Hello and welcome to Compliance Policies in InTune. 

Microsoft InTune is a Mobile device management solution that is used to protect organizational data. Leveraging it allows you to require users and devices to meet certain requirements set forth by the organization. In Intune, compliance policies are used to accomplish this.

When you create a compliance policy, what you are doing is defining a set of rules and settings that users and devices must meet in order to be considered compliant. In addition to defining the rules and settings that users and devices must meet, you also specify actions that should apply to non-compliant devices. For example, you might specify an action that notifies a user that their device is non-compliant while protecting the data on the non-compliant device.

You can even combine compliance policies with Conditional Access in order to block non-compliant users and devices from accessing corporate resources. We’ll touch on this combination later on.

There are two parts to compliance policies in Intune. They include compliance policy settings and the device compliance policy.

Compliance policy settings are tenant-wide settings that every device receives – sort of like a built-in compliance policy. You use compliance policy settings to establish a set baseline for how compliance policy will function in your Intune environment. For example, you might configure a setting that governs the compliance status of a device that hasn’t yet received any compliance policies. Some companies may deem a device that hasn’t received a compliance policy to be non-compliant right out of the gate, while other companies might deem those same devices to be compliant – at least until a compliance policy is applied and determines the device is NOT compliant for some reason.

The second part I mentioned, Device compliance policy, consists of platform-specific rules that you define and then deploy to your users or devices. For example, you might use a device compliance policy to enforce minimum requirements for devices. You might want to specify a minimum operating system for your devices, or you might want to ensure all devices use disk encryption. If a device doesn’t meet these requirements, the device is considered to be non-compliant.

Compliance policy evaluations occur when devices check in with Intune. What happens is, Intune will notify a device to check in with the Intune service. When it checks in, it’s evaluated. If a non-compliant device becomes compliant, this is reflected. A device that’s currently compliant can also been deemed non-compliant if something changes since the last check-in.

If a device doesn't check in to get a policy after the first notification, Intune will try three more times. If a device is offline for some reason, it obviously won’t receive the notifications. When this happens, the offline device gets the policy during its next scheduled check-in with the Intune service.