Documentation > Articles > Intune Device Compliance

Intune Device Compliance

Understanding Device Compliance in Microsoft Intune

Device compliance is a cornerstone of modern endpoint management, enabling organizations to enforce security policies and protect sensitive data by ensuring devices meet defined health and security requirements before accessing corporate resources.

Microsoft Intune provides a robust framework for defining, assessing, and enforcing device compliance. This allows IT administrators to gain visibility into device health and posture, and to take automated actions against non-compliant devices.

Key Concepts

  • Compliance Policies: These are the rules and settings that define what constitutes a compliant device. They cover aspects like OS version, encryption, password complexity, and more.
  • Device Health: Intune assesses the device's current state against the defined compliance policies.
  • Conditional Access: This Azure AD feature leverages device compliance status to grant or deny access to corporate applications and data.
  • Remediation: Actions taken to bring a non-compliant device back into compliance.

Creating and Assigning Compliance Policies

Follow these steps to create and assign compliance policies within the Microsoft Intune portal:

  1. Navigate to the Microsoft Endpoint Manager admin center.
  2. Go to Devices > Compliance policies.
  3. Click Create policy.
  4. Select the Platform (e.g., Android, iOS/iPadOS, macOS, Windows 10 and later).
  5. Click Create.
  6. On the Basics tab, provide a Name and an optional Description for your policy.
  7. On the Compliance settings tab, configure the various settings for your policy. These settings are categorized by platform.
  8. On the Actions for noncompliance tab, define the actions Intune should take for devices that do not meet the policy requirements. This can include marking devices as noncompliant, restricting device access, or requiring device restart.
  9. On the Assignments tab, select the Azure AD groups to which you want to assign this policy.
  10. Review your policy settings and click Create to save and deploy the policy.
Note: Ensure that your users are members of the groups you assign policies to. For Windows devices, you can configure settings like require device to be at or beyond the Windows 10 version, require all installed mobile apps to be approved.

Actions for Noncompliance

When a device fails to meet the defined compliance policies, Intune can be configured to take specific actions to address the situation. These actions help enforce security and minimize risk.

Common Actions Include:

  • Mark device as noncompliant: The default action, clearly indicating the device's status.
  • Remote isolate device: Temporarily restrict the device's network access.
  • Require device to be updated to the latest OS: Prompt the user to update their operating system.
  • Disable the device: Prevent the device from being used until compliance is restored.
  • Delete the device: Remove the device from Intune management (use with caution).

You can also define a grace period during which users can remediate their devices before they are marked as noncompliant or restricted by Conditional Access.

Tip: Configure multiple actions with increasing severity over time or based on specific compliance failures to encourage user remediation.

Integrating with Conditional Access

Device compliance is most powerful when integrated with Azure Active Directory (Azure AD) Conditional Access policies. Conditional Access uses signals, including device compliance status, to make access decisions.

How it works:

  1. Define compliance policies in Intune.
  2. Intune assesses devices and reports their compliance status to Azure AD.
  3. Create an Azure AD Conditional Access policy that targets specific cloud apps or actions.
  4. In the Conditional Access policy, grant access only if the device is marked as 'Require device to be marked as compliant'.

This ensures that only healthy and secure devices can access sensitive corporate resources like Microsoft 365 applications.

Important: Without a Conditional Access policy, marking a device as compliant or noncompliant in Intune has no effect on resource access.

Monitoring Device Compliance

Regularly monitoring device compliance is crucial for maintaining a secure endpoint environment.

Key areas to monitor in Intune:

  • Device compliance overview: A dashboard providing a high-level summary of device compliance status.
  • Device status: Detailed information on the compliance status of individual devices.
  • Policy status: Reports on how devices are conforming to specific compliance policies.
  • User status: Insights into compliance across different user groups.

Utilize Intune's reporting capabilities to identify trends, pinpoint problematic devices, and proactively address compliance issues.

© 2023 Microsoft. All rights reserved.