
Device Compliance as Governance Control: The Intune Baseline Regulators Expect

Regulators and auditors expect demonstrable evidence that every device accessing corporate data meets a defined security baseline. This guide sets out the Intune compliance policy foundation that satisfies Cyber Essentials, ISO 27001, and insurer requirements - converting device security from aspiration into an enforced, evidenced control that management can report on with confidence.

INSIGHTS OF 2026

Intune Compliance Policies: The Baseline Every Regulated Tenant Needs

Intune compliance policies are the most underutilised security control in Microsoft 365. Most organisations deploy Intune for device management (configuration profiles, app deployment), but remarkably few implement compliance policies robust enough to enforce security posture at the point of access. The distinction matters: a configuration policy pushes settings to a device; a compliance policy evaluates whether the device meets requirements and, critically, feeds that assessment into Conditional Access to permit or deny access.

Compliance vs Configuration Policies: The Critical Distinction

Configuration policies (Devices > Configuration > Profiles) actively push settings to devices. They configure the firewall, deploy Wi-Fi profiles, enable BitLocker encryption, and enforce password requirements. They are proactive: they change the device state.

Compliance policies (Devices > Compliance) evaluate the device state and report it. They check whether the firewall is on, whether encryption is active, whether the OS is up to date. They are reactive: they assess and report. The resulting compliance state (Compliant, Not compliant, In grace period, Not evaluated) is then consumed by Conditional Access policies to make access decisions; a device in grace period is treated as compliant until the grace period expires.

The architecture is: configuration policies enforce the settings, compliance policies verify them, and Conditional Access acts on the verification. Without all three layers you have gaps. A configuration profile alone cannot stop a device whose user has turned BitLocker back off, and a compliance policy alone changes nothing until a Conditional Access policy consumes its result.

Essential Compliance Checks

Every regulated tenant should implement the following compliance checks as a baseline. First, under Devices > Compliance > Compliance policy settings, set "Mark devices with no compliance policy assigned as" to Not compliant: the default is Compliant, which means a device that has slipped outside every policy assignment still satisfies Conditional Access. Then navigate to Microsoft Intune admin centre > Devices > Compliance > Create policy.

For Windows 10/11 devices:

Device Health:

  • Require BitLocker: Yes
  • Require Secure Boot: Yes
  • Require code integrity: Yes

These checks use Device Health Attestation (the Windows Health Attestation Service), which reports the state of the boot chain as measured by the TPM at the last boot. If an attacker disables BitLocker or compromises the boot chain, the device fails compliance at its next evaluation. Because the attestation report is generated at boot, a change in either direction (BitLocker enabled after enrolment, or disabled by an attacker) is only reflected after a restart and check-in; budget for that delay when reading the reports, and do not mistake a freshly enrolled device that shows "Require BitLocker: Not compliant" for a misconfiguration until it has rebooted.

Device Properties:

  • Minimum OS version: Set to the current servicing channel build (e.g., 10.0.22631.xxxx for Windows 11 23H2). Update this monthly after Patch Tuesday, but only once your update rings' deferral period has delivered the build; raising the minimum to a build most devices have not yet installed pushes the whole estate into grace period or non-compliance at once.
  • Maximum OS version: Optional, but useful for preventing preview builds in production.

System Security:

  • Require a password: Yes
  • Minimum password length: 12 characters
  • Password expiration: Per organisational policy (NCSC guidance is not to force regular password expiry; some frameworks and insurer questionnaires still require it)
  • Firewall: Required
  • Antivirus: Required
  • Antispyware: Required
  • Microsoft Defender Antimalware: Required
  • Microsoft Defender Antimalware minimum version: Current version (pin it to the platform version your devices have actually received; a value ahead of the estate makes every device fail this check)
  • Real-time protection: Required

Microsoft Defender for Endpoint:

  • Require the device to be at or under the machine risk score: Medium (or Low for high-security environments)

This last check is exceptionally powerful. It requires the Intune connector for Microsoft Defender for Endpoint to be enabled and the device to be onboarded; once it is, if Defender for Endpoint detects active threats on a device and raises its machine risk score above the threshold, the device fails compliance and, through Conditional Access, loses access to Microsoft 365 without any human intervention. Because the noncompliance schedule is set per policy rather than per setting, put this check in its own compliance policy with the mark-non-compliant action set to Immediately: a device with an active threat should not keep its access for the grace period that OS-version checks need.

For macOS devices:

  • Require system integrity protection: Yes
  • Require FileVault encryption: Yes
  • Minimum OS version: Current macOS version minus one minor release
  • Password requirements: Minimum 12 characters, complex

For iOS/iPadOS devices:

  • Minimum OS version: Current version minus one minor release
  • Jailbreak detection: Block jailbroken devices
  • Require a password: Yes, minimum 6 digits
  • Maximum minutes of inactivity before password is required: 5

For Android Enterprise devices:

  • Minimum OS version: Current version minus two major releases
  • Rooted devices: Block
  • Require encryption: Yes
  • Google Play Services: Required (ensures security patches are deliverable)

Non-Compliant Device Actions

When a device fails compliance, Intune can execute a sequence of actions. Configure these under the compliance policy's Actions for noncompliance section:

  1. Mark device non-compliant: the schedule on this action is the grace period. Intune holds the device in the In grace period state, which Conditional Access treats as compliant, until the configured number of days elapses; it then marks the device Not compliant and Conditional Access blocks it. Use Immediately (Day 0) for checks that indicate compromise (Defender for Endpoint risk score, jailbreak or root detection) and 1-2 days for OS-version and Defender-version checks. Because the schedule applies to the whole policy, keep those two kinds of check in separate policies.
  2. Day 0 - Send email to end user: Notify the user that their device is non-compliant and provide remediation steps. Use an Intune notification message template (Devices > Compliance > Notifications) to include specific guidance.
  3. Day 3 - Send push notification: Remind the user via a Company Portal push notification.
  4. Day 7 - Send second email: Copy an escalation group using the email action's additional recipients option, which takes Entra ID groups. The action does not look up the user's manager attribute, so manager-level escalation needs a workflow outside Intune (for example, driven from the noncompliant device report).
  5. Day 14 - Retire device: For corporate-owned devices, remove all corporate data. For BYOD, selectively wipe corporate apps and data.

The grace period is what makes this workable. A policy whose mark-non-compliant action fires immediately will lock out users who are, for example, mid-flight when a new minimum OS build is published. A 24-48 hour grace period for OS version compliance balances security with usability; it does not belong on checks that indicate compromise. Note also the compliance status validity period (Compliance policy settings, default 30 days): a device that has not checked in within that window is marked not compliant regardless of its last reported state, which catches dormant devices but also means a laptop left in a drawer is blocked on its return until it syncs.
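As an added example (not code from the original article), the Windows baseline above and the action schedule in this section can be created in a single Microsoft Graph request with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All scope, and that the three IDs ($NotificationTemplateId, $EscalationGroupId, $TargetGroupId) are yours; the osMinimumVersion value is a placeholder to replace with the build you actually require. Property names are those of the microsoft.graph.windows10CompliancePolicy resource type.

```powershell
# Added example, not from the original article. Creates the Windows 10/11 baseline compliance
# policy (settings + actions for noncompliance) via Microsoft Graph v1.0 and assigns it.
# Assumptions: Microsoft.Graph module installed; scope below granted; the three IDs are yours.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$NotificationTemplateId = '<id of an existing notification message template>'   # Devices > Compliance > Notifications
$EscalationGroupId      = '<object id of the Entra ID group copied on the Day 7 email>'
$TargetGroupId          = '<object id of the Entra ID group the policy is assigned to>'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Baseline - Windows 10/11 - regulated tenant'
    description   = 'Cyber Essentials / ISO 27001 A.8.1 device baseline'

    # Device Health: evaluated from the Device Health Attestation report, refreshed at boot
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true

    # Device Properties: placeholder; replace with the Patch Tuesday build your update rings have delivered
    osMinimumVersion = '10.0.22631.0'

    # System Security
    passwordRequired         = $true
    passwordMinimumLength    = 12
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    defenderEnabled          = $true
    rtpEnabled               = $true

    # Actions for noncompliance. gracePeriodHours is the delay before each action fires;
    # 'block' is the action that marks the device noncompliant (24 h grace for this OS-version policy).
    # The Defender for Endpoint risk-score check belongs in a separate policy with gracePeriodHours = 0.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'notification';     gracePeriodHours = 0;   notificationTemplateId = $NotificationTemplateId }
                @{ actionType = 'block';            gracePeriodHours = 24 }
                @{ actionType = 'pushNotification'; gracePeriodHours = 72 }
                @{ actionType = 'notification';     gracePeriodHours = 168; notificationTemplateId = $NotificationTemplateId;
                   notificationMessageCCList = @($EscalationGroupId) }
                @{ actionType = 'retire';           gracePeriodHours = 336 }
            )
        }
    )
}

$uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
               -Body ($policy | ConvertTo-Json -Depth 10)
Write-Host "Created policy '$($created.displayName)' with id $($created.id)"

# Assign it: an unassigned policy evaluates nothing, and unassigned devices are Compliant by default.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$uri/$($created.id)/assign" -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 10) | Out-Null

# Read the policy back so the enforced values can be filed as change-control evidence.
Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)" -OutputType PSObject |
    Select-Object displayName, osMinimumVersion, bitLockerEnabled, secureBootEnabled,
                  codeIntegrityEnabled, passwordMinimumLength, activeFirewallRequired, rtpEnabled
```

The same script, with deviceThreatProtectionEnabled = $true, deviceThreatProtectionRequiredSecurityLevel = 'medium' and a single block action at gracePeriodHours = 0, produces the separate Defender for Endpoint risk-score policy; keeping it separate is what lets it mark devices non-compliant immediately while this policy keeps its 24-hour grace period.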

Integration with Conditional Access

The compliance policy alone does nothing to protect resources. It must be consumed by a Conditional Access policy. Navigate to Entra ID > Security > Conditional Access > Create policy:

  • Users: All users (exclude the emergency access accounts via a dedicated group)
  • Target resources (formerly Cloud apps): All resources (or target Microsoft 365 specifically)
  • Conditions > Device platforms: Any device
  • Grant: Require device to be marked as compliant
  • Enable policy: Report-only first. Review the sign-in logs for report-only failures (unenrolled devices, kiosk or shared-mailbox sign-ins, service accounts) and resolve them before switching the policy to On.

This single Conditional Access policy transforms every compliance check into an access control. A device without BitLocker cannot access SharePoint. A device with an outdated OS cannot access Exchange Online. A device with active malware (detected by Defender for Endpoint raising the risk score) cannot access anything. A device that is not enrolled in Intune at all has no compliance state and is blocked too; that is the intended outcome, but it has to be communicated before enforcement.
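As an added example (not the article's own code), the Conditional Access policy above created with the Microsoft Graph PowerShell SDK in report-only mode, followed by a query over the sign-in logs that shows who would have been blocked before the policy is switched on. It assumes the Microsoft.Graph module is installed, the scopes listed are granted, and that $BreakGlassGroupId is the object id of your emergency-access account group; the Get-ReportOnlyFailures helper is written for this example.

```powershell
# Added example, not from the original article. Creates the "require compliant device" policy in
# report-only mode, surfaces sign-ins that would have failed it, then enables it.
# Assumptions: Microsoft.Graph installed; scopes below granted; $BreakGlassGroupId is yours.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

$BreakGlassGroupId = '<object id of the emergency access accounts group>'

$caPolicy = @{
    displayName = 'CA - Require compliant device - all users - all resources'
    # Report-only: Entra ID evaluates and logs the outcome of every sign-in but does not block yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('all') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in report-only mode"

# After a few days of sign-in data: every sign-in records the per-policy outcome, and
# reportOnlyFailure means the grant control (compliant device) was not satisfied.
function Get-ReportOnlyFailures {
    param([string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object {
            $_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
        } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                      @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } },
                      @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } },
                      @{ n = 'Managed';   e = { $_.DeviceDetail.IsManaged } }
}

# Unmanaged = not enrolled at all; managed but not compliant = a compliance policy failing.
$failures = Get-ReportOnlyFailures -PolicyId $created.Id -Days 7
$failures | Group-Object OS, Managed | Select-Object Name, Count | Format-Table -AutoSize
$failures | Export-Csv -Path ".\ca-report-only-failures-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Only once every class of failure is understood (enrol the device, exclude the kiosk, fix the
# service account) switch the policy from report-only to enforced.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Run the last line only after reviewing the exported CSV; the point of report-only mode is that the first time the policy blocks anyone is after you have already seen, by name, who that would be.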

Monitoring and Reporting

Compliance policy effectiveness must be monitored continuously:

  • Intune Reports > Device compliance > Policy compliance: Shows the percentage of devices compliant per policy. Target 95% or higher.
  • Intune Reports > Device compliance > Setting compliance: Drills into which specific settings are causing failures. Common culprits: OS version (users deferring updates), BitLocker (devices enrolled before BitLocker was enforced, or not yet rebooted since it was enabled), and devices that have exceeded the compliance status validity period without checking in.
  • Noncompliant device report: Export this monthly as evidence for ISO 27001 (A.8.1 User Endpoint Devices), Cyber Essentials, or SOC 2 audits.

The compliance reports themselves do not alert. To notify the IT security team when the compliance rate for any platform or policy drops below 90%, automate the threshold: query the managed-device inventory through Microsoft Graph on a schedule, or send Intune device data to a Log Analytics workspace via Diagnostic settings and create an alert rule there. This provides early warning of systemic issues, such as a Windows Update deployment failure, before they become access outages. Watch the In grace period count as well as the Not compliant count: a spike in grace-period devices after a minimum OS version change is the lockout wave arriving in 24-48 hours.
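As an added example (not the article's own code), a scheduled compliance-rate check and an evidence export built on the managed-device inventory, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module and the two read scopes below; the 90% threshold, the output path and the two function names are assumptions for this example.

```powershell
# Added example, not from the original article. Computes the compliance rate per platform,
# flags platforms below a threshold, and exports noncompliant devices with the failing setting
# names as dated CSV evidence for ISO 27001 / Cyber Essentials audits.
# Assumptions: Microsoft.Graph installed; read scopes below granted; threshold and path are yours.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-ComplianceSummary {
    param([int]$ThresholdPercent = 90)
    $devices = Get-MgDeviceManagementManagedDevice -All `
        -Property 'id,deviceName,operatingSystem,complianceState,lastSyncDateTime,userPrincipalName'

    $devices | Group-Object OperatingSystem | ForEach-Object {
        $total     = $_.Count
        # inGracePeriod is treated as compliant by Conditional Access but is counted separately:
        # it is the leading indicator of a lockout wave when the grace period expires.
        $compliant = @($_.Group | Where-Object ComplianceState -eq 'compliant').Count
        $grace     = @($_.Group | Where-Object ComplianceState -eq 'inGracePeriod').Count
        $rate      = [math]::Round(100 * $compliant / $total, 1)
        [pscustomobject]@{
            Platform       = $_.Name
            Devices        = $total
            Compliant      = $compliant
            InGracePeriod  = $grace
            RatePercent    = $rate
            BelowThreshold = ($rate -lt $ThresholdPercent)
        }
    }
}

function Export-NoncompliantEvidence {
    param([string]$Path = ".\noncompliant-devices-$(Get-Date -Format yyyy-MM-dd).csv")
    $bad = Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'" `
               -Property 'id,deviceName,operatingSystem,userPrincipalName,lastSyncDateTime'
    $rows = foreach ($d in $bad) {
        # The per-policy setting states say *why* the device failed (e.g. OsMinimumVersion, BitLocker).
        $states = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/deviceCompliancePolicyStates"
        $failed = $states.value | ForEach-Object { $_.settingStates } |
                  Where-Object state -eq 'nonCompliant' |
                  Select-Object -ExpandProperty settingName -Unique
        [pscustomobject]@{
            DeviceName     = $d.DeviceName
            OS             = $d.OperatingSystem
            User           = $d.UserPrincipalName
            LastSync       = $d.LastSyncDateTime
            FailedSettings = ($failed -join '; ')
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

$summary = Get-ComplianceSummary -ThresholdPercent 90
$summary | Format-Table -AutoSize
foreach ($row in ($summary | Where-Object BelowThreshold)) {
    # Replace Write-Warning with your notification channel (mail, Teams webhook, ticket) when scheduling.
    Write-Warning "$($row.Platform): compliance $($row.RatePercent)% is below 90%; $($row.InGracePeriod) device(s) in grace period"
}
$evidence = Export-NoncompliantEvidence
Write-Host "Noncompliant device evidence written to $evidence"
```

Run it from a scheduled job (Azure Automation or a hardened admin workstation) rather than ad hoc; the dated CSV is the monthly artefact an auditor asks for, and the threshold warning is the early signal the compliance reports do not raise on their own.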

The compliance policy baseline described here is not optional for regulated organisations. It is the minimum viable security posture that transforms Intune from a device management tool into a genuine Zero Trust enforcement point.