Quickstart: Send notifications to noncompliant devices

In this quickstart, you'll use Microsoft Intune to send an email notification to the members of your workforce that have noncompliant devices.

By default, when Intune detects a device that isn't compliant, Intune immediately marks the device as noncompliant. Azure Active Directory (Azure AD) Conditional Access then blocks the device. When a device isn't compliant, Intune allows you to add actions for noncompliance, which gives you flexibility to decide what to do. For example, you can give users a grace period to be compliant before blocking noncompliant devices.

One action to take when a device doesn't meet compliance is to send email to the device's user. You can also customize an email notification before sending it. Specifically, you can customize the recipients, subject, and message body, including the company logo and contact information. Intune also includes details about the noncompliant device in the email notification.

If you don't have an Intune subscription, sign up for a free trial account.

Prerequisites

When using device compliance policies to block devices from corporate resources, Azure AD Conditional Access must be set up. If you've completed the Create a device compliance policy quickstart, you're using Azure Active Directory. For more information about Azure AD, see Conditional Access in Azure Active Directory and common ways to use Conditional Access with Intune.

Sign in to Intune

Sign in to the Microsoft Endpoint Manager admin center as a Global administrator or an Intune Service administrator. If you've created an Intune Trial subscription, the account you created the subscription with is the Global administrator.

Create a notification message template

To send email to your users, create a notification message template. When a device is noncompliant, the details you enter in the template are shown in the email sent to your users.

  1. In Intune, select Devices > Compliance policies > Notifications > Create notification.

  2. Enter the following information for the Basics step:

    • Name: Contoso Admin
    • Email header – Include company logo: Set to Enabled to show your organization's logo.
    • Email footer – Include company name: Set to Enabled to show your organization's name.
    • Email footer – Include contact information: Set to Enabled to show your organization's contact information.
    • Company Portal Website Link: Set to Disabled.
  3. Click Next.

  4. Enter the following information for the Notification message templates step:

    • Subject: Device compliance
    • Message: Your device is currently not meeting our organization's compliance requirements.
  5. Click Next and review your notification.

  6. Click Create. The notification message template is ready to use.

    Note

    You can also edit a Notification template that was previously created.

For details about setting your company name, company contact information, and company logo, see the following articles:

Add a noncompliance policy

When you create a device compliance policy, Intune automatically creates an action for noncompliance. Intune then marks devices as noncompliant when they fail to meet your compliance policy. You can customize how long the device is marked as noncompliant. You can also add another action when you create a compliance policy, or update an existing compliance policy.

The following steps will create a compliance policy for Windows 10 devices:

  1. In Microsoft Endpoint Manager, select Devices > Compliance Policies > Create Policy.

  2. Under Platform, click Windows 10 and later.

  3. Click Create.

  4. Enter the following information in the Basics step followed by Next:

    • Name: Windows 10 compliance
    • Description: Windows 10 compliance policy
  5. Select System Security to display the device security-related settings.

  6. Configure the following options:

    • Set Require a password to unlock mobile devices to Require. This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices.
    • Set Minimum password length to 6. This setting specifies the minimum number of digits or characters in the password.
  7. Select Next for each of the remaining steps until you reach the Review + create step. Click Create to create your compliance policy.

Add an action for noncompliance

After you have created a noncompliance policy, you can set an action to take place when the device is out of compliance.

The following steps will create an action for noncompliance for Windows 10 devices:

  1. In Microsoft Endpoint Manager, select Devices > Windows > Compliance policies.
  2. Select your Windows 10 compliance policy from the list.
  3. In the Windows 10 compliance policy overview pane, select Properties.
  4. Next to the Action for noncompliance section, click Edit.
  5. In the Action drop-down box, select Send email to end users.
  6. In the Schedule (days after noncompliance) drop-down box, select 0.
  7. Under Message template, click None selected to display the Notification message templates pane.
  8. Click the template you created earlier in this topic, and then click Select to select the message template.
  9. Click Review + save > Save to save your compliance policy.

Assign the policy

You can assign the compliance policy to a specific group of users or to all users. When Intune recognizes that a device is noncompliant, the user is notified that they must update their device to meet the compliance policy. Use the following steps to assign the policy.

  1. In Intune, go to Devices > Compliance policies and select the Windows 10 compliance policy that you created earlier.

  2. Select Properties.

  3. Next to Assignments, click Edit.

  4. In the Assign to drop-down box, select All Users. This will select all users. Any user that has a Windows 10 and later device that doesn't meet this compliance policy will be notified.

    Note

    You can include and exclude groups when assigning compliance policies.

  5. Click Review + save > Save.

When you've successfully created and saved the policy, it will appear in the list of Compliance policies - Policies. Notice in the list that Assigned is set to Yes.
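
The same template, policy, noncompliance action, and assignment can be created by script, which makes the configuration repeatable and reviewable. The following is an added example, not part of the original quickstart: it assumes the Microsoft.Graph.Authentication PowerShell module is installed, uses the Microsoft Graph v1.0 deviceManagement endpoints, and picks the en-us locale and the rule name PasswordRequired as illustrative values.

```powershell
# Added example: scripted equivalent of the portal steps above, via Microsoft Graph.
# Assumes the Microsoft.Graph.Authentication module and an Intune administrator account.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$base = 'https://graph.microsoft.com/v1.0/deviceManagement'

function Invoke-IntunePost([string]$Uri, [hashtable]$Body) {
    # Serialize explicitly so nested arrays and hashtables are not truncated.
    Invoke-MgGraphRequest -Method POST -Uri $Uri -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 10)
}

# Notification message template (Basics step): logo, company name, and contact
# information enabled; the Company Portal link is left out (Disabled).
$template = Invoke-IntunePost "$base/notificationMessageTemplates" @{
    displayName     = 'Contoso Admin'
    brandingOptions = 'includeCompanyLogo,includeCompanyName,includeContactInformation'
}

# Subject and message body. The locale is an assumption; use your tenant's default.
Invoke-IntunePost "$base/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" @{
    locale          = 'en-us'
    subject         = 'Device compliance'
    messageTemplate = "Your device is currently not meeting our organization's compliance requirements."
    isDefault       = $true
}

# Windows 10 compliance policy with the default "mark noncompliant" (block) action
# and the email notification, both scheduled 0 days after noncompliance.
$policy = Invoke-IntunePost "$base/deviceCompliancePolicies" @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows 10 compliance'
    description             = 'Windows 10 compliance policy'
    passwordRequired        = $true
    passwordMinimumLength   = 6
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'   # illustrative rule name (assumption)
        scheduledActionConfigurations = @(
            @{ actionType = 'block'; gracePeriodHours = 0 },
            @{ actionType = 'notification'; gracePeriodHours = 0
               notificationTemplateId = $template.id; notificationMessageCCList = @() }
        )
    })
}

# Assign the policy to All Users.
Invoke-IntunePost "$base/deviceCompliancePolicies/$($policy.id)/assign" @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } })
}
```

Run it in a test tenant first; the policy appears under Devices > Compliance policies with Assigned set to Yes, the same result as the portal steps.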

Next steps

In this quickstart, you used Intune to create and assign a compliance policy for your workforce's Windows 10 devices to require a password of at least six characters in length. For more information about creating compliance policies for Windows devices, see Add a device compliance policy for Windows devices in Intune.

To follow this series of Intune quickstarts, continue to the next quickstart.