What happens when a device becomes non-compliant in Intune?

When a device becomes non-compliant, Intune can take several actions based on your configuration. Actions include marking the device as non-compliant (immediately or after a grace period), sending email notifications to users, remotely locking or retiring the device, and blocking access to corporate resources through Conditional Access policies. You can configure multiple actions with different time delays to give users opportunity to remediate.

How often does Intune check device compliance status?

Intune evaluates device compliance at several points - during device enrollment, when a user opens the Company Portal app, when a compliance policy is updated, and during periodic refresh cycles. Windows devices check in approximately every 8 hours, while iOS and Android devices check in approximately every 8 hours as well. Users can manually sync their device through Company Portal for immediate compliance evaluation.

Can I create different compliance policies for different device platforms?

Yes, compliance policies in Intune are platform-specific. You must create separate policies for Windows, macOS, iOS/iPadOS, Android Enterprise, and Android device administrator. This allows you to configure platform-appropriate security requirements, such as BitLocker for Windows or FileVault for macOS, while maintaining consistent security standards across your device fleet.

What is the difference between compliance policies and configuration profiles?

Compliance policies evaluate whether a device meets security requirements and report compliant/non-compliant status, which can trigger Conditional Access. Configuration profiles actively configure device settings such as Wi-Fi, VPN, or restrictions. Think of compliance policies as the auditor that checks settings and configuration profiles as the implementer that applies settings. Use both together for comprehensive device management.

How to Configure Compliance Policies in Microsoft Intune

Device compliance policies are the foundation of a Zero Trust security model in Microsoft Intune. By defining and enforcing security requirements across your device fleet, you ensure that only trusted devices can access your organization's resources. This guide covers creating, configuring, and deploying compliance policies for all major platforms.

Overview

Compliance policies work alongside Conditional Access to protect your organization:

Compliance policies define what makes a device "compliant" (encryption, OS version, password complexity, etc.)
Intune evaluates enrolled devices against these policies
Conditional Access can block non-compliant devices from accessing corporate resources
Users receive notifications to remediate compliance issues

Platform	Key Compliance Settings
Windows	BitLocker, Secure Boot, TPM, Defender, password
macOS	FileVault, password, system integrity, Gatekeeper
iOS/iPadOS	Passcode, jailbreak detection, OS version
Android	Encryption, rooting detection, Google Play Protect

Prerequisites

Before configuring compliance policies, ensure you have:

Licensing Requirements:

Microsoft Intune license
Azure AD Premium P1 (for Conditional Access integration)
Microsoft Defender for Endpoint (for threat-level compliance, optional)

Administrative Access:

Global Administrator, Intune Administrator, or Policy and Profile Manager role
Access to Microsoft Intune admin center (intune.microsoft.com)

Technical Requirements:

Devices enrolled in Intune
Configuration profiles deployed (if checking for specific configurations)
Email notification configured (for compliance notifications)

Step 1: Configure Compliance Policy Settings

Before creating individual policies, configure organization-wide compliance settings.

Configure Device Compliance Settings

Sign in to the Microsoft Intune admin center: https://intune.microsoft.com
Navigate to Devices > Compliance > Compliance policy settings
Configure the following settings:

Mark devices with no compliance policy assigned:

Not compliant: Devices without policies are marked non-compliant (recommended)
Compliant: Devices without policies are marked compliant (less secure)

Enhanced jailbreak detection (iOS only):

Enabled: Provides better detection of jailbroken iOS devices
Uses additional checks beyond standard jailbreak detection

Compliance status validity period (days):

Default: 30 days
Devices must check in within this period or become non-compliant
Recommended: 14-30 days depending on security requirements

Click Save

Configure Notification Templates

Create email templates for compliance notifications:

Navigate to Devices > Compliance > Notifications
Click Create notification
Configure the template:
- Name: "Device Non-Compliance Warning"
- Subject: "Action Required: Your device is not compliant"
- Email header: Include company logo (optional)
- Message body: Explain the compliance issue and remediation steps
- Email footer: Include support contact information
Example message body:

Your device does not meet the security requirements for accessing company resources.

Please take action to resolve the following compliance issues within [number] days:
##NonComplianceReasons##

To check and resolve these issues:
1. Open the Company Portal app on your device
2. Navigate to Devices and select this device
3. Follow the instructions to resolve compliance issues

If you need assistance, contact IT Support at [email protected].

Your access to company email and applications may be restricted until your device is compliant.

Click Create

Step 2: Create Windows Compliance Policy

Windows compliance policies can evaluate security features like BitLocker, Defender, and secure boot.

Create the Policy

Navigate to Devices > Compliance > Policies
Click Create policy
Select:
- Platform: Windows 10 and later
- Profile type: Windows 10/11 compliance policy
Click Create
Enter Name: "Windows Security Compliance Policy"
Enter Description: "Enforces security requirements for Windows devices"

Configure Compliance Settings

Click Next and configure each category:

Device Health:

Setting	Recommended Value	Description
Require BitLocker	Require	Device must have drive encryption
Require Secure Boot	Require	Validates boot integrity
Require code integrity	Require	Validates driver/system file integrity

Device Properties:

Setting	Recommended Value	Description
Minimum OS version	10.0.19045.0	Windows 10 22H2 or later
Maximum OS version	Not configured	Allow newer versions
Minimum OS build	Not configured	Or specify build number

Configuration Manager Compliance:

Skip unless using co-management with Configuration Manager

System Security:

Setting	Recommended Value	Description
Require a password	Require	Device must have password
Password type	Alphanumeric	Letters and numbers required
Minimum password length	8	Minimum characters
Maximum minutes of inactivity before password required	5	Lock screen timeout
Password expiration (days)	Not configured	Or set rotation period
Number of previous passwords to prevent reuse	5	Password history
Require encryption of data storage	Require	Enforce storage encryption
Firewall	Require	Windows Firewall must be enabled
Antivirus	Require	Antivirus solution required
Antispyware	Require	Antispyware solution required
Microsoft Defender Antimalware	Require	Defender specifically required
Microsoft Defender Antimalware minimum version	Not configured	Or specify version
Microsoft Defender Antimalware signature up to date	Require	Signatures must be current
Real-time protection	Require	Real-time scanning enabled

Microsoft Defender for Endpoint:

Setting	Recommended Value	Description
Require the device to be at or under the machine risk score	Medium	Maximum acceptable risk level

Options: Clear, Low, Medium, High

Configure Actions for Noncompliance

Click Next to reach Actions for noncompliance
The default action "Mark device noncompliant" is always present
Click Add to configure additional actions:

Action	Schedule (Days)	Description
Mark device noncompliant	0	Immediate or add grace period
Send email to end user	1	Send notification after 1 day
Send push notification to end user	1	Mobile notification
Remotely lock the noncompliant device	7	Lock device after 7 days
Retire the noncompliant device	30	Remove management after 30 days

For Send email to end user:
- Select your notification template
- Configure additional recipients (user's manager, IT admins)

Assign the Policy

Click Next to reach Assignments
Under Included groups, click Add groups
Select target groups:
- "All Windows Devices" (dynamic group)
- Or specific device groups
Under Excluded groups, add any exceptions:
- Test devices
- Kiosk devices with different requirements
Click Next, review settings, and click Create

Step 3: Create macOS Compliance Policy

macOS compliance policies evaluate Apple-specific security features.

Create the Policy

Navigate to Devices > Compliance > Policies
Click Create policy
Select:
- Platform: macOS
- Profile type: macOS compliance policy
Click Create
Enter Name: "macOS Security Compliance Policy"

Configure Compliance Settings

Device Health:

Setting	Recommended Value	Description
Require system integrity protection	Require	SIP must be enabled
Require a device password	Require	Device must have password

Device Properties:

Setting	Recommended Value	Description
Minimum OS version	14.0	macOS Sonoma or later
Maximum OS version	Not configured	Allow newer versions
Minimum OS build version	Not configured	Or specify build

System Security - Password:

Setting	Recommended Value	Description
Password type	Alphanumeric	Letters and numbers
Minimum password length	8	Minimum characters
Maximum minutes of inactivity until password is required	5	Screen lock timeout
Password expiration (days)	Not configured	Or set rotation
Number of previous passwords to prevent reuse	5	Password history

Encryption:

Setting	Recommended Value	Description
Encryption of data storage on device	Require	FileVault must be enabled

Device Security:

Setting	Recommended Value	Description
Firewall	Require	macOS firewall enabled
Incoming connections	Block	Block unsolicited connections
Gatekeeper	Require	Only allow identified developers

Microsoft Defender for Endpoint:

Setting	Recommended Value	Description
Require the device to be at or under the machine risk score	Medium	Maximum acceptable risk

Configure Actions and Assign

Follow the same process as Windows:

Configure actions for noncompliance with appropriate schedules
Assign to macOS device groups
Exclude test or special-purpose devices

Step 4: Create iOS/iPadOS Compliance Policy

iOS compliance policies focus on passcode, jailbreak detection, and device health.

Create the Policy

Navigate to Devices > Compliance > Policies
Click Create policy
Select:
- Platform: iOS/iPadOS
- Profile type: iOS/iPadOS compliance policy
Click Create
Enter Name: "iOS Security Compliance Policy"

Configure Compliance Settings

Device Health:

Setting	Recommended Value	Description
Jailbroken devices	Block	Block compromised devices
Require the device to be at or under the Device Threat Level	Medium	If using MTD solution

Device Properties:

Setting	Recommended Value	Description
Minimum OS version	17.0	iOS 17 or later
Maximum OS version	Not configured	Allow newer versions
Minimum OS build version	Not configured	Or specify build

System Security:

Setting	Recommended Value	Description
Require a password	Require	Device must have passcode
Simple passwords	Block	Prevent simple passcodes like 1234
Minimum password length	6	Minimum digits/characters
Required password type	Numeric	Or Alphanumeric for higher security
Maximum minutes of inactivity until screen locks	5	Auto-lock timeout
Password expiration (days)	Not configured	Or set rotation
Number of previous passwords to prevent reuse	5	Password history
Restrict app data transfer between Outlook and other apps	Require	Managed apps only

Microsoft Defender for Endpoint:

Setting	Recommended Value	Description
Require the device to be at or under the machine risk score	Medium	Maximum acceptable risk

Configure Actions and Assign

Configure actions for noncompliance
Assign to iOS device groups
Consider separate policies for supervised vs unsupervised devices

Step 5: Create Android Compliance Policy

Android compliance varies based on enrollment type. This covers Android Enterprise.

Create the Policy

Navigate to Devices > Compliance > Policies
Click Create policy
Select:
- Platform: Android Enterprise
- Profile type: Select based on enrollment type:
  - Fully managed, dedicated, and corporate-owned work profile (corporate devices)
  - Personally-owned work profile (BYOD)
Click Create
Enter Name: "Android Enterprise Compliance Policy"

Configure Compliance Settings (Corporate-Owned)

Device Health:

Setting	Recommended Value	Description
Rooted devices	Block	Block compromised devices
Require device to be at or under Device Threat Level	Medium	If using MTD
Google Play Services is configured	Require	Required for management
Up-to-date security provider	Require	Security patch required
SafetyNet device attestation	Check basic integrity	Verify device integrity

Device Properties:

Setting	Recommended Value	Description
Minimum OS version	13.0	Android 13 or later
Minimum security patch level	Set date	Require recent patches

System Security:

Setting	Recommended Value	Description
Require a password	Require	Device must have password
Required password type	Numeric complex	At minimum
Minimum password length	6	Minimum characters
Maximum minutes of inactivity before password required	5	Lock screen timeout
Password expiration (days)	Not configured	Or set rotation
Number of previous passwords to prevent reuse	5	Password history
Encryption	Require	Storage encryption required

Work Profile Compliance (BYOD)

For personally-owned work profiles, additional settings include:

Setting	Recommended Value	Description
Require a password to unlock work profile	Require	Separate work profile password
Work profile password type	Numeric complex	Work profile complexity
Minimum work profile password length	6	Work profile minimum

Step 6: Configure Conditional Access Integration

Compliance policies gain their full power when integrated with Conditional Access.

Create Compliance-Based Conditional Access Policy

Navigate to Endpoint security > Conditional Access or use the Azure portal
Click Create new policy
Configure the policy:

Name: "Require Compliant Device for Office 365"

Assignments:

Users: All users (exclude emergency access accounts)
Cloud apps: Office 365

Conditions:

Device platforms: All platforms or specific platforms
Client apps: Browser, Mobile apps and desktop clients

Access controls - Grant:

Select Grant access
Check Require device to be marked as compliant
Check Require multifactor authentication (optional but recommended)
For multiple controls: Require all the selected controls

Session:

Configure sign-in frequency if needed

Enable policy: Start with Report-only, then enable
Click Create

Verify Conditional Access Enforcement

Test with a non-compliant device:
- Access should be blocked
- User sees error message with remediation steps
Test with a compliant device:
- Access should be granted
Monitor in Conditional Access insights and sign-in logs

Best Practices

Policy Design

Start with baseline policies: Deploy minimum security requirements first
Use grace periods: Give users time to remediate before blocking access
Test thoroughly: Use Report-only mode for Conditional Access
Document requirements: Communicate compliance requirements to users
Regular reviews: Audit policies quarterly for relevance

Platform-Specific Recommendations

Windows:

Always require BitLocker and Secure Boot
Use Defender for Endpoint integration for threat detection
Consider TPM requirements for high-security environments

macOS:

FileVault encryption is essential
System Integrity Protection should never be disabled
Gatekeeper prevents unauthorized software installation

iOS/iPadOS:

Jailbreak detection is critical
Consider separate policies for supervised devices
Balance security with user experience for passcode requirements

Android:

Require SafetyNet attestation
Security patch requirements help maintain device security
Consider work profile password separate from device password

Notification Strategy

Warn before blocking: Send emails before restricting access
Clear instructions: Include specific remediation steps
Support information: Provide IT contact details
Escalation path: Include manager notifications for extended non-compliance

Troubleshooting

Device Showing Non-Compliant

Symptoms: Device appears non-compliant in Intune.

Diagnosis:

In Intune, go to Devices > All devices
Select the device > Device compliance
Review which settings are non-compliant
Check Per-setting status for specific issues

Common Causes and Solutions:

Issue	Cause	Solution
BitLocker not detected	BitLocker disabled or suspended	Enable BitLocker on device
Password doesn't meet requirements	User password too simple	User must change password
OS version too old	Device needs updates	Install Windows/macOS updates
Firewall disabled	User or app disabled firewall	Re-enable Windows Firewall
Defender signatures outdated	Updates not applied	Run Windows Update

Compliance Status Not Updating

Symptoms: Device compliance status appears stale.

Solutions:

On the device, open Company Portal and sync manually
For Windows, run: Invoke-IntuneSyncCycle in PowerShell
Wait for next scheduled check-in (up to 8 hours)
Restart the Intune Management Extension service (Windows)

Conditional Access Blocking Compliant Devices

Symptoms: Compliant devices are still blocked by Conditional Access.

Solutions:

Verify device appears as compliant in Intune
Check Azure AD device record matches Intune
Use Conditional Access What If tool to diagnose
Review sign-in logs for specific error codes
Verify device is Azure AD registered/joined

Policy Not Applying to Devices

Symptoms: Compliance policy not evaluating devices.

Solutions:

Verify policy is assigned to correct groups
Check device is in an assigned group
Review Assignment status in policy details
Verify no conflicting exclusions
Force device sync and wait 15-30 minutes

Monitoring and Reporting

Built-in Reports

Access compliance reports in Intune:

Navigate to Devices > Monitor
Review available reports:
- Noncompliant devices: Devices failing compliance
- Devices without compliance policy: Unassigned devices
- Setting compliance: Per-setting compliance rates

Custom Reporting

Navigate to Reports > Device compliance
Generate reports:
- Policy compliance: Per-policy compliance rates
- Setting compliance: Specific setting compliance
- Device compliance trend: Historical compliance data
Export reports for further analysis or executive reporting

Compliance Dashboard

Navigate to Devices > Overview
Review compliance widgets:
- Device compliance status: Pie chart of compliance
- Device compliance trend: Line graph over time
- OS distribution: Breakdown by platform

Next Steps

After configuring compliance policies:

Enable Conditional Access: Enforce compliance requirements for resource access
Configure remediation: Deploy configuration profiles to auto-remediate settings
Set up alerts: Create notifications for compliance policy failures
User communication: Send guides on maintaining device compliance
Regular audits: Review compliance rates and adjust policies

Additional Resources

Need help with your Intune compliance strategy? InventiveHQ offers comprehensive Microsoft Endpoint Manager consulting, including compliance policy design and Zero Trust implementation. Contact us for a free consultation.

How to Configure Compliance Policies in Microsoft Intune

Overview

Prerequisites

Step 1: Configure Compliance Policy Settings

Configure Device Compliance Settings

Configure Notification Templates

Step 2: Create Windows Compliance Policy

Create the Policy

Configure Compliance Settings

Configure Actions for Noncompliance

Assign the Policy

Step 3: Create macOS Compliance Policy

Create the Policy

Configure Compliance Settings

Configure Actions and Assign

Step 4: Create iOS/iPadOS Compliance Policy

Create the Policy

Configure Compliance Settings

Configure Actions and Assign

Step 5: Create Android Compliance Policy

Create the Policy

Configure Compliance Settings (Corporate-Owned)

Work Profile Compliance (BYOD)

Step 6: Configure Conditional Access Integration

Create Compliance-Based Conditional Access Policy

Verify Conditional Access Enforcement

Best Practices

Policy Design

Platform-Specific Recommendations

Notification Strategy

Troubleshooting

Device Showing Non-Compliant

Compliance Status Not Updating

Conditional Access Blocking Compliant Devices

Policy Not Applying to Devices

Monitoring and Reporting

Built-in Reports

Custom Reporting

Compliance Dashboard

Next Steps

Additional Resources

Frequently Asked Questions

Need Professional IT & Security Help?

Related Articles

How to Deploy Applications via Microsoft Intune

How to Enroll macOS Devices in Microsoft Intune

How to Enroll Windows Devices in Microsoft Intune