Microsoft has posted to Message Center to flag an important change to how compliance policies are handled in Intune. This change will roll out in November and could impact any customer that has enrolled devices that have no compliance policy assigned to them.
The current behaviour of Intune towards enrolled devices that do not have a compliance policy assigned to them is to treat the devices as compliant devices. For an organization that is using Intune enrolment as a means to deploy device configurations only, such as wifi profiles, it’s quite possible that they will not have any device compliance policies in place to enforce settings such as PIN codes for unlocking devices.
The “compliant unless proven otherwise” approach doesn’t work in this day and age. Devices should be considered non-compliant (or untrusted) until proven otherwise. When the change is rolled out by Microsoft, any customers who are using conditional access policies based on device compliance may suddenly find that previously compliant devices are now unable to connect to Office 365 services.
To prove compliance, the device must meet the standards of your device compliance policy. Therefore, if you are using conditional access rules based on device compliance, then you must have at least one device compliance policy in place for the devices to be assessed against. In fact, you will need to have one device per platform that your users are enrolling from, because device compliance policies are platform-specific.
This is a good opportunity to reconsider your device compliance requirements and implement a baseline that improves your organization’s security. However, the change does have the potential to impact users who may suddenly be required to change a configuration on their device to remain compliant, such as by adding a PIN code for unlocking the device, or by enabling Bitlocker to encrypt their local hard drives. For any compliance settings that you decide should be enforced, it would be wise to communicate the new requirements clearly to your end users, and be prepared to support them with anything that they might need as the new compliance policies are rolled out in your organization.
This change is scheduled to roll out to Intune customers around mid-November. To ease the transition Microsoft is planning to add a report to Intune to help you identify the devices in your organization that have no device compliance policy assigned to them. This report is yet to appear in my own tenants almost a week after the announcement on Message Center. Hopefully we’ll see it soon, before it gets too close to the mid-November target date for the change in behaviour.
Check your Message Center for more details, and start planning for any changes that you need to make so that your device users aren’t inconvenienced in November.