After you start managing Windows 11 devices using Microsoft Intune, you’ll want to implement conditional access to provide granular access control for your corporate resources. These resources can include data contained in controlled applications, such as Exchange Online. Intune works with Azure AD to actively check the status of enrolled devices against your policies each time a resource such as corporate email is accessed.
With Microsoft Intune, you can stipulate the necessary compliance checks that Azure AD will perform on enrolled devices. Deploying compliance policies allows devices to be allowed or denied access to your corporate resources. In addition, when used with Azure AD Conditional Access policies, you can determine precisely when those resources are accessible. Therefore, you must understand how to plan, implement, and manage them to meet organizational security requirements.
This skill covers how to:
- Specify compliance policies to meet requirements
- Manage notifications for compliance policies
- Implement compliance policies
- Monitor device compliance
- Troubleshoot compliance policies
- Implement Conditional Access policies that require a compliance status
Specify compliance policies to meet requirements
Many organizations are regulated and must comply with laws and regulations, such as those shown in Table 2-5. To remain compliant, administrators must configure and manage devices and any data on them per corporate security and compliance requirements. Modern management enables administrators to control devices and restrict their use when accessing corporate data.
TABLE 2-5 Regulations and compliance
| Regulation | Region | Requirement |
| --- | --- | --- |
| HIPAA (Health Insurance Portability and Accountability Act of 1996) | USA | User isn’t prompted to MFA. |
| Sarbanes–Oxley Act | USA | The Chief Financial Officer (CFO) and Chief Executive Officer (CEO) have joint responsibility for the financial data. Administrators must keep financial data secure and free from tampering, theft, and deletion. |
| Gramm–Leach–Bliley Act | USA | Responsibility for security lies with the entire board of directors. While not legally bound, IT administrators will be delegated the implementation and management of IT security. |
| GDPR (General Data Protection Regulation) | EU | Regardless of location, all enterprises must adhere to EU privacy laws relating to any person living in the EU. |
Using Microsoft Intune, you can define compliance policies. After you have created compliance policies, you can assign them to enrolled devices and device groups.
Each time a device attempts to access corporate resources, such as a SharePoint site or corporate email client, its policy is evaluated, and its compliance status is determined. Only compliant devices are granted access to the resources.
Note: Requires Azure AD Premium
Organizations must have Azure AD Premium P1 or P2 licenses, and each device requires an Intune license to use compliance policies.
The following device platforms can be managed using compliance policies once they have been enrolled into Intune:
- Android and Android Enterprise
- iOS and iPadOS
- Linux
- macOS
- Windows 10 and later
- Windows 8.1 and later
When considering how your organization will achieve compliance, you might want to review the features available and support for compliance policies. Each compliance policy within Intune is platform-specific, and the actual compliance policy settings available will vary depending on the settings the platform vendor exposes to the MDM framework. For example, BitLocker encryption is only available on Windows devices, and Google Play Protect is available only on Android.
Make sure you understand the different compliance features that can be selected for each operating system.
Some of the more commonly used device compliance settings that you can implement include:
- Require a password to access devices: For example, a PIN or password.
- Local data encryption: BitLocker encryption or other boot protection, such as Secure Boot.
- Is the device jailbroken or rooted? Often, a device that has been jailbroken or rooted will be more vulnerable to malware attacks.
- Minimum operating system version required: Prevents outdated software, which may be more vulnerable to malware attacks.
- Maximum operating system version allowed: Prevents software that has not been tested or approved for corporate use from being used.
- Protected against malware threats: Requires the device to have an antimalware solution enabled, up-to-date signatures, or real-time protection enabled.
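The following script is an added example, not part of the original text, showing how the Windows-applicable settings in the list above (password, BitLocker and Secure Boot, an OS version window, and Microsoft Defender checks) map onto a single Windows 10/11 compliance policy created through the Microsoft Graph API, together with the noncompliance action and a group assignment. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds an Intune administrator role; the policy name, version strings and group object ID are placeholders you replace with your own values. The jailbroken/rooted check is not included because that setting exists only in the iOS/iPadOS and Android policy types.

```powershell
# Added example: create and assign a Windows 10/11 device compliance policy in Intune
# via Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK and Intune admin rights.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win11 - Baseline compliance"          # placeholder name
    description            = "Password, encryption, OS version window, and Defender checks"

    # Require a password (PIN or password) to unlock the device
    passwordRequired       = $true
    passwordMinimumLength  = 6

    # Local data encryption and boot protection
    bitLockerEnabled       = $true
    secureBootEnabled      = $true

    # Minimum / maximum OS version window (placeholder build numbers; use your tested builds)
    osMinimumVersion       = "10.0.22621.0"
    osMaximumVersion       = "10.0.99999.0"

    # Protected against malware threats: Defender on, real-time protection on, signatures current
    defenderEnabled        = $true
    rtpEnabled             = $true
    signatureOutOfDate     = $false

    # Actions for noncompliance: "block" marks the device noncompliant so Conditional
    # Access can deny it; gracePeriodHours = 0 would apply immediately, 24 gives one day.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 24
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Create the policy
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Assign it to a device group (placeholder object ID)
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "<placeholder-group-object-id>"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

Write-Host "Created and assigned compliance policy $($created.id)"
```

Two points worth checking before relying on a policy like this: a device that has not yet reported its state shows as "not evaluated" rather than compliant, so a Conditional Access rule that requires a compliant device will block it until the first check-in completes, and the grace period only delays the block action, not the noncompliant status shown in the Intune admin center.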