Create a Compliance Policy in Microsoft Intune

This course will provide you with a solid understanding of compliance policies and where they fit into Microsoft 365. You'll also have the chance to watch a guided demonstration showing you how to create a Compliance Policy in Microsoft Intune.

Learning Objectives

  • Learn the basics of compliance policies in Microsoft 365
  • Gain an understanding of Compliance Policy Settings and Device Compliance Policies
  • Learn how to integrate compliance policies and conditional access
  • Learn how to create a compliance policy in Endpoint Security within the Microsoft Endpoint Manager admin center

Intended Audience

This quick-hitting course is intended for those who wish to learn about using Compliance Policies in Microsoft 365.


To get the most out of this course, it would be beneficial to have a basic understanding of compliance in general, as well as some basic experience using Microsoft 365.


Hello, and welcome back. What we're gonna do here in this brief demonstration is walk through the process of creating a compliance policy in Microsoft Endpoint Manager admin center. It's a pretty straightforward process, but in the interest of completeness, I just wanna walk through the process here to show you how it's done.

Now on the screen here, I'm logged into my Endpoint Manager admin center using my global admin for my fictional Berks Batteries organization, and what I'm going to do here is create a new policy. Now, to do that from the home page here in Endpoint Manager admin center, I browse to Devices. Once I go into Devices, I can look at the status of all the different devices within my environment, but what I wanna do here is go down to Compliance policies under Policy, which only makes sense, right?

Now once I go into Compliance policies, from the default main page here, or the home page for compliance policies, I can see any existing policies. You'll notice here, I have no compliance policy set up, so what we'll do here is we'll create a new policy, and when I create a policy, I need to select the platform. And I have a couple of different choices here: Android device administrator, Android Enterprise, iOS/iPadOS, macOS, Windows 10 and later, and Windows 8.1 and later. For this demonstration here, we'll just create one for Android Enterprise.

So we're gonna create a policy for the Android Enterprise platform, and this is important because each platform has different settings that can be controlled, so that's why you have to select the platform. Now, if we select the dropdown for profile type, we have two different options here: a fully managed, dedicated, and corporate-owned work profile, or a personally owned work profile. For this exercise, we'll do fully managed, we'll just assume this is a corporate device we wanna control, and we'll create it.

And then what we need to do here is complete some information. We have five sections here we have to work through: the basics, the compliance settings, the actions for noncompliance, any assignments, and then we need to review and create the actual compliance policy. So what I'll do here is I'll give my policy a name, and we'll just call it AndroidPolicy, and for the description we'll just put Policy for Androids. We'll go ahead and click next here, and then we have the different settings.

We have the Microsoft Defender for Endpoint settings, device health, device properties, and system security. What we'll do for this exercise here is configure the Microsoft Defender for Endpoint rules, and essentially what we wanna do here is require devices that get this policy to be at or under the machine risk score that we define here. We'll just set this to low, since this is just a demo.

So, with our Defender for Endpoint compliance settings configured, we'll go ahead and click next. And then here we need to specify the sequence of actions for noncompliant devices; now, what are we going to do when a device is picked up as noncompliant? If we select the drop-down here under action, we can see we can send an email to the end user, we can send a push notification, we can remotely lock noncompliant devices, or we can retire devices.

What we'll do here is send a push notification, and then what we can do is tell it how quickly this should happen. Now you'll notice the default action here is mark device noncompliant, and that happens immediately. And then what we can do is schedule this send push notification action, and we'll do this immediately as well. So we'll go ahead and click next, and now here is where we get to assign this policy. We can include groups, or we can exclude groups. We can also add all users here, and that's what I'm gonna do, so we'll just add all users. So essentially, we're assigning this policy to all users in our organization, we're not gonna do any exclusions here, and we'll go ahead and click next.

So at this point we can review our settings, we are creating a policy called AndroidPolicy and it's targeting the Android Enterprise platform, and also fully managed, dedicated, and corporate-owned work profile. So basically these are corporate-owned devices we're targeting here. We've set our compliance settings for machine risk score to be low, and then the actions for noncompliance are basically marking the device as noncompliant immediately, and then immediately letting a user know that their device has been marked noncompliant, and we're assigning this to all users in the organization. If we're happy with these settings, we can go ahead and create the policy.
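The same policy the demo builds through the portal can be expressed as a Microsoft Graph request body for the deviceManagement compliance policy resource. The following Python is an added example, not part of the course or Microsoft's own tooling; the Graph property names, enum values and the "PasswordRequired" rule name it uses are assumptions based on the deviceManagement API rather than anything shown in the transcript, and no request is actually sent. It assembles the Android Enterprise (fully managed) policy with the Defender machine risk score set to low, the two noncompliance actions both scheduled immediately, and an all-users assignment, then re-runs the "Review + create" checks as code so a drifted policy is caught before it is created.

```python
"""Build and review the demo's Intune compliance policy as Graph API bodies.

The Graph property and enum names below (androidDeviceOwnerCompliancePolicy,
advancedThreatProtectionRequiredSecurityLevel, actionType values, the
PasswordRequired rule name, allLicensedUsersAssignmentTarget) are assumptions
about the deviceManagement API; they are not taken from the course page.
"""
import json

# Assumed deviceComplianceActionItem.actionType values for the two demo actions
ACTION_MARK_NONCOMPLIANT = "block"
ACTION_PUSH_NOTIFICATION = "pushNotification"
RISK_LEVELS = ("low", "medium", "high")


def build_android_policy(name, description, max_risk_level="low"):
    """Return a JSON-serialisable body for a fully managed Android Enterprise
    compliance policy that requires the Defender for Endpoint machine risk
    score to be at or under max_risk_level (the demo uses "low")."""
    if max_risk_level not in RISK_LEVELS:
        raise ValueError(f"unsupported machine risk level: {max_risk_level}")
    immediate = {"gracePeriodHours": 0, "notificationTemplateId": "",
                 "notificationMessageCCList": []}
    return {
        # Fully managed / dedicated / corporate-owned work profile (assumed type)
        "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
        "displayName": name,
        "description": description,
        # Defender for Endpoint "machine risk score" requirement (assumed name)
        "advancedThreatProtectionRequiredSecurityLevel": max_risk_level,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",  # assumed constant rule name
            "scheduledActionConfigurations": [
                # Default action: mark the device noncompliant immediately
                {"actionType": ACTION_MARK_NONCOMPLIANT, **immediate},
                # Added action: push notification to the user, also immediately
                {"actionType": ACTION_PUSH_NOTIFICATION, **immediate},
            ],
        }],
    }


def all_users_assignment():
    """Body for the policy's /assign action targeting all users (assumed target type)."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}


def review_policy(policy, expected_level="low"):
    """Re-run the Review + create checks in code. Returns a list of findings;
    an empty list means the body matches what the demo intended."""
    findings = []
    grace_by_action = {
        item["actionType"]: item["gracePeriodHours"]
        for rule in policy.get("scheduledActionsForRule", [])
        for item in rule.get("scheduledActionConfigurations", [])
    }
    if grace_by_action.get(ACTION_MARK_NONCOMPLIANT) != 0:
        findings.append("device is not marked noncompliant immediately")
    if ACTION_PUSH_NOTIFICATION not in grace_by_action:
        findings.append("no user notification configured")
    if policy.get("advancedThreatProtectionRequiredSecurityLevel") != expected_level:
        findings.append(f"machine risk score threshold is not '{expected_level}'")
    return findings


if __name__ == "__main__":
    body = build_android_policy("AndroidPolicy", "Policy for Androids")
    print(json.dumps(body, indent=2))
    print("findings:", review_policy(body))
    print(json.dumps(all_users_assignment(), indent=2))
```

In use, the first body would be POSTed to the deviceCompliancePolicies collection under deviceManagement (the beta endpoint is assumed for the Defender risk-score property), and the assignment body to the new policy's /assign action, each with a bearer token carrying DeviceManagementConfiguration.ReadWrite.All; both calls are left out so the example runs offline.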

And there you have it, we have our Android policy set up, now we don't have any assignments here because I don't have any Androids in my actual environment, this is just a brief lab environment. But you can see here, the profile type, the platform that's supported, whether there's any groups excluded, whether it's been assigned, and to how many groups it's been assigned. If we go into properties, we can look at the properties for the policy, we can monitor device status, user status, and per-setting status.

So that is how you create a compliance policy in Microsoft Endpoint Manager admin center.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.