Use your own compliance policies for Intune

In this article, I'll show you how to use custom compliance policies for Intune and what to consider when doing so.

Compliance policies are an important part of securing access to data in Microsoft 365. After all, only devices that meet our security requirements should be able to access or edit data locally.

Enforcement is done through Conditional Access rules combined with the compliance state of the device; compliance policies define what makes a device compliant. By default, there are already a number of built-in compliance settings that check, for example, whether the device is encrypted or whether a current patch level is installed.

However, I can also use custom compliance policies for Intune to cover more complex requirements. This works via PowerShell and only for Windows 10/11 devices. Using PowerShell gives us countless possibilities to write our own compliance policies for Intune.

In this example, the following properties are to be checked:

  • Manufacturer of the device, in this case we only allow devices from Microsoft.
  • Available/installed RAM, in this case at least 16 GB.
  • Installed programs, in this case VirtualBox must not be installed. Of course, users could be prevented from installing programs in general, but in practice users are often given administrator rights on their own clients.

With the PowerShell script, there is not really anything to consider except that a string must be returned in JSON format (the last line of the script). One pitfall: TotalPhysicalMemory is reported in bytes, so it has to be converted to whole GB before it is compared against the 16 in the rules file:

#Get basic information about our machine
$biosinfo = Get-CimInstance -ClassName Win32_ComputerSystem
$manufacturer = $biosinfo.Manufacturer
$RAM = $biosinfo.TotalPhysicalMemory   # reported in bytes

#Check if it's a Microsoft Device
if ($manufacturer -like "*Microsoft Corporation*") {
    $manufacturer = "Microsoft Corporation"
}
else {
    $manufacturer = "Unknown"
}

#Calculate RAM in whole GB (the rules file compares against 16)
$RAM = [math]::Round($RAM / 1GB, 0)

#Look for VirtualBox in the 64-bit and 32-bit uninstall keys;
#keys without the expected values are skipped silently
$uninstallKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$installedSoftware = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue

#Compare the DisplayName values rather than the whole registry objects
if ($installedSoftware.DisplayName -like "*VirtualBox*") {
    $virtualBox = "Installed"
}
else {
    $virtualBox = "Not Detected"
}

#Intune expects the result as a single JSON string; the key names
#must match the SettingName entries in the rules file
$hash = @{ Manufacturer = $manufacturer; RAM = $RAM; VirtualBox = $virtualBox }
return $hash | ConvertTo-Json -Compress

For custom compliance policies in Intune, we need not only the PowerShell script that collects the information, but also a JSON file that does the evaluation:

{
    "Rules": [
        {
            "SettingName": "Manufacturer",
            "Operator": "IsEquals",
            "DataType": "String",
            "Operand": "Microsoft Corporation",
            "MoreInfoUrl": "https://frankeisel.de",
            "RemediationStrings": [
                {
                    "Language": "de_DE",
                    "Title": "Diese Maschine ist nicht von Microsoft!",
                    "Description": "Wir erlauben nur die Verwendung von Maschinen von Microsoft, bitte kontaktieren Sie uns um weitere Informationen zu erhalten."
                },
                {
                    "Language": "en_US",
                    "Title": "Diese Maschine ist nicht von Microsoft!",
                    "Description": "Wir erlauben nur die Verwendung von Maschinen von Microsoft, bitte kontaktieren Sie uns um weitere Informationen zu erhalten."
                }
            ]
        },
        {
            "SettingName": "RAM",
            "Operator": "GreaterEquals",
            "DataType": "int64",
            "Operand": 16,
            "MoreInfoUrl": "https://frankeisel.de",
            "RemediationStrings": [
                {
                    "Language": "de_DE",
                    "Title": "Nicht ausreichend Arbeitsspeicher vorhanden!",
                    "Description": "Ihre Maschine muss getauscht werden, oder der Arbeitsspeicher muss auf mindestens 16GB erweitert werden. Bitte kontaktieren Sie uns um weitere Informationen zu erhalten."
                },
                {
                    "Language": "en_US",
                    "Title": "Nicht ausreichend Arbeitsspeicher vorhanden!",
                    "Description": "Ihre Maschine muss getauscht werden, oder der Arbeitsspeicher muss auf mindestens 16GB erweitert werden. Bitte kontaktieren Sie uns um weitere Informationen zu erhalten."
                }
            ]
        },
        {
            "SettingName": "VirtualBox",
            "Operator": "IsEquals",
            "DataType": "String",
            "Operand": "Not Detected",
            "MoreInfoUrl": "https://frankeisel.de",
            "RemediationStrings": [
                {
                    "Language": "de_DE",
                    "Title": "Virtual Box Anwendung wurde auf Ihrem System erkannt!",
                    "Description": "Die Verwendung von VirtualBox ist nicht gestattet. Bitte deinstallieren Sie die Anwendung und versuchen es erneut."
                },
                {
                    "Language": "en_US",
                    "Title": "Virtual Box Anwendung wurde auf Ihrem System erkannt!",
                    "Description": "Die Verwendung von VirtualBox ist nicht gestattet. Bitte deinstallieren Sie die Anwendung und versuchen es erneut."
                }
            ]
        }
    ]
}

The JSON file should be largely self-explanatory. It is important that each SettingName in the file matches a key in the JSON returned by our PowerShell script, and that the DataType matches what the script returns. More information about the JSON file and the available operators can be found in Microsoft's documentation. For the RemediationStrings, the en_US language is mandatory, otherwise the validation will throw an error later. In this example, I just copied the same texts again for the en_US language.
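To check the SettingName, DataType and Operator mapping before uploading anything, the following added example (not part of the original post or of Intune itself) evaluates a rules file locally against the JSON string the detection script returns. The function name is my own, the operator names are the ones used in the rules file above, and the sample detection output is constructed.

```powershell
# Added example: evaluate a custom compliance rules JSON against the
# detection script's JSON output, the way Intune matches them by SettingName.
function Test-CustomComplianceRules {
    param(
        [Parameter(Mandatory)][string]$RulesJson,      # content of the rules file
        [Parameter(Mandatory)][string]$DetectionJson   # what the script returned
    )
    $rules    = ($RulesJson | ConvertFrom-Json).Rules
    $detected = $DetectionJson | ConvertFrom-Json

    foreach ($rule in $rules) {
        $name = $rule.SettingName
        # A setting the script never reported means script and rules file disagree.
        if (-not ($detected.PSObject.Properties.Name -contains $name)) {
            [pscustomobject]@{ Setting = $name; Compliant = $false; Reason = 'not reported by script' }
            continue
        }
        $value = $detected.$name
        # Coerce both sides to the declared DataType so "16" and 16 compare alike.
        switch ($rule.DataType) {
            'int64'  { $value = [int64]$value;  $operand = [int64]$rule.Operand }
            'String' { $value = [string]$value; $operand = [string]$rule.Operand }
            default  { $operand = $rule.Operand }
        }
        # Case-sensitive comparison for strings (assumption: stricter than needed
        # is safer than a false pass during local testing).
        $ok = switch ($rule.Operator) {
            'IsEquals'      { $value -ceq $operand }
            'NotEquals'     { $value -cne $operand }
            'GreaterEquals' { $value -ge  $operand }
            'LessEquals'    { $value -le  $operand }
            'GreaterThan'   { $value -gt  $operand }
            'LessThan'      { $value -lt  $operand }
            default         { $false }
        }
        [pscustomobject]@{ Setting = $name; Compliant = [bool]$ok; Reason = "$value $($rule.Operator) $operand" }
    }
}

# Constructed sample, as the detection script would return it for a
# non-Microsoft laptop with 8 GB RAM and VirtualBox present.
$sample = '{"Manufacturer":"Unknown","RAM":8,"VirtualBox":"Installed"}'
$rules  = Get-Content -Raw .\rules.json   # the rules file shown above
Test-CustomComplianceRules -RulesJson $rules -DetectionJson $sample | Format-Table
```

Running the detection script first and piping its output in instead of the constructed sample shows exactly which settings the real device would fail on.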

Now we have everything together to create our own compliance policy using our PowerShell script. So we open the Microsoft Endpoint Manager Admin Center and navigate to the compliance policies:

Microsoft Endpoint Manager Admin Center

After that, we deploy the PowerShell script we created. This is done in the Scripts section.

Add new script

We provide the script a name and, if necessary, a short description of what it does.

Create custom script

In the next section we add the actual script and can adjust a few more settings. In our example, however, we keep the default settings, which should fit most use cases.

Upload the detection script

After that, we get another short overview of the configurations made and can create the script.

Create script

If the creation worked, we can now find our script in the overview.

Overview of the existing scripts

And now we can create a compliance policy that uses our detection script.

Create new policy

We again give the policy an appropriate name and an optional description of what exactly the policy does.

Create new compliance policy

In the next step, we select the Custom Compliance item and choose the script we just uploaded.

Select detection script

Now we still need to upload the prepared JSON file and have it validated. If no errors occurred during validation, our settings will be displayed accordingly.

Select JSON file and let it validate

After that, we can make the familiar settings about what should happen when the device is no longer compliant.

Define actions in case of non-compliance

The last step is to specify to whom the policy should be applied. In this case, just select All users for simplicity.

Define assignment for the policy

Now a short summary of the configurations made appears again, and we can create the policy. After that, the compliance policy appears in the overview.

Overview of all compliance policies

Now, if we look at the compliance state of our device in the Company Portal app, we will notice the following:

Company portal app device status

Our PowerShell script has detected that VirtualBox is installed on the machine without permission, and access to the company data in the cloud is now denied. The texts defined in the JSON file are displayed as well and offer a possible fix in this case. The machine does, however, fulfil the other queried parameters (manufacturer and RAM).

Of course, you can also see this in the Microsoft Endpoint Manager Admin Center. There you can see the defined settings and whether they are fulfilled.

Device compliance overview

With the ability to write our own PowerShell scripts, we now have a powerful tool at our fingertips to define device compliance ourselves.
