How to Manage Intune Compliance Policy Settings

In this post, you will learn how to manage Intune Compliance Policy Settings. The compliance policies protect organizational data by requiring users and devices to meet some requirements.

Intune Compliance Policy for device help to protect company data; the organization needs to ensure that the devices used to access company apps and data comply with certain rules. By default, when Intune detects a device that isn’t compliant, Intune immediately marks the device as non-compliant.

When a device isn’t compliant, Intune allows you to add actions for noncompliance, which gives you the flexibility to decide what to do. One action to take when a device doesn’t meet compliance is to send an email to the user of the device, here’s how you can Send Notifications For Noncompliant Devices In Intune.

Compliance policy settings are tenant-wide settings that determine how Intune’s compliance service interacts with your devices. These settings are distinct from those you configure in a device compliance policy.

Patch My PC

You can start creating compliance policies from the Intune admin center. The Devices Node and from the Endpoint Security node. The following steps will Create Intune Compliance Policy for Windows.

Manage Intune Compliance Policy Settings

To manage the compliance policy settings, The following steps provide you with details on how to configure compliance policy settings in Intune.

Adaptiva
Manage Intune Compliance Policy Settings Fig.1
Manage Intune Compliance Policy Settings Fig.1

Compliance policy settings include the following settings, These settings configure how the compliance service treats devices. Each device evaluates these as a “Built-in Device Compliance Policy”, which is reflected in device monitoring.

  • Mark devices with no compliance policy assigned as This setting determines how Intune treats devices that haven’t been assigned a device compliance policy.
  • Enhanced jailbreak detection (applies only to iOS/iPadOS) This setting works only with devices that you target with a device compliance policy that blocks jailbroken devices.
  • Compliance status validity period (days) Specify a period in which devices must successfully report on all their received compliance policies.
Manage Intune Compliance Policy Settings Fig.2
Manage Intune Compliance Policy Settings Fig.2

It is important to understand how it works and the available options to configure before you proceed to set it up. Here’s a detailed overview of the available compliance settings:

  • Mark devices with no compliance policy assigned as This setting has two values:
    • Compliant (default): This security feature is off. Devices that aren’t sent a device compliance policy are considered compliant.
    • Not compliant: This security feature is on. Devices that haven’t received a device compliance policy are considered non-compliant.
  • Enhanced jailbreak detection This setting has two values:
    • Disabled (default): This security feature is off. This setting has no effect on your devices that receive device compliance policy that blocks jailbroken devices.
    • Enabled: This security feature is on. Devices that receive device compliance policy to block jailbroken devices use the Enhanced jailbreak detection. When enabled on an applicable iOS/iPadOS device, the device: Enables location services at the OS level.
  • Compliance status validity period (days) Specify when devices must successfully report on all their received compliance policies. If a device fails to report its compliance status for a policy before the validity period expires, it is treated as noncompliant. By default, the period is set to 30 days. You can configure a period from 1 to 120 days.

Monitor Device Compliance Policies Setting

In Intune portal, You can view details about devices compliance with the validity period setting. By Navigating to the Devices > Monitor > Setting compliance. This setting has a name of Is active in the Setting column.

Manage Intune Compliance Policy Settings Fig.3
Manage Intune Compliance Policy Settings Fig.3
SettingDescription
Has a compliance policy assignedDefault policy. Devices must have at least one compliance policy assigned to be compliant.
Is activeDefault policy. Device must regularly contact Intune to be considered compliant.
Enrolled user existsDefault policy. The user must exist and have a valid Intune license.
AntivirusRequire any Antivirus solution registered with Windows Security Center to be on and monitoring (e.g DigiCert, Microsoft Defender)
Microsoft Defender AntimalwareRequire the Microsoft Defender service to be enabled.
Minimum OS versionSelect the oldest OS version a device can have. The operating system version is defined as major.minor.build.revision. 
Require Secure Boot to be enabled on the deviceRequire Secure Boot to be enabled on the device
Trusted Platform Module (TPM)Require Trusted Platform Module (TPM) to be present
Table 1 – Manage Intune Compliance Policy Settings

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

2 thoughts on “How to Manage Intune Compliance Policy Settings”

  1. Sadly, because Microsoft can’t leave anything alone for five minutes, your instructions are already out of date.

    I have many Entra-hybrid joined computers that refuse to go into Intune and I cannot figure out why.

    Windows Automatic enrollment is set up. MDM User Scope is ALL and MAM is None. Of about 140 PCs, only 97 are showing in Intune.

    Any ideas?

    Reply
  2. Hi Cathy,

    This article isn’t regarding Hybrid joining endpoints though.

    If devices fail to enroll into Intune after hybrid joining, it’s usually due to stale enrollments or user credential issues.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.