Device Compliance & Configuration Policies in Microsoft Intune
Objective of Day-9
By the end of Day-9, you will be able to:
- Explain compliance vs configuration clearly
- Create and assign compliance policies
- Troubleshoot non-compliant devices
- Understand how Conditional Access uses compliance
1. Compliance vs Configuration (MOST IMPORTANT)
| Feature | Compliance Policy | Configuration Profile |
|---|---|---|
| Purpose | Decide device trust | Apply settings |
| Result | Compliant / Non-Compliant | Settings enforced |
| Used by CA | Yes | No |
| Blocks access | Yes | No |
Golden rule:
Compliance = decision
Configuration = enforcement
2. What is a Device Compliance Policy?
A compliance policy checks whether a device:
- Has a password
- Is encrypted
- Is up-to-date
- Is not jailbroken/rooted
If any condition fails → the device becomes Non-Compliant
3. Where to Create Compliance Policies
Steps:
- Intune Admin Center → Devices
- Device compliance
- Policies
- Create policy
- Choose platform (Windows / iOS / Android)
4. Common Compliance Settings (Windows Example)
Typical checks:
- Require BitLocker
- Require password
- Minimum OS version
- Maximum OS version
- Firewall enabled
Note: These settings do not configure BitLocker; they only check its status.
5. Assigning Compliance Policies
Steps:
- Select compliance policy
- Assignments
- Select user or device group
- Save
Best practice:
Use user groups, not devices.
6. What Happens When a Device Is Non-Compliant?
- Device status = Non-Compliant
- User still signs in (initially)
- Conditional Access evaluates status
- Access may be blocked
Note: Intune itself does not block access; Conditional Access does.
7. Grace Period (Very Important)
Admins can define a grace period.
Example:
- Device becomes non-compliant
- User gets time (e.g. 3 days) to fix it
- After the grace period → access blocked
Note: This prevents sudden user outages.
8. What is a Configuration Profile?
A configuration profile:
- Enforces settings
- Changes device behavior
Examples:
- Enforce BitLocker
- Password complexity
- Disable USB storage
- Wi-Fi profiles
9. Create Configuration Profile (Windows)
Steps:
- Intune → Devices
- Configuration profiles
- Create profile
- Platform: Windows 10 and later
- Profile type: Settings catalog
10. Compliance Without Configuration (Common Mistake)
Scenario:
- Compliance policy requires BitLocker
- No configuration profile to enable BitLocker
Result:
- Device becomes non-compliant
- User blocked
- Admin escalation
Rule: Deploy the configuration profile first, then the compliance policy that checks for it.
11. Monitoring Compliance Status
Steps:
- Intune → Devices
- All devices
- Select device
- Device compliance
You can see:
- Compliance state
- Failed rules
- Last check-in time
12. Troubleshooting Non-Compliant Devices
Checklist:
- License assigned?
- Correct policy assigned?
- OS supported?
- Device synced recently?
- Grace period expired?
Note: about 90% of issues come down to assignment or licensing.
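The checklist above (section 12) and the grace-period behaviour from section 7, worked through as a small triage script. This is an added example, not part of the original Day-9 notes: it runs over constructed device records shaped roughly like Microsoft Graph managedDevice objects, and the "licensed" and "policyAssigned" flags and the minimum OS version are hypothetical stand-ins for the checks an admin would make in the portal.

```python
from datetime import datetime, timedelta, timezone
# Fixed "now" for the constructed sample so the results are deterministic.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
MIN_OS_VERSION = (10, 0, 19045, 0)   # hypothetical "Minimum OS version" rule
STALE_AFTER = timedelta(days=3)      # no check-in for this long = "not synced recently"
# Constructed sample records (not from any real tenant). complianceState, osVersion,
# lastSyncDateTime and complianceGracePeriodExpirationDateTime mirror managedDevice
# properties; "licensed" and "policyAssigned" are hypothetical flags standing in for
# the license and policy-assignment checks from the checklist.
DEVICES = [
    {"deviceName": "LAPTOP-01", "complianceState": "noncompliant", "osVersion": "10.0.19045.0",
     "lastSyncDateTime": "2024-03-10T09:00:00Z", "licensed": True, "policyAssigned": True,
     "complianceGracePeriodExpirationDateTime": "2024-03-12T09:00:00Z"},
    {"deviceName": "LAPTOP-02", "complianceState": "noncompliant", "osVersion": "10.0.18363.0",
     "lastSyncDateTime": "2024-03-01T08:00:00Z", "licensed": True, "policyAssigned": False,
     "complianceGracePeriodExpirationDateTime": "2024-03-05T08:00:00Z"},
    {"deviceName": "LAPTOP-03", "complianceState": "compliant", "osVersion": "10.0.22631.0",
     "lastSyncDateTime": "2024-03-10T11:30:00Z", "licensed": True, "policyAssigned": True,
     "complianceGracePeriodExpirationDateTime": "9999-12-31T23:59:59Z"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def os_tuple(version):
    return tuple(int(part) for part in version.split("."))

def triage(device, now=NOW):
    """Run the Day-9 checklist on one device and state the expected access outcome."""
    causes = []
    if not device["licensed"]:
        causes.append("no Intune license")
    if not device["policyAssigned"]:
        causes.append("no compliance policy assigned")
    if os_tuple(device["osVersion"]) < MIN_OS_VERSION:
        causes.append("OS below minimum version")
    if now - parse_ts(device["lastSyncDateTime"]) > STALE_AFTER:
        causes.append("stale check-in")
    in_grace = now < parse_ts(device["complianceGracePeriodExpirationDateTime"])
    # Intune only records the state; blocking happens in Conditional Access,
    # and only once the grace period has expired.
    if device["complianceState"] == "compliant":
        access = "allowed"
    elif in_grace:
        access = "allowed (grace period)"
    else:
        access = "blocked by Conditional Access"
    return {"device": device["deviceName"], "causes": causes, "access": access}

def triage_all(devices=DEVICES, now=NOW):
    return [triage(d, now) for d in devices if d["complianceState"] != "compliant"]
```

An empty causes list on a non-compliant device means none of the checklist items explains it, so the next step is reading the failed rules on the device's compliance blade (section 11).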
13. Real-World Admin Insight
Never deploy:
- Compliance + Conditional Access together on Day-1
Always:
- Configure → Monitor → Enforce → Block
End of Day-9 Outcome
You can now:
- Design compliance policies safely
- Explain Intune trust logic
- Avoid user lockouts
- Prepare for Conditional Access
Day-10 Preview
Day-10: Conditional Access + Intune
- How CA evaluates identity & device
- "Require compliant device" explained
- Common CA mistakes
- Real incident scenarios
