If you have been using Intune you may have noticed that all devices have a built-in device compliance policy assigned to them by default. In this post I am going to show you how to use this built-in policy to mark devices as Not Compliant by default when they do not have a compliance policy assigned to them.
So what is this policy?
The built-in device compliance policy is found in Microsoft Intune > Device Compliance > Compliance Policy Settings. There are three settings you can control in the built-in policy:
- Mark devices with no compliance policy assigned as:
  - Not Compliant
- Enhanced Jailbreak Detection
- Compliance Status Validity Period (Days)
You can change these settings to match your requirements, but I strongly suggest you change the default behaviour for devices with no compliance policy assigned to Not Compliant. With this setting, if any users happen to have been missed out of the group targeted by your compliance policies, the devices they enrol will be marked as Not Compliant until a policy is deployed to them. You can then use Conditional Access to block access to corporate resources until the device has been evaluated against an additional compliance policy, so you can be sure the device meets your requirements before it is marked as Compliant.
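As an added example (not part of the original post), the same check and change done through Microsoft Graph instead of the portal. It assumes the Microsoft.Graph PowerShell SDK, the DeviceManagementConfiguration.ReadWrite.All permission, and the Graph property names secureByDefault and deviceComplianceCheckinThresholdDays for the first and third settings; the -MaxValidityDays ceiling is a constructed value.

```powershell
# Added example, not the original post's code: audit the tenant-wide built-in
# compliance settings and, with -Remediate, set "Mark devices with no compliance
# policy assigned as" to Not Compliant.
function Test-IntuneSecureByDefault {
    [CmdletBinding()]
    param(
        [switch]$Remediate,
        [int]$MaxValidityDays = 30   # constructed ceiling for the validity period; adjust to your policy
    )

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

    # deviceManagement.settings carries the built-in policy values:
    #   secureByDefault                      -> Mark devices with no compliance policy assigned as: Not Compliant
    #   deviceComplianceCheckinThresholdDays -> Compliance Status Validity Period (Days)
    $dm = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement?$select=settings'
    $settings = $dm.settings

    $findings = @()
    if (-not $settings.secureByDefault) {
        $findings += 'Devices with no compliance policy assigned are treated as Compliant (secureByDefault = false).'
    }
    if ($settings.deviceComplianceCheckinThresholdDays -gt $MaxValidityDays) {
        $findings += "Compliance status validity period is $($settings.deviceComplianceCheckinThresholdDays) days (expected <= $MaxValidityDays)."
    }

    if ($findings.Count -eq 0) {
        Write-Host 'Built-in compliance policy is configured as expected.'
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }

    if ($Remediate -and -not $settings.secureByDefault) {
        # Send the full settings object back with only secureByDefault changed,
        # so the other built-in values keep their current state.
        $settings.secureByDefault = $true
        $body = @{ settings = $settings }
        Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/deviceManagement' -Body $body -ContentType 'application/json'
        Write-Host 'secureByDefault is now true; devices without an assigned policy will evaluate as Not Compliant.'
    }

    return $findings
}

# Report only; add -Remediate to apply the change.
Test-IntuneSecureByDefault
```

Run it without -Remediate first so you can review the findings before changing a tenant-wide setting.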
After changing the setting to Not Compliant, I am now going to test enrolling a device which does not have a compliance policy assigned. As you can see, the device is set to Not Compliant because the built-in policy is evaluated as not compliant.
In summary, this helps ensure that even if a user was accidentally left out of a compliance policy assignment, the device they enrol is marked as Not Compliant by the built-in policy until you deploy another compliance policy to them. Combined with Conditional Access, this gives you confidence that only truly compliant devices can access corporate data.