Key points
- Intune compliance policies enforce security baselines like passwords, encryption, firewalls, and antivirus across enrolled devices.
- Conditional Access in Azure AD (Entra ID) uses compliance data from Intune to grant or block access to Microsoft 365 apps and resources.
- Create a compliance policy via Intune
- Setup path: endpoint.microsoft.com → Devices → Managed devices → Compliance → Create Policy
- Choose your platform and define key settings, such as passwords, encryption, firewall, antivirus, etc.
- Set noncompliance actions such as a grace period, user notifications, or remote lock/retire; blocking access itself requires Conditional Access.
- Assign policies to specific users or devices to finalize and create the policy.
- Create a compliance policy via Azure AD (Entra ID)
- Navigate to Azure AD (Entra ID) → Security → Protect → Conditional Access → Create new policy.
- Apply policies to specific users, groups, and cloud apps like Exchange or SharePoint.
- Define conditions: device platform, compliant state, sign-in risk, location, or app type.
- Grant access only to compliant devices and optionally require Multi-Factor Authentication (MFA).
- Test policies with pilot groups before full rollout.
- Validate and review compliance and policy enforcement
- Validate via CMD and dsregcmd
- Use Windows Registry to review policy enforcement
- Use PowerShell for monitoring and evaluation
- Configure Group Policy for co-managed environments
An Intune compliance policy lets organizations and MSPs enforce security standards across their managed devices. In some scenarios an IT team can use Microsoft Intune alongside an RMM or, within the limits of its scalability, as an alternative to one. Use this guide as a starting point for creating, assigning, and validating compliance and Conditional Access policies with Intune and Azure AD (Entra ID).
Device-based compliance vs app-based compliance
For BYOD (Bring Your Own Device) work arrangements, employee-owned devices that aren’t enrolled into Intune MDM typically cannot report a full compliance state. As a result, they cannot satisfy Conditional Access policies that require a “device to be marked as compliant.” In these cases, organizations should use Intune App Protection Policies (MAM) together with app-based Conditional Access (the “Require app protection policy” grant control), which protects corporate data at the app level without requiring full device enrollment.
On the other hand, device-based compliance policies rely on Intune to enroll and manage devices, allowing Intune to collect compliance data (such as OS version, encryption status, antivirus configuration) and pass that information to Entra ID so Conditional Access can make real-time access decisions.
Methods for creating and managing Intune policies
Refer to the table below to help you decide whether Intune compliance policies or Conditional Access suits your specific needs and requirements.
📌 Prerequisites:
- Intune licenses are assigned to the target users.
- Microsoft 365 tenant with Microsoft Entra ID P1 (formerly Azure AD Premium P1) or higher; Conditional Access requires this license.
- Devices must be enrolled in Intune (Windows, Android, iOS/iPadOS, macOS).
- Access to the Microsoft Intune admin center (formerly Microsoft Endpoint Manager admin center; endpoint.microsoft.com redirects to intune.microsoft.com) and to the Conditional Access blade in Azure AD (Entra ID).
| Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Create a Compliance Policy | ✓ | |
| Method 2: Create Conditional Access Policies in Azure AD | | ✓ |
💡 Tip: Check out the Things to look out for section to optimize your action plan and manage risks.
Method 1: Create a compliance policy via Intune
You can create compliance policies directly within Microsoft Intune to ensure that only secure and designated devices can access business resources.
📌 Use cases: For general enterprise configuration; MDM alternative
- Go to endpoint.microsoft.com.
- Navigate to Devices → Managed devices → Compliance → Create Policy.
- Select a platform (e.g., Windows 10/11, iOS, Android Enterprise).
- To get started, here are examples of settings you can define:
- Password requirements: Enforce complexity, length, and expiration.
- Encryption: Set to require BitLocker (Windows) or FileVault (macOS).
- Firewall: Ensure it’s enabled and active.
- Defender antivirus and antispyware: Real-time protection, antispyware, and antivirus must be enabled and up to date.
- Minimum OS version: Prevent outdated or unsupported OS versions.
- Jailbreak/root detection (for mobile): Block compromised mobile devices.
- Under Actions for noncompliance, you may configure:
- Mark the device as noncompliant immediately or after a grace period, set in days (0 means immediately). While a device is in its grace period, Conditional Access still treats it as compliant.
- Send an email to the end user (optionally copying additional recipients) or a push notification through the Company Portal app.
- Remotely lock the device, or retire it, which removes company data and managed apps rather than wiping the whole device (availability depends on the platform).
- Note that these actions on their own only label the device and notify users; blocking access to Microsoft 365 requires a Conditional Access policy (Method 2) that requires a compliant device.
- Assign or filter to target devices or user groups to finalize and create the policy.
Once deployed, the compliance policy evaluates each enrolled device against the defined criteria and reports a state (compliant, noncompliant, in grace period, conflict, or error) to Intune and Entra ID. On its own the policy only labels devices; pairing it with Conditional Access is what turns that label into an access decision.
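The same policy can be created and assigned from Microsoft Graph PowerShell, which is easier to review and version than portal clicks. The script below is an added example written for this section; it is not code from the original article or from Microsoft. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Intune Administrator role, and that the policy name, the threshold values, and the pilot group ID are placeholders you will replace.

```powershell
# Added example: create and assign a Windows 10/11 compliance policy via Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph has been run; account has Intune Administrator rights.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Entra ID group of pilot devices

$policy = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "Windows baseline compliance (example)"   # placeholder name
    description             = "Password, BitLocker, firewall, Defender and minimum OS checks"
    # Password requirements
    passwordRequired        = $true
    passwordMinimumLength   = 12
    passwordRequiredType    = "alphanumeric"
    passwordExpirationDays  = 365
    # Encryption and platform integrity
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    # Firewall and Microsoft Defender
    activeFirewallRequired  = $true
    defenderEnabled         = $true
    rtpEnabled              = $true          # real-time protection
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    # Minimum OS build (assumed baseline; adjust to your supported builds)
    osMinimumVersion        = "10.0.19045.0"
    # Graph rejects a compliance policy with no scheduled action. actionType "block" with
    # gracePeriodHours = 0 marks the device noncompliant immediately; a positive value gives a
    # grace period (the portal shows the same setting in days).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
"Created '$($created.DisplayName)' with id $($created.Id)"

# Assign to the pilot group through the /assign action (groupAssignmentTarget = include group)
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assignment

# Confirm the assignment landed; the target type and group ID sit in AdditionalProperties
Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $created.Id |
    ForEach-Object { $_.Target.AdditionalProperties }
```

The scheduled action is the part most often missed when scripting: the portal adds a default "mark noncompliant immediately" action for you, but the API does not, and the request fails without one.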
Method 2: Create Conditional Access policies in Azure AD
Conditional Access policies consume the compliance state that Intune reports and are where access is actually granted or blocked, so they are normally deployed together with compliance policies.
📌 Use cases: For enterprise and system-wide deployments.
- Navigate to Azure AD (Entra ID) → Security → Protect → Conditional Access → Create new policy.
- Choose the Users or Groups that the new policy will apply to.
- Select the target Cloud apps ( e.g., Exchange Online, SharePoint Online).
- Define conditions such as:
- Device platform (e.g., iOS, Android, Windows)
- Filter for devices (optional): scope the policy by device attributes such as model, ownership, or an extension attribute. The compliance requirement itself is not a condition; it is set as a grant control in the next step.
- Optional: add conditions for sign-in risk, location, or client app.
- Under Access Controls → Grant, select Require device to be marked as compliant, and optionally Require multifactor authentication. When you select more than one control, choose Require all the selected controls so that a compliant device alone does not bypass MFA.
- Start the policy in Report-only mode and test it with a pilot group before enforcing it. Exclude at least one emergency-access (break-glass) account from every policy so that a misconfigured rule cannot lock administrators out of the tenant.
Consider integrating Conditional Access with Intune compliance policies to enhance security protocols and user access control across the network.
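Creating the policy from Microsoft Graph PowerShell makes the pilot-group and break-glass exclusions explicit and reviewable. The script below is an added example written for this section, not code from the original article or from Microsoft. It assumes the Microsoft.Graph module is installed, the account holds the Conditional Access Administrator role, and the two group IDs are placeholders for a pilot group and an emergency-access group.

```powershell
# Added example: create a report-only Conditional Access policy that requires a compliant device
# plus MFA for Office 365, scoped to a pilot group and excluding break-glass accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId      = "11111111-1111-1111-1111-111111111111"   # placeholder: pilot users
$breakGlassGroupId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency-access accounts

$caPolicy = @{
    displayName   = "Pilot: require compliant device + MFA for Office 365 (example)"   # placeholder
    # Report-only: evaluated and written to the sign-in logs, but not enforced
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency-access accounts
        }
        applications = @{ includeApplications = @("Office365") }   # built-in Office 365 app group
        platforms    = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
    }
    grantControls = @{
        operator        = "AND"                       # "Require all the selected controls"
        builtInControls = @("compliantDevice", "mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"

# Review the policy as stored, then watch the sign-in logs (Report-only tab) for the pilot group.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join '+' } }

# Once report-only results show no unexpected blocks, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keeping the break-glass exclusion in the script, rather than relying on someone to remember it in the portal, is the main reason to script these policies; the report-only state gives you sign-in log evidence before anyone is blocked.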
How to validate and review compliance and policy enforcement
This section covers practical methods to confirm that devices meet compliance requirements and that policies are correctly applied and enforced across your environment.
You can use the following methods to evaluate your policies:
- Validate via CMD and dsregcmd
- Review policy enforcement via Registry
- Use PowerShell for monitoring and evaluation
- Ensure Group Policy configuration for co-managed environments
1. Validate join and enrollment state locally via CMD and dsregcmd
Use the following command to verify whether a Windows device is Azure AD-joined and enrolled in Intune as intended. Note that dsregcmd reports join and enrollment state only; it does not show the result of compliance evaluation, which you check in the Intune admin center or with the PowerShell method in section 3.
- Use Search 🔎 to open Terminal → Command Prompt → Run as administrator.
- Run the following command:
dsregcmd /status
- Review the output for the following key indicators:
- AzureAdJoined: YES confirms the device is Azure AD-joined (on hybrid-joined devices, DomainJoined also shows YES)
- MdmUrl: should show an Intune enrollment URL under manage.microsoft.com (for example https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc), confirming MDM enrollment; an empty MdmUrl means the device is not enrolled
- MdmComplianceUrl: populated when the device is enrolled; it links to the Company Portal compliance page and does not itself indicate whether the device is compliant
- TenantName / TenantId: confirm the device is registered in the expected tenant
This method is useful for a quick local check of join and enrollment state during troubleshooting or pre-deployment, before looking at compliance results in the admin center.
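When you need this check on more than a handful of devices, parse the dsregcmd output instead of reading it by eye. The script below is an added example written for this section, not code from the original article. It parses the "Key : Value" lines into a hashtable and evaluates the indicators listed above; the sample output embedded in it is constructed and abbreviated, with placeholder tenant values, and is not captured from a real device.

```powershell
# Added example: parse dsregcmd /status and evaluate join and MDM enrollment state.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Fields look like "            AzureAdJoined : YES"; the key ends at the first colon,
        # so URL values containing ':' are kept intact. Box-drawing and blank lines do not match.
        if ($line -match '^\s*([\w ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-DeviceJoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $mdmUrl = $Status['MdmUrl']
    [pscustomobject]@{
        AzureAdJoined  = ($Status['AzureAdJoined'] -eq 'YES')
        DomainJoined   = ($Status['DomainJoined']  -eq 'YES')   # YES together with AzureAdJoined = hybrid join
        TenantName     = $Status['TenantName']
        MdmUrl         = $mdmUrl
        # Intune's enrollment endpoint is under manage.microsoft.com; empty means not MDM-enrolled
        IntuneEnrolled = [bool]($mdmUrl -and $mdmUrl -match 'manage\.microsoft\.com')
    }
}

# Constructed sample output (abbreviated; tenant values are placeholders)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
'@ -split "`r?`n"

Test-DeviceJoinState (ConvertFrom-DsregStatus $sample) | Format-List

# On a real device, from an elevated prompt, feed the live output instead of the sample:
#   Test-DeviceJoinState (ConvertFrom-DsregStatus (dsregcmd /status))
```

The sample evaluates to AzureAdJoined true, DomainJoined false, and IntuneEnrolled true. Run through your RMM or a remote PowerShell session, the same two functions give a fleet-wide view of devices that are joined but never enrolled, which is the usual reason a Conditional Access policy blocks a user who "has a company laptop".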
2. Review policy enforcement via Windows Registry
As a reminder, Intune delivers configuration settings through CSPs (Configuration Service Providers). Settings applied through the Policy CSP are mirrored under the PolicyManager registry path, which makes it a convenient place to confirm that a configuration profile reached the device. Note the distinction: compliance policies only evaluate device state and write nothing here; the values you see come from configuration profiles or security baselines.
- Press Win + R, type regedit, and tap OK to open the Registry Editor.
- Navigate to, or paste into the Registry Editor address bar, the following path. If a key for a given area is missing, no policy in that area has been applied; do not create keys by hand, since that applies nothing and can hide a deployment problem.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\
- View the area keys (e.g., DeviceLock, BitLocker, Defender, Firewall) and the values beneath them to confirm whether Intune has applied the expected settings. Values whose names end in _ProviderSet or _WinningProvider are bookkeeping that records which enrollment wrote the setting.
⚠️ Warning: Treat this as a read-only check. Editing the registry can cause system issues, and changing values here is not a supported way to alter policy. Create a registry backup before making any change.
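Reading the same keys with PowerShell lets you compare what was applied against an expected baseline instead of scrolling through Registry Editor. The script below is an added example written for this section, not code from the original article. It is read-only, must run elevated on an enrolled Windows device, and the baseline it checks (Defender real-time monitoring allowed, a device password required) is a hypothetical example; the CSP area names are common ones and the list should be adjusted for your profiles.

```powershell
# Added example: list Policy CSP settings applied under PolicyManager\current\device and
# compare them with an expected baseline. Read-only; nothing is written to the registry.
function Get-AppliedMdmPolicy {
    param([string[]]$Area = @('DeviceLock', 'BitLocker', 'Defender', 'Firewall'))   # assumed areas
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    foreach ($name in $Area) {
        $path = Join-Path $root $name
        if (-not (Test-Path $path)) {
            # Absent key: no profile has set anything in this area (do not create it by hand)
            [pscustomobject]@{ Area = $name; Setting = '(none applied)'; Value = $null }
            continue
        }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            # Skip PowerShell's PS* metadata and the *_ProviderSet / *_WinningProvider
            # bookkeeping values that record which enrollment wrote the setting
            if ($p.Name -like 'PS*' -or $p.Name -like '*_ProviderSet' -or $p.Name -like '*_WinningProvider') { continue }
            [pscustomobject]@{ Area = $name; Setting = $p.Name; Value = $p.Value }
        }
    }
}

function Compare-MdmBaseline {
    # $Expected keys are "Area/Setting" as in the Policy CSP documentation
    param([Parameter(Mandatory)][hashtable]$Expected)
    $areas = $Expected.Keys | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique
    $applied = @{}
    Get-AppliedMdmPolicy -Area $areas | ForEach-Object { $applied["$($_.Area)/$($_.Setting)"] = $_.Value }
    foreach ($key in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $key
            Expected = $Expected[$key]
            Actual   = $applied[$key]
            Match    = ($applied.ContainsKey($key) -and $applied[$key] -eq $Expected[$key])
        }
    }
}

# Hypothetical baseline. Note the Policy CSP quirk: DeviceLock/DevicePasswordEnabled uses
# 0 = password required (enabled) and 1 = not required.
Compare-MdmBaseline -Expected @{
    'Defender/AllowRealtimeMonitoring' = 1
    'DeviceLock/DevicePasswordEnabled' = 0
} | Format-Table -AutoSize
```

A row with Match false and an empty Actual value means the profile never reached the device, which is a sync or assignment problem; a row with a different Actual value usually means another profile or a Group Policy setting is winning the conflict.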
3. Use PowerShell for compliance monitoring and Conditional Access evaluation
You need the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account that can consent to the scopes below, typically one holding the Intune Administrator or Global Reader role. The cmdlets in this section only read data; they change nothing in the tenant.
- Use Search 🔎 to open Terminal → PowerShell → Run as administrator.
- To authenticate and access device management data, connect with the necessary scopes using the following script:
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Policy.Read.All", "DeviceManagementManagedDevices.Read.All"
- Retrieve a list of compliance policies using:
Get-MgDeviceManagementDeviceCompliancePolicy
- Then, check a specific policy's assignments with:
Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId <ID>
👉 Tip: Replace <ID> with the Id of the policy from the previous command. A policy with no assignments evaluates no devices at all.
- Finally, view the device compliance states using:
Get-MgDeviceManagementManagedDevice -All | Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState
This data can be filtered or exported (e.g., to CSV for audits or tenant-level overviews) for reporting and analysis. These commands are particularly useful to enterprise IT admins for automating reporting and policy validation at scale.
💡 Note: If a command returns nothing, it usually means the sign-in did not include the required scope or the account lacks the role to read that data rather than that the tenant is empty. Run Get-MgContext to confirm the connected account and the scopes that were granted, then reconnect with the missing scope.
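Putting the read-only cmdlets above into a small reporting script turns them into something you can schedule. The script below is an added example written for this section, not code from the original article. It summarises compliance state per platform, flags compliance policies with no assignments, shows which Conditional Access policies actually require a compliant device, and exports the device list to CSV. It assumes the Microsoft.Graph module is installed, the account holds at least the Global Reader or Intune Administrator role, and the output paths under $env:TEMP are placeholders.

```powershell
# Added example: scheduled compliance and Conditional Access report over Microsoft Graph.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All",
                        "DeviceManagementManagedDevices.Read.All",
                        "Policy.Read.All"

function Get-ComplianceSummary {
    # Counts devices per OS and compliance state. Works on any objects with these two
    # properties, so it can be exercised on constructed data without a tenant.
    param([Parameter(Mandatory)][object[]]$Devices)
    $Devices |
        Group-Object OperatingSystem, ComplianceState |
        ForEach-Object {
            [pscustomobject]@{
                OperatingSystem = $_.Group[0].OperatingSystem
                ComplianceState = $_.Group[0].ComplianceState
                Count           = $_.Count
            }
        } | Sort-Object OperatingSystem, ComplianceState
}

function Get-UnassignedCompliancePolicy {
    # A compliance policy with zero assignments evaluates nothing; flag it
    foreach ($p in Get-MgDeviceManagementDeviceCompliancePolicy -All) {
        $a = Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $p.Id
        if (-not $a) { [pscustomobject]@{ Id = $p.Id; DisplayName = $p.DisplayName } }
    }
}

function Get-CompliantDeviceCAPolicy {
    # Conditional Access policies whose grant controls include "compliantDevice", with their state,
    # so a policy left in report-only mode is visible
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
        Select-Object DisplayName, State, @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join '+' } }
}

$devices = Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion, ComplianceState, LastSyncDateTime

Get-ComplianceSummary -Devices $devices | Format-Table -AutoSize
Get-UnassignedCompliancePolicy      | Format-Table -AutoSize
Get-CompliantDeviceCAPolicy         | Format-Table -AutoSize

# Noncompliant devices that have not synced for a week are usually stale records rather than
# insecure endpoints; split them out so the real noncompliance list stays actionable.
$cutoff = (Get-Date).AddDays(-7)
$devices | Where-Object { $_.ComplianceState -eq 'noncompliant' -and $_.LastSyncDateTime -lt $cutoff } |
    Export-Csv -Path "$env:TEMP\intune-stale-noncompliant.csv" -NoTypeInformation   # placeholder path

$devices | Export-Csv -Path "$env:TEMP\intune-device-compliance.csv" -NoTypeInformation     # placeholder path
```

Two of these checks catch the most common silent failures: a compliance policy that was created but never assigned, and a Conditional Access policy that was left in report-only mode after the pilot, so nothing is actually enforced even though both portals look configured.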
4. Ensure Group Policy configuration for co-managed environments
If you are using Microsoft Endpoint Configuration Manager (ConfigMgr/SCCM) in a co-management setup with Intune, you can use Group Policy to trigger automatic MDM enrollment for Windows devices.
Before you start, use a domain-joined management machine with the Group Policy Management Console installed, confirm that automatic enrollment is enabled in the tenant (Azure AD (Entra ID) → Mobility (MDM and MAM) → Microsoft Intune → MDM user scope), and make sure the target devices are hybrid Azure AD joined. Without both, the policy creates the enrollment task on the device but enrollment fails.
- Press Win + R, type gpmc.msc, and tap OK to open the Group Policy Management Console.
- Edit the GPO and navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → MDM.
- Open the Enable automatic MDM enrollment using default Azure AD credentials policy, set it to Enabled, and under Select Credential Type to Use choose Device Credential (the option used for the co-management scenario here; User Credential is the default).
- Apply the policy, then on a target device run the following from an elevated prompt to refresh and verify policy application:
gpupdate /force
gpresult /h report.html
To review the result, open report.html in a browser and confirm that the MDM policy appears under Computer Configuration. Successful enrollment shows up shortly afterwards as a populated MdmUrl in dsregcmd /status (section 1).
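On the device itself, the GPO leaves two verifiable traces: the registry values it writes and the scheduled task it creates to run the enrollment client. The script below is an added example written for this section, not code from the original article or from Microsoft; it checks both and then confirms enrollment with dsregcmd. It assumes the documented registry values (AutoEnrollMDM = 1; UseAADCredentialType 1 = User Credential, 2 = Device Credential) and the task name the policy creates under \Microsoft\Windows\EnterpriseMgmt, and must run elevated on the target device.

```powershell
# Added example: verify that the auto-enrollment GPO applied and that MDM enrollment happened.
function Test-MdmAutoEnrollment {
    # Values written by "Enable automatic MDM enrollment using default Azure AD credentials"
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $gpo    = if (Test-Path $gpoKey) { Get-ItemProperty -Path $gpoKey } else { $null }

    $credentialType = switch ($gpo.UseAADCredentialType) {
        1       { 'User' }
        2       { 'Device' }
        default { 'Not set' }
    }

    # The policy creates this task; it re-runs until enrollment succeeds, so a non-zero
    # LastTaskResult with no MdmUrl means the enrollment attempts themselves are failing
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like '*automatically enrolling in MDM from AAD*' } |
            Select-Object -First 1
    $taskResult = if ($task) { ($task | Get-ScheduledTaskInfo).LastTaskResult } else { $null }

    # Enrollment state as the device sees it (same indicator as section 1)
    $mdmLine = dsregcmd /status | Where-Object { $_ -match '^\s*MdmUrl\s*:' }
    $mdmUrl  = ($mdmLine -replace '^\s*MdmUrl\s*:\s*', '').Trim()

    [pscustomobject]@{
        GpoApplied         = [bool]($gpo -and $gpo.AutoEnrollMDM -eq 1)
        CredentialType     = $credentialType
        EnrollmentTaskSeen = [bool]$task
        TaskLastResult     = $taskResult
        IntuneEnrolled     = [bool]($mdmUrl -and $mdmUrl -match 'manage\.microsoft\.com')
    }
}

Test-MdmAutoEnrollment | Format-List
```

Read the fields in order: GpoApplied false means Group Policy never reached the machine; EnrollmentTaskSeen false with GpoApplied true means the policy applied but the MDM client has not yet created the task; IntuneEnrolled false with a non-zero TaskLastResult points at the tenant prerequisites above (MDM user scope, hybrid join) rather than at Group Policy.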
⚠️ Things to look out for when configuring policies in Intune
Missing something? Consider these scenarios and tips for handling errors, preventing system issues, and reinforcing policies.
| Risks | Potential Consequences | Remediation |
| Incorrectly configured policy | Devices could be unnecessarily blocked or allowed access despite being non-secure. | Review policy settings; test with pilot group; adjust thresholds and requirements based on organization needs. |
| Device not Azure AD joined or Intune-enrolled | Compliance and Conditional Access evaluations will fail; the device appears unmanaged. | Use dsregcmd /status or logs to validate; rejoin or re-enroll the device as needed. |
| Incomplete permissions for Graph API scripts | PowerShell scripts may fail to retrieve or apply policy/compliance information. | Ensure Graph permissions are consented and assigned; include appropriate scopes when connecting to Graph. |
As a reminder, it’s important to have a system to monitor compliance changes over time, so that gaps can be addressed along with each update. Schedule regular reporting and alerting via Graph API or Intune reporting dashboard to keep track of your security posture.
NinjaOne services and features to pair with Intune policies
Enforcing and monitoring endpoint compliance can be a rigorous process for IT teams in enterprise environments. So, how can it be done at scale? That’s where NinjaOne Endpoint Management® solutions shine the most in the hands of MSPs and IT administrators.
📊 Monitoring policy enforcement
NinjaOne has robust capabilities to automate alerts and remediation steps if managed endpoints fall out of Intune compliance. Routine tasks and monitoring can be seamlessly automated so that admins can focus on more urgent or actionable tasks.
In addition, NinjaOne can free up your Helpdesk since IT is alerted automatically even before some scenarios escalate and disrupt production.
🖥️ Unified endpoint visibility
NinjaOne MDM™ offers an assortment of solutions for dynamic IT networks or distributed endpoints. For instance, it can be used to maintain visibility and control over compliant and noncompliant devices across all tenants and OS types.
👨💻 Custom compliance scripts
One of the best ways to use NinjaOne RMM® is to deploy and schedule PowerShell or CMD scripts that detect and remediate local configuration issues that go beyond the visibility and control provided by Intune.
In addition, NinjaOne provides more granular authority over the network with custom scripts and deployment strategies. You can browse the NinjaOne script library to see the ready-to-use scripts that NinjaOne users can deploy on demand.
Want to learn more about NinjaOne Endpoint Management?
The best way to deploy Intune compliance policies
Combining compliance policies with Conditional Access in Intune is an excellent approach to building the foundation for a Zero Trust security model. However, Microsoft Intune may struggle to scale on its own. For a more comprehensive and future-proof strategy, consider pairing Intune with NinjaOne for enhanced visibility and automated remediation across all endpoints.