Microsoft Intune compliance policy configuration step by step is one of the most critical — and most misunderstood — tasks in any modern endpoint management deployment. Get it right and you have a solid security baseline enforced automatically across every managed device. Get it wrong and you end up with users blocked from email, devices stuck in a non-compliant loop, and a helpdesk queue full of “I can’t access Teams” tickets.
In this guide I’ll walk you through the complete Microsoft Intune compliance policy configuration process — from understanding what compliance policies actually do, to creating and deploying them for Windows 10/11 and mobile devices, integrating with Conditional Access in Entra ID, configuring actions for noncompliance, and fixing the most common issues we see in production deployments. This is the deeper compliance layer that builds on top of basic MDM enrollment — if you haven’t enrolled devices yet, start with the Microsoft Intune Setup Guide: Complete MDM Configuration for Business first.

What Is a Microsoft Intune Compliance Policy?
A Microsoft Intune compliance policy is a set of rules and settings that a managed device must satisfy before it is considered “compliant.” These rules evaluate the device’s security state — things like whether BitLocker is enabled, whether the OS is patched to a minimum version, whether the firewall is active, or whether the device has a PIN lock. Intune checks these conditions and reports the device as either Compliant, Not compliant, or Not evaluated.
The compliance status is not just a label. When you connect Intune compliance policy to Conditional Access in Entra ID (formerly Azure AD), that status becomes the gatekeeper for all corporate resources — Microsoft 365, Exchange Online, SharePoint, Teams, and any app protected by Entra ID app proxy. A non-compliant device cannot authenticate to those resources until the issue is resolved.
Compliance policies are evaluated every time a device checks in with Intune. The default check-in interval for Windows devices is approximately every 8 hours, though you can trigger an immediate sync. The key thing to understand is that compliance is evaluated on the device and reported to Intune — it is not a policy that Intune pushes down and enforces directly. This distinction matters a lot when troubleshooting why a device shows as non-compliant in Intune even after applying the policy.
Intune Compliance vs Configuration Profile: Key Differences
The Intune compliance vs configuration profile difference is the most common confusion among admins new to Microsoft Intune compliance policy configuration. The answer comes down to one question: does the policy check a setting, or does it apply one?
| Feature | Compliance Policy | Configuration Profile |
|---|---|---|
| Purpose | Evaluates whether a device meets security standards | Actively configures settings on the device |
| Action | Reports compliant / non-compliant status | Pushes and enforces settings directly |
| BitLocker example | Checks if BitLocker is ON — fails if not | Enables and configures BitLocker encryption |
| Effect on access | Blocks access via Conditional Access if non-compliant | No direct effect on access control |
| Failure behavior | Marks device non-compliant, triggers actions | Reports error in device configuration state |
| Works without CA? | Yes — but non-compliance has no enforcement effect | Yes — independent of compliance or CA |
In practice, you always deploy both together: a configuration profile to configure BitLocker, and an Intune compliance policy to verify it is active. The compliance policy is your audit and enforcement layer; the configuration profile is your deployment layer.
Prerequisites and Licensing Requirements
Before you begin Intune compliance policy configuration, verify the following are in place. Missing any of these is the root cause of roughly 30% of the “policy not applying” issues we see in the field.
Licensing: Microsoft Intune compliance policy with Conditional Access enforcement requires at minimum Microsoft 365 Business Premium or Microsoft Intune Plan 1 (included in EMS E3/E5). Conditional Access enforcement requires Entra ID P1, included in Business Premium. For full licensing details, see the Microsoft 365 Business Plans: Complete Buyer’s Guide 2026.
Device enrollment: Devices must be enrolled in Intune via Autopilot, manual enrollment, or hybrid join. Check enrollment status at Intune admin center → Devices → All devices.
Entra ID access: You need at minimum the Intune Administrator or Conditional Access Administrator role in Entra ID.
Platform requirements:
- Windows 10 version 1903 or later (Windows 11 fully supported)
- iOS 14.0 or later
- Android 8.0 or later
- macOS 10.15 or later
How Intune Compliance Policy Works — Architecture Overview
Understanding the Microsoft Intune MDM compliance policy flow prevents a lot of troubleshooting confusion. Here is the complete evaluation chain from device check-in to access decision:
Device → checks in with Intune (every ~8 hrs or on-demand sync)
↓
Intune Compliance Engine evaluates policy rules against device state
↓
Compliance Status: Compliant / Not Compliant / Not Evaluated / In Grace Period
↓
Entra ID receives compliance signal via device object attribute
↓
Conditional Access Policy checks: "require device to be marked compliant"
↓
Access Decision: Allow / Block / Require MFA
The critical detail: Entra ID does not query Intune in real time during authentication. Intune writes the compliance state to the device’s Entra ID object, and Conditional Access reads that attribute. This means there can be a delay of up to 15–30 minutes between a device becoming compliant in Intune and Conditional Access allowing access — one of the most common sources of “I fixed the issue but I still can’t log in” support tickets.
For hybrid-joined devices (joined to on-premises AD and enrolled in Intune), the Intune compliance policy flow also involves Entra ID Connect syncing the device object, adding another 30-minute delay. For hybrid join troubleshooting, see the Azure AD Hybrid Join Not Working: Complete Fix Guide 2026.
Microsoft Intune Compliance Policy Configuration Step by Step
This section covers the complete Microsoft Intune compliance policy configuration step by step for Windows 10 and Windows 11 devices. Follow each phase in order for a clean, error-free deployment.
Phase 1: Access the Intune Admin Center
Navigate to intune.microsoft.com and sign in with your Intune Administrator account. Go to: Devices → Compliance (left navigation, under the Manage section).
Navigation path:
Intune Admin Center
└─ Devices
└─ Compliance
└─ Policies → + Create policy
Verification: If you do not see the Compliance option under Devices, your account is missing the Intune Administrator role. Verify at: Entra admin center → Roles → My roles.
Phase 2: Select Platform and Name the Policy
Click + Create policy and select your platform:
- Windows 10 and later — covers both Windows 10 and Windows 11
- iOS/iPadOS
- Android Enterprise (recommended over legacy Device Administrator)
- macOS
Give the policy a descriptive name using a consistent naming convention — for example: WIN-COMPLIANCE-Standard-v1 or CORP-Windows11-Compliance-Baseline. Avoid generic names like “Compliance Policy 1.”
Common mistake: Do not create one policy and apply it to all platforms. Each platform has entirely different Intune compliance policy settings — a Windows policy cannot apply to iOS. Create separate policies per platform.
Phase 3: Configure Compliance Settings for Windows 10/11
This is the core of your Windows 10/11 Intune device compliance policy configuration. For an enterprise security baseline, configure the following settings:
Device Health:
- Require BitLocker: Require
- Require Secure Boot: Require
- Require code integrity: Require
Device Properties:
- Minimum OS version: 10.0.19041 (Windows 10 2004 — adjust to your org standard)
- Maximum OS version: Leave blank unless blocking specific builds
System Security:
- Password type: Alphanumeric
- Minimum password length: 8
- Firewall: Require
- Antivirus: Require
- Antispyware: Require
- Microsoft Defender Antimalware: Require
Microsoft Defender for Endpoint (if licensed):
- Machine risk score: Medium (use Low for high-security environments)
The Intune BitLocker compliance policy Windows check is the most common failure point after initial Intune compliance policy configuration. Intune checks whether BitLocker is reported as active by the Windows Security Center API — not whether encryption has finished. If BitLocker was never enabled, the compliance check fails immediately.
Phase 4: Configure Intune Actions for Noncompliance
Under the Actions for noncompliance tab, configure what happens when a device fails the Intune compliance policy. The Intune actions for noncompliance setup is frequently overlooked — never leave it at default with a 0-day grace period, as that immediately blocks users with no warning.
Recommended baseline for SMB deployments:
| Action | Schedule (days after non-compliant) | Notes |
|---|---|---|
| Send email to end user | 0 (immediate) | Notify the user right away |
| Mark device non-compliant | 3 | 3-day grace period for self-remediation |
| Send push notification | 5 | Escalation reminder before block |
| Retire device | 30 | High-security orgs only |
Phase 5: Assign to an Entra ID Group
Under the Assignments tab, assign to the Entra ID group containing your managed devices or users. Use exclusion groups for test devices and break-glass accounts.
Best practice: Use a dynamic Entra ID device group with this membership rule so newly enrolled devices are automatically included in your Intune compliance policy scope:
(device.deviceOSType -eq "Windows") -and
(device.managementType -eq "MDM") -and
(device.accountEnabled -eq true)
For Entra ID group fundamentals, see the Active Directory Explained: Beginner to Advanced Guide 2026.
Phase 6: Review and Create
Review all settings on the Summary tab and click Create. The Microsoft Intune compliance policy deploys on the next device check-in cycle (up to 8 hours, or trigger an immediate sync).
Verify deployment: Open the policy → Device status tab. Within 15–30 minutes of the next check-in, devices appear with Compliant, Not compliant, or Not applicable status.
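The same Phase 2 to Phase 5 configuration can be scripted, which makes it repeatable and easy to keep under version control. The PowerShell below is an added example, not code from the original post: it creates the Windows policy with the Phase 3 settings and the Phase 4 grace periods through the Microsoft Graph API, then assigns it as in Phase 5. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can consent to the DeviceManagementConfiguration.ReadWrite.All scope, and that $GroupId is replaced with your device group's object ID (the value shown is a placeholder).

```powershell
# Added example (not from the original post): create, configure and assign the
# Windows compliance policy from Phases 2-5 through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the account can
# consent to DeviceManagementConfiguration.ReadWrite.All, and $GroupId is
# replaced with the object ID of your device group (the value below is a placeholder).
Import-Module Microsoft.Graph.Authentication

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Entra ID device group object ID
$Graph   = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# Phase 3 settings expressed as windows10CompliancePolicy properties.
$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'WIN-COMPLIANCE-Standard-v1'
    description            = 'Baseline: BitLocker, Secure Boot, code integrity, OS >= 10.0.19041, Defender, firewall'
    # Device Health
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    # Device Properties
    osMinimumVersion       = '10.0.19041'
    # System Security
    passwordRequired       = $true
    passwordRequiredType   = 'alphanumeric'
    passwordMinimumLength  = 8
    activeFirewallRequired = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    defenderEnabled        = $true
    # Microsoft Defender for Endpoint: remove these two lines if the MDE connector is not set up
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Phase 4: actions for noncompliance. Graph takes the schedule in hours, so the
    # 3-day grace period before "Mark device non-compliant" is 72 hours.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'   # the single catch-all rule name Intune uses for this list
            scheduledActionConfigurations = @(
                @{ actionType = 'block';            gracePeriodHours = 72  }   # day 3: mark non-compliant
                @{ actionType = 'pushNotification'; gracePeriodHours = 120 }   # day 5: escalation reminder
                @{ actionType = 'retire';           gracePeriodHours = 720 }   # day 30: high-security orgs only
                # The day-0 email needs a template created under Compliance -> Notifications:
                # @{ actionType = 'notification'; gracePeriodHours = 0; notificationTemplateId = '<template-id>' }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Phase 5: assign to the device group. Add exclusionGroupAssignmentTarget entries for test/break-glass groups.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

"Created '$($created.displayName)' ($($created.id)) and assigned it to group $GroupId"
```

Keeping the policy as a hashtable in a script file gives you the version history that Intune itself does not keep: bump the version suffix in displayName and commit the change, and the previous values stay in the repository.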
Intune Conditional Access Compliance Policy Integration
An Intune compliance policy without Conditional Access is advisory — it reports status but has no enforcement. Intune conditional access compliance policy integration transforms the compliance signal into real access control that blocks non-compliant devices from Microsoft 365 resources.
Navigate to: Entra admin center → Protection → Conditional Access → + New policy
Configure the CA policy:
- Users: Target the same Entra ID group as your Intune compliance policy (start with a pilot group)
- Target resources: All cloud apps for full enforcement, or Exchange Online and SharePoint first for staged rollout
- Conditions → Device platforms: Filter to Windows for platform-specific enforcement
- Grant → Require device to be marked as compliant: Enable this control
- Enable policy: Start in Report-only mode — review sign-in logs for one week before switching to On
The Entra ID configuration in 2026 is identical to the Azure AD Conditional Access integration you may know from previous deployments: Microsoft rebranded Azure AD to Entra ID in 2023, but the policy structure is unchanged.
Non-compliant devices attempting to access SharePoint Online receive a block page. For broader SharePoint access troubleshooting that intersects with CA blocks, see the SharePoint Online Permissions Not Working Fix.
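The same Conditional Access policy can be created through Microsoft Graph, which also lets you pull the Report-only results out of the sign-in logs instead of scrolling through them in the portal. The PowerShell below is an added example, not code from the original post: it creates the policy in Report-only mode with the settings listed above, then lists the sign-ins from the last week that the policy would have blocked. It assumes the Microsoft.Graph.Authentication module is installed, that the account can consent to the scopes requested, and that both group IDs are placeholders to replace with your own.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# above in Report-only mode through Microsoft Graph, then pull a week of sign-in logs
# to see who it would have blocked. Assumptions: Microsoft.Graph.Authentication is
# installed; the account can consent to the scopes below; both group IDs are placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All','AuditLog.Read.All','Directory.Read.All' -NoWelcome
$Graph = 'https://graph.microsoft.com/v1.0'

$PilotGroupId      = '00000000-0000-0000-0000-000000000000'   # placeholder: same pilot group as the compliance policy
$BreakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access accounts, always excluded

$caPolicy = @{
    displayName = 'CA-RequireCompliantDevice-Windows-Pilot'
    state       = 'enabledForReportingButNotEnforced'        # Report-only; change to 'enabled' after log review
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }  # or the Exchange Online / SharePoint app IDs for a staged rollout
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }   # "Require device to be marked as compliant"
}
$ca = Invoke-MgGraphRequest -Method POST -Uri "$Graph/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

function Get-ReportOnlyFailures {
    # Sign-ins in the last $Days where this policy evaluated to reportOnlyFailure,
    # i.e. the sign-in would have been blocked had the policy been On.
    param([Parameter(Mandatory)][string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri   = "$Graph/auditLogs/signIns?`$filter=createdDateTime ge $since"
    $hits  = @()
    while ($uri) {                              # follow @odata.nextLink across pages
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($s in $page.value) {
            $mine = $s.appliedConditionalAccessPolicies |
                    Where-Object { $_.id -eq $PolicyId -and $_.result -eq 'reportOnlyFailure' }
            if ($mine) {
                $hits += [pscustomobject]@{
                    User = $s.userPrincipalName; App = $s.appDisplayName; Client = $s.clientAppUsed
                    DeviceOS = $s.deviceDetail.operatingSystem; DeviceCompliant = $s.deviceDetail.isCompliant
                    When = $s.createdDateTime
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $hits
}

# Run this daily during the report-only week; service accounts and legacy clients show up here first
Get-ReportOnlyFailures -PolicyId $ca.id -Days 7 |
    Group-Object User, App |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Grouping by user and app surfaces the accounts that would be locked out on day one; a service account or a legacy client at the top of that table is exactly what the Report-only week is meant to catch before you switch the policy to On.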
Compliance Policy Configuration for iOS and Android
Mobile Intune compliance policy configuration follows the same workflow with platform-specific settings. This also applies to small-business Intune MDM deployments, where BYOD mobile devices are common.
iOS/iPadOS compliance baseline:
- Minimum OS version: iOS 16.0
- Jailbroken devices: Block
- Require a password: Require
- Minimum password length: 6
- Password type: Alphanumeric
- Device Threat Level: Secured
Android Enterprise compliance baseline:
- Rooted devices: Block
- Minimum OS version: Android 12
- Require a password: Require
- Google Play Protect: Require
- SafetyNet attestation: Basic integrity and certified devices
Use Android Enterprise enrollment rather than legacy Device Administrator mode, which Google has been deprecating since Android 10.
Verifying Intune Compliance Policy Status
After completing Microsoft Intune compliance policy configuration step by step, verify it is working correctly using these checks.
From Intune admin center:
- Devices → Compliance → select your policy → Device status — lists every assigned device with compliance state
- Devices → All devices → select a device → Device compliance — shows pass/fail per individual rule
From Windows device (PowerShell — run as Administrator):
# Check MDM enrollment and compliance state
dsregcmd /status
# Key values:
# AzureAdJoined : YES
# MDMUrl : https://enrollment.manage.microsoft.com/...
# MdmCompliant : YES
Trigger an immediate Intune sync:
# Via Settings app:
# Settings → Accounts → Access work or school → Info → Sync
# Via PowerShell (run as Administrator):
Get-ScheduledTask | Where-Object {$_.TaskPath -like "*EnterpriseMgmt*"} | Start-ScheduledTask
# Via Company Portal app:
# Open Company Portal → Devices → select device → Check status
Troubleshooting: Intune Device Marked Non-Compliant Fix
This section covers the four most common “policy not applying” and “device marked non-compliant” scenarios we resolve in production environments.
Issue 1: Device Shows Non-Compliant Immediately After Intune Compliance Policy Assignment
Symptoms: Device shows Not compliant in Intune within minutes of Intune compliance policy configuration, before the user has done anything.
Root cause: Device does not meet one or more compliance settings — most commonly BitLocker is not enabled, Windows Defender is disabled, or OS version is below the policy minimum.
# Identify which rule is failing:
# Intune admin center → Devices → [device] → Device compliance
# Check BitLocker status:
manage-bde -status C:
# Check Defender status:
Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
Prevention: Always deploy a configuration profile to enable settings before deploying the Intune compliance policy that checks for them. Deploy config profiles first, wait 24–48 hours, then deploy the compliance policy.
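The verification commands in the previous section and the checks for Issue 1 can be combined into one script that runs on the device before Intune evaluates it. The PowerShell below is an added example, not code from the original post: it parses dsregcmd /status, evaluates the Phase 3 baseline conditions locally (OS build, BitLocker, Secure Boot, firewall, Defender), and triggers the Intune sync only when everything passes. It assumes a Windows 10/11 Pro or Enterprise device with the BitLocker, Defender and NetSecurity PowerShell modules present, run from an elevated prompt, and uses the post's 10.0.19041 minimum build.

```powershell
# Added example (not from the original post): run on the Windows device itself, as
# Administrator, to evaluate the Phase 3 conditions locally before Intune does, read
# the join/MDM state from dsregcmd, and trigger a sync only when everything passes.
# Assumptions: Windows 10/11 with the BitLocker, Defender and NetSecurity PowerShell
# modules present (Pro/Enterprise editions); the minimum OS build is the post's 10.0.19041.

function Get-DsregStatus {
    # Parse the "Name : Value" lines of dsregcmd /status into a (case-insensitive) hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Test-LocalComplianceBaseline {
    param([version]$MinimumOsVersion = '10.0.19041')
    $r = [ordered]@{}

    # Device Properties: minimum OS version
    $os = [version](Get-CimInstance Win32_OperatingSystem).Version
    $r['OS version >= minimum']        = ($os -ge $MinimumOsVersion)

    # Device Health: BitLocker must be protecting the OS drive, not merely "encrypting"
    $bl = Get-BitLockerVolume -MountPoint 'C:'
    $r['BitLocker protection On']      = ($bl.ProtectionStatus -eq 'On')
    $r['BitLocker fully encrypted']    = ($bl.VolumeStatus -eq 'FullyEncrypted')

    # Device Health: Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS boot)
    try   { $r['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $r['Secure Boot enabled'] = $false }

    # System Security: firewall on every profile, Defender AV/antispyware running
    $fw = Get-NetFirewallProfile
    $r['Firewall on all profiles']     = -not ($fw | Where-Object { $_.Enabled -ne 'True' })
    $mp = Get-MpComputerStatus
    $r['Defender antivirus enabled']   = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    $r['Defender antispyware enabled'] = [bool]$mp.AntispywareEnabled

    return $r
}

$dsreg = Get-DsregStatus
"AzureAdJoined: $($dsreg['AzureAdJoined'])   MdmUrl: $($dsreg['MdmUrl'])"

$checks = Test-LocalComplianceBaseline
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

if ($checks.Values -notcontains $false) {
    # Everything the policy checks is in place locally, so a sync should flip the device to Compliant
    Get-ScheduledTask | Where-Object { $_.TaskPath -like '*EnterpriseMgmt*' } | Start-ScheduledTask
    'All checks passed; Intune sync triggered.'
} else {
    'Fix the FAIL items above (via configuration profile or GPO) before re-syncing.'
}
```

A FAIL line here maps directly to a rule under Devices → [device] → Device compliance, so the helpdesk can tell a user exactly what to fix (or what configuration profile has not landed yet) without waiting for the next 8-hour check-in.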
Issue 2: Intune Compliance Policy Not Applying to Device
Symptoms: Device shows “Not evaluated” or the Intune compliance policy does not appear under the device’s compliance section.
Root cause: Device is not in the assigned group, not correctly enrolled in Intune, or Intune license is not assigned to the user.
# Verify device group membership:
# Entra admin center → Groups → [group] → Members
# Verify enrollment (findstr is case-sensitive unless you pass /i):
dsregcmd /status | findstr /i mdm
# Expected: MDMUrl : https://enrollment.manage.microsoft.com/...
# Verify Intune license:
# M365 admin center → Users → [user] → Licenses
# Force sync:
Get-ScheduledTask | Where-Object {$_.TaskPath -like "*EnterpriseMgmt*"} | Start-ScheduledTask
Issue 3: Compliant in Intune but Conditional Access Still Blocks Access
Symptoms: Device shows Compliant in Intune compliance policy dashboard but user is still blocked from Microsoft 365 apps.
Root cause: Propagation delay between Intune updating compliance state and Entra ID reflecting it (15–30 minutes). Hybrid-joined devices add Entra Connect sync delay.
# Check Entra ID compliance status:
# Entra admin center → Devices → All devices → [device] → Properties
# Check "Is compliant" field
# Check sign-in logs:
# Entra admin center → Monitoring → Sign-in logs
# Filter by user → review CA policy result and failure reason
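The fastest way to confirm that Issue 3 is a propagation delay rather than a policy problem is to read both sides at once: what Intune recorded and what the device object in Entra ID currently says. The PowerShell below is an added example, not code from the original post: it looks up the managed device in Intune, follows its azureADDeviceId to the Entra ID device object, and reports whether the isCompliant attribute that Conditional Access reads has caught up. It assumes the Microsoft.Graph.Authentication module is installed and uses 'DESKTOP-EXAMPLE01' as a placeholder device name.

```powershell
# Added example (not from the original post): compare a device's compliance state in
# Intune with the isCompliant attribute Conditional Access actually reads in Entra ID,
# to confirm whether Issue 3 is just propagation delay. Assumptions: the
# Microsoft.Graph.Authentication module is installed, and 'DESKTOP-EXAMPLE01' is a
# placeholder device name.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All' -NoWelcome
$Graph = 'https://graph.microsoft.com/v1.0'

function Compare-ComplianceState {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Intune's view: what the compliance engine last recorded for the device
    $mdUri = "$Graph/deviceManagement/managedDevices?" +
             "`$filter=deviceName eq '$DeviceName'" +
             '&$select=deviceName,complianceState,lastSyncDateTime,azureADDeviceId'
    $md = (Invoke-MgGraphRequest -Method GET -Uri $mdUri).value | Select-Object -First 1
    if (-not $md) { throw "No Intune managed device named '$DeviceName'" }

    # Entra ID's view: the device object attribute Conditional Access evaluates
    $devUri = "$Graph/devices?`$filter=deviceId eq '$($md.azureADDeviceId)'" +
              '&$select=displayName,isCompliant,isManaged,approximateLastSignInDateTime'
    $entra = (Invoke-MgGraphRequest -Method GET -Uri $devUri).value | Select-Object -First 1

    $intuneSaysCompliant = ($md.complianceState -eq 'compliant')
    [pscustomobject]@{
        DeviceName       = $md.deviceName
        IntuneState      = $md.complianceState
        IntuneLastSync   = $md.lastSyncDateTime
        EntraIsCompliant = $entra.isCompliant
        EntraIsManaged   = $entra.isManaged
        # $false here with IntuneState = compliant is the Issue 3 symptom: wait for
        # propagation (or Entra Connect sync on hybrid-joined devices) before digging further
        InSync           = ($intuneSaysCompliant -eq [bool]$entra.isCompliant)
    }
}

Compare-ComplianceState -DeviceName 'DESKTOP-EXAMPLE01' | Format-List
```

If IntuneState is compliant, EntraIsCompliant is false and IntuneLastSync is only a few minutes old, the 15–30 minute window described above has simply not elapsed; if EntraIsManaged is also false, the device object Conditional Access is evaluating is not the one Intune is writing to, which points at a duplicate or stale device record rather than a timing issue.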
Issue 4: Intune BitLocker Compliance Policy Fails on Hybrid Azure AD Joined Devices
Symptoms: BitLocker is visibly enabled but Intune compliance policy still reports BitLocker as non-compliant.
Root cause: Intune reads BitLocker status from the Windows Security Center API. If BitLocker was enabled via GPO before Intune enrollment, the Security Center may not report it correctly.
# Check BitLocker volume status:
Get-BitLockerVolume -MountPoint C: | Select-Object VolumeStatus, ProtectionStatus
# Expected: VolumeStatus = FullyEncrypted, ProtectionStatus = On
# Remove conflicting BitLocker GPO, then trigger sync
# Rotate recovery key via Intune:
# Intune admin center → Devices → [device] → Recovery keys → Rotate
For deeper AD/GPO conflict diagnosis, the Active Directory Replication Failed: Complete Fix Guide 2026 covers GPO troubleshooting methodology that applies directly here.
Best Practices for Intune Compliance Policy Configuration
Security Best Practices
Start with a pilot group. Never deploy a new Intune compliance policy directly to all users. Create a pilot group of 10–20 users, deploy there first, run for 48 hours, review device status, then expand. This single practice prevents the majority of production incidents we see from rushed Microsoft Intune compliance policy configuration deployments.
Use report-only mode for Conditional Access first. Enable your CA policy in Report-only mode for at least one week before enforcing. Review sign-in logs daily to identify service accounts or legacy auth clients that would be blocked.
Separate compliance policies by device ownership type. Corporate-owned devices need stricter Intune compliance policy settings than BYOD. Use Enrollment Restriction profiles to distinguish them.
Operational Best Practices
Use consistent naming conventions. A name like WIN11-COMP-Corporate-Strict-v2 identifies platform, type, scope, and version at a glance.
Document every policy version. Intune does not maintain version history for Intune compliance policies — once you change a setting, the previous value is gone. Export or document settings before modifying.
Review the noncompliance report weekly. Devices non-compliant for more than 14 days need individual investigation — they often represent unenrolled devices or persistent hardware issues.
Customize noncompliance notification emails. The default email is generic. Customize at Intune → Devices → Compliance → Notifications with your branding and a clear self-service remediation link.
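Two of the practices above, documenting every policy version and reviewing long-running non-compliance, are easy to automate. The PowerShell below is an added example, not code from the original post: one function exports every compliance policy (with its scheduled actions) to a timestamped JSON file so the previous values survive an edit, and another lists non-compliant devices that have not synced for 14 days or more. It assumes the Microsoft.Graph.Authentication module is installed and that the account can consent to the two read scopes; the output folder is an arbitrary choice, and using last sync time as the staleness measure is an assumption of this example.

```powershell
# Added example (not from the original post): export every compliance policy to JSON
# before changing it, and list non-compliant devices that have not synced for N days.
# Assumptions: Microsoft.Graph.Authentication is installed; the signed-in account can
# consent to the read scopes below; the output folder path is an arbitrary choice.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All','DeviceManagementManagedDevices.Read.All' -NoWelcome
$Graph = 'https://graph.microsoft.com/v1.0'

function Export-CompliancePolicies {
    # Writes one timestamped JSON file per policy, including its scheduled actions,
    # so the "previous value" survives the next edit.
    param([string]$OutputFolder = (Join-Path $PWD 'compliance-policy-backup'))
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $uri = "$Graph/deviceManagement/deviceCompliancePolicies" +
           '?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)'
    $policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    foreach ($p in $policies) {
        $file = Join-Path $OutputFolder (($p.displayName -replace '[^\w\-]', '_') + "-$stamp.json")
        $p | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
    }
    return $policies.Count
}

function Get-StaleNoncompliantDevices {
    # Non-compliant devices whose last Intune sync is older than $Days. Staleness is
    # measured by lastSyncDateTime here (an assumption of this example); these are the
    # devices the post says usually turn out to be unenrolled or hardware-broken.
    param([int]$Days = 14)
    $uri = "$Graph/deviceManagement/managedDevices?" +
           '$filter=complianceState eq ''noncompliant''' +
           '&$select=deviceName,userPrincipalName,operatingSystem,lastSyncDateTime,complianceState'
    $rows = @()
    while ($uri) {                       # follow @odata.nextLink across pages
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) {
            $lastSync = ([datetime]$d.lastSyncDateTime).ToUniversalTime()
            $age = [int]((Get-Date).ToUniversalTime() - $lastSync).TotalDays
            if ($age -ge $Days) {
                $rows += [pscustomobject]@{
                    Device = $d.deviceName; User = $d.userPrincipalName
                    OS = $d.operatingSystem; DaysSinceSync = $age
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $rows | Sort-Object DaysSinceSync -Descending
}

"Exported $(Export-CompliancePolicies) policies"
Get-StaleNoncompliantDevices -Days 14 | Format-Table -AutoSize
```

Run the export before every policy change and the stale-device report on a weekly schedule; a device that appears in the report three weeks running is a candidate for retirement from Intune rather than another reminder email.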
Scale and Performance Best Practices
Avoid over-scoping compliance policies. Separate settings by risk tier — a baseline Intune compliance policy for all devices and an elevated policy for privileged users accessing sensitive data.
Integrate Microsoft Defender for Endpoint. If licensed, connect MDE to Intune via the Defender for Endpoint connector for machine risk score–based compliance enforcement.
Frequently Asked Questions
How do I create a device compliance policy in Microsoft Intune?
The Microsoft Intune compliance policy configuration step by step process starts at Intune admin center → Devices → Compliance → + Create policy. Select your platform, configure compliance rules including BitLocker, firewall, and minimum OS version, set noncompliance actions with a grace period, and assign to an Entra ID device or user group.
What is the difference between a compliance policy and a configuration profile in Intune?
An Intune compliance policy evaluates whether a device meets security standards and reports compliant or non-compliant status — it does not change settings. A configuration profile actively pushes and enforces settings. You need both: a config profile to configure BitLocker, and a compliance policy to verify it is active.
Why is my device showing as non-compliant in Intune even after applying the policy?
The most common causes are: BitLocker not enabled before the Intune compliance policy check ran, Windows Defender disabled, OS version below the policy minimum, or a sync delay between Intune and Entra ID. Check per-setting compliance state under Devices → [device name] → Device compliance to identify exactly which rule is failing.
How does Intune compliance integrate with Conditional Access in Entra ID?
Intune writes the Intune compliance policy status to the device object in Entra ID. A Conditional Access policy configured with “Require device to be marked as compliant” reads this attribute during authentication. Non-compliant devices are blocked until the Intune compliance policy status propagates to Entra ID — typically 15–30 minutes.
How long does it take for an Intune compliance policy to apply to a device?
Windows devices check in with Intune approximately every 8 hours. Trigger an immediate sync via Settings → Accounts → Access work or school → Sync, or via Company Portal. After sync, Intune compliance policy evaluation completes within 5–10 minutes and propagates to Entra ID within 15–30 minutes.
Conclusion
Microsoft Intune compliance policy configuration step by step is the security backbone of any modern endpoint management deployment. When your Intune compliance policy is configured correctly — with platform-appropriate rules, staged rollout, meaningful grace periods, and tight Conditional Access integration — you get automated, continuous enforcement of your device security baseline without manual intervention.
Plan before you deploy: Know your licensing, device groups, and grace period strategy before creating a single Intune compliance policy. A well-planned deployment saves days of troubleshooting post-launch.
Layer your approach: Configuration profiles configure settings; Intune compliance policies verify them. Deploy config profiles first, confirm they’ve applied, then deploy compliance policies.
Use report-only mode: Always run Conditional Access in Report-only mode for at least a week before enforcing. Sign-in log review during this period is the most valuable pre-launch activity.
Monitor continuously: Check the noncompliance report weekly. Devices that stay non-compliant need individual attention before becoming a security gap.
Whether you’re completing Microsoft Intune compliance policy configuration for the first time or cleaning up an existing deployment, this guide reflects what works in real SMB and enterprise environments. For a broader foundation, the Microsoft Intune Setup Guide covers everything from initial enrollment to policy assignment.
Need Expert Help with Microsoft Intune Compliance Policy Configuration?
Intune compliance deployments have a lot of moving parts — licensing, group structure, Conditional Access policy, device enrollment, and BitLocker configuration all need to align. If you’re seeing persistent non-compliant devices, CA policy blocking the wrong users, or struggling to design a compliance baseline for your organisation, I can help.
I provide professional Microsoft 365 and Intune consulting for businesses across Pakistan and internationally.
Services
- Microsoft Intune MDM setup and compliance policy configuration
- Conditional Access policy design and deployment
- Microsoft 365 Business Premium implementation
- Entra ID and hybrid join troubleshooting
- BitLocker and Windows security baseline deployment
- Ongoing endpoint management support
Email: itexpert@navedalam.com
WhatsApp: +92 311 935 8005
Website: navedalam.com
Free 30-minute consultation — no obligation
About the Author
Naveed Alam is a certified Network and Cloud Engineer specializing in Microsoft 365, Azure, and enterprise endpoint management. He holds CCNA, AZ-900, AZ-104, and CompTIA A+ certifications and has completed Microsoft Intune compliance policy configuration for organizations ranging from 20-user SMBs to 500-seat enterprises across Pakistan and internationally.
Specializations: Microsoft Intune, Entra ID, Conditional Access, Azure networking, Cisco routing and switching, Windows Server, and hybrid infrastructure.
LinkedIn · navedalam.com · itexpert@navedalam.com