Exploring Compliance Policies in Intune

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining an organization's security posture. These include Microsoft Intune, used for enrolling devices and for creating and enforcing device compliance, and Microsoft Defender, used for antivirus and malware defense on devices. The course also reviews the work involved in reducing the attack surface that bad actors could use to penetrate the organization and expose sensitive data. That data is protected through attack surface reduction rules, which are rolled out in audit mode and tested before enforcement so that they do not disrupt productivity. Finally, the course touches on the security baselines available to organizations that want a more granular security posture, and on tools like Microsoft Secure Score for measuring those efforts against known best practices.

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft secure score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  


Let's explore a bit about compliance policies in Intune. Intune is a cloud-based service that focuses on Mobile Device Management (MDM) and Mobile Application Management (MAM). With it we can control how our organization's devices are used, including mobile phones, tablets, and laptops. We can also configure policies that control specific applications; a simple example would be an app protection policy that prevents email from being sent to people outside the organization. Intune also allows personal devices to be used for work or school by protecting organization data and isolating it from personal data.

Intune is part of Microsoft's Enterprise Mobility + Security suite and integrates with Azure Active Directory to control who has access and what they can access. It also integrates with Azure Information Protection for data protection. We use it with the Microsoft 365 suite of products, which lets us deploy Microsoft Teams, OneNote, and other Microsoft apps to devices. Devices are either organization-owned or personal. For organization-owned devices, we can use Intune to exert full control, including settings, features, and security.

In this approach, users receive the organization's rules and settings through policies configured in Intune. For personal devices, or bring-your-own devices, users may not want their organization to have full control. Rather, they may only want access to email or Microsoft Teams on their personal devices; in that case we can use app protection policies that require multi-factor authentication to use those apps. For devices that are managed by Intune, we use device compliance policies to define how devices should be configured. These policies define the rules and settings that determine whether a device is considered compliant.

Once a compliance policy is deployed, we can monitor compliance status across individual devices. To implement compliance policies, the organization must have devices enrolled in Intune, be licensed for Azure Active Directory Premium, and have devices running supported platforms such as Windows, iOS, and Android. A compliance policy is platform-specific, but an organization can create compliance policies for every supported platform.

Some of the more commonly used device compliance settings include requiring a password to access the device, requiring local data encryption, blocking devices that are jailbroken or rooted, setting the minimum OS version required or the maximum OS version allowed, and requiring the device's threat level, as reported by a Mobile Threat Defense partner, to be at or under a chosen level. When a device fails to meet these settings, Intune identifies it as non-compliant. At that point the actions we configured in the compliance policy take effect.

A simple example of such an action is blocking access to company resources while a device is out of compliance; in practice the block is enforced by an Azure Active Directory Conditional Access policy that requires a compliant device, with Intune supplying the compliance state. Two actions for non-compliance are covered here: we can notify the end user through an email, or mark the device as non-compliant. The email gives the user, and any administrators copied on it, a record of the non-compliance issue. Before marking a device as non-compliant, we can set a grace period for the user to correct the issue. If that period passes and no fix is made, the device is marked as non-compliant and the rules established for that action are put into effect.
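As an added example, not code from the course, the following PowerShell script builds the policy described above through the Microsoft Graph API: an Android compliance policy that requires a password and storage encryption, blocks rooted devices, sets an OS version window, requires a Mobile Threat Defense level of "low" or better, and attaches two actions for non-compliance (an email to the user immediately, and marking the device non-compliant after a 72-hour grace period). It then assigns the policy to a group and, going one step past the text, lists devices that are non-compliant or still inside the grace period. It assumes the Microsoft.Graph PowerShell SDK is installed; the group ID, policy names, and email wording are placeholders of my own.

```powershell
# Added example (not from the course): create, assign, and monitor an Intune
# device compliance policy via Microsoft Graph. Requires the Microsoft.Graph
# PowerShell SDK. $targetGroupId and the display names are placeholders.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

$graph         = "https://graph.microsoft.com/v1.0"
$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD group to assign
$graceHours    = 72                                         # grace period before "mark non-compliant"

# Small wrapper: serialize a hashtable to JSON and send it to Graph.
function Invoke-GraphJson {
    param([string]$Method, [string]$Uri, $Body)
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 10 } else { $null }
    Invoke-MgGraphRequest -Method $Method -Uri $Uri -Body $json -ContentType "application/json"
}

# 1. Notification template used by the "notification" (email) action.
$template = Invoke-GraphJson -Method POST -Uri "$graph/deviceManagement/notificationMessageTemplates" -Body @{
    displayName     = "Compliance reminder"          # placeholder name
    brandingOptions = "includeCompanyName"
}
Invoke-GraphJson -Method POST -Uri "$graph/deviceManagement/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" -Body @{
    locale          = "en-us"
    subject         = "Your device is out of compliance"   # placeholder wording
    messageTemplate = "Your device does not meet company requirements. Fix the issue within 3 days or access will be blocked."
    isDefault       = $true
} | Out-Null

# 2. The Android compliance policy with the settings discussed in the text.
#    scheduledActionsForRule holds the actions for non-compliance: notify at
#    hour 0, then "block" (mark non-compliant) once the grace period expires.
$policy = Invoke-GraphJson -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body @{
    "@odata.type"                               = "#microsoft.graph.androidCompliancePolicy"
    displayName                                 = "Android baseline compliance"   # placeholder name
    description                                 = "Password, encryption, no root, OS window, MTD threat level"
    passwordRequired                            = $true
    passwordMinimumLength                       = 6
    passwordRequiredType                        = "numericComplex"
    storageRequireEncryption                    = $true
    securityBlockJailbrokenDevices              = $true      # rooted devices are non-compliant
    osMinimumVersion                            = "11.0"
    osMaximumVersion                            = "14.0"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"      # must be at or under "low" threat level
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "notification"; gracePeriodHours = 0; notificationTemplateId = $template.id; notificationMessageCCList = @() },
                @{ actionType = "block";        gracePeriodHours = $graceHours }
            )
        }
    )
}

# 3. Assign the policy to a group; nothing is evaluated until it is assigned.
Invoke-GraphJson -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
} | Out-Null

# 4. Monitor: page through managed devices and keep those that are
#    non-compliant or still inside the grace period ("inGracePeriod").
#    Filtering client-side avoids depending on server-side $filter support.
$uri     = "$graph/deviceManagement/managedDevices?`$select=deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime"
$devices = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

$devices |
    Where-Object { $_.complianceState -in @('noncompliant', 'inGracePeriod') } |
    Sort-Object complianceState, deviceName |
    Format-Table deviceName, operatingSystem, osVersion, complianceState, lastSyncDateTime
```

Two points worth noting when adapting this: the "block" action only changes the device's compliance state, so access is actually cut off by a Conditional Access policy that requires a compliant device; and devices that fail a rule but are still within $graceHours report "inGracePeriod" rather than "noncompliant", which is why the monitoring query keeps both states.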

About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.