Implement compliance policies using Intune Flashcards
What are the 2 areas in Intune regarding compliance policies?
Compliance policy settings
&
device compliance policy
What are compliance policy settings?
- tenant wide configuration
- built in compliance policy that every device receives
- establishes how compliance policy works in the Intune environment: specifically, how to treat a device without an explicit compliance policy assigned
What is a device compliance policy?
discrete set of **platform-specific rules and settings**
deployed to group of users or devices
What are the 2 prerequisites to deploy a compliance policy (setting or device)?
- Entra ID P1 or P2
- Intune license for each user/device
In Intune, where do you go to manage Compliance policy settings?
In Endpoint security > Device compliance > Compliance policies > Compliance policy settings
What are the 2 settings you can manage in compliance policy settings?
- Mark devices with no compliance policy assigned as: Compliant (default) / Not compliant
- Compliance status validity period: the period within which devices must successfully report on all their received compliance policies. After that, they are marked as not compliant
Where can you also set up or review compliance settings or the device compliance policies?
In Devices > Under Manage devices > compliance
What is the key rule when you have several platforms in your organization and you want to implement device compliance policies?
1 separate policy for each platform
Each device platform is different, so device compliance settings are different
List the 7 steps to create a device compliance policy
Step 1: Go to Devices > Under Manage devices, select Compliance > Create policy.
Step 2: Select a Platform for this policy from the following options:
Then select Create to open the configuration page.
Step 3: On the Basics tab, enter a Name + Description for the policy.
Step 4: On the Compliance settings tab, expand the available categories, and configure settings for your policy.
Optionally, you can add custom settings for Linux - Ubuntu and Windows 10 & later if you already uploaded a detection script and have a JSON file ready that defines the settings.
Step 5: On the Actions for noncompliance tab, select a sequence of actions to apply automatically to devices that don't meet this compliance policy.
Step 6: On the Assignments tab, assign the policy to your groups. For Linux, you can choose only device groups.
Step 7: Review + create
On which platforms can you create a device compliance policy?
Android device administrator
Android (AOSP)
Android Enterprise
iOS/iPadOS
Linux - (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS, Red Hat Enterprise Linux 8, or Red Hat Enterprise Linux 9)
macOS
Windows 10 and later
Windows 8.1 and later
What is the resulting compliance status?
If a device has multiple compliance policies, and the device has different compliance statuses for two or more of the assigned compliance policies, then a single resulting compliance status is assigned.
This assignment is based on a conceptual severity level assigned to each compliance status.
When a device has multiple compliance policies, then the highest severity level of all the policies is assigned to that device.
What is the default action for noncompliance in device compliance policies?
Mark device noncompliant with a schedule of zero days
This means Intune immediately marks the device as noncompliant when it detects a noncompliance issue.
What happens when a device is marked as noncompliant?
Microsoft Entra Conditional Access can block the device
This action prevents access to resources until compliance is achieved.
What is the purpose of configuring Actions for noncompliance?
Gain flexibility to decide actions for noncompliant devices and their timing
What can an organization choose regarding the blocking of a noncompliant device?
Not block the device immediately and provide a grace period
This gives users time to become compliant before any actions are taken.
What determines when an action for noncompliance takes effect?
A schedule defined in days after the device is marked as noncompliant
Organizations can set specific timelines for compliance actions.
Can multiple instances of an action be configured in a policy?
Yes
This allows the action to run again at a later scheduled time if the device remains noncompliant.
Are all actions available for all platforms?
No
Availability of actions may vary depending on the platform being used.
What is the default action taken for noncompliant devices?
Mark device non-compliant immediately.
This default action has a schedule of zero (0) days.
What are the 4 available actions for noncompliance?
- Mark device non-compliant
- Send email to end user
- Remotely lock the noncompliant device
- Send push notification to end user
What action sends an email notification to the user regarding noncompliance?
Send email to end user.
This action includes details about the noncompliant device in the email notification.
What must be created before assigning a notification message template for email notifications?
A notification message template.
The template can be customized with locale, subject, message body, and company information.
What happens if no email address is defined in the user’s profile?
Intune doesn’t send a notification email.
Intune uses the email address defined in the end user’s profile.
What must the user do when the noncompliant device has been remotely locked because of a noncompliance action?
The user must enter a PIN or password to unlock the device.