Microsoft Intune device compliance policies define the rules and settings that users and managed devices must meet to be considered compliant. Supported platforms include:
- Android device administrator
- Android AOSP
- Android Enterprise
- Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
- Windows 10/11
In this blog post, we will discuss how we can set up a device compliance policy to check the minimum required OS version. We will also understand how to send notifications to noncompliant devices.
How to Create a Notification for Device Compliance Policy
Let's start by creating a notification, which we will later attach to the Intune device compliance policy so that it fires when a non-compliant OS version is detected on a user's device. The compliance policy uses this email notification template to send the email to the user.
In the Microsoft Intune admin center, select Devices | Compliance policies | Notifications and click on Create notification.
Provide the following details on the Basics page.
- Name: Enter a name for the notification template
- Email header – Include company logo: enable the toggle
- Email footer – Include company name: enable the toggle
- Email footer – Include contact information: enable the toggle
- Company Portal website link: enable the toggle if you want the email to link users to the Company Portal, where they can install a required app or take the other steps needed to bring the device back into compliance
In the Notification message templates tab, enter the locale, subject and message text and click on Next.
Update: Intune release 2312 introduced support for variables in noncompliant email notifications. You can use variables in the subject line and body of the message to create a personalized email with dynamic content. Each variable is replaced with the actual value when the notification is sent. The supported variables are listed in the table below.
| Variable | Token to use | Description |
|---|---|---|
| User name | {{UserName}} | Insert the primary user name for the noncompliant device. Example: Test user1 |
| Device name | {{DeviceName}} | Insert the name of the noncompliant device as it's recorded in Microsoft Intune. Example: Test iPad1 |
| Device ID | {{DeviceId}} | Insert the Intune device ID that belongs to the noncompliant device. |
| Device OS version | {{DeviceOSVersion}} | Insert the operating system and version of the noncompliant device. Example: iPhone 17.1.2 |
In the Review + create tab, review the details and click on Create. This creates the user notification template, which you can find under the Notifications blade.
Note: You can create multiple email notification templates and use them in a single compliance policy. For example, you can send the first notification immediately when a device is marked as non-compliant, and a second and third notification in week 2 and week 3 respectively.
How to Create an Intune Device Compliance Policy
We will now create an Intune compliance policy to identify Windows machines whose OS version is lower than Windows 10 21H1.
In the Microsoft Intune admin center, select Devices | Compliance policies and click on Create policy. Choose Windows 10 and later as the platform.
In the Basics tab, enter the policy name and click on Next.
On the Compliance settings tab, expand Device properties and enter the required details. Here we set the Minimum OS version to Windows 10 21H1 (OS version 10.0.19043.1237). A device whose OS version is lower than this value is reported as Non-compliant. The value is evaluated as a four-part major.minor.build.revision version, so the revision you enter counts: with 10.0.19043.1237 a 21H1 device that has not yet installed the September 2021 cumulative update (for example 10.0.19043.1165) is also non-compliant, while any later build such as Windows 10 21H2 or Windows 11 passes. Enter a revision of 0 if you only want to enforce the feature update level.
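To see what the policy actually compares, the following PowerShell script (an added example, not code from the original post) reads the full Windows version the way Intune reports it from the CurrentVersion registry key, and checks a few constructed sample versions against the 10.0.19043.1237 minimum using .NET's component-wise [version] comparison. The sample version strings are made up for illustration.

```powershell
# Added example (not from the original post): read the local Windows version as
# major.minor.build.revision and compare it with the policy's minimum version.
# [version] compares each component numerically, so the revision (UBR) matters
# as soon as it is part of the threshold.

function Get-LocalWindowsVersion {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentMajorVersionNumber / CurrentMinorVersionNumber exist on Windows 10 and 11;
    # CurrentBuildNumber is the build (a string) and UBR the cumulative-update revision.
    [version]::new([int]$cv.CurrentMajorVersionNumber, [int]$cv.CurrentMinorVersionNumber,
                   [int]$cv.CurrentBuildNumber, [int]$cv.UBR)
}

function Test-MinimumOsVersion {
    param(
        [Parameter(Mandatory)][version]$DeviceVersion,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    [pscustomobject]@{
        DeviceVersion = $DeviceVersion.ToString()
        Minimum       = $MinimumVersion.ToString()
        Compliant     = ($DeviceVersion -ge $MinimumVersion)
    }
}

# Windows 10 21H1 with the September 2021 cumulative update, as used in the policy
$minimum = [version]'10.0.19043.1237'

# Constructed sample versions (not real device data) showing how each component counts
$samples = @(
    '10.0.19042.1237',  # 20H2: build too low even though the revision is current
    '10.0.19043.1165',  # 21H1 with an older cumulative update: revision too low
    '10.0.19043.1237',  # exactly the minimum: compliant
    '10.0.19044.1288',  # 21H2: compliant
    '10.0.22000.282'    # Windows 11 21H2: compliant, 22000 is greater than 19043
)
$samples | ForEach-Object { Test-MinimumOsVersion -DeviceVersion $_ -MinimumVersion $minimum } | Format-Table

# Finally, the machine this script runs on
Test-MinimumOsVersion -DeviceVersion (Get-LocalWindowsVersion) -MinimumVersion $minimum
```

Run this on a test device before assigning the policy: the first table tells you which of your current builds would be flagged by the threshold you intend to enter, and the last line shows the exact value that device will report to Intune.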
Click on Next to move to the next tab.
Now we will configure the actions for noncompliant devices. In the Actions for noncompliance tab, set up the following actions.
- Mark device noncompliant – set to Immediately or a number of days. This is the default action and you can't remove it. If you enter a number other than 0, the device is still evaluated as non-compliant, but it is reported as being in a grace period for that many days, and it can continue to access company resources during the grace period.
- Send email to end user:
- Schedule days: Immediately
- Message template: select the notification message template created earlier
- Additional recipients: add a Microsoft Entra ID (Azure AD) group if you want to copy additional recipients on the email sent to the user
- Retire the noncompliant device: 120 days. Retiring removes the device from Intune management and deletes the company data on it, so give users enough time to update before this action fires.
Click on Next
Note: You can add multiple "Send email to end user" actions with different schedules to send reminders to users, using the same or a different email notification template for each.
In the Assignments tab, select the Azure AD Group where you want to apply this policy and click on Next.
In the Review + create tab, review the settings and click on Create.
The policy is now created. You can find the new device compliance policy under the Devices | Compliance policies blade.
You can see the compliance status once the policy has been evaluated on the client.
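The notification template, the compliance policy and its assignment can also be created through Microsoft Graph, which is useful for repeatable deployments across tenants. The script below is an added example and not code from the original post; it uses the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest) and reproduces the settings chosen above. The template text, the display names and the assignment group name are assumptions for illustration.

```powershell
# Added example (not from the original post): create the notification template,
# the Windows 10/11 compliance policy and its group assignment via Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module. Names below are assumptions.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'
$graph = 'https://graph.microsoft.com/beta'

# 1. Notification template with the branding toggles from the Basics page, plus an
#    English message that uses the variables introduced in release 2312.
$template = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/notificationMessageTemplates" -Body @{
    displayName     = 'OS version below minimum'            # assumed name
    defaultLocale   = 'en-us'
    brandingOptions = 'includeCompanyLogo,includeCompanyName,includeContactInformation,includeCompanyPortalLink'
}
$null = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" -Body @{
    locale          = 'en-us'
    subject         = 'Action required: {{DeviceName}} is running an outdated Windows version'
    messageTemplate = "Hello {{UserName}},`n`n{{DeviceName}} reports {{DeviceOSVersion}}, which is below the minimum required by IT. Install pending Windows updates or contact the help desk.`nDevice ID: {{DeviceId}}"
    isDefault       = $true
}

# 2. Compliance policy: minimum OS 10.0.19043.1237, mark noncompliant immediately,
#    email the user immediately with the template above, retire after 120 days.
#    Graph expects the scheduled actions under the fixed rule name 'PasswordRequired'
#    regardless of which setting the policy evaluates. gracePeriodHours is in hours.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows minimum OS version 21H1'   # assumed name
    osMinimumVersion        = '10.0.19043.1237'
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block';        gracePeriodHours = 0;    notificationTemplateId = '';           notificationMessageCCList = @() }  # mark noncompliant immediately
                @{ actionType = 'notification'; gracePeriodHours = 0;    notificationTemplateId = $template.id; notificationMessageCCList = @() }  # CC list takes group IDs
                @{ actionType = 'retire';       gracePeriodHours = 2880; notificationTemplateId = '';           notificationMessageCCList = @() }  # 120 days * 24 hours
            )
        }
    )
}

# 3. Assign the policy to the target group (looked up by an assumed display name).
$group = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq 'Intune - Windows Compliance Pilot'").value | Select-Object -First 1
if (-not $group) { throw 'Assignment group not found' }
$null = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id } }
    )
}

"Policy '$($policy.displayName)' ($($policy.id)) created and assigned to $($group.displayName)"
```

The "Additional recipients" option from the admin center corresponds to the notificationMessageCCList array on the notification action, which takes group IDs. Keep the retire action's gracePeriodHours well above the notification schedule so users receive the reminders before the device is retired.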
End User Experience
As soon as a non-compliant device is detected, an email is sent to the user informing them of the device's non-compliance state. You can add instructions for the user to upgrade the device by contacting the help desk or by sharing a link to a self-service upgrade guide.
See the sample email below, which was sent by the Intune Notification Service during this test.