Get started with compliance policies!

Introduction

Compliance policies are in place to make sure that a device or user is compliant with the rules set by the organization. If they aren't compliant, there are multiple options available to the IT administrator. One of the options available is to combine compliance policies with conditional access.

Another option you can make use of is the notification within compliance policies. When a device is marked as non-compliant, you can configure an action that sends an email to the user.

In service release 2312 in December, Microsoft added support for variables in notifications.

Let's take a look at compliance policies and notifications! 😎

Configuration

First of all, we would have to create a compliance policy. Let's jump into our favorite portal of them all.

  1. Log into Intune.microsoft.com and click on the devices tab.
  2. Click compliance policies, and you will now see the below page.

Before we can start playing around with the notifications, we have to create a policy first.

  1. Click create policy, and make sure to pick 'Windows 10 and later' as the platform.
  2. Name your policy as you wish, and click next.
  3. From here, you have to decide which policies your devices and users must comply with.

I will keep it simple and pick the following settings:

  1. Once you have picked your settings, click next. As you can see, there is one default action.

When we have created our notification, we can link it to the compliance policy under actions.

  1. On the actions page, we won't change anything for now. We will change that later, once we create our notification.
  2. Last but not least, remember to assign the policy.
💡
You can either assign a compliance policy to devices or users. If you assign it to a device, and there is no user signed in, you will see entries with the system account in your reports.
Microsoft recommends assigning your policies in the following way:

For devices with a user signed in - assign it to users.
For devices without a user signed in - assign it to devices.

Notifications

We have now created our compliance policy, and the next step is to create our notification. From the compliance tab, head down to notifications.

  1. Click create notification and name it as you like.
  2. Next are the settings for the header and footer. Modify it as you like, and click next when ready!

The logo and information for this page appear in the customization settings under 'Tenant Administration'. Under the 'End user experiences' category, there is a tab called 'Customization'.

  1. The next page is the notification message templates. From here, you can create your message for your users in different languages.

I have created my message for my users and used some of the variables available.

💡
At the moment of writing this blog, there are four different variables available to use.
You can see the variables available right here.

When you have created your notification, make sure to click create.

Assigning the notification to your policy

Before we can test this, we would have to assign the notification to our compliance policy.

  1. Click on your compliance policy and switch to the properties page.
  2. Scroll down to the 'actions for noncompliance' category, and click edit!
  3. Under action, we will pick 'send email to end user' and I will keep the schedule to 0 days after noncompliance. Make sure to select your notification message.

You also have the opportunity to add additional recipients if you wish to add an IT mailbox or something similar.

  1. Let's hit review + save, and test it!

Let's get it tested!

Our compliance policy has been assigned, and we have also created our notification. So what will happen if a device is non-compliant? We can wait for the device to report back to Intune and evaluate the compliance policy.

We can also simulate the notification that the user receives once a device is non-compliant.

Head into the notifications page and click on your notification. You have the option to 'send preview email'. When you click on that option, you will receive an email on the account you have signed into Intune with.

Please be aware that this requires the admin user to have a license.
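The same workflow (create the notification, add a message, link it to the policy's actions for noncompliance, send the preview) can be driven through Microsoft Graph. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, the DeviceManagementConfiguration.ReadWrite.All permission, and an existing compliance policy whose id replaces the placeholder.

```powershell
# Added example: compliance notification setup via Microsoft Graph (beta).
# Assumes Microsoft.Graph SDK is installed; $policyId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$base     = "https://graph.microsoft.com/beta/deviceManagement"
$policyId = "<COMPLIANCE-POLICY-ID>"   # placeholder: take it from the policy URL in the portal

# 1. Create the notification template; brandingOptions are the header/footer choices.
$template = Invoke-MgGraphRequest -Method POST -Uri "$base/notificationMessageTemplates" -Body @{
    displayName     = "Non-compliance notification"
    defaultLocale   = "en-us"
    brandingOptions = "includeCompanyLogo,includeCompanyName,includeContactInformation"
}

# 2. Add the English message. Type the variable tokens exactly as the portal's
#    variable list shows them; <VARIABLE> below is a placeholder for one of them.
Invoke-MgGraphRequest -Method POST `
    -Uri "$base/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" -Body @{
    locale          = "en-us"
    subject         = "Your device is not compliant"
    messageTemplate = "Hi, device <VARIABLE> no longer meets our compliance rules. Please contact IT."
    isDefault       = $true
}

# 3. Link the template under 'actions for noncompliance': email 0 days after
#    noncompliance. This call replaces the whole action list, so the default
#    'mark device noncompliant' (block) action is included again explicitly.
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceCompliancePolicies/$policyId/scheduleActionsForRules" -Body @{
    deviceComplianceScheduledActionForRules = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(
            @{ actionType = "block";        gracePeriodHours = 0
               notificationTemplateId = ""; notificationMessageCCList = @() },
            @{ actionType = "notification"; gracePeriodHours = 0
               notificationTemplateId = $template.id
               notificationMessageCCList = @() }   # group ids here to CC an IT mailbox
        )
    })
}

# 4. Send the preview email to the signed-in admin (that account needs a license).
Invoke-MgGraphRequest -Method POST -Uri "$base/notificationMessageTemplates/$($template.id)/sendTestMessage"
```

The scheduleActionsForRules call overwrites every existing action on the policy, so always resend the block action alongside the notification; otherwise the device is emailed but never marked non-compliant.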

The preview message doesn't include all our variables, but this is how it looks:

The compliance policy sync on a device can take a while. If you wish to force it to evaluate the compliance policy, you can press Windows key + R or type 'run' in Windows. Once you have it open, you can paste the following: "intunemanagementextension://synccompliance" and hit enter.

After a while, the compliance policy has been evaluated, and the status will change in the Intune portal. If the device is non-compliant, the user will receive your notification.

Conclusion

Thank you very much for reading this blog. I hope you enjoyed it. I would recommend that you go ahead and experiment with the variables and see how they can help you.

Have a great day!