About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005). 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Because Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.


Introduction To Intune Compliance Policies And Their Need

Errin O'Connor
December 2025
8 min read

Introduction to Microsoft Intune Compliance Policies

Intune compliance policies define the health rules devices must meet before they can access corporate data. They cover OS version, disk encryption, password complexity, antivirus, and jailbreak detection. Non-compliant devices are blocked via Conditional Access until the user fixes the issue. This guide explains how compliance policies work, how to configure them, and how they map to HIPAA and SOC 2 requirements.

Key facts

  • Compliance policies set device health requirements. Conditional Access enforces them — blocking or restricting non-compliant devices.
  • Policies are platform-specific: separate policies for Windows, iOS, Android, and macOS.
  • Non-compliant devices show a grace period (configurable 1–90 days) before access is blocked.
  • Intune sends compliance status to Azure AD in real time. Conditional Access reads this status on every sign-in.
  • EPC Group: 29 years of Microsoft consulting, 10,000+ enterprise deployments, Microsoft Solutions Partner (core designations).

What are Intune compliance policies?

Compliance policies are sets of rules that a device must satisfy to be considered healthy by Intune. Think of them as the minimum security bar your organization requires before a device touches corporate data.

Each policy covers settings across three categories.

  • Device health — BitLocker enabled, Secure Boot on, Defender running, no jailbreak detected.
  • Device properties — minimum and maximum OS version, minimum security patch level.
  • System security — password complexity, minimum length, lockout threshold, screen timeout.

How compliance policies work with Conditional Access

Compliance policies alone do not block access — they report a device's compliance status. Conditional Access uses that status to make access decisions.

  1. A user signs in to a corporate app (Outlook, SharePoint, Teams).
  2. Azure AD evaluates Conditional Access policies for the user and the app.
  3. Conditional Access checks the device's Intune compliance status. If the device is non-compliant, access is denied.
  4. The user sees a message explaining why access is blocked and what they need to fix.
  5. Once the device meets the compliance requirements, Intune reports it as compliant. Access is restored on the next sign-in.
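Step 3 is where the access decision is actually made: a Conditional Access policy whose grant control requires a compliant device. As an added example that is not part of the original article, the following Microsoft Graph PowerShell script creates such a policy in report-only mode first, so the sign-in logs show who would be blocked before it is enforced; the group IDs are placeholders, and the break-glass exclusion is an assumption about your tenant.

```powershell
# Added example, not part of the original article. Creates the Conditional Access policy that
# turns Intune compliance status into an access decision: all cloud apps, compliant device required.
# It starts in report-only mode so sign-in logs show who would be blocked before anyone is.
# Assumes the Microsoft.Graph PowerShell SDK; the two group IDs are placeholders to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"
$PilotGroupId      = "<object-id-of-pilot-users-group>"        # placeholder
$BreakGlassGroupId = "<object-id-of-emergency-access-group>"   # placeholder: excluded so admins cannot be locked out
$caPolicy = @{
    displayName = "Require compliant device - all cloud apps (pilot)"
    state       = "enabledForReportingButNotEnforced"   # report-only: evaluated and logged on every sign-in, not enforced
    conditions  = @{
        users        = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        # only platforms that have an Intune compliance policy; other platforms are not matched
        platforms    = @{ includePlatforms = @("windows", "iOS", "android", "macOS") }
    }
    # the grant control that reads the device's Intune compliance status (step 3 above)
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $caPolicy
# read it back and confirm state and grant control before changing state to "enabled"
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
"{0}: state={1}, grant={2}" -f $check.displayName, $check.state, ($check.grantControls.builtInControls -join ",")
```

Review the report-only results in the Azure AD sign-in logs for the pilot group, then change state to "enabled" once no unexpected users or devices would be blocked.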

How to create a compliance policy in Intune

  1. In the Microsoft Intune admin center (intune.microsoft.com), go to Devices → Compliance policies → Create policy.
  2. Select the platform: Windows 10/11, iOS/iPadOS, Android Enterprise, or macOS.
  3. On the Compliance settings tab, configure the rules for each category (device health, properties, system security).
  4. On the Actions for noncompliance tab, set the grace period. Common settings: mark non-compliant immediately, send email notification on Day 1, block access after 3 days.
  5. On the Assignments tab, assign to an Azure AD group (e.g., All Corporate Devices, All Mobile Users).
  6. Click Create. The policy deploys to assigned devices within 8 hours (or on next check-in).
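The same six steps done through the Microsoft Graph API instead of the admin center, as an added example that is not the article's own code: a Windows policy for standard corporate users with the 3-day grace period from step 4, assigned to one group. It assumes the Microsoft.Graph PowerShell SDK and uses a placeholder group ID.

```powershell
# Added example, not part of the original article. Reproduces steps 1-6 above through the
# Microsoft Graph API: a Windows compliance policy for standard corporate users, a 3-day
# grace period before the device is marked non-compliant, and assignment to one group.
# Assumes the Microsoft.Graph PowerShell SDK; $GroupId is a placeholder to replace.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$GroupId = "<object-id-of-All-Corporate-Devices-group>"   # placeholder
$Uri     = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"   # step 2: platform
    displayName   = "Standard corporate users - Windows"
    description   = "BitLocker, Secure Boot, Defender, Windows 11 22H2+, 6-char alphanumeric password"
    # step 3: device health
    bitLockerEnabled  = $true
    secureBootEnabled = $true
    defenderEnabled   = $true
    rtpEnabled        = $true        # Defender real-time protection
    # step 3: device properties (Windows 11 22H2 is build 22621)
    osMinimumVersion  = "10.0.22621"
    # step 3: system security
    passwordRequired      = $true
    passwordMinimumLength = 6
    passwordRequiredType  = "alphanumeric"
    # step 4: actions for noncompliance. Graph rejects a policy created without at least one
    # scheduled action. 72 hours is the 3-day grace period before the device is marked
    # non-compliant and so blocked by Conditional Access. An e-mail notification action would
    # also need a notificationTemplateId, so it is left out here.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 72 }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $policy   # step 6: create
# step 5: assign the policy to the device group
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Uri/$($created.id)/assign" -Body $assignment | Out-Null
# confirm the assignment landed; devices receive the policy on their next check-in (up to 8 hours)
$assigned = Invoke-MgGraphRequest -Method GET -Uri "$Uri/$($created.id)/assignments"
"Created policy $($created.id) with $($assigned.value.Count) assignment(s)"
```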

Compliance policy settings by platform

  Setting              | Windows              | iOS/iPadOS           | Android Enterprise
  Encryption required  | BitLocker            | Built-in encryption  | Work profile encryption
  Jailbreak detection  | N/A                  | Yes                  | Root detection
  Minimum OS version   | Windows 11 22H2+     | iOS 16.0+            | Android 12.0+
  Antivirus required   | Microsoft Defender   | N/A                  | Via Mobile Threat Defense
  Password complexity  | Yes (Alphanumeric)   | Yes                  | Yes

Compliance policies by user type

Different user groups need different compliance requirements. Create separate policies per group.

  • Executives — require biometric authentication (Face ID or Windows Hello), latest OS version, and Defender ATP integration.
  • IT administrators — require privileged access workstations (PAW) configuration, Secure Boot, BitLocker, and an updated security patch within 7 days.
  • Standard corporate users — minimum OS version, BitLocker, Defender active, and a 6-character PIN or password.
  • Frontline workers (shared devices) — lighter policy appropriate for shared kiosk devices: PIN required, enrollment required, no personal app data mixing.

Compliance alignment: HIPAA and SOC 2

Intune compliance policies satisfy several regulatory control requirements.

  • HIPAA §164.312(a) — Access controls: password complexity and MFA enforcement ensure only authorized users access PHI.
  • HIPAA §164.312(a)(2)(iv) — Encryption: BitLocker and iOS built-in encryption-at-rest requirements satisfy this control.
  • HIPAA §164.312(b) — Audit controls: Intune compliance audit logs in Azure Monitor provide evidence of policy enforcement.
  • SOC 2 CC6.1 — Security criterion: logical access controls via Conditional Access plus device compliance meet this criterion.
  • CMMC 3.1.1 — Access control: Conditional Access requiring compliant devices limits system access to authorized users on authorized endpoints.

Frequently asked questions

What happens when a device goes non-compliant?

Intune marks the device non-compliant and sends a notification to the user. Conditional Access blocks or restricts access based on your grace period settings. The user must fix the issue (e.g., enable BitLocker, update the OS) before Intune marks the device compliant again and access is restored.

Can I create different compliance policies for different departments?

Yes. Create separate policies and assign each to the appropriate Azure AD group. Finance and HR typically need stricter policies than general staff. Executive devices often have the strictest requirements. Intune applies the most restrictive policy if multiple policies apply to the same device.

Do BYOD devices need a compliance policy?

Yes, if they access corporate data. For BYOD, use App Protection Policies combined with a lighter compliance policy that does not require BitLocker or domain join. This protects corporate data in managed apps (Outlook, Teams) without controlling the personal side of the device.

How often do devices check in for compliance?

Windows devices check in every 8 hours. iOS and Android devices check in every 8 hours when the Company Portal app is active. Conditional Access re-evaluates compliance on every sign-in attempt, so a device that goes non-compliant is blocked at the next sign-in — not just at the next scheduled check-in.

Can compliance policies detect if a device has malware?

Yes, through Microsoft Defender integration. Enable the "Microsoft Defender ATP Risk Score" compliance setting. Intune evaluates the Defender risk score (Clean, Low, Medium, High) and marks devices non-compliant if the risk score exceeds your threshold. This blocks infected devices from accessing corporate data automatically.

Design your Intune compliance strategy

EPC Group deploys Intune compliance policies for enterprise organizations across healthcare, financial services, and government. Call (888) 381-9725 or request a 30-minute discovery call.

Why Organizations Choose EPC Group

EPC Group is a Houston-based Microsoft consulting firm with 29 years of enterprise implementation experience and over 10,000 successful deployments across Power BI, Microsoft Fabric, SharePoint, Azure, Microsoft 365, and Copilot. We serve organizations across all industries including Fortune 500, federal agencies, healthcare, financial services, government, manufacturing, energy, education, retail, technology, and global enterprises.

What sets EPC Group apart is our governance-first approach. Every engagement begins with a security and compliance assessment. Our team of senior architects brings hands-on delivery experience across HIPAA, SOC 2, FedRAMP, and CMMC environments. We own outcomes, not hours.

  • Fixed-fee accelerators with predictable pricing and defined deliverables
  • Senior architect engagement on every project, not rotating juniors
  • Compliance-native delivery for regulated industries
  • End-to-end coverage from strategy through 24/7 managed services
  • 11,000+ enterprise engagements refined into repeatable, risk-controlled patterns

Call (888) 381-9725 or email contact@epcgroup.net for a free assessment.

Compliance Notes: 2026 Considerations for Introduction To Intune Compliance Policies And Their Need

HIPAA-compliant Microsoft 365 deployment in 2026 requires: signed Business Associate Agreement (BAA) with Microsoft (free, but must be executed at tenant-creation time), Microsoft Defender for Office 365 Plan 2, Microsoft Purview Information Protection with PHI-classified sensitivity labels, Microsoft Defender for Cloud Apps with anomaly detection, Audit (Premium) for 6-year audit log retention, and Customer Lockbox for support-access logging.

FedRAMP authorization in 2026 averages 14-22 months and $1.2M-$3M for commercial Authority To Operate (ATO); agency ATOs run 18-30 months. Microsoft Azure Government Cloud as the underlying platform provides material control inheritance; typical commercial ATO leveraging Azure Gov drops to 9-13 months and $750K-$2M total.

Decision factors EPC Group evaluates

  • Audit (Premium) 6-year retention configuration
  • Sensitivity-label-driven DLP policies for PHI/PII/CUI
  • Customer Lockbox enablement for regulated tenants
  • HIPAA / SOC 2 Type II / FedRAMP / CMMC Level 2 baseline mapping to Microsoft controls
  • Microsoft Purview Compliance Manager assessment templates

See related EPC Group services at /services or schedule a discovery call at /contact.