How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered

In this post, we will see how to set up an Intune Compliance Policy for Windows 10. Managing Windows 10 devices is very critical in modern device management.

Intune compliance policies are the first layer of protection before access to corporate applications is granted.

The purpose of an Intune Compliance Policy for Windows 10 is to help protect company data: the organization needs to make sure that the devices used to access company apps and data comply with certain rules. These rules might include requiring a password or PIN to access the device and encrypting the data stored on it.

Such a set of rules is called a compliance policy. The best option is to use compliance policies together with Azure AD Conditional Access.

Video

Check out the video tutorial on setting up Intune compliance policies for Windows 10 here.

  • Intune Compliance policy setup for Android Devices here
  • Intune Compliance policy setup for iOS Devices here

How to set up Intune Compliance Policy for Windows 10 in the Microsoft Endpoint Manager portal?

1.  Sign in to the MEM portal with an account that has Intune admin access.

2.  Select More services, enter Intune in the text box, and then press Enter.


3. Select Intune > Device Compliance > Compliance Policies, then click the +Create policy button to create a new compliance policy and select the platform as “Windows 10”.

4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal Windows 10 compliance policies.

There are 3 categories of settings in Windows 10 compliance policies: Device Health, Device Properties, and System Security.


5. Device Health is the setting where the compliance engine checks whether Windows 10 devices are reported as healthy by the Windows Device Health Attestation Service (HAS). The Device Health Attestation Service includes many checks, such as TPM 2.0 (for the latest build of Windows 10 the requirement is TPM 1.0), BitLocker encryption, etc.

6. Device Properties is the setting where Intune Admins define the minimum and maximum operating system versions allowed for corporate application access. The Operating System Version settings are:

  • Minimum OS version
  • Maximum OS version
  • Minimum OS version for mobile devices
  • Maximum OS version for mobile devices

7. System Security is the setting where Intune Admins define password policies for Windows devices. There are 2 sections in these settings: Password and Encryption. Password Policy – You don’t need to set the Windows password policy here if you are already using “Windows Hello for Business.” The password settings are:

  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type (Device default, Alphanumeric, Numeric)
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Require a password when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy. The encryption section has a single setting:

  • Encryption of data storage on a device

8. Deploy the Windows 10 compliance policy to the “All Windows devices” dynamic device group.

(Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies.)

Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.
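To make the three setting categories from steps 5 to 7 concrete, here is an added example (not part of the original post) that evaluates a device report against a Windows 10 compliance policy. The property names follow the Microsoft Graph windows10CompliancePolicy resource; the evaluator, the device report fields and the sample values are a simplified, constructed model, not Intune's actual compliance engine.

```python
# Added example: a local model of how the Device Health, Device Properties and
# System Security settings are checked against what a device reports.

def parse_version(v: str) -> tuple:
    """'10.0.19041.1' -> (10, 0, 19041, 1) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

WINDOWS10_POLICY = {  # mirrors steps 5-7; display name is constructed
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows 10 baseline compliance",
    "requireHealthyDeviceReport": True, "bitLockerEnabled": True,   # Device Health (HAS)
    "secureBootEnabled": True, "codeIntegrityEnabled": True,
    "osMinimumVersion": "10.0.19041.0", "osMaximumVersion": "10.0.22631.9999",  # Device Properties
    "passwordRequired": True, "passwordBlockSimple": True,          # System Security
    "passwordMinimumLength": 8, "passwordMinutesOfInactivityBeforeLock": 15,
    "storageRequireEncryption": True,
}

BOOL_CHECKS = {  # constructed device-report field that satisfies each boolean setting
    "requireHealthyDeviceReport": "hasReportedHealthy", "bitLockerEnabled": "bitLocker",
    "secureBootEnabled": "secureBoot", "codeIntegrityEnabled": "codeIntegrity",
    "passwordRequired": "passwordSet", "passwordBlockSimple": "simplePasswordBlocked",
    "storageRequireEncryption": "storageEncrypted",
}

def evaluate(policy: dict, device: dict) -> list:
    """Return the policy settings the device fails; an empty list means compliant."""
    failures = [k for k, f in BOOL_CHECKS.items() if policy.get(k) and not device.get(f)]
    os_ver = parse_version(device["osVersion"])   # component-wise, so 19041 > 9200
    if os_ver < parse_version(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    if os_ver > parse_version(policy["osMaximumVersion"]):
        failures.append("osMaximumVersion")
    if device.get("passwordMinLength", 0) < policy["passwordMinimumLength"]:
        failures.append("passwordMinimumLength")
    # The device's lock timeout must be no longer than the policy's maximum.
    if device.get("lockAfterMinutes", float("inf")) > policy["passwordMinutesOfInactivityBeforeLock"]:
        failures.append("passwordMinutesOfInactivityBeforeLock")
    return failures

SAMPLE_DEVICE = {  # constructed report: HAS says healthy, but BitLocker is off and the build is old
    "osVersion": "10.0.18363.1", "hasReportedHealthy": True, "bitLocker": False,
    "secureBoot": True, "codeIntegrity": True, "passwordSet": True,
    "simplePasswordBlocked": True, "storageEncrypted": True,
    "passwordMinLength": 8, "lockAfterMinutes": 15,
}

if __name__ == "__main__":
    print(evaluate(WINDOWS10_POLICY, SAMPLE_DEVICE))  # ['bitLockerEnabled', 'osMinimumVersion']
```

Because of the component-wise version compare, a device on build 10.0.9200 is correctly treated as older than the 10.0.19041 minimum, which a plain string comparison would get wrong.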


Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.