In this module

AD3.3 Building the Windows Compliance Policy

5-6 hours · Module 3 · Free

Operational Objective

A compliance policy defines "compliant" — the specific requirements a device must meet to be considered secure enough for corporate data access. Without a compliance policy, Intune marks every enrolled device as compliant by default, and the conditional access policy CA003 has nothing to check. This subsection builds the Windows compliance policy step by step — each setting with its blast radius analysis, the order to enable checks, and the exact portal navigation for every click. By the end, you'll have a production compliance policy that verifies encryption, OS version, firewall, antivirus, and Secure Boot on every Windows device in your environment.

Deliverable: A production Windows compliance policy deployed to all Windows devices, with each check verified, grace period configured, and non-compliance actions set — ready for conditional access integration.

Estimated completion: 35 minutes

Figure AD3.3 — The five Windows compliance checks and their blast radius. BitLocker has the highest impact (devices without encryption need remediation). OS version has medium impact (old hardware may need replacement). Firewall, antivirus, and Secure Boot have low impact (almost always already enabled on managed devices). Deploy the low-impact checks first to build confidence, then add BitLocker and OS version.

Creating the compliance policy step by step

Navigate to intune.microsoft.com → Devices → Compliance → Create policy → Platform: Windows 10 and later.

Name: "Windows Security Compliance — All Devices"

Compliance settings — configure each section:

Device Health:

Require BitLocker: Require
Require Secure Boot to be enabled on the device: Require
Require code integrity: Require (validates the system hasn't been tampered with at boot)

Device Properties:

Minimum OS version: Set to a version that's currently supported. For Windows 11, use 10.0.22631 (23H2) as the minimum. For environments still running Windows 10, use 10.0.19045 (22H2) — but note that Windows 10 22H2 reaches end of support in October 2025. Set the minimum to the oldest version you'll accept, not the latest version available.

Check your audit data from AD3.2 before setting this. If 15 devices are on an older version, set the minimum to the version just below the oldest currently deployed, give users 2 weeks to update, then tighten the minimum to the target version.

System Security:

Firewall: Require
Antivirus: Require
Antispyware: Require
Microsoft Defender Antimalware: Require
Microsoft Defender Antimalware minimum version: Leave blank (any current version is acceptable)
Microsoft Defender Antimalware security intelligence up-to-date: Require
Real-time protection: Require

If any devices in your environment use a third-party antivirus product (Symantec, CrowdStrike, Sophos), the "Microsoft Defender Antimalware" check may fail because Defender enters passive mode when a third-party AV is installed. Check whether the third-party AV reports compliance through the Windows Security Center integration — most modern third-party AV products do, which satisfies the "Antivirus: Require" check even when Defender is in passive mode. The "Microsoft Defender Antimalware: Require" check specifically validates Defender, not third-party AV. If you use third-party AV, don't enable this specific check.

Actions for noncompliance:

This is where you configure what happens when a device fails the compliance check. Add these actions in order:

Mark device noncompliant: Set the grace period to 7 days. This gives users 7 days to remediate before the device is marked non-compliant and conditional access blocks access. During the grace period, the device shows as "In grace period" — the user receives notifications but isn't blocked yet.

Send email to end user: Configure a notification email that tells the user what's wrong and how to fix it. The email should say: "Your device doesn't meet our security requirements. Specifically: [list of failing checks]. You have 7 days to resolve these issues before access to company email and files is restricted. Contact the helpdesk if you need assistance."

Remotely lock the noncompliant device (optional): Only enable this for high-security environments. For most organizations, blocking M365 access via conditional access is sufficient — you don't need to lock the entire device.

Click "Create" to deploy the policy.

Verifying policy deployment

After creating the policy, verify it's evaluating devices correctly:

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Check compliance status across all Windows devices
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" |
    Select-Object DeviceName, ComplianceState, UserPrincipalName |
    Group-Object ComplianceState |
    Select-Object Name, Count

This shows how many devices are Compliant, NonCompliant, InGracePeriod, and Unknown. Run this 24-48 hours after deploying the policy (devices need to check in and be evaluated).

For a specific non-compliant device, check which settings are failing:

Navigate to intune.microsoft.com → Devices → All devices → click the non-compliant device → Device compliance. The compliance details show each check with a pass/fail status. This tells you exactly what the user needs to fix — BitLocker not enabled, OS version too old, firewall disabled, or antivirus not running.

The graduated deployment approach

Don't deploy all five checks simultaneously. Use a graduated approach:

Week 1: Deploy with firewall and Secure Boot checks only. These have near-zero blast radius — almost every modern Windows device passes both. This proves the compliance policy mechanism works without affecting any users.

Week 2: Add Defender Antivirus checks (antivirus active, real-time protection, signatures current). Most managed devices pass these. The few that fail are usually devices with disabled real-time protection — easily fixed.

Week 3: Add BitLocker requirement. This is the check with the highest blast radius. By this point, your BitLocker remediation from AD3.2 should be complete, and most devices should already be encrypted.

Week 4: Add minimum OS version. This is the check that requires the most user coordination — OS updates take time and require restarts. By deploying it last, you've resolved the other compliance issues first and only need to address the OS update gap.

This graduated deployment means you never have more than one compliance issue to troubleshoot at a time. If a user calls the helpdesk saying "my device is non-compliant," you know exactly which check was just added and can troubleshoot efficiently.

Compliance Myth: "We should set the strictest compliance requirements from day one to maximise security"

The strictest configuration is the one that gets rolled back on day two because 50 users are locked out. A graduated deployment that starts with low-impact checks and adds higher-impact checks over weeks achieves the same target state with dramatically less disruption. The difference is not in the end result — it's in whether the compliance policy survives its first week in production. Deploy the easy checks first, build confidence that the mechanism works, then add the checks that require remediation. The result after 4 weeks is the same strict policy — but nobody got locked out, nobody complained to the CTO, and nobody asked you to "turn off that security thing."

Decision point

Your compliance policy has been active for 2 weeks. The compliance dashboard shows 140 devices compliant, 3 in grace period, and 2 non-compliant (grace period expired). The 2 non-compliant devices belong to users who are on extended leave — the devices haven't been connected to the network since before the policy was deployed. What do you do?

Option A: Remove the compliance policy until both users return and can remediate their devices.

Option B: Leave the policy active. The users on leave can't access M365 anyway (their devices aren't connected). When they return, they'll connect to the network, receive the compliance notification, and have the standard grace period to remediate.

Option C: Contact the users on leave and ask them to connect their devices remotely.

The correct answer is Option B. The users on leave aren't affected because they're not accessing M365. When they return and try to access email, the compliance check will evaluate their device. If it fails, the 7-day grace period gives them time to update and encrypt. Contacting users on leave about a device compliance issue is unnecessary urgency — the policy handles it automatically when they return. Don't modify a working policy for an edge case that resolves itself.

Connect-MgGraph -Scopes "BitlockerKey.Read.All"

# Check which devices have BitLocker recovery keys stored in Entra
Get-MgInformationProtectionBitlockerRecoveryKey -All |
    Select-Object Id, DeviceId, CreatedDateTime |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

Try it: Build your Windows compliance policy

Navigate to intune.microsoft.com → Devices → Compliance → Create policy → Windows 10 and later.

Start with the graduated approach: enable Firewall and Secure Boot requirements only. Set the grace period to 7 days. Configure email notification for non-compliant users. Deploy to all Windows devices.

After 48 hours, check the compliance dashboard: Devices → Compliance → Monitor → Device compliance. How many devices pass? How many fail? If any fail the firewall check, those devices have the Windows Firewall disabled — remediate before adding more checks.

Once the first two checks show 100% compliance, add the Defender Antivirus checks. Wait another 48 hours and verify. Then add BitLocker. Then OS version. Each addition gives you a single variable to troubleshoot if devices start failing.

Document each check you add, the date you added it, and the compliance rate after 48 hours. This graduated deployment log is your evidence that you deployed carefully and methodically — useful for the quarterly report and for any post-incident review.

Deploying BitLocker silently via Intune

The BitLocker compliance check is meaningless without a BitLocker configuration profile that actually enables encryption. Create the profile before (or simultaneously with) the compliance policy.

Navigate to intune.microsoft.com → Devices → Configuration → Create profile → Windows 10 and later → Templates → Endpoint protection.

Under Windows Encryption, configure:

- Encrypt devices: Require - Warning for other disk encryption: Disable (prevents a popup asking the user to confirm) - Allow standard users to enable encryption during Autopilot: Enable - Configure encryption methods: XTS-AES 256-bit (strongest available) - Startup authentication required: TPM only (silent — no user interaction) - Recovery key rotation: Enable after use

Under BitLocker OS Drive Settings: - Additional authentication at startup: Allow TPM (no startup PIN — this enables silent encryption) - Save BitLocker recovery information to Azure AD: Yes - Store recovery information before enabling BitLocker: Yes

Deploy this profile to all Windows devices. When the device checks in, BitLocker enables silently in the background. The drive encrypts without user intervention. The recovery key is automatically stored in Entra ID (visible at entra.microsoft.com → Devices → select device → BitLocker keys).

Verify BitLocker deployment is working:

If recovery keys are appearing in Entra ID, BitLocker is deploying successfully. Devices without recovery keys either haven't checked in since the profile was deployed or have a hardware issue preventing encryption (no TPM, legacy BIOS without UEFI).

Your Windows compliance policy requires BitLocker encryption. A user's laptop shows as non-compliant because BitLocker is not enabled. The user says: "BitLocker keeps asking me for a recovery key and I don't have one, so I never enabled it." What's the correct remediation?

Exempt the user from the BitLocker compliance check — No. An unencrypted device is a data breach waiting to happen. Exemption removes the protection for this device permanently.

Tell the user to enable BitLocker and save the recovery key to a USB drive — Not the best approach. Recovery keys saved to USB drives get lost. Intune can manage BitLocker and automatically store recovery keys in Entra ID.

Deploy a BitLocker configuration profile via Intune that enables BitLocker silently and stores the recovery key in Entra ID — the user doesn't need to do anything — Correct. Intune can push a BitLocker configuration that enables encryption silently (the drive encrypts in the background), stores the recovery key in Entra ID (accessible to admins), and doesn't require the user to manage keys. Navigate to Intune → Devices → Configuration profiles → Create profile → Endpoint protection → Windows Encryption. Enable silent encryption with TPM, require key storage in Entra ID. Deploy to the device. BitLocker enables automatically on the next policy check-in.

Replace the user's laptop with one that has BitLocker pre-configured — Disproportionate. BitLocker can be enabled on the existing device via Intune policy. Hardware replacement is only needed if the device lacks a TPM chip (very rare on modern hardware).

Operational Artifact — Windows Compliance Policy Configuration Reference

Your Windows compliance policy: BitLocker required, minimum OS version set, firewall required, Defender AV active with current signatures, Secure Boot required, code integrity required. Grace period: 7 days. Non-compliance actions: email notification at day 0, mark non-compliant at day 7. Graduated deployment: firewall + Secure Boot (week 1), AV checks (week 2), BitLocker (week 3), OS version (week 4). Document the policy name, deployment date, and the compliance rate at each stage in your configuration register alongside CA policies and email protection policies.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus

← Previous Next →