Microsoft Intune Device compliance policies define the rules and settings that users and managed devices must meet to be compliant.
In this blog post, we will discuss how to set up a device compliance policy that checks the minimum required OS version and sends a notification to the user if the device is noncompliant.
Table of contents
- Create a Notification
- Create device compliance policy
- End user experience
Create a Notification
Let’s start by creating a notification, which we will use later with the device compliance policy.
In the Microsoft Endpoint Manager admin center, select Devices | Compliance policies | Notifications and click on Create notification.

Enter a policy name in the Basics tab and click on Next.

In the Notification message templates, enter the required details and click on Next.

In the Review + create tab, review the details and click on Create. This creates the user notification, which you can find under the Notifications blade.

Create Device Compliance Policy
We will now create a Device Compliance Policy to identify the machines whose OS version is lower than Windows 10 21H1.
In the Microsoft Endpoint Manager admin center, select Devices | Compliance policies and click on Create policy.

In the Basics tab, enter a policy name and click on Next.

In the Compliance settings tab, expand Device properties and enter the required details. Here we require that the minimum OS version is Windows 10 21H1 (OS version 10.0.19043.1237). If a device's OS version is lower than Windows 10 21H1, the device will be reported as noncompliant.
Click on Next to move to the next tab.

In the Actions for noncompliance tab, select the following actions.
- Mark device noncompliant: Immediately
- Send email to end user:
  - Schedule days: Immediately
  - Message template: select the notification message template we created earlier
  - Additional recipients: add an AD group if you want to copy additional recipients on the email sent to the user
- Retire the noncompliant device: 120 days
Click on Next.

In the Assignments tab, select the Azure AD Group where you want to apply this policy and click on Next.

In the Review + create tab, review the settings and click on Create.

The policy is now created. You can check the newly created device compliance policy from the Devices | Compliance policies blade.

You can see the compliance status once the policy has been evaluated on the client.
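A quick way to gauge impact before assigning the policy, shown as an added example that is not part of the original post: it compares each device's OS version numerically, part by part, against the 10.0.19043.1237 minimum and computes the earliest date the 120-day retire action could apply. The inventory, device names and function names are constructed for illustration, and the part-by-part ordering of four-part versions is an assumption, not Intune's own code.

```python
import csv
import io
from datetime import date, timedelta

MIN_OS_VERSION = "10.0.19043.1237"   # minimum OS version set in the policy above
RETIRE_AFTER_DAYS = 120              # schedule of the retire action in the policy above

# Constructed sample inventory (hypothetical device names), not real export data.
SAMPLE_INVENTORY = """deviceName,osVersion
LAB-PC-01,10.0.19043.1237
LAB-PC-02,10.0.19043.985
LAB-PC-03,10.0.19042.1706
LAB-PC-04,10.0.19044.1288
LAB-PC-05,10.0.22000.194
LAB-PC-06,unknown
"""

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(inventory_csv, evaluated_on, minimum=MIN_OS_VERSION):
    """Return (device, status, earliest_retire_date) for each inventory row."""
    floor = parse_version(minimum)
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            version = parse_version(row["osVersion"])
        except ValueError:
            # Unparseable versions go to manual review rather than a guess.
            results.append((row["deviceName"], "review", None))
            continue
        if version >= floor:
            results.append((row["deviceName"], "compliant", None))
        else:
            # Assumes the device is marked noncompliant on the evaluation date.
            retire = evaluated_on + timedelta(days=RETIRE_AFTER_DAYS)
            results.append((row["deviceName"], "noncompliant", retire))
    return results

if __name__ == "__main__":
    for name, status, retire in assess(SAMPLE_INVENTORY, date(2022, 1, 10)):
        print(f"{name:10} {status:13} earliest retire: {retire or '-'}")
```

LAB-PC-02 is the case to watch: revision 985 is lower than 1237 numerically, but a plain string comparison would rank it higher and hide the device from the noncompliant list.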

End User Experience
As soon as a noncompliant device is detected, an email is sent to the user informing them of the device's noncompliant state. You can add instructions for the user to upgrade the device, either by contacting the help desk or by following a linked self-upgrade guide.
Please see the sample email below which was sent by Intune Notification Service for this testing.
