Keep Windows Secure with Intune Compliance Policies

Captions
In this video we review Intune device compliance policies for Windows clients. Hello everyone, I'm Travis, and welcome to my channel. This is the continuation of my series on Intune. Coming up, we'll configure a compliance policy for our users and devices. Before that, please like, subscribe, and share with a friend. Check out my courses on Azure Virtual Desktop, Windows 365, and hybrid identities with Windows AD and Azure AD. Also subscribe to my newsletter; links to all that goodness are below. Back to it.

There are two parts for compliance policies in Intune. There are compliance policy settings: these are tenant-wide settings that dictate how devices without a policy are handled and how long a device can be offline before falling out of compliance. Next we have device compliance policies: these are platform-specific rules that define items like the minimum allowed operating system, password policy for mobile devices, and whether disk encryption, firewalls, and antivirus are required. These device compliance policies can be assigned to users, so it's applied to MDM-enabled users when they log into the device, or we can assign the policy to devices; this is used when the device doesn't have a dedicated user, an Azure Virtual Desktop session host for example. We also define actions for non-compliance. We can mark the device as non-compliant so we can identify a potential problem. We can also send an email to the user and to a distribution group, or to admins, for example. We can also retire the device after a specific number of days of non-compliance.

Coming up, we're going to create a compliance policy on a new Intune tenant. If you're just getting started with Intune, be sure to check out my playlist for more information. Let's jump into the portal to get started.

Here we are in the Intune portal. Let's start with the tenant compliance policy settings. These are a couple of settings that apply to the entire tenant. Let's go to Devices, Compliance policies, and Compliance policy settings. We have two options.

First is how we mark a device with no compliance policy assigned. Right now the default is Compliant. This tenant has no device compliance policy assigned at all, so all devices will show as compliant. The default is not what we want to use going forward. Left this way, if a device had no firewall enabled and outdated antivirus but no policy was applied, it would show as compliant. We want to switch this to Not compliant. Now the device will need a policy and must meet the policy settings before it's marked as compliant. This is especially useful if compliance is part of a conditional access policy. Next is the number of days a device can be compliant without checking in. The allowed values are 1 to 120, and the default is 30. For this example we'll leave it at 30, but consider your organization with this setting. 30 days may seem sufficient, but in many cases it may not be: parental leave that's longer than 30 days, employee furlough, seasonal workers, or extended vacations could move a device to non-compliant after the 30 days have passed. Once you've changed the settings, click Save.

Next we'll create a notification template. We use this template in an upcoming device policy, so we'll create it first. From Devices, Compliance policies, go to Notifications and create a notification. Give it a name; this one we'll call Compliance Notification. We have the option to add the company logo in the header and the company name and the contact information in the email. This information can be found in Tenant administration under Customization. We can edit to update the settings; update them as you'd like. For this example we'll leave it as is and go back to creating the notification template. For this example we'll disable everything but the company name. We'll go Next to notification message templates. For this example we'll select the locale English (United States), and we'll add a subject. Again, this is an email template, so for this example we'll use "Device out of compliance". We'll add a message, and of course you can add whatever is appropriate for your organization. Finally, I'll mark this as the default. We can add more as needed. For this example I'll go Next to Review + create, and Create.

Now that we have our notification template, let's move on to create a device policy. Let's go to Policies under Device compliance policies. We'll create a new policy. We need to select a platform; this one is for Windows 10 and newer. We'll click Create. Give it a name; we'll call this one Windows 10 11 Compliance, and a description as well: Base Windows 10 and 11 compliance policy. We'll go Next to compliance settings. At the top we can create custom compliance settings if we need; we'll skip this for this example. For Device Health we can select whether BitLocker is required, as well as Secure Boot and code integrity. We'll use all for this policy. Let's go to Device Properties. We can set a minimum and maximum version of the OS for desktop and mobile devices. I'll put a link to Windows release information below if you want to target a minimum or maximum version. For this example we'll use Windows 10 21H2; the version number is 10.0.19044.1. It has to be in the major.minor.build.version number format. No maximums, and we'll leave the mobile device blank. We can also specify specific OS builds. Builds allows us to specify a specific version, a version with all the updates for example, instead of just a minimum version. Next let's go to Configuration Manager Compliance. This option lets us set compliance based on Configuration Manager. This lab doesn't have Configuration Manager, or what I used to call SCCM, so we'll leave it set to Not configured. We'll go to System Security. We have a lot of security-related settings here; most are self-explanatory and I'm not going to review each one. Let's look at Password. "Require a password to unlock mobile devices" only applies to mobile devices, and we're working with Windows 10 and 11 here, so we don't need to configure this setting. Password policies are set in either Azure AD or Active Directory Domain Services for our user accounts. We can configure firewall, a TPM chip, antivirus, and antispyware. This example will use the first three. We can require Defender antimalware; let's set that. We'll also require real-time protection for this. Finally, if we're using Microsoft Defender for Endpoint in this environment, we can set the minimum score here. Let's go to Next.

Now we have the actions for non-compliance. The first default setting will mark the device as non-compliant. We can set how long it'll take for a device to be marked as non-compliant if it fails to match the policy; zero is immediate. We can also add a notification if the device becomes non-compliant. Under Message template, this is where we set the notification template we configured earlier; we'll select that. We can also add an email notification group to send the notice to as well. Finally, we can add the device to a retired device list. This is helpful to enable if the device doesn't become compliant after a given number of days, let's say 15.

Let's go Next to Assignments. We have a section where we can include groups and another where we can exclude groups. We can target a user or device group. If we target the user group, the setting will apply to the user on any MDM-enabled device they log into. Use a device group if we want the policy to apply to a device no matter who signs in; this could be an AVD session host or a shared device. We could also add all users and then exclude specific users with the exclude group. For this example we'll add a group. This lab has a group of MDM-enabled users; we'll select that. We'll go to Next, and if that all looks good, we'll click Create. That creates and assigns the policy.

We created the policy, and we'll verify the status next. Before we do, be aware that changes in Intune are not immediate. The client will check for updates at different intervals, some at login, some every few minutes, some once a day. Restarting may help. It took several minutes for the policy to apply and update on the computers we'll take a look at next. Speaking of that, let's take a look now. Let's go to Devices, then Windows. We can see the compliance status here. Let's open the first compliant device and go to Device compliance and the policy we created earlier. All settings are showing compliant; that's good. Let's go back to Devices. We'll open the device that's non-compliant, go to Device compliance, and open the policy we just created. The client shows it's missing BitLocker. We set the option to require BitLocker, and this device doesn't have that enabled on the local drive. That's good; that's telling us there's a problem with this device.

That is how to create, apply, and review a compliance policy in Intune. I hope that helps you better understand how to create compliance policies in Intune. Please don't forget to like and subscribe, and thanks for watching.
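As an added example (not code from the video or from Microsoft), the policy assembled in the walkthrough is modelled below as the JSON body Microsoft Graph uses for a windows10CompliancePolicy, then evaluated offline against a constructed device inventory so the BitLocker failure and the minimum-OS-version check can be reproduced. The notification template id is a placeholder, and the device keys (`bitlocker`, `secure_boot`, ...) are assumptions for the sample inventory.

```python
import re

# Settings chosen in the video, using Microsoft Graph windows10CompliancePolicy property names.
POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "bitLockerEnabled": True, "secureBootEnabled": True, "codeIntegrityEnabled": True,
    "osMinimumVersion": "10.0.19044.1",  # Windows 10 21H2; must be major.minor.build.revision
    "activeFirewallRequired": True, "tpmRequired": True, "antivirusRequired": True,
    "defenderEnabled": True, "rtpEnabled": True,
    "scheduledActionsForRule": [{"ruleName": "PasswordRequired", "scheduledActionConfigurations": [
        {"actionType": "block", "gracePeriodHours": 0},  # mark non-compliant immediately
        {"actionType": "notification", "gracePeriodHours": 0,
         "notificationTemplateId": "<compliance-notification-template-id>"},  # placeholder id
        {"actionType": "retire", "gracePeriodHours": 15 * 24},  # retire after 15 days
    ]}],
}
# Policy property -> key in the constructed device inventory that must be True.
BOOLEAN_CHECKS = {
    "bitLockerEnabled": "bitlocker", "secureBootEnabled": "secure_boot",
    "codeIntegrityEnabled": "code_integrity", "activeFirewallRequired": "firewall",
    "tpmRequired": "tpm", "antivirusRequired": "antivirus",
    "defenderEnabled": "defender", "rtpEnabled": "realtime_protection",
}

def parse_version(text):
    # Reject anything not in 4-part numeric form, then return a comparable int tuple.
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", text):
        raise ValueError(f"OS version must be major.minor.build.revision: {text!r}")
    return tuple(int(p) for p in text.split("."))

def evaluate(device, policy=POLICY):
    # List the policy settings the device fails; an empty list means compliant.
    failures = [p for p, key in BOOLEAN_CHECKS.items() if policy.get(p) and not device.get(key)]
    if parse_version(device["os_version"]) < parse_version(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    return failures

def retire_after_days(policy=POLICY):
    # Days of continuous non-compliance before the retire action fires (None if not set).
    hours = [a["gracePeriodHours"] for r in policy["scheduledActionsForRule"]
             for a in r["scheduledActionConfigurations"] if a["actionType"] == "retire"]
    return hours[0] // 24 if hours else None

# Constructed sample inventory (not real devices); PC-02 mirrors the video's BitLocker failure.
HEALTHY = dict(bitlocker=True, secure_boot=True, code_integrity=True, firewall=True,
               tpm=True, antivirus=True, defender=True, realtime_protection=True)
DEVICES = {
    "PC-01": {"os_version": "10.0.22621.2715", **HEALTHY},
    "PC-02": {"os_version": "10.0.19044.3570", **HEALTHY, "bitlocker": False},
    "PC-03": {"os_version": "10.0.19043.2364", **HEALTHY},  # 21H1 build, below the minimum
}
```

Running `evaluate(DEVICES["PC-02"])` returns only `bitLockerEnabled`, which is what the portal's per-setting view showed for the non-compliant device; a `0` grace period on `block` reproduces the "zero is immediate" behaviour described in the video.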
Info
Channel: Travis Roberts
Views: 2,764
Keywords: Device Policy, Compliance Policy, Intune Policies, Windows 10, Windows 11, Win, Intune Enrollment, AD DS, Azure AD, Intune, Microsoft, Mobile Device Management, MDM, Mobile Application Management, MAM, Intune Portal, free, tutorial, Intune learning, walkthrough, azure, azure training, azure free, mobile endpoint management
Id: kvhJtek-JMQ
Length: 11min 10sec (670 seconds)
Published: Sun Aug 13 2023