Compliance policy - Configure and apply the default Compliance Policy



This step by step tutorial will show you how to configure and apply the default Compliance Policy and ensure it does not conflict with your configurations in the Intune / Endpoint Manager Security Baseline and Windows Hello for Business.

This is Part 3 of a 5 part series

=======================================================================

Welcome to part 3 of my five part series of tutorials taking you step by step on how to configure Microsoft Endpoint Manager / Intune focusing on the essential security configurations.

Security Essentials - Five part series
1. Configure and apply the Security Baseline - Link 
2. Configure Windows Hello for Business - Link 
3. Configure Windows 10 Compliance Policy - Link This Tutorial
4. Enabling and Configuring BitLocker - Link
5. Utilize dedicated Intune admin accounts rather than Global Admin accounts - Link

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=========================================================================

3. Configure Windows 10 Compliance Policy

As explained in the previous tutorials, it is imperative to ensure that your security configurations in the Security Baseline, Windows Hello for Business and your Compliance Policy all match, or a conflict will occur. This tutorial will focus on configuring your Compliance Policy.

Resources

Compliance Policies - Getting started - Link
Windows 10 and later settings to mark devices as compliant or not compliant using Intune - Link

========================================================================

Create a compliance policy in Microsoft Intune - Link

Endpoint Manager - Devices - Compliance Policies -


Create policy


Use the drop-down to select - Windows 10 and later
Create


Name - Windows 10 default compliance policy for Corporate devices
Description - Windows 10 default compliance policy for Corporate devices
Next


Compliance settings - Device Health -


Note -
In testing, I have found that setting Require BitLocker to Require shows the device as non-compliant even when the device is encrypted. This is why I have not configured the section - Require BitLocker.

Compliance settings - System Security -
As per the previous tutorials, this needs to match the settings in the Security Baseline and Windows Hello for Business.
I have configured the settings below to match these settings in both the Security Baseline and Windows Hello for Business to ensure no conflicts.

Password - (Matches the configuration in my Security Baseline)


Other configurations - set as per company needs.
Next


Actions for non-compliance
In production, it is recommended to speak to the business to devise a plan on how non-compliant devices will be treated and at what intervals action is taken.
For this tutorial, I have only set to mark the device as non-compliant which is the default.


Assignments -
I have set the assignments to match the Security Baseline.
Click - Select


Assignments have been added
Next


Review and Create
Create




Create -
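The same policy can be created from a script instead of the portal. The block below is an added example, not code from the tutorial: it uses the Microsoft.Graph PowerShell SDK to create a windows10CompliancePolicy with the name, non-configured Require BitLocker setting and default non-compliance action described above, then assigns it. The group id and the password values are placeholders, and you must copy the password values from your own Security Baseline and Windows Hello for Business configuration so the three do not conflict.

```powershell
# Added example (not from the tutorial). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Placeholder: object id of the group the Security Baseline is assigned to
$assignedGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows 10 default compliance policy for Corporate devices"
    description   = "Windows 10 default compliance policy for Corporate devices"

    # Device Health: bitLockerEnabled is deliberately not set (see the note above).
    # Secure Boot / Code Integrity values are assumptions.
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true

    # System Security - password settings. ASSUMED values: replace with the values
    # from your Security Baseline and Windows Hello for Business, or a conflict occurs.
    passwordRequired                      = $true
    passwordBlockSimple                   = $true
    passwordRequiredType                  = "alphanumeric"
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    passwordRequiredToUnlockFromIdle      = $true

    # Actions for non-compliance: "block" with a 0-hour grace period is the default
    # "Mark device non-compliant immediately" action used in the tutorial.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assignments: the same group as the Security Baseline
$assignment = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $assignedGroupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

After it runs, the policy appears under Endpoint Manager - Devices - Compliance Policies exactly as if created in the portal, and the Device Health and System Security pages can be used to verify the values against the Security Baseline.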

=====================================================================

Check out all my tutorials - Link 



Highlights include - 
13 part series on how to perform the initial Tenant and Intune Configuration - Link 

1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions

10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online

===============================================================


About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, helping client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
