BlogFirst lesson
Sign Up

Understanding compliance policies

Compliance policies are a great way to verify a device is configured and secure as you expect. You don't need a compliance policy for every setting in a configuration profile but you will want one to verify certain settings like passwords and encryption or verify the machine risk level. Let's jump in and take a look.

Creating a Windows compliance policy

1. Go to Microsoft Endpoint Manager admin center > Devices > Windows > Compliance policies. Click Create Policy. Set Platform to Windows 10 and later. Click Create.

Create a compliance policy

2. Set the name to Windows 10 Compliance Policy. Click Next.

3. Set Device Health > Require Bitlocker to Require. Click Next.

Windows 10 Compliance Policy Setting Encryption

4. Set the Schedule (days after noncompliance) to 5. Click Next.

Mark device noncompliant

5. Set the included assignments to a group or All users. Click Next. Click Create.

Understanding assignments

The compliance policy assignments work the same way they do for configuration profiles. You can review the assignments in that lesson under the section "Understanding assignments in Intune". Remember, exclusions take precedence over inclusions. Don't mix device and user groups on the same policy. Lastly, a compliance policy created for Windows 10 won't affect Google or Apple devices. It will only affect Windows 10.

Let's take a quick example to make sure you're familiar with assignments.

You have one Windows 10 Device named Device1. It is a member of 2 groups GroupA and GroupB. You have the 4 compliance policies in the chart below:

Compliance Policy Chart

Which policies will apply to Device1? Policy1 and Policy2. Policy1 because it has a platform of Windows 10 and includes all devices. Policy2 because it has a platform of Windows 10 and includes GroupA. Not Policy3 because it has an exclusion of GroupB. So even though it applies to Windows 10 and GroupA the exclusion takes precedence. Not Policy4 because it applies to Android devices.

Understanding actions for noncompliance

Actions for noncompliance

Compliance policies have a section that configuration profiles don't, that's the actions for noncompliance. In short, this section says "what happens when a device is not compliant?"

You can delay how long before a device is flagged as non-compliant as we did in the compliance policy above. That's important because you can create a conditional access policy to block noncompliant devices. Let's take an example.

Let's say you create a compliance policy called Policy1 and set the Mark device noncompliant 10 days after noncompliance The policy requires an Android device to be encrypted. Then a user enrolls a device on June 1st, 2022 but the device isn't encrypted. Will the device be compliant on June 5th? What about June 11th? The device will be marked compliant on June 5th because the compliance policy will flag the device as noncompliant for 10 days. On June 11th the device will be marked as noncompliant.

Mark devices with no compliance policy as

So, what happens to a device with no compliance policy? Is it flagged as compliant or noncompliant? The question depends on how you configure your tenant. It can be either-or. Let's jump in and take a look.

1. Go to Microsoft Endpoint Manager admin center > Devices > Compliance policies > Compliance policy settings.

2. Set Mark devices with no compliance policy assigned as Not compliant. Click Save.

Mark devices with no compliance policy assigned

How to block noncompliant devices

By now in the lessons, you should have the devices enrolled in Intune. And a compliance policy setting the devices as compliant or noncompliant. So how do we block noncompliant devices? By using a conditional access policy!

1. Open Azure Active Directory admin center > All services > Azure AD Conditional Access. Click New Policy > Create new policy.

2. Set the name to Block noncompliant devices. Click 0 users or workload identities selected > All Users.

Add all user to conditional access policy

3. Click Exclude > Users and groups > search for your break-glass account and click on it. Click Select.

Exclude break glass account from conditional access policy

4. Click No cloud apps, actions, or authentication contents selected > Select apps > Office 365 > Select.

Set cloud apps

5. Click 0 controls selected located under Grant > Check Require device to be marked as compliant. Click Select. Under Enable policy click On. Click Create.

Require device to be marked as compliant

Quarantine devices that don't have Intune

Now that we have devices in Intune and conditional access policies verifying the devices are compliant what about our non-managed devices? In short, what about our break glass accounts? For those, we will want to quarantine any phones that attempt to connect to Exchange Online. Let's jump in and configure quarantining for any device that isn't covered by our conditional access policy.

1. Go to Exchange admin center > Classic Exchange admin center > Mobile > Edit.

2. Set Connection Settings to Quarantine then click Save.

Configure Microsoft 365 to quarantine mobile devices

How to allow a quarantined device

Now when someone that's not covered by the conditional access policy attempts to log on to their email using a mobile device their device will be quarantined. In short, they won't receive email until an admin goes in and approves the device. They'll receive a message that says the following:

"Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined. You don't need to take any action. Content will automatically be downloaded as soon as access is granted by your administrator."
Your device is temporarily blocked from accessing content via Exchange ActiveSync because the device has been quarantined

An admin will then need to allow the device to connect. To allow a quarantined device to connect perform the following:

1. Go to Exchange admin center > Classic Exchange admin center > mobile.

2. Click the quarantined device and click Allow.

Allow device through quarantine