Practical 365


Important Change to Intune Device Compliance Policies is Coming in November

October 25, 2017 by Paul Cunningham


Microsoft has posted to Message Center to flag an important change to how compliance policies are handled in Intune. This change will roll out in November and could impact any customer that has enrolled devices that have no compliance policy assigned to them.

Currently, Intune treats enrolled devices that have no compliance policy assigned to them as compliant. An organization that uses Intune enrolment only as a means to deploy device configurations, such as Wi-Fi profiles, may well have no device compliance policies in place to enforce settings such as PIN codes for unlocking devices.

The “compliant unless proven otherwise” approach doesn't work in this day and age. Devices should be considered non-compliant (or untrusted) until proven otherwise. When the change is rolled out by Microsoft, any customers who are using conditional access policies based on device compliance may suddenly find that previously compliant devices are now unable to connect to Office 365 services.

To prove compliance, the device must meet the standards of your device compliance policy. Therefore, if you are using conditional access rules based on device compliance, you must have at least one device compliance policy in place for the devices to be assessed against. In fact, you will need one device compliance policy per platform that your users are enrolling from, because device compliance policies are platform-specific.
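One way to check the per-platform requirement described above, as an added example that is not from the original post or from Microsoft. The device and policy objects are constructed sample data using Microsoft Graph property names; the function name `Get-UncoveredDevice` and the policy-type-to-platform map are assumptions, and the check works at platform level only (it does not evaluate group membership of each assignment).

```powershell
# Constructed sample data using Microsoft Graph property names
# (managedDevice, and deviceCompliancePolicy with its assignments expanded).
$devices = @(
    [pscustomobject]@{ deviceName = 'LT-0142';  operatingSystem = 'Windows' }
    [pscustomobject]@{ deviceName = 'LT-0177';  operatingSystem = 'Windows' }
    [pscustomobject]@{ deviceName = 'iPhone-A'; operatingSystem = 'iOS' }
    [pscustomobject]@{ deviceName = 'Pixel-B';  operatingSystem = 'Android' }
)
$policies = @(
    [pscustomobject]@{
        displayName   = 'Windows baseline'
        '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
        assignments   = @(@{ id = 'constructed-assignment-1' })
    }
    [pscustomobject]@{
        displayName   = 'iOS draft (never assigned)'
        '@odata.type' = '#microsoft.graph.iosCompliancePolicy'
        assignments   = @()
    }
)

# Assumption: how each policy type maps to managedDevice.operatingSystem.
$platformOfPolicyType = @{
    '#microsoft.graph.windows10CompliancePolicy' = 'Windows'
    '#microsoft.graph.iosCompliancePolicy'       = 'iOS'
    '#microsoft.graph.androidCompliancePolicy'   = 'Android'
    '#microsoft.graph.macOSCompliancePolicy'     = 'macOS'
}

function Get-UncoveredDevice {
    param([object[]]$Devices, [object[]]$Policies, [hashtable]$TypeMap)

    # A platform counts as covered only if a policy for it is actually assigned.
    $covered = foreach ($p in $Policies) {
        if (@($p.assignments).Count -gt 0) { $TypeMap[$p.'@odata.type'] }
    }
    $covered = @($covered | Where-Object { $_ } | Sort-Object -Unique)

    # Devices on any other platform have nothing to be assessed against.
    $Devices | Where-Object { $covered -notcontains $_.operatingSystem }
}

Get-UncoveredDevice -Devices $devices -Policies $policies -TypeMap $platformOfPolicyType |
    Group-Object operatingSystem |
    Select-Object Name, Count, @{ n = 'Devices'; e = { $_.Group.deviceName -join ', ' } }
```

A policy that exists but has no assignments, like the iOS draft in the sample, leaves its platform uncovered just as a missing policy does.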

This is a good opportunity to reconsider your device compliance requirements and implement a baseline that improves your organization's security. However, the change does have the potential to impact users who may suddenly be required to change a configuration on their device to remain compliant, such as by adding a PIN code for unlocking the device, or by enabling BitLocker to encrypt their local hard drives. For any compliance settings that you decide should be enforced, it would be wise to communicate the new requirements clearly to your end users, and be prepared to support them with anything that they might need as the new compliance policies are rolled out in your organization.

This change is scheduled to roll out to Intune customers around mid-November. To ease the transition, Microsoft is planning to add a report to Intune to help you identify the devices in your organization that have no device compliance policy assigned to them. This report is yet to appear in my own tenants almost a week after the announcement on Message Center. Hopefully we'll see it soon, before it gets too close to the mid-November target date for the change in behaviour.

Image from the Intune Support blog on TechNet

Check your Message Center for more details, and start planning for any changes that you need to make so that your device users aren't inconvenienced in November.

Paul Cunningham

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
