Before configuring and assigning your compliance policies, you must define your organization’s initial compliance policy settings. These define how compliance is determined on devices without a compliance policy. Configurable settings, displayed in Figure 2-23, are:
• Mark devices with no compliance policy assigned as – If set to Compliant, this setting effectively turns off compliance in your organization.
Caution
If you mark devices as noncompliant by default before you start creating and assigning compliance policies, and a conditional access policy exists that requires compliance, you have effectively denied every device in your organization access to the resources that conditional access policy protects. Be careful: depending on the conditional access policy settings, you can lock yourself out of the Intune admin center.
• Enhanced jailbreak detection – Rooted devices pose a serious potential security risk. Selecting this option helps mitigate those risks.
• Compliance status validity period – Devices that fail to report their compliance policy status within the defined period are treated as noncompliant.
FIGURE 2-23 Configuring the initial compliance policy settings
Configuring scripts
You can use discovery scripts to help define custom compliance settings. Both Linux and Windows operating systems are supported. The script runs on the device and reports the values of the custom settings; you then reference those settings in a compliance policy for that platform.
The first step is to add the scripts. You do this through the Scripts tab in Compliance Policies, as shown in Figure 2-24. For Windows scripts, you can determine whether the script:
• Runs in the context of the currently signed-in user
• Requires a signature check
• Runs in the 64-bit PowerShell host
After you’ve added your discovery scripts, you can use them when you create a compliance policy (see Figure 2-24).
FIGURE 2-24 Adding a compliance script for Windows devices
Need More Review? Compliance Scripts
For more information about using scripts for custom compliance settings, refer to the Microsoft Learn website at https://learn.microsoft.com/mem/intune/protect/compliance-custom-script.
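The following Windows discovery script is an added example, not code from the book or from Microsoft. It assumes the Intune custom compliance contract that the script writes one compressed JSON object to stdout, where each key is a setting name that your policy's rules later reference; the three setting names and the checks behind them are illustrative choices.

```powershell
# Added example: Intune custom-compliance discovery script for Windows.
# Assumption: Intune reads a single compressed JSON object from stdout and
# matches each key against a SettingName in the policy's JSON rules file.
$report = [ordered]@{}

# Setting 1: is the OS volume protected by BitLocker?
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['OsDriveEncrypted'] = ($vol.ProtectionStatus -eq 'On')
} catch {
    # Cmdlet unavailable or access denied: report a definite false so the rule
    # evaluates noncompliant rather than the setting silently going unreported.
    $report['OsDriveEncrypted'] = $false
}

# Setting 2: is Windows Defender Firewall enabled on every network profile?
try {
    $profiles = Get-NetFirewallProfile -ErrorAction Stop
    $disabled  = ($profiles | Where-Object { $_.Enabled -ne 'True' } | Measure-Object).Count
    $report['FirewallAllProfilesOn'] = ($disabled -eq 0)
} catch {
    $report['FirewallAllProfilesOn'] = $false
}

# Setting 3: BIOS version string, which a rule can compare as a version.
try {
    $bios = Get-CimInstance -ClassName Win32_BIOS -ErrorAction Stop
    $report['BiosVersion'] = [string]$bios.SMBIOSBIOSVersion
} catch {
    $report['BiosVersion'] = 'unknown'
}

# Intune consumes the compressed JSON written here, for example:
# {"OsDriveEncrypted":true,"FirewallAllProfilesOn":true,"BiosVersion":"1.14.0"}
return $report | ConvertTo-Json -Compress
```

Each key becomes a SettingName in the JSON rules file you upload with the compliance policy, where you pair it with an operator and operand (for example, OsDriveEncrypted IsEquals true). Because the script runs under the options shown in Figure 2-24, decide deliberately whether it needs the signed-in user's context; checks like these need only the device context.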
Manage notifications for compliance policies
An important part of the compliance process is informing users that their devices are noncompliant. This requires that you create templates and configure notification settings. Use the following procedure:
- In Intune, open Compliance policies and then select Notifications.
- In the details pane, click Create notification.
- In the Create notification wizard, enter a name on the Basics tab, as shown in Figure 2-25. Then configure the following, and click Next:
• Email header – Include company logo
• Email footer – Include company name
• Email footer – Include contact information
• Company Portal Website Link
FIGURE 2-25 Configuring a compliance notification
- On the Notification message templates tab, displayed in Figure 2-26, configure the following settings:
• Select a locale – This determines the language used in the notification.
• Enter a subject – This determines the email subject displayed in the user’s mailbox.
• Enter a message – This is the text displayed in the body of the notification email.
• Is default – Select this template as the default if desired.
FIGURE 2-26 Configuring message template settings
- If desired, add additional templates. When you have all the required templates, click Next.
- On the Review + create tab, verify your settings and then click Create.
After creating the template, you can test the notification by selecting the template and clicking Send preview email.