Configure compliance policies with actions for noncompliance in Microsoft Intune (2023)


A compliance policy protects your organization's resources from devices that don't meet your security requirements, and every compliance policy also includes Actions for noncompliance. Actions for noncompliance are one or more time-ordered actions that a policy takes to help protect devices and your organization. For example, an action for noncompliance can remotely lock a device to ensure it's protected, or send a notification to devices or users to help them understand and resolve the noncompliant status.

Overview

By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days (0). The result of this default is that when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD) Conditional Access can block the device.

By configuring Actions for noncompliance you gain flexibility to decide what to do about noncompliant devices, and when to do it. For example, you might choose to not block the device immediately, and give the user a grace period to become compliant.

For each action you set, you can configure a schedule that determines when that action takes effect. The schedule is a number of days after the device is marked as noncompliant. You can also configure multiple instances of an action. When you set multiple instances of an action in a policy, the action runs again at that later scheduled time if the device remains non-compliant.

Not all actions are available for all platforms.

Note

The Microsoft Endpoint Manager admin center displays the schedule (days after noncompliance) in days. However, it is possible to specify a more granular interval (hours) using decimal fractions such as 0.25 (6 hours), 0.5 (12 hours), 1.5 (36 hours), and so on. Other values are possible, but they can only be configured using Microsoft Graph and not via the admin center. Attempting to use other values in the admin center, such as 0.33 (8 hours), results in an error when you try to save the policy.

Available actions for noncompliance

Following are the available actions for noncompliance:

  • Mark device non-compliant: By default, this action is set for each compliance policy and has a schedule of zero (0) days, marking devices as noncompliant immediately.

    When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as non-compliant.

    This action is supported on all platforms supported by Intune.

  • Send email to end user: This action sends an email notification to the user. When you enable this action:

    • Select a Notification message template that this action sends. You must create a notification message template before you can assign one to this action. When you create the custom notification, you customize the message locale, subject, and message body, and can include the company logo, company name, and other contact information.
    • Choose to send the message to more recipients by selecting one or more of your Azure AD Groups.

    Intune uses the email address defined in the end user's profile and not their user principal name (UPN). If no email address is defined in the user's profile, Intune doesn't send a notification email. When the email is sent, Intune includes details about the noncompliant device in the email notification.

    This action is supported on all platforms supported by Intune.

    Note

    In the commercial cloud, notification emails are sent from: IntuneNotificationService@microsoft.com

    In government clouds, notification emails are sent from: microsoft-noreply@microsoft.com

    Ensure you do not have any mailbox policies that would prevent delivery of emails from these addresses, otherwise end users may not receive the email notification.

  • Remotely lock the noncompliant device: Use this action to issue a remote lock of a device. The user is then prompted for a PIN or password to unlock the device. More on the Remote Lock feature.

    The following platforms support this action:

    • Android device administrator
    • Android (AOSP)
    • Android Enterprise:
      • Fully Managed
      • Dedicated
      • Corporate-Owned Work Profile
      • Personally Owned Work Profile
      • Android Enterprise kiosk devices
    • iOS/iPadOS
    • macOS
  • Retire the noncompliant device: This action removes all company data off the device and removes the device from Intune management.

    The following platforms support this action:

    • Android device administrator
    • Android (AOSP)
    • Android Enterprise:
      • Fully Managed
      • Dedicated
      • Corporate-Owned Work Profile
      • Personally Owned Work Profile
    • iOS/iPadOS
    • macOS
    • Windows 10/11

    When this action applies to a device, that device is added to a list of devices in the Microsoft Endpoint Manager admin center at Devices > Compliance policies > Retire Noncompliant Devices. The device isn't retired until an admin takes explicit action to retire the device.

    Note

    Only devices for which the Retire the noncompliant device action has been triggered appear in the Retire Selected Devices view. To see a list of all devices that are not compliant, see the Noncompliant devices report mentioned in Monitor device compliance policy.

    To retire one or more devices from the list, select devices to retire and then select Retire Selected Devices. When you choose an action that retires devices, you're then presented with a dialog box to confirm the action. It's only after confirming the intent to retire the devices that they're cleared of company data and removed from Intune management.

    Other options include Retire All Devices, Clear All Devices Retire State, and Clear Selected Devices Retire State. Clearing the retire state for a device removes the device from the list of devices that can be retired until the action to Retire the noncompliant device is applied to that device again.

    Learn more about retiring devices.

  • Send push notification to end user: Configure this action to send a push notification about non-compliance to a device through the Company Portal app or Intune App on the device.

    The following platforms support this action:

    • Android device administrator
    • Android Enterprise:
      • Fully Managed
      • Dedicated
      • Corporate-Owned Work Profile
      • Personally Owned Work Profile
    • iOS/iPadOS

    The push notification is sent the first time a device checks in with Intune and is found to be non-compliant to the compliance policy. When a user selects the notification, the Company Portal app or Intune app opens and displays information about why they're non-compliant. The user can then take action to resolve the issue. The message details about non-compliance are generated by Intune and can't be customized.


    Important

    Intune, the Company Portal app, and the Microsoft Intune app can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This includes when users have turned off push notifications.

    Do not rely on this notification method for urgent messages.

    Each instance of the action sends a notification a single time. To send the same notification again from a policy, configure more instances of the action in that policy, each with a different schedule.

    For example, you might schedule the first action for zero days and then add a second instance of the action set to three days. This delay before the second notification gives the user a few days to resolve the issue, and avoid the second notification.

    To avoid spamming users with too many duplicate messages, review and streamline which compliance policies include a push notification for non-compliance, and review the schedules so that notifications for the same condition aren't repeated too often.

    Consider:

    • For a single policy that includes multiple instances of a push notification set for the same day, only a single notification is sent for that day.

    • When multiple compliance policies include the same compliance conditions, and include the push notification action with the same schedule, Intune sends multiple notifications to the same device on the same day.

Note

The following actions for noncompliance are not supported for devices that are managed by a device compliance management partner:

  • Send push notification to end user
  • Remotely lock the noncompliant device
  • Retire the noncompliant device

Before you begin

You can add actions for noncompliance when you configure device compliance policy, or later by editing the policy. You can add extra actions to each policy to meet your needs. Keep in mind that each compliance policy automatically includes the default action for noncompliance that marks devices as noncompliant, with a schedule set to zero days.

To use device compliance policies to block devices from corporate resources, Azure AD Conditional Access must be set up. See Conditional Access in Azure Active Directory or common ways to use Conditional Access with Intune for guidance.

To create a device compliance policy, see the following platform-specific guidance:

  • Android
  • Android (AOSP)
  • Android work profiles
  • iOS
  • macOS
  • Windows

Create a notification message template

To send email to your users, create a notification message template and associate it with your compliance policy as an action for noncompliance. Then, when a device is noncompliant, the details you enter in the template are shown in the email sent to your users.

A notification message template can include multiple messages that are each specified for a different locale. One locale must be specified as the default.


When you specify multiple messages and locales, non-compliant end users receive the appropriate localized message based on their O365 preferred language. Intune sends the default message to users that haven’t set a preferred language or when the template doesn’t include a specific message for their locale.

To create the template

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Device compliance > Notifications > Create notification.

  3. On the Basics page, configure the following settings:

    • Name - Give the template a friendly name to help you identify it.
    • Email header – Include company logo (default = Enable) - The logo you upload as part of the Company Portal branding is used for email templates. For more information about Company Portal branding, see Company identity branding customization.
    • Email footer – Include company name (default = Enable)
    • Email footer – Include contact information (default = Enable)
    • Company Portal Website Link (default = Disable) - When set to Enable, the email includes a link to the Company Portal website.


    Select Next to continue.

  4. On the Notification message templates page, configure one or more messages. For each message, specify the following details:

    • Locale
    • Subject
    • Message body text

    Note

    The maximum number of characters for the Subject is 78, and the maximum number of characters for the message body text is 2000.

    Before continuing, you must select the checkbox for Is Default for one of the messages. Only one message can be set as default. To delete a message, select the ellipsis (...) and then Delete.


    Select Next to continue.

  5. Under Review + create, review your configurations to ensure the notification message template is ready to use. Select Create to complete creation of the notification.

View and edit notifications

Notifications that have been created are available in the Compliance policies > Notifications page. From the page you can select a notification to view its configuration and:

  • Select Send preview email to send a preview of the notification email to the account you've used to sign in to Intune.

    To successfully send the preview email, your account must have permissions equal to those of the following Azure AD groups or Intune roles: Azure AD Global Administrator, Intune Administrator (Intune Azure AD Intune Service Administrator), or Intune Policy and Profile Manager.

  • Select Edit for Basics or Scope tags to make a change.


Add actions for noncompliance

When you create a device compliance policy, Intune automatically creates an action for noncompliance. If a device isn't meeting your compliance policy, this action marks the device as not compliant. You can customize how long the device is marked as not compliant. This action can't be removed.

You can add optional actions when you create a compliance policy, or update an existing policy.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Compliance policies > Policies, select one of your policies, and then select Properties.

    Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.

    Note

    Devices managed by third-party device compliance partners that are targeted with device groups cannot receive compliance actions at this time.

  3. Select Actions for noncompliance > Add.

  4. Select your Action:

    • Send email to end users: When the device is noncompliant, choose to email the user. Also:

      • Choose the Message template you previously created
      • Enter any Additional recipients by selecting groups
    • Remotely lock the noncompliant device: When the device is noncompliant, lock the device. This action forces the user to enter a PIN or passcode to unlock the device.

    • Retire the noncompliant device: When the device is noncompliant, remove all company data off the device and remove the device from Intune management.

    • Send push notification to end user: Configure this action to send a push notification about non-compliance to a device through the Company Portal app or Intune App on the device.

  5. Configure a Schedule: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a conditional access policy. If you enter 0 (zero) days, conditional access takes effect immediately. For example, if a device is noncompliant, use conditional access to block access to email, SharePoint, and other organization resources immediately.

    When you create a compliance policy, the Mark device noncompliant action is automatically created and automatically set to 0 days (immediately). With this action, when the device checks in with Intune and evaluates the policy, if it isn't compliant with that policy Intune immediately marks that device as noncompliant. If the client checks in at a later time after remediating the issues that led to noncompliance, its status updates to the new compliance status. If you use Conditional Access, those policies also apply as soon as a device is marked as noncompliant. To set a grace period that allows a condition of noncompliance to be remediated before the device is marked as noncompliant, change the Schedule on the Mark device noncompliant action.

    For example, suppose you also want to notify the user from your compliance policy. You can add the Send email to end user action and set its Schedule to two days. If the device or end user is still evaluated as non-compliant on day two, the email is sent on day two. If you want to email the user again on day five of noncompliance, add another instance of the action and set its Schedule to five days.

    For more information on compliance, and the built-in actions, see the compliance overview.


  6. When finished, select Add > OK to save your changes.
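The procedure above configures actions through the admin center; the earlier note explains that fractional-day schedules only work when they map to whole hours, which is what Microsoft Graph stores as gracePeriodHours. The following Python is an added example, not Microsoft's code: it builds the body for Graph's scheduleActionsForRules action from the page's own example schedule (mark noncompliant at day 0, email on days 2 and 5, push on days 0 and 3), enforces the 0 to 365 day range and the whole-hours rule, refuses to drop the mandatory Mark device noncompliant action, and flags push notifications that collide on the same day within one policy or across several. The template id, group id and the "PasswordRequired" rule name are assumptions and placeholders; nothing here contacts Graph.

```python
"""Prepare and sanity-check the Microsoft Graph payload that sets a compliance
policy's actions for noncompliance
(POST .../deviceCompliancePolicies/{id}/scheduleActionsForRules).
Offline only: nothing in this module calls Graph."""
import json
from collections import Counter
from typing import Any, Dict, List, Optional

# Action names used on this page -> Microsoft Graph deviceComplianceActionType values
GRAPH_ACTION = {
    "mark_noncompliant": "block",
    "send_email": "notification",
    "push_notification": "pushNotification",
    "remote_lock": "remoteLock",
    "retire": "retire",
}
MAX_DAYS = 365
# Placeholders (constructed): replace with ids from your own tenant.
TEMPLATE_ID = "<notification-template-id>"
CC_GROUP_ID = "<azure-ad-group-id>"


def days_to_grace_hours(days: float) -> int:
    """Convert 'days after noncompliance' to Graph's gracePeriodHours.

    The admin center shows whole days; Graph stores whole hours, so fractions
    such as 0.25 (6 h), 0.5 (12 h) and 1.5 (36 h) work, but 0.33 (7.92 h) is rejected.
    """
    if not 0 <= days <= MAX_DAYS:
        raise ValueError(f"schedule must be 0-{MAX_DAYS} days, got {days}")
    hours = days * 24
    if abs(hours - round(hours)) > 1e-9:
        raise ValueError(f"{days} days is not a whole number of hours ({hours:g} h)")
    return int(round(hours))


def build_action_item(action: str, days: float, template_id: Optional[str] = None,
                      cc_group_ids: Optional[List[str]] = None) -> Dict[str, Any]:
    """One deviceComplianceActionItem; an email action must reference a message template."""
    if action == "send_email" and not template_id:
        raise ValueError("send_email needs a notification message template id")
    return {
        "@odata.type": "#microsoft.graph.deviceComplianceActionItem",
        "actionType": GRAPH_ACTION[action],
        "gracePeriodHours": days_to_grace_hours(days),
        "notificationTemplateId": template_id,
        "notificationMessageCCList": cc_group_ids or [],
    }


def build_schedule_body(actions: List[tuple]) -> Dict[str, Any]:
    """Request body for scheduleActionsForRules, ordered by schedule.

    The admin center never lets you remove Mark device noncompliant (block),
    so this builder refuses an action list that lacks it.
    """
    items = [build_action_item(*a) for a in actions]
    if not any(i["actionType"] == "block" for i in items):
        raise ValueError("the 'Mark device noncompliant' (block) action is mandatory")
    items.sort(key=lambda i: i["gracePeriodHours"])  # stable: ties keep input order
    return {"deviceComplianceScheduledActionForRules": [{
        "ruleName": "PasswordRequired",  # assumption: the single rule name Intune uses
        "scheduledActionConfigurations": items,
    }]}


def repeated_push_days(*bodies: Dict[str, Any]) -> List[float]:
    """Days on which push notifications collide.

    One body: duplicates inside a policy (Intune sends only one per day, the rest is wasted).
    Several bodies: the same schedule in several policies (the user gets several messages).
    """
    hours = Counter(
        cfg["gracePeriodHours"]
        for body in bodies
        for rule in body["deviceComplianceScheduledActionForRules"]
        for cfg in rule["scheduledActionConfigurations"]
        if cfg["actionType"] == "pushNotification"
    )
    return sorted(h / 24 for h, n in hours.items() if n > 1)


# Constructed example mirroring the page: mark noncompliant immediately,
# push on day 0 and day 3, email on day 2 and again on day 5.
EXAMPLE_ACTIONS = [
    ("mark_noncompliant", 0),
    ("send_email", 2, TEMPLATE_ID, [CC_GROUP_ID]),
    ("send_email", 5, TEMPLATE_ID),
    ("push_notification", 0),
    ("push_notification", 3),
]

if __name__ == "__main__":
    body = build_schedule_body(EXAMPLE_ACTIONS)
    print(json.dumps(body, indent=2))
    print("colliding push days:", repeated_push_days(body))
```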

Next steps

Monitor your policies.


Article information

Author: Prof. Nancy Dach

Last Updated: 01/01/2023