Windows compliance settings in Microsoft Intune (2023)

This article lists and describes the different compliance settings you can configure on Windows devices in Intune. As part of your mobile device management (MDM) solution, use these settings to require BitLocker, set a minimum and maximum operating system version, set a risk level using Microsoft Defender for Endpoint, and more.

This feature applies to:

  • Windows 10/11
  • Windows Holographic for Business
  • Surface Hub

As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select Windows 10 and later.

Device Health

Windows Health Attestation Service evaluation rules

  • Require BitLocker:
    Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn't tampered with, even if it's left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM verifies the state of the computer.

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - The device can protect data that's stored on the drive from unauthorized access when the system is off, or hibernates.

    Device HealthAttestation CSP - BitLockerStatus

    Note

    If you use this setting in an Intune device compliance policy, be aware that its state is only measured at boot time. So even after BitLocker encryption has completed, a reboot is required before the device detects this and becomes compliant. For more information, see the following Microsoft support blog on Device Health Attestation.

  • Require Secure Boot to be enabled on the device:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn't boot.

    Note

    The Require Secure Boot to be enabled on the device setting is supported on some TPM 1.2 and 2.0 devices. For devices that don't support TPM 2.0 or later, the policy status in Intune shows as Not Compliant. For more information on supported versions, see Device Health Attestation.

  • Require code integrity:
    Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory.

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Require code integrity, which detects if an unsigned driver or system file is being loaded into the kernel. It also detects if a system file is changed by malicious software or run by a user account with administrator privileges.
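The following PowerShell script is an added example, not part of the Intune documentation, that reads the live state behind the three Health Attestation rules above (plus the TPM that attestation needs to produce a report) so a technician can see why a device fails them before its next check-in. It assumes an elevated session on a Windows 10/11 device. The mapping of the two BCD flags to the attestation's code-integrity result is this script's own assumption, not a documented equivalence.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Intune documentation. Reads the live state behind the
# three Windows Health Attestation rules (BitLocker, Secure Boot, code integrity) plus
# the TPM that DHA needs to report at all. DHA itself measures at boot, so a value that
# changed since the last boot will not match what Intune sees until the device restarts.

$result = [ordered]@{}

# Require BitLocker: DHA reports on the OS volume. A compliant device shows the volume
# FullyEncrypted with protection On; EncryptionInProgress or protection Off does not pass.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result['BitLockerOsVolume'] = '{0}, protection {1}' -f $os.VolumeStatus, $os.ProtectionStatus
$result['BitLockerPass']     = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')

# Require Secure Boot: Confirm-SecureBootUEFI throws on a legacy BIOS/CSM boot, which
# cannot attest Secure Boot either, so treat the exception as a failed check.
try   { $result['SecureBootPass'] = [bool](Confirm-SecureBootUEFI) }
catch { $result['SecureBootPass'] = $false; $result['SecureBootNote'] = $_.Exception.Message }

# Require code integrity: the attestation reports code integrity as disabled when kernel
# code integrity was turned off for this boot, and test signing separately. The two BCD
# flags below are what gets an unsigned driver loaded, so flag either one. Mapping these
# flags to the DHA result is this script's assumption, not a documented equivalence.
$bcd = bcdedit /enum '{current}'
$result['NoIntegrityChecks'] = [bool]($bcd | Select-String -Pattern '^nointegritychecks\s+Yes')
$result['TestSigning']       = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes')
$result['CodeIntegrityPass'] = -not ($result['NoIntegrityChecks'] -or $result['TestSigning'])

# DHA needs a TPM to produce a report (see the note on TPM 1.2/2.0 support above).
$tpm = Get-Tpm
$result['TpmPresentAndReady'] = ($tpm.TpmPresent -and $tpm.TpmReady)

[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell session. Because attestation is measured at boot, a pass here immediately after enabling BitLocker or turning off test signing still shows as Not Compliant in Intune until the device reboots and checks in again.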

More resources:

  • For details about how the Health Attestation service works, see Health Attestation CSP.
  • Support Tip: Using Device Health Attestation Settings as Part of Your Intune Compliance Policy.

Device Properties

Operating System Version

To discover build versions for all Windows 10/11 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows release information. Be sure to include the appropriate version prefix before the build numbers, like 10.0 for Windows 10 as the following examples illustrate.

  • Minimum OS version:
    Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS version:
    Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Minimum OS required for mobile devices:
    Enter the minimum allowed version, in the major.minor.build number format.

    When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS required for mobile devices:
    Enter the maximum allowed version, in the major.minor.build number format.

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Valid operating system builds:
    Specify a list of minimum and maximum operating system builds. Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider leveraging valid operating system builds instead, which allows multiple builds to be specified as per the following example.

    Example:
    The following table is an example of acceptable operating system version ranges for different Windows 10 releases. In this example, three Feature Updates are allowed (1809, 1909, and 2004), and only builds of those releases that have the cumulative updates from June through September 2020 applied are considered compliant. This is sample data only. The first column holds any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must be valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file.

    Description                  Minimum OS version   Maximum OS version
    Win 10 2004 (Jun-Sept 2020)  10.0.19041.329       10.0.19041.508
    Win 10 1909 (Jun-Sept 2020)  10.0.18363.900       10.0.18363.1110
    Win 10 1809 (Jun-Sept 2020)  10.0.17763.1282      10.0.17763.1490
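The following PowerShell script is an added example, not part of the Intune documentation, that expresses the table above as data, evaluates a device's version against it the way the Valid operating system builds setting does (compliant if the version falls inside any one range, inclusive), shows the gap the minimum/maximum scenario describes, and writes the rows out as CSV. The sample ranges are copied from the table; the CSV column names are this script's assumption, since the portal's Export defines its own header.

```powershell
# Added example, not from the Intune documentation.

# Constructed sample ranges, copied from the table in this article (June-Sept 2020 CUs).
$validBuilds = @(
    [pscustomobject]@{ Description = 'Win 10 2004 (Jun-Sept 2020)'; MinimumOSVersion = '10.0.19041.329';  MaximumOSVersion = '10.0.19041.508'  }
    [pscustomobject]@{ Description = 'Win 10 1909 (Jun-Sept 2020)'; MinimumOSVersion = '10.0.18363.900';  MaximumOSVersion = '10.0.18363.1110' }
    [pscustomobject]@{ Description = 'Win 10 1809 (Jun-Sept 2020)'; MinimumOSVersion = '10.0.17763.1282'; MaximumOSVersion = '10.0.17763.1490' }
)

function Test-ValidOsBuild {
    param(
        [Parameter(Mandatory)][version]$Version,   # major.minor.build.revision, as 'ver' prints it
        [Parameter(Mandatory)][object[]]$Ranges
    )
    foreach ($r in $Ranges) {
        # [version] compares all four parts numerically; a string compare would put
        # 10.0.18363.1110 before 10.0.18363.900 and get this wrong.
        if ($Version -ge [version]$r.MinimumOSVersion -and $Version -le [version]$r.MaximumOSVersion) {
            return $r.Description      # name of the range the device falls into
        }
    }
    return $null                        # no range matched: noncompliant
}

# Local device version: the same value 'ver' shows, read from the registry so the
# revision (UBR) is included.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$local = [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
                                          $cv.CurrentBuildNumber, $cv.UBR)
$match = Test-ValidOsBuild -Version $local -Ranges $validBuilds
if ($match) { "Compliant: $local is within '$match'" }
else        { "Not compliant: $local is outside every allowed range" }

# The scenario from the text: a 1903 device without recent CUs passes a plain
# minimum/maximum window that spans 1903..1909, but fails the per-build table.
$stale1903 = [version]'10.0.18362.30'
'Min/max window 10.0.18362.0..10.0.18363.9999 allows stale 1903: ' +
    ($stale1903 -ge [version]'10.0.18362.0' -and $stale1903 -le [version]'10.0.18363.9999')
'Valid operating system builds table allows stale 1903: ' +
    ($null -ne (Test-ValidOsBuild -Version $stale1903 -Ranges $validBuilds))

# Three-column CSV in the shape the setting uses; read it back with Import-Csv.
$validBuilds | Export-Csv -Path "$env:TEMP\ValidOperatingSystemBuilds.csv" -NoTypeInformation
```

The two scenario lines print True and False respectively, which is exactly the difference the text describes between a single minimum/maximum window and the per-build table.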

Configuration Manager Compliance

Applies only to co-managed devices running Windows 10/11. Intune-only devices return a not available status.

  • Require device compliance from Configuration Manager:
    • Not configured (default) - Intune doesn't check for any of the Configuration Manager settings for compliance.
    • Require - Require all settings (configuration items) in Configuration Manager to be compliant.

System Security

Password

  • Require a password to unlock mobile devices:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Users must enter a password before they can access their device.
  • Simple passwords:

    • Not configured (default) - Users can create simple passwords, such as 1234 or 1111.
    • Block - Users can't create simple passwords, such as 1234 or 1111.
  • Password type:
    Choose the type of password or PIN required. Your options:

    • Device default (default) - Require a password, numeric PIN, or alphanumeric PIN
    • Numeric - Require a password or numeric PIN
    • Alphanumeric - Require a password, or alphanumeric PIN.

    When set to Alphanumeric, the following settings are available:

    • Password complexity:
      Your options:

      • Require digits and lowercase letters (default)
      • Require digits, lowercase letters, and uppercase letters
      • Require digits, lowercase letters, uppercase letters, and special characters

      Tip

      The Alphanumeric password policies can be complex. We encourage administrators to read the CSPs for more information:

      • DeviceLock/AlphanumericDevicePasswordRequired CSP
      • DeviceLock/MinDevicePasswordComplexCharacters CSP
  • Minimum password length:
    Enter the minimum number of digits or characters that the password must have.

  • Maximum minutes of inactivity before password is required:
    Enter the idle time before the user must reenter their password.

  • Password expiration (days):
    Enter the number of days before the password expires, and they must create a new one, from 1-730.

  • Number of previous passwords to prevent reuse:
    Enter the number of previously used passwords that can't be used.

  • Require password when device returns from idle state (Mobile and Holographic):

    • Not configured (default)
    • Require - Require device users to enter the password every time the device returns from an idle state.

    Important

    When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that's when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords.

Encryption

  • Encryption of data storage on a device:
    This setting applies to all drives on a device.

    • Not configured (default)
    • Require - Use Require to encrypt data storage on your devices.

    DeviceStatus CSP - DeviceStatus/Compliance/EncryptionCompliance

    Note

    The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which uses Windows Device Health Attestation to validate BitLocker status at the TPM level. However, when using that setting, be aware that a reboot may be required before the device reflects as compliant.

Device Security

  • Firewall:

    • Not configured (default) - Intune doesn't control the Microsoft Defender Firewall, nor change existing settings.
    • Require - Turn on the Microsoft Defender Firewall, and prevent users from turning it off.

    Firewall CSP

    Note

    • If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually sync the device.

    • If a configuration is applied (for example, via a group policy) to a device that configures Defender Firewall to allow all inbound traffic, or turns off the firewall, setting Firewall to Require will return Not compliant, even if Intune device configuration policy turns Firewall on. This is because the group policy object overrides the Intune policy. To fix this issue, we recommend that you remove any conflicting group policy settings, or that you migrate your Firewall-related group policy settings to Intune device configuration policy. In general, we recommend that you keep default settings, including blocking inbound connections. For more information, see Best practices for configuring Windows Defender Firewall.

  • Trusted Platform Module (TPM):

    • Not configured (default) - Intune doesn't check the device for a TPM chip version.
    • Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device.

    DeviceStatus CSP - DeviceStatus/TPM/SpecificationVersion

  • Antivirus:

    • Not configured (default) - Intune doesn't check for any antivirus solutions installed on the device.
    • Require - Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

    DeviceStatus CSP - DeviceStatus/Antivirus/Status

  • Antispyware:

    • Not configured (default) - Intune doesn't check for any antispyware solutions installed on the device.
    • Require - Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

    DeviceStatus CSP - DeviceStatus/Antispyware/Status

Defender

The following compliance settings are supported with Windows 10/11 Desktop.

  • Microsoft Defender Antimalware:

    • Not configured (default) - Intune doesn't control the service, nor change existing settings.
    • Require - Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off.
  • Microsoft Defender Antimalware minimum version:
    Enter the minimum allowed version of Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used.

    By default, no version is configured.

  • Microsoft Defender Antimalware security intelligence up-to-date:
    Controls the Windows Security virus and threat protection updates on the devices.

    • Not configured (default) - Intune doesn't enforce any requirements.
    • Require - Force the Microsoft Defender security intelligence to be up-to-date.

    Defender CSP - Defender/Health/SignatureOutOfDate CSP

    For more information, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.

  • Real-time protection:

    • Not configured (default) - Intune doesn't control this feature, nor change existing settings.
    • Require - Turn on real-time protection, which scans for malware, spyware, and other unwanted software.

    Policy CSP - Defender/AllowRealtimeMonitoring CSP
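The following PowerShell script is an added example, not part of the Intune documentation, that reads the local state behind the Device Security and Defender settings above, including the two situations the Firewall note calls out: a firewall that is on but allows all inbound traffic, and a group policy that overrides what Intune pushed. It assumes an elevated session on Windows 10/11 with the NetSecurity and Defender modules present. The decoding of the Security Center productState bit field is an assumption of this script (it is not documented), and cmdlet output is live state rather than the CSP values Intune reads, so treat it as a diagnosis aid.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Intune documentation.
$report = [ordered]@{}

# Firewall: 'Require' needs every profile enabled and, per the note, a default inbound
# action of Block. -PolicyStore ActiveStore shows the effective result after GPO and
# MDM settings are merged, which is what the device actually enforces.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$report['FirewallAllProfilesOn']   = -not @($profiles | Where-Object { $_.Enabled -ne 'True' })
$report['FirewallAllowsAllInbound'] = [bool]@($profiles | Where-Object { $_.DefaultInboundAction -eq 'Allow' })
foreach ($p in $profiles) {
    $report["Firewall.$($p.Name)"] = 'Enabled={0} Inbound={1}' -f $p.Enabled, $p.DefaultInboundAction
}
# Group policy writes firewall state under this key; if it exists with EnableFirewall=0
# for a profile, that GPO wins over the Intune policy and the note above applies.
$gpoFw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$report['FirewallGpoPresent'] = Test-Path $gpoFw
if (Test-Path $gpoFw) {
    foreach ($prof in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path "$gpoFw\$prof" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($v) { $report["FirewallGpo.$prof.EnableFirewall"] = $v.EnableFirewall }
    }
}

# TPM: the setting only requires a specification version greater than 0, i.e. any TPM.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report['TpmSpecVersion'] = if ($tpm) { $tpm.SpecVersion } else { 'none' }
$report['TpmPass']        = [bool]$tpm

# Antivirus / Antispyware: the settings ask Windows Security Center, so any product that
# registered there (third-party included) satisfies them. productState is a bit field;
# the 0x1000 bit = product enabled, 0x10 bit = definitions out of date (assumed decoding).
$wsc = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$report['SecurityCenterAV'] = ($wsc | ForEach-Object {
    $state = [int]$_.productState
    '{0} (enabled={1}, upToDate={2})' -f $_.displayName, (($state -band 0x1000) -ne 0), (($state -band 0x10) -eq 0)
}) -join '; '
# The Antispyware setting reads the AntiSpywareProduct class in the same namespace.

# Defender: service state, engine version, signature age and real-time protection map to
# the four Defender settings above. Get-MpComputerStatus fails when Defender is disabled
# in favour of a third-party product, which is itself the answer for these rules.
try {
    $mp = Get-MpComputerStatus
    $report['DefenderServiceRunning']  = $mp.AMServiceEnabled
    $report['DefenderVersionOk4.11']   = ([version]$mp.AMProductVersion -ge [version]'4.11.0.0')
    $report['DefenderSignatureAgeDays'] = $mp.AntivirusSignatureAge
    $report['DefenderRealTimeProtection'] = $mp.RealTimeProtectionEnabled
} catch {
    $report['DefenderStatus'] = "unavailable: $($_.Exception.Message)"
}

[pscustomobject]$report | Format-List
```

If FirewallAllowsAllInbound is True, or FirewallGpoPresent is True with an EnableFirewall value of 0, the device reports Not compliant for the Firewall rule regardless of what an Intune device configuration profile set, which is the conflict the note describes; the fix is in the group policy, not in the compliance policy.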

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint rules

For additional information on Microsoft Defender for Endpoint integration in conditional access scenarios, see Configure Conditional Access in Microsoft Defender for Endpoint.

  • Require the device to be at or under the machine risk score:
    Use this setting to take the risk assessment from your threat defense service as a condition for compliance. Choose the maximum allowed threat level:

    • Not configured (default)
    • Clear - This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant.
    • Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status.
    • Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant.
    • High - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

    To set up Microsoft Defender for Endpoint as your threat defense service, see Enable Microsoft Defender for Endpoint with Conditional Access.
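The following PowerShell script is an added example, not part of the Intune documentation, that creates one Windows 10/11 compliance policy carrying the Device Health, Device Properties, System Security, Device Security, Defender and Defender for Endpoint rules described above, through Microsoft Graph with the Microsoft.Graph PowerShell SDK rather than the portal. The policy name and the chosen values are assumptions for illustration; the property names are those of the Graph windows10CompliancePolicy resource. The requirement for at least one scheduled action on create is stated as this script's understanding of the API, so check the error text if the POST is rejected.

```powershell
# Added example, not from the Intune documentation. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Win10/11 baseline compliance (example)'          # assumed name
    description   = 'Created via Graph; mirrors the settings in the Intune docs'

    # Device Health (Windows Health Attestation Service evaluation rules)
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true

    # Device Properties: minimum OS version in major.minor.build.revision format
    osMinimumVersion     = '10.0.19041.508'

    # System Security > Password
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = 'alphanumeric'   # deviceDefault | numeric | alphanumeric
    passwordMinimumCharacterSetCount      = 3                 # digits, lowercase and uppercase
    passwordMinimumLength                 = 12
    passwordMinutesOfInactivityBeforeLock = 15
    passwordExpirationDays                = 365               # 1-730
    passwordPreviousPasswordBlockCount    = 5
    passwordRequiredToUnlockFromIdle      = $true

    # System Security > Encryption (OS-drive check; weaker than bitLockerEnabled above)
    storageRequireEncryption = $true

    # System Security > Device Security
    activeFirewallRequired = $true
    tpmRequired            = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true

    # System Security > Defender
    defenderEnabled    = $true
    defenderVersion    = '4.11.0.0'
    signatureOutOfDate = $true      # true = require security intelligence to be up to date
    rtpEnabled         = $true

    # Microsoft Defender for Endpoint: machine risk score at or under Medium
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'   # secured | low | medium | high

    # Graph rejects a compliance policy created without a scheduled action (this script's
    # understanding of the API); 'block' with a 0-hour grace period matches the portal
    # default of marking the device noncompliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy
"Created policy $($created.id): $($created.displayName)"

# Read it back and confirm the attestation and MDE rules landed as intended.
$check = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)"
$check | Select-Object bitLockerEnabled, secureBootEnabled, codeIntegrityEnabled,
                       activeFirewallRequired, deviceThreatProtectionRequiredSecurityLevel
```

The policy is created unassigned; assign it to a device group afterwards (the assign action on the same resource) and, for Surface Hubs running Team OS, leave passwordRequired and deviceThreatProtectionEnabled out, as the Surface Hub section below explains.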

Windows Holographic for Business

Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting:

  • System Security > Encryption > Encryption of data storage on device.

To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

Surface Hub

Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. To enable these features on Surface Hubs, we recommend you enable Windows automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work.

For guidance, see set up enrollment for Windows devices.

Special consideration for Surface Hubs running Windows 10/11 Team OS:
Surface Hubs that run Windows 10/11 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10/11 Team OS set the following two settings to their default of Not configured:

  • In the category Password, set Require a password to unlock mobile devices to the default of Not configured.

  • In the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the default of Not configured.

Next steps

  • Add actions for noncompliant devices and use scope tags to filter policies.
  • Monitor your compliance policies.
  • See the compliance policy settings for Windows 8.1 devices.

FAQs

How does Intune check compliance?

Intune follows the device check-in schedule for all compliance evaluations on the device. Learn more about the device check-in schedule. Descriptions of the different device compliance policy states: Compliant: The device successfully applied one or more device compliance policy settings.

How can you set a compliance policy in Intune?

To manage the compliance policy settings, sign in to Microsoft Endpoint Manager admin center and go to Endpoint security > Device compliance > Compliance policy settings. This setting determines how Intune treats devices that haven't been assigned a device compliance policy.

How do I fix a device that is not compliant in Intune?

Add actions for noncompliance
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Devices > Compliance policies > Policies, select one of your policies, and then select Properties. ...
  3. Select Actions for noncompliance > Add.
  4. Select your Action:

How often does Intune check for compliance?

Right after enrollment, Windows 10 devices check policies and settings every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then about every 8 hours. An already enrolled device checks Intune settings every 8 hours.

Can Intune see my browsing history?

Intune doesn't collect nor allow an Admin to see the following data: An end users' calling or web browsing history. Personal email. Text messages.

Why is my device not compliant?

Device is not application compliant: Device will be marked as non-compliant if the device has any blacklisted apps installed on it or has any mandatory apps missing from it.

How do I force Windows Update through Intune?

In the admin center, go to Devices > Windows > Quality updates for Windows 10 and later and select the policy that you want to manage.

How do I force a device to enroll in Intune?

Enroll Windows 10 version 1607 and later device
  1. Go to Start.
  2. Open the Settings app. ...
  3. Select Accounts > Access work or school > Connect. ...
  4. To get to your organization's Intune sign-in page, enter your work or school email address. ...
  5. Sign in to Intune with your work or school account.

What can my employer see with Microsoft Intune?

Your organization can't see your personal information when you enroll a device in Microsoft Intune. Enrolling your device makes certain information, such as device model and serial number, visible to IT administrators and support people with administrator access.

How often do Intune applications check?

In general, the report refreshes every 7 days from the time of enrollment (not a weekly refresh for the entire tenant). The only exception to this refresh cycle for the Discovered apps report is application information collected through the Intune Management Extension for Win32 Apps, which is collected every 24 hours.

How often does Intune check for Windows updates?

Client-based data from Intune devices that are configured to send data to Intune – This data is processed in batches and refreshes every eight hours, but is only available after you configure data collection. The data contains information like when a client doesn't have enough disk space to install an update.

Can Intune wipe a personal device?

Wiping a device

Sign in to the Microsoft Endpoint Manager admin center. Select Devices > All devices. Select the name of the device that you want to wipe. In the pane that shows the device name, select Wipe.

Does Intune track user activity?

The Microsoft Azure portal for Intune provides information about user sign-in activities (including usage of managed applications) and audit logs (information about users, group management, your managed applications, and directory activities) through reporting.

How do I check my device compliance on Windows 10?

Open the device compliance policy, look under Properties > Actions for noncompliance, select Mark device noncompliant, and then enter a nonzero number in Schedule (days after noncompliance). This creates a grace period during which to mark the devices as noncompliant.

Can Intune push Windows updates?

You can configure, deploy, and pause update installation with Windows Update for Business settings using Microsoft Intune.

Can Intune control Windows updates?

With Intune, you can configure update settings on devices and configure deferral of update installation. You can also prevent devices from installing features from new Windows versions to help keep them stable, while allowing those devices to continue installing updates for quality and security.

How do I manually trigger Windows updates?

If you want to install the update now, select Start > Settings > Update & Security > Windows Update , and then select Check for updates. If updates are available, install them.

How do I check my Intune enrollment failure?

Sign in to the Microsoft Endpoint Manager admin center and select Troubleshooting + support > Select user. Choose a user > Select. Under Enrollment failures, select a row to view more details about the failure and recommended remediation steps.

How do you check if a device is joined to Intune?

How to Confirm a Device Is Enrolled in Intune
  1. Click Start on your Windows device.
  2. Click on Settings.
  3. Click Accounts.
  4. Click Access work or school.
  5. Click the connected work or school account, then click Info. Note: If the Info button does not appear on your device, your device has not been successfully enrolled.

How long does it take for a device to show up in Intune?

iOS and Mac OS X: Every 6 hours. Android: Every 8 hours. Windows Phone: Every 8 hours. Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.

How do you test for Intune compliance?

View compliance reports
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Devices > Monitor, and then from below Compliance select the report you want to view. Some of the available compliance reports include: Device compliance. Noncompliant devices. Devices without compliance policy. Setting compliance.

What happens if a device is not compliant in Intune?

The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.

Do Intune compliance policies enforce settings?

Compliance policies configure rules and settings that users and devices must meet. Microsoft Intune provides the tools to enforce compliance and security policies on end user devices.

What is Update Compliance?

Update Compliance: Provides detailed deployment monitoring for Windows client feature and quality updates. Reports when devices need attention due to issues related to update deployment. Shows bandwidth usage and savings for devices that are configured to use Delivery Optimization.

Is Update Compliance free?

Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. Desktop Analytics users should use the same workspace for Update Compliance.

How do devices check in with Intune?

Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, when a lock, passcode reset, app, or policy assignment action runs.

Does Intune do vulnerability scanning?

After you connect Intune to Microsoft Defender for Endpoint, Defender for Endpoint receives threat and vulnerability details from managed devices. Vulnerabilities that are discovered aren't based on configurations from Intune. They're based on Microsoft Defender for Endpoint configurations and scan details.

What is not evaluated in Intune?

A device will show "Not Evaluated" if User Account Control (UAC) is not enabled. Even though the device is registered with Azure AD and Azure Intune, it will show Not Evaluated in the Azure portal if UAC is not enabled on the system. Enabling UAC is mandatory to enroll a system in Azure Intune.

Can Intune block apps?

Whatever the reason, a company may want to block such an app on end-user devices that have access to corporate resources. With Microsoft Intune (Endpoint Manager) we have the possibility to block such apps on iOS and Android.

How often do scripts run in Intune?

PowerShell scripts are executed before Win32 apps run. In other words, PowerShell scripts execute first. Then, Win32 apps execute. PowerShell scripts time out after 30 minutes.

How does Intune know if a device is personal or corporate?

Intune only reads one IMEI number per enrolled device. If you import an IMEI number but it is not the IMEI inventoried by Intune, the device is classified as a personal device instead of a corporate-owned device.

How long does a device take to show up in Intune?

Immediately after the deployment has taken place, Intune will attempt to notify the device that it should check in with the Intune service. This process normally takes less than 5 minutes. If the device does not check in to get the new policy, Intune will attempt to notify the device 3 more times.

How many devices can Intune handle?

The Azure Maximum number of devices per user setting is set to 3. The Intune Device limit setting is set to 5.

Can Intune manage Windows Defender?

In addition to managing settings for Microsoft Defender for Endpoint on devices you manage with Intune, you can manage Defender for Endpoint security configurations on devices that aren't enrolled with Intune.

Does Intune require TPM?

Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device.

Does Intune override GPO?

Result: Intune policies override Group Policy settings. In the Group Policy vs. Intune policy comparison, the MDM CSP wins over Group Policy; in the test described, it is the MDM CSP that configures the "Home Page" value.

Article information

Author: Kerri Lueilwitz

Last Updated: 02/05/2023