Device Compliance with Microsoft Intune
How to use Microsoft Intune to require device compliance and connect endpoint health to Conditional Access decisions.
Intune as the foundation of endpoint management
Microsoft Intune is Microsoft's unified endpoint management platform. It lets you enroll, configure, secure and monitor devices, whether Windows, macOS, iOS or Android, corporate or personal. Within a Zero Trust strategy, Intune provides the device health signal that feeds Conditional Access decisions.
The core idea is simple: only managed devices that comply with security policy should access sensitive corporate data.
What device compliance is
A compliance policy defines the minimum requirements a device must meet to be considered healthy. A device that fails the rules is marked non-compliant and can have its access restricted.
Typical compliance requirements include:
- Operating system at a minimum supported version.
- Disk encryption enabled.
- Antivirus active and up to date.
- Firewall enabled.
- Screen lock with password or biometrics.
- No signs of compromise such as jailbreak or root.
- Acceptable device risk level according to Defender for Endpoint.
Enrollment models
The enrollment path depends on the device type and ownership. Choosing the right model avoids friction and keeps the experience predictable.
| Scenario | Typical model |
|---|---|
| New corporate Windows | Windows Autopilot |
| Existing Windows | Enrollment via Entra join |
| Personal device (BYOD) | User enrollment with app protection |
| Corporate iOS and Android | Supervised enrollment |
| Corporate macOS | Automated device enrollment |
For BYOD scenarios, an alternative to full enrollment is app protection, which protects corporate data inside apps without managing the entire personal device.
Connecting compliance to Conditional Access
Intune's real power appears in its integration with Conditional Access. The flow works like this:
- Intune continuously evaluates each device against compliance policies.
- The compliance state is reported to Entra ID.
- A Conditional Access policy requires a compliant device to access sensitive resources.
- Non-compliant devices are blocked or receive restricted access.
This way, endpoint health stops being a point-in-time check and becomes a continuous condition of access.
Configuration and baselines
Beyond compliance, Intune distributes configuration profiles and security baselines. Baselines are sets of Microsoft-recommended settings to harden the operating system, covering dozens of settings with secure-by-default values.
The recommended approach is:
- Start from the relevant security baseline.
- Adjust only the settings that require a justified deviation.
- Document each deviation and its reason.
- Deploy in a pilot ring before expanding.
- Monitor for conflicts between policies.
Remediation and user messaging
When a device becomes non-compliant, the user experience matters. Intune lets you configure gradual actions: first notify the user with clear remediation instructions, then mark as non-compliant and only then restrict access. This grace period reduces tickets and gives the user a chance to fix the issue, such as enabling encryption or updating the system.
Common mistakes
- Requiring a compliant device in Conditional Access before the fleet is enrolled, locking users out.
- Creating conflicting policies that produce inconsistent compliance states.
- Ignoring personal devices, leaving corporate data unprotected.
- Not setting a grace period, causing abrupt blocks.
Compliance checklist
- Fleet enrolled in Intune before enforcing access requirements.
- Compliance policies covering encryption, antivirus and OS version.
- Security baselines applied with documented deviations.
- Compliance connected to Conditional Access.
- Grace period and remediation messages configured.
- BYOD handled with user enrollment or app protection.
RHC, a Microsoft CSP provider, deploys endpoint management with Intune connecting device compliance to Conditional Access within a Zero Trust architecture.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.