Check OS Version Compliance with Device Compliance Policy & Notify User | Microsoft Intune

Keeping devices secure and up to date is critical for modern endpoint management. With Microsoft Intune, you can enforce minimum OS version requirements and automatically notify users when their devices fall out of compliance. In this guide, we’ll walk through creating compliance policies, configuring notifications, and ensuring users take timely action to stay secure and productive.

What is Device Compliance Policy

Microsoft Intune device compliance policies establish rules and configuration settings that managed devices and users must meet to remain compliant. Compliance policies are available for the following platforms:

  • Android device administrator
  • Android AOSP
  • Android Enterprise
  • iOS
  • Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
  • macOS
  • Windows 10/11

How to Create a Notification for Device Compliance Policy

To alert users when their device is running a non‑compliant OS version, you first need to create an email notification template in the Microsoft Intune admin center. This template will later be linked to your device compliance policy and automatically trigger an email when a device fails to meet the minimum OS version requirement.

Steps:

Sign in to the Microsoft Intune admin center.

Navigate to Devices > Compliance policies > Notifications.

Select Create notification.


On the Basics page of the notification setup, provide the following details to ensure your email notification is branded and informative:

  • Name: Enter a clear policy name (e.g., OS Version Compliance Notification).
  • Email Header: Toggle Enable and include your company logo for professional branding.
  • Email Footer – Company Name: Toggle Enable to display your organization’s name.
  • Email Footer – Contact Information: Toggle Enable to add IT support or helpdesk contact details.
  • Company Portal Website Link: Toggle Enable if you want users to access the Company Portal app to install updates or applications that make their device compliant.


On the Notification message templates page, enter the required details to customize the email that will be sent to users when their device is non‑compliant. This ensures the message is clear, branded, and actionable.


Update: Intune release 2312 introduced support for variables in noncompliant email notifications. You can use variables in the subject line and body of the message to create a personalized email with dynamic content. The variables are replaced with the actual values when the notification is sent. See the table below for supported variables.

| Variable name | Token to use | Description |
|---|---|---|
| User name | {{UserName}} | Insert primary user name for the noncompliant device. Example: Test user1 |
| Device name | {{DeviceName}} | Insert the name of the noncompliant device as it’s recorded in Microsoft Intune. Example: Test iPad1 |
| Device ID | {{DeviceId}} | Insert the Intune device ID that belongs to the noncompliant device. Example: 1234-5678-910111213 |
| Device OS version | {{OSAndVersion}} | Insert the operating system and version of the noncompliant device. Example: iPhone 17.1.2 |
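
A local pre-check for a notification subject or body before pasting it into the template, added here as an example (it is not part of the original post and does not call Intune). It substitutes the four tokens from the table and reports any other `{{...}}` token; `Test-NotificationTemplate` is a hypothetical helper, and requiring the exact spelling shown in the table is this example's assumption.

```powershell
function Test-NotificationTemplate {
    # Substitutes the supported tokens and collects every other {{...}} token.
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][hashtable]$Values
    )
    # Tokens listed in the table above (Intune release 2312).
    $supported   = 'UserName', 'DeviceName', 'DeviceId', 'OSAndVersion'
    $unsupported = [System.Collections.Generic.List[string]]::new()

    $rendered = [regex]::Replace($Template, '\{\{([^{}]*)\}\}', {
        param($m)
        $name = $m.Groups[1].Value
        # Assumption of this example: exact, case-sensitive match to the table.
        if ($supported -ccontains $name -and $Values.ContainsKey($name)) {
            return [string]$Values[$name]
        }
        $unsupported.Add($m.Value)   # leave the raw token in place and report it
        return $m.Value
    })

    [pscustomobject]@{ Rendered = $rendered; Unsupported = $unsupported.ToArray() }
}

# Constructed sample values, reusing the examples from the table.
$device = @{
    UserName     = 'Test user1'
    DeviceName   = 'Test iPad1'
    DeviceId     = '1234-5678-910111213'
    OSAndVersion = 'iPhone 17.1.2'
}
# {{DeviceID}} is a deliberate casing typo for the check to catch.
$body = 'Hello {{UserName}}, {{DeviceName}} ({{OSAndVersion}}) is noncompliant. Ref: {{DeviceID}}'

$result = Test-NotificationTemplate -Template $body -Values $device
$result.Rendered
$result.Unsupported
```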

On the Review + create tab, carefully review all the details you’ve configured for the notification template. Confirm that the name, header, footer, contact information, and Company Portal link are correct and aligned with your compliance requirements.

Once verified, click Create to finalize the notification. This action will generate a user notification template that can be linked to your Intune device compliance policy. You can find and manage this notification under the Notifications blade in the Intune admin center.


Note: You can create multiple email notification templates and use them in a single compliance policy. For example, you can send the first notification as soon as a device is marked as non-compliant. The second and third notifications can be sent in week 2 and week 3, respectively.

How to Create an Intune Device Compliance Policy

Create an Intune Compliance Policy for OS Version Enforcement

To detect devices running an OS version lower than Windows 10 21H1, you need to create a new compliance policy in Microsoft Intune. This policy will help identify non‑compliant machines and enforce minimum OS version requirements.

Steps:

Sign in to the Microsoft Endpoint Manager admin center.

Go to Devices > Compliance policies.

Click on Create policy.


Configure Basics for the Intune Compliance Policy

On the Basics tab, provide the required details to define your compliance policy:

Policy Name: Enter a clear, descriptive name (e.g., Windows 10 OS Version Compliance).

Review the information to ensure accuracy.

Click Next to proceed to the compliance settings configuration.


Configure Compliance Settings

On the Compliance settings tab, expand Device properties and enter the required details to enforce OS version compliance:

  • Minimum OS Version: Set the value to Windows 10 21H1 (OS version 10.0.19043.1237).
  • Any device running an OS version lower than Windows 10 21H1 will be automatically reported as Non‑compliant.

This ensures that only devices meeting the minimum supported OS version remain compliant, helping maintain security and compatibility across your environment.

Click on Next to move to the next tab.


Configure Actions for Non‑Compliant Devices

On the Actions for noncompliance tab, define what should happen when a device fails to meet the minimum OS version requirement:

  • Mark device noncompliant:
    • Set to immediately or specify a number of days.
    • This is the default action and cannot be removed.
    • If you set a grace period (e.g., 7 days), the device is still flagged as non‑compliant but can continue accessing company resources until the grace period expires.
  • Send email to end user:
    • Schedule days: Set to Immediately.
    • Message template: Select the notification message template you created earlier.
    • Additional recipients: Add an Azure AD distribution group if you want IT admins or managers copied on the email.
  • Retire noncompliant device:
    • Configure to 120 days.
    • After this period, devices that remain non‑compliant will be retired from Intune management.

Click on Next.

Note: You can add multiple “Send email to end user” actions to send reminders to users. You can use the same or different email notification templates.


Assign the Compliance Policy

On the Assignments tab, choose the Azure Active Directory (Azure AD) group where you want to apply this compliance policy. Targeting specific groups ensures that only the intended users or devices are evaluated against the minimum OS version requirement.

Once the group is selected, click Next to proceed to the final Review + create tab.


Review and Create the Intune Compliance Policy

On the Review + create tab, carefully review all the settings you’ve configured for the compliance policy, including:

  • Policy name
  • Minimum OS version requirement
  • Actions for noncompliance (notifications, grace period, and retire settings)
  • Assignments to Azure AD groups

Once you’ve verified the details, click Create to finalize the policy. This will generate a new Intune compliance policy that enforces OS version requirements and automatically notifies users when their devices are non‑compliant.


The Intune compliance policy has now been created. You can view the newly created device compliance policy under the Devices > Compliance policies blade in the Microsoft Endpoint Manager admin center.


Once the compliance policy has been evaluated on the client device, you can view the compliance status in the Devices > Compliance policies blade of Microsoft Intune.
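
The minimum OS version and the email and retire schedule configured above, applied offline to a constructed device inventory so you can predict which machines the policy will flag. This is an added example, not part of the original post and not Intune's own evaluation logic; `Get-OsComplianceReport` and the `DeviceName`, `OsVersion` and `DetectedOn` fields are hypothetical names.

```powershell
# Values taken from the policy configured in this guide.
$MinimumOsVersion = [version]'10.0.19043.1237'
$RetireAfterDays  = 120

function Get-OsComplianceReport {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][version]$Minimum,
        [Parameter(Mandatory)][int]$RetireDays
    )
    foreach ($d in $Devices) {
        $parsed = $null
        $state  = 'Unknown'   # unparseable versions are surfaced, never assumed compliant
        if ([version]::TryParse($d.OsVersion, [ref]$parsed)) {
            # [version] compares each component numerically, so build 985 sorts
            # below 1237 even though the string '985' sorts above '1237'.
            $state = if ($parsed -ge $Minimum) { 'Compliant' } else { 'Noncompliant' }
        }
        $flagged = $state -eq 'Noncompliant'
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            OsVersion  = $d.OsVersion
            State      = $state
            # "Send email to end user" is scheduled Immediately in the policy.
            EmailOn    = if ($flagged) { $d.DetectedOn } else { $null }
            RetireOn   = if ($flagged) { $d.DetectedOn.AddDays($RetireDays) } else { $null }
        }
    }
}

# Constructed inventory: device names, versions and the detection date are sample values.
$detected  = [datetime]'2024-01-08'
$inventory = @(
    [pscustomobject]@{ DeviceName = 'PC-001'; OsVersion = '10.0.19045.3803'; DetectedOn = $detected }
    [pscustomobject]@{ DeviceName = 'PC-002'; OsVersion = '10.0.19043.985';  DetectedOn = $detected }
    [pscustomobject]@{ DeviceName = 'PC-003'; OsVersion = '10.0.19042.1706'; DetectedOn = $detected }
    [pscustomobject]@{ DeviceName = 'PC-004'; OsVersion = 'unknown';         DetectedOn = $detected }
)

Get-OsComplianceReport -Devices $inventory -Minimum $MinimumOsVersion -RetireDays $RetireAfterDays |
    Format-Table -AutoSize
```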


End‑User Experience with Intune Compliance Notifications

As soon as a non‑compliant device is detected, Microsoft Intune automatically sends an email notification to the user. The email informs them of the device’s non‑compliance status and provides guidance on how to resolve the issue.

You can customize the notification to include:

  • Upgrade instructions: Direct users to contact the IT help desk for assistance.
  • Self‑service resources: Share a link to a step‑by‑step upgrade guide or the Company Portal app for remediation.
  • Support details: Add contact information so users know where to seek help.

This proactive communication ensures users are aware of compliance requirements and can take immediate action to bring their devices back into compliance.

Sample Email Notification (from Intune Notification Service during testing):

Subject: Your Device is Non-compliant
Body: Your device does not have the latest Windows 10 operating system installed. Please contact the helpdesk to schedule an upgrade on your device at the earliest.


Conclusion

By creating and assigning an Intune device compliance policy with OS version enforcement, you ensure that all managed devices meet your organization’s minimum security and compatibility standards. Configuring notifications and actions for non‑compliant devices provides users with clear guidance while giving IT admins control over remediation and retirement timelines. This proactive approach strengthens endpoint security, improves compliance visibility, and helps maintain a consistent, reliable device environment across your enterprise.
