device policies, send notifications to non-compliant devices, and enable network fencing.
- Monitor: Check the compliance status of your devices, and at the setting and policy level. Monitor Intune device compliance policies is a good resource. Also view logs and check the threat agent status of your devices.
- Setup: Use the built-in compliance policies, enable Windows Defender advanced threat protection (ATP), add a mobile threat defense connector, and use Jamf.
Select Policies > Create Policy. Enter the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Mark iOS jailbroken devices as not compliant.
Description: Enter a description for the policy. This setting is optional, but recommended.
Platform: Choose the platform of your devices. Your options:
- Android enterprise
- Windows Phone 8.1
- Windows 8.1 and later
- Windows 10 and later
Settings: The following articles list and describe the settings for each platform:
When finished, select OK > Create to save your changes. The policy is created, and shown in the list. Next, assign the policy to your groups.
Assign user groups
Once a policy is created, the next step is to assign the policy to your groups:
- Choose a policy you created. Existing policies are in Device compliance > Policies.
- Select the policy > Assignments. You can include or exclude Azure Active Directory (AD) security groups.
- Choose Selected groups to see your Azure AD security groups. Select the user groups you want this policy to apply > Choose Save to deploy the policy to users.
You applied the policy to users. The devices used by the users targeted by the policy are evaluated for compliance.
Evaluate how many users are targeted
When you assign the policy, you can also Evaluate how many users are affected. This feature calculates users; it doesn't calculate devices.
- In Intune, select Device compliance > Policies.
- Select a policy > Assignments > Evaluate. A message shows you how many users are targeted by this policy.
If the Evaluate button is grayed out, make sure the policy is assigned to one or more groups.
Actions for noncompliance
For devices that don't meet your compliance policies, you can add a sequence of actions to apply automatically. You can change the schedule when the device is marked non-compliant, such as after one day. You can also configure a second action that sends an email to the user when the device isn't compliant.
Add actions for noncompliant devices provides more information, including creating a notification email to your users.
For example, you're using the Locations feature, and add a location in a compliance policy. The default action for noncompliance applies when you select at least one location. If the device isn't connected to the selected locations, it's immediately considered not compliant. You can give your users a grace period, such as one day.
Scope tags are a great way to assign and filter policies to specific groups, such as Sales, HR, All US-NC employees, and so on. After you add the settings, you can also add a scope tag to your compliance policies. Use scope tags to filter policies is a good resource.
Refresh cycle times
When checking for compliance, Intune uses the same refresh cycle as configuration profiles. In general, the times are:
|iOS||Every 6 hours|
|macOS||Every 6 hours|
|Android||Every 8 hours|
|Windows 10 PCs enrolled as devices||Every 8 hours|
|Windows Phone||Every 8 hours|
|Windows 8.1||Every 8 hours|
If the device recently enrolled, the compliance check-in runs more frequently:
|iOS||Every 15 minutes for 6 hours, and then every 6 hours|
|macOS||Every 15 minutes for 6 hours, and then every 6 hours|
|Android||Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours|
|Windows 10 PCs enrolled as devices||Every 3 minutes for 30 minutes, and then every 8 hours|
|Windows Phone||Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours|
|Windows 8.1||Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours|
At any time, users can open the Company Portal app, and sync the device to immediately check for a policy.
Assign an InGracePeriod status
The InGracePeriod status for a compliance policy is a value. This value is determined by the combination of a device’s grace period, and a device’s actual status for that compliance policy.
Specifically, if a device has a NonCompliant status for an assigned compliance policy, and:
- the device has no grace period assigned to it, then the assigned value for the compliance policy is NonCompliant
- the device has a grace period that is expired, then the assigned value for the compliance policy is NonCompliant
- the device has a grace period that is in the future, then the assigned value for the compliance policy is InGracePeriod
The following table summarizes these points:
|Actual compliance status||Value of assigned grace period||Effective compliance status|
|NonCompliant||No grace period assigned||NonCompliant|
For more information about monitoring device compliance policies, see Monitor Intune Device compliance policies.
Assign a resulting compliance policy status
If a device has multiple compliance policies, and the device has different compliance statuses for two or more of the assigned compliance policies, then a single resulting compliance status is assigned. This assignment is based on a conceptual severity level assigned to each compliance status. Each compliance status has the following severity level:
When a device has multiple compliance policies, then the highest severity level of all the policies is assigned to that device.
For example, a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level. So, all three policies have the InGracePeriod compliance status.
Send feedback about: