Microsoft Intune
Compliance Policies & Proactive Remediation
From defining compliance requirements per platform and configuring non-compliance actions, to Custom Compliance JSON scripts and Proactive Remediations for auto-fixing common device issues before they trigger alerts.
Compliance Overview & Lifecycle
Intune compliance policies define the rules a device must meet to be considered compliant. The compliance state is fed into Conditional Access; non-compliant devices can be blocked from accessing corporate resources.
Compliance States
- Compliant: all settings met; full access
- Non-Compliant: at least one setting failed
- In Grace Period: not compliant, but within the deadline
- Not Evaluated: policy not yet applied
- Unknown: device has not checked in recently
Compliance Lifecycle
1. Policy Created & Assigned: the policy targets a device group; the device receives the policy on its next check-in.
2. Device Evaluates Settings: the device checks local settings against the policy rules and reports to Intune.
3. Non-Compliance Actions Triggered: if not compliant, send email, mark non-compliant, add to retirement schedule.
4. CA Blocks Access: if a CA policy requires a compliant device, access to M365 is blocked for the non-compliant device.
Windows Compliance Settings
Recommended Windows Compliance Settings
| Setting | Recommended Value | Risk if Not Set |
|---|---|---|
| Minimum OS version | 10.0.22000 (Win 11) or 10.0.19044 (Win 10 21H2) | Old OS with known vulnerabilities |
| BitLocker required | Required | Data exposure on lost/stolen device |
| Secure Boot enabled | Required | Boot-time malware risk |
| Code integrity | Required | Unsigned driver loading |
| Antivirus (Windows Defender) | Required | No malware protection |
| Antivirus signatures up-to-date | Required | Known malware not detected |
| Firewall | Required | Network attack exposure |
| MDE Device Risk Score | Medium or below | Compromised device accessing corp data |
| Password required | Required (6+ chars, complexity) | Unauthorized physical access |
iOS & Android Compliance
iOS Compliance Settings
| Setting | Recommended |
|---|---|
| Minimum iOS version | 17.0 (or latest - 1) |
| Passcode required | Required |
| Minimum passcode length | 6 characters |
| Jailbroken devices | Block (Non-Compliant) |
| MDE threat level | Secured or Low |
| Maximum minutes of inactivity before lock | 5 minutes |
Android (Enterprise) Compliance
| Setting | Recommended |
|---|---|
| Minimum Android version | 13.0 |
| Rooted devices | Block |
| Device encryption | Required |
| Google Play Protect | Required |
| Threat scan on apps | Required |
| MDE threat level | Secured or Low |
| PIN required | Required (6+ digits) |
macOS Compliance
macOS Compliance Settings
| Setting | Recommended |
|---|---|
| Minimum macOS version | 14.0 (Sonoma) |
| FileVault disk encryption | Required |
| Firewall enabled | Required |
| System Integrity Protection (SIP) | Required |
| Gatekeeper | Required (Mac App Store and identified developers) |
| Password required | Required |
| MDE threat level | Secured or Low |
Custom Compliance (JSON + PowerShell)
Custom Compliance allows you to define any compliance requirement not available in the built-in settings, using a PowerShell detection script that outputs JSON and a JSON rule file that Intune evaluates against that output. The SettingName values in the rule file must match the keys the script emits.

```powershell
# Detection Script (PowerShell, runs on the device under Windows PowerShell)
# Returns JSON with key-value pairs for Intune to evaluate
$result = @{}

# Check if specific software version is installed (64-bit and 32-bit uninstall keys)
$app = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*CorporateSecurity*" } |
    Select-Object -First 1
$result["CorporateSecurityInstalled"] = [bool]$app
$result["CorporateSecurityVersion"] = if ($app) { $app.DisplayVersion } else { "0.0.0" }

# Check custom registry setting; default to 0 when the key or value is absent.
# The "??" operator only exists in PowerShell 7, so test for $null explicitly here.
$regVal = Get-ItemPropertyValue "HKLM:\SOFTWARE\Contoso\Security" -Name "HardeningLevel" -ErrorAction SilentlyContinue
$result["HardeningLevel"] = if ($null -ne $regVal) { [int64]$regVal } else { 0 }

# Output JSON (required format: a single compressed JSON object)
return $result | ConvertTo-Json -Compress
```

Compliance Rule JSON (uploaded to Intune):

```json
{
  "Rules": [
    {
      "SettingName": "CorporateSecurityInstalled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://contoso.com/security/agent",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Corporate Security Agent Missing",
          "Description": "Install the Corporate Security Agent from the Software Center."
        }
      ]
    },
    {
      "SettingName": "HardeningLevel",
      "Operator": "GreaterEquals",
      "DataType": "Int64",
      "Operand": 2,
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Hardening Level Too Low",
          "Description": "Run the Hardening script from Software Center to achieve Level 2."
        }
      ]
    }
  ]
}
```
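A rule file that references the wrong key or a misspelt operator only fails once it is in the tenant, so it pays to run the rule file and the detection output through the same comparison Intune applies. The following PowerShell is an added example written for this guide (not code from the page above or from Intune itself); it assumes the rule file and detection output use the format shown above and the operator names Intune documents (IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals), and the sample inputs at the bottom are constructed.

```powershell
# Added example (not from the page or from Intune): evaluate a rule file against detection output locally.
function ConvertTo-TypedValue($Value, [string]$DataType) {
    # Cast to the declared DataType so "2" (string) and 2 (Int64) compare correctly
    switch ($DataType) {
        'Boolean' { [bool]$Value }
        'Int64'   { [int64]$Value }
        'Double'  { [double]$Value }
        'Version' { [version]$Value }
        default   { [string]$Value }
    }
}
function Test-CustomComplianceRules {
    param(
        [Parameter(Mandatory)][string]$RulesJson,      # contents of the rule file to upload
        [Parameter(Mandatory)][string]$DetectionJson   # what the detection script returned
    )
    $rules    = (ConvertFrom-Json $RulesJson).Rules
    $detected = ConvertFrom-Json $DetectionJson
    foreach ($rule in $rules) {
        foreach ($f in 'SettingName', 'Operator', 'DataType', 'Operand') {
            if (-not $rule.PSObject.Properties[$f]) { throw "Rule is missing required field '$f'" }
        }
        $prop = $detected.PSObject.Properties[$rule.SettingName]
        if (-not $prop) {
            # A key the script never emitted counts as non-compliant, which is how Intune treats it
            [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $false; Actual = $null }
            continue
        }
        $actual  = ConvertTo-TypedValue $prop.Value   $rule.DataType
        $operand = ConvertTo-TypedValue $rule.Operand $rule.DataType
        $ok = switch ($rule.Operator) {
            'IsEquals'      { $actual -eq $operand }
            'NotEquals'     { $actual -ne $operand }
            'GreaterThan'   { $actual -gt $operand }
            'GreaterEquals' { $actual -ge $operand }
            'LessThan'      { $actual -lt $operand }
            'LessEquals'    { $actual -le $operand }
            default         { throw "Unsupported operator '$($rule.Operator)'" }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $ok; Actual = $actual }
    }
}
# Constructed sample: the two rules from the JSON above and a device that has the agent
# installed but only reached HardeningLevel 1, so the second rule must come back non-compliant.
$rules = '{"Rules":[{"SettingName":"CorporateSecurityInstalled","Operator":"IsEquals","DataType":"Boolean","Operand":true},' +
         '{"SettingName":"HardeningLevel","Operator":"GreaterEquals","DataType":"Int64","Operand":2}]}'
$detection = '{"CorporateSecurityInstalled":true,"CorporateSecurityVersion":"3.2.0","HardeningLevel":1}'
Test-CustomComplianceRules -RulesJson $rules -DetectionJson $detection | Format-Table -AutoSize
```

To test a real pair, replace the constructed strings with `Get-Content -Raw .\rules.json` and the string returned by running the detection script.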
Non-Compliance Actions
Available Actions (in order)
| Action | When to Use |
|---|---|
| Mark device non-compliant | Day 0: immediately blocked by CA |
| Send email to end user | Day 1: notify with remediation steps |
| Send push notification | Day 1: Company Portal push alert |
| Send email to additional users | Day 3: notify manager/helpdesk |
| Remotely lock device | Day 7: enforce device lock |
| Retire device | Day 30: remove corporate data |
Email Template Tips
- Use a custom email template with company branding
- Include clear remediation steps (numbered)
- Include helpdesk contact info
- Link to a self-service remediation guide
- Available template variables: {{DeviceName}}, {{UserName}}, {{ComplianceStatus}}
Grace Period
Grace Period Settings
- Configure per policy or per action
- Device shows "In Grace Period" state; CA still allows access
- Typical: 3-7 days for standard settings
- 0 days = immediately non-compliant (use for critical settings)
- Grace period starts from when non-compliance is first detected
Grace Period Strategy
- Security-critical settings (BitLocker, AV): 0-1 day grace
- OS version: 7-14 days (allow time to update)
- Password policy: 3 days
- New policy rollout: 30 days for first month
Conditional Access Integration
The compliance state from Intune is automatically fed to Entra ID Conditional Access. No manual sync is needed: when a device becomes compliant, the CA token is updated within minutes.
How Compliance Feeds Into CA
| Compliance State | CA "Require compliant device" Result |
|---|---|
| Compliant | Access granted |
| In Grace Period | Access granted (until grace expires) |
| Non-Compliant | Blocked; must remediate |
| Not Evaluated / Unknown | Blocked (no policy = no compliance claim) |
Proactive Remediations
Proactive Remediations (Endpoint Analytics) run PowerShell scripts on devices on a schedule. A detection script identifies an issue; if one is detected, a remediation script automatically fixes it before the user even notices.
Detection Script Logic
- Exit code 0 = No issue detected (healthy)
- Exit code 1 = Issue detected (trigger remediation)
- Can also output string messages for reporting
- Runs in 32-bit or 64-bit PowerShell, as SYSTEM or user
Remediation Script Logic
- Runs only if detection exits with code 1
- Exit code 0 = Remediation successful
- Exit code 1 = Remediation failed
- Should fix the issue found by the detection script
- Runs as SYSTEM (elevated) by default
Common Proactive Remediation Scenarios
| Scenario | Detection | Remediation |
|---|---|---|
| Time zone incorrect | Check if TZ = corp standard | Set-TimeZone to correct zone |
| Windows Update service stopped | Check wuauserv service state | Start-Service wuauserv; Set-Service auto |
| Stale DNS cache causing issues | Always true (scheduled task) | Clear-DnsClientCache |
| Old temp files consuming disk | Check C:\Windows\Temp size | Remove old temp files |
| OneDrive sync stuck | Check OneDrive sync status | Restart OneDrive process |
| Expired WiFi certificate | Check cert expiry date | Remove and re-request cert via SCEP |
Proactive Remediation Script Examples
Each detection script and its remediation script is uploaded to Intune as a separate file; they are shown here in pairs.

```powershell
# DETECTION: Check if Windows Update service is running
$service = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($service.Status -eq "Running") {
    Write-Output "Windows Update service is running"
    exit 0   # Healthy
} else {
    Write-Output "Windows Update service is NOT running"
    exit 1   # Issue detected: trigger remediation
}
```

```powershell
# REMEDIATION: Start Windows Update service and set to automatic
try {
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
    Write-Output "Windows Update service started successfully"
    exit 0   # Remediation successful
} catch {
    Write-Output "Failed to start Windows Update service: $($_.Exception.Message)"
    exit 1   # Remediation failed
}
```

```powershell
# DETECTION: Check if device timezone is correct
$expectedTZ = "Israel Standard Time"
$currentTZ = (Get-TimeZone).Id
if ($currentTZ -eq $expectedTZ) {
    exit 0
} else {
    Write-Output "Timezone mismatch: $currentTZ"
    exit 1
}
```

```powershell
# REMEDIATION: Set correct timezone
Set-TimeZone -Id "Israel Standard Time"
exit 0
```
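The scenario table above lists temp-file cleanup without a script. The pair below is an added example written for this guide (not from the original page); the 7-day age and 500 MB threshold are constructed policy values, and, as with the pairs above, the detection and remediation parts are saved as two separate scripts.

```powershell
# DETECTION (added example, not from the page): flag the device when stale files in
# C:\Windows\Temp exceed a size threshold. Constructed policy values: 7 days, 500 MB.
$tempPath    = 'C:\Windows\Temp'
$olderThan   = (Get-Date).AddDays(-7)
$thresholdMB = 500
$stale = @(Get-ChildItem -Path $tempPath -File -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -lt $olderThan })
$staleBytes = 0L
foreach ($f in $stale) { $staleBytes += $f.Length }
$staleMB = [math]::Round($staleBytes / 1MB, 1)
# The Write-Output line is what the Endpoint analytics report shows for this device
if ($staleMB -ge $thresholdMB) {
    Write-Output "Stale temp files: $staleMB MB in $($stale.Count) files (threshold $thresholdMB MB)"
    exit 1   # issue detected: remediation runs next
}
Write-Output "Stale temp files: $staleMB MB, below threshold"
exit 0

###################################################
# REMEDIATION (added example, not from the page): delete the stale files; skip anything a
# running process still holds open rather than failing the whole run
$tempPath  = 'C:\Windows\Temp'
$olderThan = (Get-Date).AddDays(-7)
$freed  = 0L
$failed = 0
$stale = @(Get-ChildItem -Path $tempPath -File -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -lt $olderThan })
foreach ($f in $stale) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $freed += $f.Length
    } catch {
        $failed++   # typically a log file held open; leave it for the next run
    }
}
Write-Output ("Freed {0:N1} MB; {1} files could not be removed" -f ($freed / 1MB), $failed)
if ($failed -gt 0 -and $freed -eq 0) { exit 1 }   # nothing fixed: report failure
exit 0   # remediation successful
```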
Reports & Monitoring
Compliance Dashboard
- Intune โ Reports โ Device compliance
- % compliant per platform
- Non-compliant device list
- Setting-level compliance drill-down
Remediation Reports
- Intune โ Reports โ Endpoint analytics
- Detection rate per script
- Remediation success/failure count
- Export to CSV
Non-Compliance Trend
- Historical compliance rate over time
- Top non-compliant settings
- Devices stuck in grace period
- Export and integrate with SIEM
Troubleshooting
Common Issues & Fixes
| Issue | Cause | Fix |
|---|---|---|
| Device stuck in "Not Evaluated" | Policy not reached device; stale enrollment | Force Intune sync; re-enroll if needed |
| BitLocker compliance fails even when encrypted | BitLocker not using correct protector type | Verify TPM protector in use: manage-bde -status |
| MDE risk level wrong | MDE not fully onboarded; risk not updated | Verify SENSE service running; check MDE onboarding |
| Remediation script fails | Script error or runs in wrong context | Test script manually as SYSTEM; check output in Intune |
| Compliance email not sent | Mail connector not configured | Verify email notification settings in Intune tenant |
| Custom compliance script error | JSON format incorrect or missing fields | Validate JSON format; check Intune-required schema |
Implementation Checklist
Compliance Policies
- Windows compliance policy (BitLocker, AV, OS version)
- iOS compliance policy (jailbreak, min OS)
- Android compliance policy (root, encryption, Play Protect)
- macOS compliance policy (FileVault, SIP, Gatekeeper)
- MDE risk level integrated into compliance
- Grace periods set appropriately per setting type
Non-Compliance Actions
- Day 0: Mark non-compliant configured
- Day 1: Email notification to user configured
- Email template customized with remediation steps
- Day 7: Remote lock for mobile devices
- CA policy requiring compliant device enabled
Proactive Remediations
- Windows Update service check/fix remediation
- Time zone correction remediation
- Disk space cleanup remediation
- Schedules set appropriately (daily/weekly)
- Remediation reports monitored weekly
Reporting
- Compliance dashboard reviewed weekly
- Non-compliant device list actioned
- Custom compliance policies for org-specific requirements
- Integration with SIEM for compliance alerts