Intune compliance: tips from the field

Introduction

Niklas Tinner
4 min read · Apr 9, 2024

This post should serve as a little overview of Intune compliance and related topics, presenting tips from the field. For a better understanding of compliance in Intune in general, please check my full post: Enforce device compliance (oceanleaf.ch)

Tip 1: Split compliance policy for DHA ✔️

I often see environments that have only one Windows compliance policy with all settings in place, with the actions for noncompliance set to mark the device as noncompliant immediately.

Some settings can’t be validated immediately, though. This makes the device noncompliant (especially right after enrollment) and is often considered failing by design. The settings that cannot be validated immediately are those related to Windows Device Health Attestation (DHA) in particular:

  • BitLocker
  • Secure Boot
  • Code integrity

DHA, however, requires a restart of the device before it can report back to Intune and satisfy the compliance state. Read more in this official post

Therefore, I recommend removing those 3 settings from the main Windows compliance policy and creating a separate one that contains only those settings. Set the action for noncompliance to allow 1 day before the device is marked as noncompliant. With this, all your devices should appear as compliant right after enrollment 😁

Tip 2: Custom compliance repo 🛃

Alex Verboon created a public GitHub repository with useful custom compliance scripts and content.

Custom compliance in Intune allows you to build individual checks for your endpoints that need to be fulfilled to be compliant. What you need for this is:

  • Compliance script: a PowerShell detection script that detects states on the system
  • JSON file: a JSON file that identifies the settings and value pairs that you want to use for custom compliance
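The pair described above, as an added example (not code from this post or from Alex Verboon's repository): Part 1 is the detection script you upload to Intune, Part 2 writes the matching JSON rules file. The setting names, the MoreInfoUrl values and the minimum build number 19045 are assumed for the example.

```powershell
# Added example, not from the post or Alex Verboon's repo. Setting names,
# URLs and the minimum build 19045 are assumptions for illustration.
# ---- Part 1: detection script (upload only this part as the compliance script) ----
# It must emit exactly one compressed JSON object; each key is a rule SettingName.
# Fail closed: if the firewall cmdlet returns nothing, report non-compliant.
$profiles   = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue)
$firewallOn = ($profiles.Count -gt 0) -and (@($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)
# Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuardOn = [bool]($dg.SecurityServicesRunning -contains 1)
$osBuild     = [int64](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$state = @{
    FirewallAllProfilesEnabled = $firewallOn    # Boolean rule
    CredentialGuardRunning     = $credGuardOn   # Boolean rule
    OsBuild                    = $osBuild       # Int64 rule
}
$state | ConvertTo-Json -Compress
# ---- Part 2: JSON rules file (uploaded separately; SettingNames must match Part 1) ----
$rules = @'
{
  "Rules": [
    { "SettingName": "FirewallAllProfilesEnabled", "Operator": "IsEquals",
      "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/firewall",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Windows Firewall must be enabled on all profiles.",
        "Description": "Discovered value: {ActualValue}" } ] },
    { "SettingName": "CredentialGuardRunning", "Operator": "IsEquals",
      "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/credential-guard",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Credential Guard is not running on this device.",
        "Description": "Discovered value: {ActualValue}" } ] },
    { "SettingName": "OsBuild", "Operator": "GreaterEquals",
      "DataType": "Int64", "Operand": 19045,
      "MoreInfoUrl": "https://example.invalid/os-build",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Windows build is below the assumed minimum 19045.",
        "Description": "Discovered build: {ActualValue}" } ] }
  ]
}
'@
$rules | Set-Content -Path '.\CustomComplianceRules.json' -Encoding UTF8
```

Running the whole file locally prints the JSON that Intune would receive and writes the rules file next to it, so you can check that every key in the output has a matching rule before uploading.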

Tip 3: Compliance action send email to user and additional recipients 📬

Another action for noncompliance is to send the end user and additional recipients an email informing them that their device is noncompliant. For this you need a compliance policy notification template to specify the look and content. More on this can be found here

If you want to send the mail notification to additional recipients, you need a Microsoft 365 group with a mail address. Add the members that should have access to the group and its inbox.

The mail sent contains the information specified in the template and has the additional recipients on CC.

❗ However, by default the additional-recipients Microsoft 365 group will not receive these mails, because of a configuration issue. You need to manually configure its settings in Outlook as follows:

This checkbox is not enabled by default and must be enabled, because the compliance mails come from an external sender address: microsoft-noreply@microsoft.com

Afterwards you should also receive the compliance mails in the group mailbox. Delivery of those mails takes ~10 min to 1.5 h after a device becomes noncompliant.
