This week I’m going to look at the recently introduced feature to configure the default compliance state for devices when no compliance policies are targeted. This adds a layer of security for all devices, as it enables administrators to mark devices as non compliant when no compliance policies are targeted to the device. In this post I’ll start with a short introduction to this security feature, followed by a walkthrough of the configuration. I’ll end this post by looking at the end-user experience.
Introduction
As should be known by now, compliance policies are basically rules, such as requiring a device PIN or requiring encryption. These device compliance policies define the rules and settings that a device must follow to be considered compliant. The recently introduced security feature enables administrators to determine the default compliance state of devices when no compliance policies are targeted. The default state (for new tenants) is that such devices are marked as compliant. From a security perspective it can be required to switch this to non compliant, as this makes sure that every device that has access is actually evaluated against, and compliant with, the company requirements, rather than being treated as compliant simply because no policy was targeted at it.
Configuration
Let’s have a look at the required configuration. This configuration is actually quite simple. To make sure that the default compliance status is switched to non compliant, simply follow the next 3 steps.
1. Open the Azure portal and navigate to Intune > Device compliance to open the Device compliance blade;
2. On the Device compliance blade, click Compliance policy settings to open the Device compliance – Compliance policy settings blade;
3. On the Device compliance – Compliance policy settings blade, set the default compliance state for devices with no compliance policy assigned to Non Compliant and save the configuration.

Note: Compliant means the security feature is off and Non Compliant means that the security feature is on.
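The portal steps above can be verified from a script as well, which is useful when auditing several tenants. The following PowerShell is an added example (not part of the original post) that reads the tenant-wide compliance settings through Microsoft Graph with the Microsoft.Graph.Authentication module; it assumes the `secureByDefault` property of the `deviceManagement` settings resource reflects the "mark devices with no compliance policy as non compliant" switch, and that an account with the DeviceManagementConfiguration.Read.All permission is used.

```powershell
# Added example: audit whether devices without a targeted compliance policy
# are treated as non compliant. Requires the Microsoft.Graph.Authentication
# module (Install-Module Microsoft.Graph.Authentication).
Import-Module Microsoft.Graph.Authentication

function Get-IntuneDefaultComplianceState {
    # Read-only Graph scope is sufficient for this audit.
    Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -NoWelcome

    # Assumption: the switch from the portal is exposed as settings.secureByDefault
    # on the deviceManagement resource (true = Non Compliant, false = Compliant).
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement?`$select=settings"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    $secure = [bool]$resp.settings.secureByDefault

    [pscustomobject]@{
        DefaultState    = if ($secure) { "Non Compliant" } else { "Compliant" }
        SecurityFeature = if ($secure) { "On" } else { "Off" }
        Finding         = if ($secure) { "OK" } else {
            "Devices with no compliance policy are treated as compliant; switch to Non Compliant" }
    }
}

Get-IntuneDefaultComplianceState | Format-List
```

The script only reads the setting; changing it is still done in the portal as described in the steps above.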
End-user experience
Now let’s end this post by having a look at the end-user experience on the different platforms. The first platform is Windows 10. In a co-management configuration the compliance state can be seen in the Company Portal app and Software Center. So I’ll show them both. Below on the left is an example of Software Center and below on the right is an example of the Company Portal app.
The next platforms are iOS and Android. Nothing too fancy for these platforms. Below on the left is an example of the Company Portal app (latest update) on iOS and below on the right is an example of the Company Portal app on Android.
More information
For more information about compliance policies and Microsoft Intune, refer to the article Get started with device compliance policies in Intune.
Hi Peter,
Do you assign Compliance Policies to Devices or Users? I notice when you assign them to Device they only get evaluated when the enroller logs/logged in. They work best when assigning them to Users.
Hi Rkast,
Depends on the use case, but in general it’s user assigned.
Regards, Peter
Hi Peter,
Literally, I got the following reply from Intune support:
“I would like to tell you that the option to deploy compliance policy on device group has been recently introduced, and many admins have reported that it is not working as expected for some of the devices. That is why we suggested you to deploy the policy to User group instead of device group.”
Familiar with this advice and recognize the problems?
Regards,
Hi RKast,
No, I haven’t heard that specific response yet. Having said that I also don’t use the device targeting often. I’ll ask around.
Regards, Peter