Part 4 – Compliance policies

Part 4 – Compliance policies

1. Create a dynamic group targetting all MDM managed Windows 10 devices

Navigate to the Microsoft Endpoint Manager dashboard. Click on ‘Groups’ – ‘All groups’. Click on ‘New Group’.

Create a New Security Group, Group name: SG_All_MDMDevices_W10, set group description, and choose Dynamic Device.

Then click on ‘Add dynamic query’.

Use the following query to target all Windows 10 devices managed by Intune:

(device.DeviceOSType -startsWith “Windows”) -and (device.managementType -eq “MDM”)

Click “Edit Query’ & click ‘OK’ & then click ‘Save’. At last click on ‘Create’.

Follow up your Membership processing status

It can take up to 30 mins till your dynamic group gets populated. Take notice of this.

2. Create a notification for Device Compliance policies

While waiting for our group to be populated, go to the Microsoft Endpoint Manager dashboard – Devices – Compliance policies – Notifications

Click on ‘Create Notification’

Name: Non-Compliant Device, Subject: Non-Compliant Device detected

Message: Non-Compliant Device detected, please login to Intune and review

Click on ‘Next’ and then on ‘Create’

What we are actually doing now is creating an action for when our compliance policy kicks in and targets a device as non-compliant. We want that when a device gets marked as non-compliant, an email gets send to the end-user automatically to inform them about their non-compliant device and make sure they contact helpdesk asap.

Later on we can link this action with our compliance policy.

3. Create Baseline Device Compliance Policy & assign it

Now we are gonna create our first Compliance Policy

We want:

  • Min OS version to be 1903
  • Firewall to be on
  • Antivirus to be on

Go to the Microsoft Enpoint Manager dashboard – Devices – Compliance policies – Policies – Create policy

Name: Windows 10 – Baseline Policy, fill in a description, platform select Windows 10 and later

Configure Device Properties, Min OS Version = 10.0.18362 (1903), click ‘OK’

Configure System Security: Firewall require, Antivirus require, click ‘OK’

Click on ‘OK’, then click on Actions for noncompliance:

Click on ‘Mark device noncompliant’: here you can give a user x days to make sure his device is back compliant, for demo purposes we’ll leave it on Immediately for now.

Click on ‘Add Action’ to add an extra action, select Action: Send email to end user, Message template: the one we made

Click on ‘Select’

This will send an email to the end user to take actions to make his device compliant again, also to the Global Administrator who made the policy. You can also add for example your security mail group or it department if you want to keep them up to date also

Click on ‘OK’

Click on ‘Create’

Now we need to assign our Baseline Policy to our All Windows 10 devices group, click ‘Assignments’ and add the newly made group.

Click on ‘Evaluate’, this shows you how many devices will be affected by this policy (should be one for now).

At last click on ‘Save’.

4. Test your Device Compliance Policy

Now login on your W10 virtual machine in Hyper-V

Click on Start icon – Click on the People icon – Click on Change account settings – Choose Access work or school – Click on your Azure AD Tenant, and then click on Info

Click on Sync

This can also be done in the Microsoft Endpoint Manager admin center or Azure AD blade:

Navigate to the MEM admin center – Devices – All Devices – select your device – Click on Sync to trigger a Sync to the device

Now go to the MEM admin center – Devices – All devices – and check if your device is compliant:

Click on your Device, and then on Device Compliance to see more stats

If you want you can for example disable your firewall on your Windows 10 VM, sync again, and check the status in Microsoft Endpoint Manager admin center again. You’ll see that your device will get marked as Non-Compliant.

Don’t forget to turn your firewall back on after testing.

Happy testing!