
Compliance Policies

Compliance policies define the rules a device must meet to be considered compliant. Non-compliant devices can be blocked from accessing Microsoft 365 resources via Conditional Access.

Intune admin center → Devices → Compliance


Windows Compliance Policy

Create a policy for Windows 10 and later:

Intune admin center → Devices → Compliance → Create policy → Windows 10 and later

Device Health

| Setting | Value |
|---|---|
| Require BitLocker | Require |
| Require Secure Boot to be enabled | Require |
| Require code integrity | Require |

Device Properties

| Setting | Value |
|---|---|
| Minimum OS version | 10.0.19041 (Windows 10 2004; this build is long out of support, so raise the value to the oldest build you still service) |
| Maximum OS version | Leave blank |

System Security

| Setting | Value |
|---|---|
| Require a password to unlock mobile devices | Require |
| Simple passwords | Block |
| Password type | Alphanumeric |
| Minimum password length | 8 |
| Maximum minutes of inactivity before password is required | 5 |
| Firewall | Require |
| Antivirus | Require |
| Antispyware | Require |
| Microsoft Defender Antimalware | Require |
| Microsoft Defender Antimalware minimum version | 4.18 |
| Microsoft Defender Antimalware security intelligence up-to-date | Require |
| Real-time protection | Require |

Microsoft Defender for Endpoint (if licenced)

| Setting | Value |
|---|---|
| Require the device to be at or under the machine risk score | Medium or Low |

Actions for non-compliance

| Action | Schedule |
|---|---|
| Mark device non-compliant | Immediately (any delay here is the per-policy grace period; devices in that window still pass a Conditional Access compliance check) |
| Send email to end user | 1 day (requires a notification message template created under Devices → Compliance → Notifications) |
| Retire non-compliant device | 30 days (optional, adjust per policy) |
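The same Windows policy can be created with Microsoft Graph PowerShell instead of clicking through the admin center, which makes the settings reviewable and repeatable across tenants. The block below is an added example and is not code from the original page; it assumes the Microsoft.Graph module is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and uses a placeholder policy name and notification template name.

```powershell
# Added example, not from the original page: create the Windows compliance policy
# above through Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is
# installed and the caller has DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# "Send email to end user" needs a notification template (Devices > Compliance > Notifications).
# The template display name below is an assumption; the action is skipped if it does not exist.
$template = Get-MgDeviceManagementNotificationMessageTemplate -All |
    Where-Object DisplayName -eq "Compliance reminder" | Select-Object -First 1

# gracePeriodHours: 0 = Immediately, 24 = 1 day, 720 = 30 days (matches the actions table).
$actions = @(
    @{ actionType = "block";  gracePeriodHours = 0;   notificationTemplateId = ""; notificationMessageCCList = @() }
    @{ actionType = "retire"; gracePeriodHours = 720; notificationTemplateId = ""; notificationMessageCCList = @() }
)
if ($template) {
    $actions += @{ actionType = "notification"; gracePeriodHours = 24
                   notificationTemplateId = $template.Id; notificationMessageCCList = @() }
}

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - Baseline compliance"   # placeholder name
    description   = "BitLocker, Secure Boot, code integrity, Defender, password, MDE risk score"

    # Device Health
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true

    # Device Properties (10.0.19041 = Windows 10 2004, as in the table above)
    osMinimumVersion = "10.0.19041"

    # System Security
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = "alphanumeric"
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 5
    activeFirewallRequired                = $true
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    defenderEnabled                       = $true
    defenderVersion                       = "4.18"
    signatureOutOfDate                    = $true   # security intelligence must be up to date
    rtpEnabled                            = $true

    # Microsoft Defender for Endpoint: machine risk score at or under Medium
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"

    # Actions for non-compliance. Graph rejects a policy without at least one "block" action.
    scheduledActionsForRule = @(
        @{ ruleName = "PasswordRequired"; scheduledActionConfigurations = $actions }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName
```

The policy is created unassigned. Assign it to a device or user group afterwards (in the admin center, or with the policy's assign action), because Conditional Access only sees compliance results for devices that actually have a policy evaluated against them.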

iOS / iPadOS Compliance Policy

Device Health

| Setting | Value |
|---|---|
| Jailbroken devices | Block |

Device Properties

| Setting | Value |
|---|---|
| Minimum OS version | 16.0 |

System Security

| Setting | Value |
|---|---|
| Require a password to unlock mobile devices | Require |
| Simple passwords | Block |
| Minimum password length | 6 |
| Maximum minutes after screen lock before password is required | 5 |
| Maximum minutes of inactivity until screen locks | 2 |
| Password expiration (days) | 365 |
| Number of previous passwords to prevent reuse | 5 |
| Encryption of data storage on device | Require |

Android Enterprise Compliance Policy

Device Health

| Setting | Value |
|---|---|
| Rooted devices | Block |
| Require the device to be at or under the device threat level | Medium (this setting is fed by a Mobile Threat Defense connector; if Defender for Endpoint is integrated, use the separate "machine risk score" setting under Microsoft Defender for Endpoint, as in the Windows policy) |

Device Properties

| Setting | Value |
|---|---|
| Minimum OS version | 12.0 |

System Security

| Setting | Value |
|---|---|
| Require a password to unlock mobile devices | Require |
| Required password type | Numeric complex or Alphanumeric |
| Minimum password length | 6 |
| Maximum minutes of inactivity before password required | 5 |
| Encryption of data storage on device | Require |
| Block apps from unknown sources | Block |
| Company Portal app runtime integrity | Require |
| Threat scan on apps (Google Play Protect) | Require |

macOS Compliance Policy

| Setting | Value |
|---|---|
| System Integrity Protection (SIP) | Require |
| Firewall | Require |
| FileVault (Encryption of data storage on device) | Require |
| Minimum OS version | 13.0 (Ventura) |
| Password required | Require |
| Minimum password length | 8 |

Compliance Grace Period

A grace period is set per policy, not tenant-wide: in a policy's Actions for non-compliance, schedule "Mark device non-compliant" after a number of days instead of Immediately. A device inside that window reports the state inGracePeriod and still satisfies a Conditional Access "require compliant device" grant, so keep the window short and use Immediately for the controls you rely on most (disk encryption, Secure Boot, Defender).

The tenant-wide settings live on a separate page:

Intune admin center → Devices → Compliance → Compliance settings

| Setting | Value |
|---|---|
| Mark devices with no compliance policy assigned as | Not compliant (otherwise a device with no policy assigned counts as compliant and passes Conditional Access) |
| Enhanced jailbreak detection | Enabled (iOS/iPadOS only; uses location services to force more frequent check-ins) |
| Compliance status validity period | 30 days (a device that does not check in within this period is marked non-compliant; 30 is the default, the maximum is 120, and a shorter period catches stale devices sooner) |
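Because a delayed "mark non-compliant" action silently extends the window in which a failing device keeps access, it is worth auditing both the tenant settings above and every policy's schedule. The block below is an added example, not code from the original page; it assumes the Microsoft.Graph module is installed, that the caller holds DeviceManagementConfiguration.Read.All, and reads the v1.0 deviceManagement settings properties (secureByDefault, deviceComplianceCheckinThresholdDays) and the deviceCompliancePolicies collection with its scheduled actions expanded.

```powershell
# Added example, not from the original page: audit tenant compliance settings and
# each policy's "mark non-compliant" grace period via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller has DeviceManagementConfiguration.Read.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Tenant-wide settings (Devices > Compliance > Compliance settings).
# secureByDefault = $true means "Mark devices with no compliance policy assigned as: Not compliant".
$dm = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement?$select=settings'
[PSCustomObject]@{
    NoPolicyMeansNotCompliant = $dm.settings.secureByDefault
    ValidityPeriodDays        = $dm.settings.deviceComplianceCheckinThresholdDays
}

# Every compliance policy with its scheduled actions, following @odata.nextLink for paging.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' +
       '?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)'
$policies = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $policies += $page.value
    $uri = $page.'@odata.nextLink'
}

# One row per policy: the block action's grace period (0 = Immediately) and the other actions.
foreach ($p in $policies) {
    $cfgs  = @($p.scheduledActionsForRule | ForEach-Object { $_.scheduledActionConfigurations })
    $block = $cfgs | Where-Object actionType -eq 'block' | Select-Object -First 1
    [PSCustomObject]@{
        Policy          = $p.displayName
        Platform        = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')
        BlockGraceHours = $(if ($block) { $block.gracePeriodHours } else { 'none' })
        OtherActions    = (($cfgs | Where-Object actionType -ne 'block' |
                            ForEach-Object { "$($_.actionType)@$($_.gracePeriodHours)h" }) -join ', ')
    }
}
```

Any policy whose BlockGraceHours is above 0 is granting a grace period; a value of none means the policy has no block action at all and will never mark a device non-compliant.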

Monitoring Compliance

```powershell
# Install Microsoft Graph PowerShell if needed
Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Get all non-compliant devices. complianceState can also be inGracePeriod, conflict,
# error or unknown; only devices already marked 'noncompliant' are returned here.
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, LastSyncDateTime |
    Sort-Object LastSyncDateTime -Descending

# Get compliance summary by platform. Devices in a grace period or in an
# unknown/error state are reported in their own column rather than hidden in either count.
Get-MgDeviceManagementManagedDevice -All |
    Group-Object OperatingSystem |
    ForEach-Object {
        $os = $_.Name
        $total = $_.Count
        $compliant    = @($_.Group | Where-Object { $_.ComplianceState -eq "compliant" }).Count
        $noncompliant = @($_.Group | Where-Object { $_.ComplianceState -eq "noncompliant" }).Count
        [PSCustomObject]@{
            OS = $os; Total = $total; Compliant = $compliant; NonCompliant = $noncompliant
            Other = ($total - $compliant - $noncompliant)
        }
    }
```