Check OS Version Compliance with Device Compliance Policy & Notify User | Microsoft Intune

Microsoft Intune Device compliance policies define the rules and settings that users and managed devices must meet to be compliant.

In this blog post, we will discuss how to set up a device compliance policy that checks for a minimum required OS version and sends a notification to the user if the device is noncompliant.

Table of contents

  • Create a Notification
  • Create device compliance policy
  • End user experience

Create a Notification

Let’s start by creating a notification, which we will use later with the device compliance policy.

In the Microsoft Endpoint Manager admin center, select Devices | Compliance policies | Notifications and click on Create notification.

Endpoint Manager | Device compliance | Notifications

Enter the policy name in the Basics tab and click on Next.

Endpoint Manager | Device compliance | Notifications

In the Notification message templates, enter the required details and click on Next.

Endpoint Manager | Device compliance | Notifications

In the Review + create tab, review the details and click on Create. This creates the user notification, which you can find under the Notifications blade.

Endpoint Manager | Device compliance | Notifications

Create Device Compliance Policy

We will now create a Device Compliance Policy to identify machines whose OS version is lower than Windows 10 21H1.

In the Microsoft Endpoint Manager admin center, select Devices | Compliance policies and click on Create policy.

Endpoint Manager | Device compliance Policy

In the Basics tab, enter the policy name and click on Next.

Endpoint Manager | Device compliance Policy

In the Compliance settings tab, expand Device properties and enter the required details. Here we set the minimum OS version to Windows 10 21H1 (OS version 10.0.19043.1237). If a device's OS version is lower than Windows 10 21H1, the device will be reported as Noncompliant.

Click on Next to move to the next tab.

Endpoint Manager | Device compliance Policy

In the Action for noncompliance tab, configure the following actions.

  • Mark device noncompliant – Immediately
  • Send email to end user:
    • Schedule days: Immediately
    • Message template: select the notification message template created earlier
    • Additional recipients: add an Azure AD group if you want to copy additional recipients on the email sent to the user
  • Retire the noncompliant device: 120 days

Click on Next.

Endpoint Manager | Device compliance Policy | Action

In the Assignments tab, select the Azure AD Group where you want to apply this policy and click on Next.

Endpoint Manager | Device compliance Policy | Assignments

In the Review + create tab, review the settings and click on Create.

Endpoint Manager | Device compliance Policy | Review

The policy is now created. You can check the newly created device compliance policy from the Devices | Compliance policies blade.
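The same policy can be created through the Microsoft Graph API instead of the portal. The following Python is an added example, not code from the original post: it builds the request body for the policy described above (minimum OS version 10.0.19043.1237, mark noncompliant immediately, email the user immediately with the notification template, retire after 120 days) and evaluates a constructed device inventory against the same minimum. The `windows10CompliancePolicy` field names, the `PasswordRequired` rule name and the template/group IDs are assumptions and placeholders, not values from the page; the sample devices are constructed.

```python
"""Added example: build the Graph request body for the OS-version compliance
policy and evaluate reported OS builds against the same minimum.
Assumed (not on the page): the microsoft.graph.windows10CompliancePolicy
schema, the scheduled-action field names and the placeholder IDs below."""
from __future__ import annotations
import json

MIN_OS_VERSION = "10.0.19043.1237"   # Windows 10 21H1 build stated in the post
RETIRE_AFTER_DAYS = 120               # "Retire the noncompliant device: 120 days"

# Placeholders: take the real values from the Notifications blade and Azure AD.
NOTIFICATION_TEMPLATE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
CC_GROUP_ID = "11111111-1111-1111-1111-111111111111"               # placeholder


def build_policy_body(display_name: str = "Minimum OS - Windows 10 21H1") -> dict:
    """Return the JSON body for POST /deviceManagement/deviceCompliancePolicies.
    Field names follow the Graph windows10CompliancePolicy resource (assumed)."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "description": "Devices below Windows 10 21H1 are marked noncompliant",
        "osMinimumVersion": MIN_OS_VERSION,
        "scheduledActionsForRule": [
            {
                # The portal uses this literal rule name for all actions (assumed).
                "ruleName": "PasswordRequired",
                "scheduledActionConfigurations": [
                    # Mark device noncompliant: immediately
                    {"actionType": "block", "gracePeriodHours": 0,
                     "notificationTemplateId": "", "notificationMessageCCList": []},
                    # Send email to end user: immediately, using the template created earlier
                    {"actionType": "notification", "gracePeriodHours": 0,
                     "notificationTemplateId": NOTIFICATION_TEMPLATE_ID,
                     "notificationMessageCCList": [CC_GROUP_ID]},
                    # Retire the noncompliant device after 120 days (Graph takes hours)
                    {"actionType": "retire", "gracePeriodHours": RETIRE_AFTER_DAYS * 24,
                     "notificationTemplateId": "", "notificationMessageCCList": []},
                ],
            }
        ],
    }


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted build string into integers so that 985 < 1237.
    A plain string comparison gets this wrong: "985" > "1237" lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def meets_minimum(reported: str, minimum: str = MIN_OS_VERSION) -> bool:
    """True when the reported build is >= the policy minimum.
    Shorter strings (e.g. "10.0.19043") are padded with zeros before comparing."""
    rep, mn = parse_version(reported), parse_version(minimum)
    width = max(len(rep), len(mn))
    rep += (0,) * (width - len(rep))
    mn += (0,) * (width - len(mn))
    return rep >= mn


def evaluate(devices: dict[str, str], minimum: str = MIN_OS_VERSION) -> list[str]:
    """Return the names of devices that would be marked noncompliant, sorted."""
    return sorted(name for name, ver in devices.items() if not meets_minimum(ver, minimum))


# Constructed sample inventory (device name -> reported OS build).
SAMPLE_DEVICES = {
    "LAPTOP-01": "10.0.19043.1237",  # exactly the minimum: compliant
    "LAPTOP-02": "10.0.19043.985",   # older 21H1 patch level: noncompliant
    "LAPTOP-03": "10.0.19044.1288",  # 21H2: compliant
    "LAPTOP-04": "10.0.18363.1801",  # 1909: noncompliant
    "LAPTOP-05": "10.0.19043",       # no revision reported: treated as .0, noncompliant
}


def main() -> None:
    print(json.dumps(build_policy_body(), indent=2))
    print("Noncompliant:", evaluate(SAMPLE_DEVICES))


if __name__ == "__main__":
    main()
```

The body would be sent with an authenticated `POST` to `https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies` and then assigned to the Azure AD group, as in the Assignments step. The `evaluate` helper is only a local mirror of the check the policy performs; the authoritative compliance state is the one Intune reports after the device checks in.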

Endpoint Manager | Device compliance Policy | Status

You can see the compliance status once the policy has been evaluated on the client.

Endpoint Manager | Device compliance Policy | Status

End User Experience

As soon as a noncompliant device is detected, an email is sent to the user informing them of the device's noncompliant state. In the message template you can add instructions for the user, such as contacting the help desk to upgrade the device or a link to a self-service upgrade guide.

Please see the sample email below, which was sent by the Intune Notification Service during this test.

Endpoint Manager | Device compliance Policy | User notification email
