Device Compliance Policies
Configure and troubleshoot Intune device compliance policies for Windows, iOS, and Android.
Overview
Device compliance policies in Microsoft Intune define the rules and settings that devices must meet to be considered compliant. Non-compliant devices can be blocked from accessing corporate resources through Conditional Access integration.
Key Policy Settings
- Minimum OS version requirements
- BitLocker encryption enforcement (Windows)
- Password complexity and length
- Jailbreak/root detection (iOS/Android)
- Microsoft Defender for Endpoint risk score
- Firewall and antivirus status
Creating a Compliance Policy
Navigate to Intune admin center → Devices → Compliance policies → Create policy. Select the platform and configure the required settings.
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" `
| Select-Object DeviceName, UserPrincipalName, ComplianceStateTip
Always create a "mark device non-compliant" action with a grace period (e.g., 3 days) to give users time to remediate before access is blocked.
Common Compliance Issues
- Devices showing as "Not evaluated" — check that the policy is assigned to the correct group
- Compliance state not updating — trigger a manual sync from Company Portal or the device
- BitLocker compliance failing — ensure the recovery key is escrowed to Azure AD before enforcing
Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId $deviceIdConditional Access Integration
Compliance policies become most powerful when paired with Conditional Access. Create a CA policy that requires device compliance as a grant control to enforce access restrictions across Microsoft 365 services.
Warning
Avoid enabling compliance-based Conditional Access without first ensuring all targeted devices have compliance policies assigned and evaluated. Unassigned devices default to non-compliant.