Intune Commander provides full support for managing device compliance policies across all supported platforms, as well as custom compliance scripts for Windows devices.

Device Compliance Policies

Overview

Device compliance policies define the requirements that devices must meet to be considered compliant. Compliance status can be used with Conditional Access to control access to corporate resources.

Graph Endpoint: /deviceManagement/deviceCompliancePolicies
Service: CompliancePolicyService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

Operation       | Method                       | Description
----------------|------------------------------|----------------------------------
List            | ListAsync()                  | Retrieve all compliance policies
Get             | GetAsync(id)                 | Retrieve a specific policy by ID
Create          | CreateAsync(policy)          | Create a new compliance policy
Update          | UpdateAsync(id, policy)      | Update an existing policy
Delete          | DeleteAsync(id)              | Delete a compliance policy
Get Assignments | GetAssignmentsAsync(id)      | Retrieve assignment information
Assign          | AssignAsync(id, assignments) | Assign policy to groups

Platform Support

Compliance policies are available for all major device platforms:

Windows 10/11

  • Operating system version - Minimum and maximum OS version requirements
  • BitLocker - Require BitLocker encryption
  • Secure Boot - Require Secure Boot to be enabled
  • Code integrity - Require code integrity validation
  • Microsoft Defender - Antivirus, antispyware, and real-time protection requirements
  • Microsoft Defender for Endpoint - Require device to be at or under machine risk score
  • Firewall - Require Microsoft Defender Firewall enabled
  • Password - Password complexity, length, expiration, and history requirements
  • Device security - TPM requirement
  • Configuration Manager compliance - Require device compliance from Configuration Manager

macOS

  • Operating system version - Minimum and maximum OS version requirements
  • Password - Password complexity, length, and expiration requirements
  • System integrity protection - Require SIP enabled
  • Device security - Firewall and FileVault requirements
  • Gatekeeper - Require Gatekeeper enabled

iOS/iPadOS

  • Operating system version - Minimum and maximum OS version requirements
  • Jailbroken devices - Block jailbroken devices
  • Password - Password complexity, length, and expiration requirements
  • Device security - Require passcode, Touch ID, Face ID
  • Restricted apps - Block specific apps from being installed
  • Email profile - Require managed email profile

Android

  • Operating system version - Minimum and maximum OS version requirements
  • Rooted devices - Block rooted devices
  • Google Play Protect - Require Google Play Services, device threat scan, SafetyNet attestation
  • Password - Password complexity, length, and expiration requirements
  • Device security - Encryption, USB debugging restrictions
  • Restricted apps - Block specific apps from being installed
  • Company Portal minimum version - Require minimum Company Portal app version

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies
GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{id}
POST https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies
PATCH https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{id}
DELETE https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{id}
GET https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{id}/assignments
POST https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/{id}/assign

Compliance Actions

Each compliance policy can include one or more compliance actions that are triggered when a device becomes non-compliant:
Action                    | Description                                | Timing
--------------------------|--------------------------------------------|----------------------------------
Mark device non-compliant | Flag the device as non-compliant           | Immediately or after grace period
Send email to end user    | Send notification email to the device user | Scheduled intervals
Send push notification    | Send Company Portal push notification      | Scheduled intervals
Remotely lock device      | Lock the non-compliant device              | After grace period
Retire device             | Remove company data from the device        | After grace period

Conditional Access Integration

Compliance policies are the foundation of device-based Conditional Access:
  1. Device checks in with Intune and evaluates compliance policies
  2. Compliance status is written to Entra ID
  3. Conditional Access policies check device compliance state
  4. Access to resources is granted or blocked based on compliance

Export/Import

Compliance policies export to:
ExportFolder/
└── CompliancePolicies/
    ├── Windows_Security_Baseline.json
    ├── iOS_Minimum_Requirements.json
    └── Android_Enterprise_Compliance.json

Custom Compliance Scripts

Overview

Custom compliance scripts (also called compliance settings) allow you to evaluate compliance using PowerShell or shell scripts for scenarios not covered by built-in compliance settings.

Graph Endpoint: /deviceManagement/deviceComplianceScripts
Service: ComplianceScriptService
Permission: DeviceManagementConfiguration.ReadWrite.All

Supported Operations

Operation | Method       | Description
----------|--------------|----------------------------------
List      | ListAsync()  | Retrieve all compliance scripts
Get       | GetAsync(id) | Retrieve a specific script by ID

Custom compliance scripts support List and Get operations through the AssignmentChecker service. Full CRUD operations may be added in future releases.

Platform Support

  • Windows 10/11 - PowerShell scripts (.ps1)
  • macOS - Shell scripts (.sh)
  • Linux - Shell scripts (.sh)

Script Components

Detection Script

The detection script runs on the device and outputs JSON with compliance settings:
```powershell
# Example Windows detection script
# Each key in the hashtable becomes a setting name that the discovery rules evaluate.
$output = @{
    # ProtectionStatus is "On" only when BitLocker protection is active on the OS drive
    "BitLockerEnabled" = (Get-BitLockerVolume -MountPoint C:).ProtectionStatus -eq "On"
    # TpmPresent is $true when the OS detects a TPM
    "TPMEnabled" = (Get-Tpm).TpmPresent
}
# Emit the settings as single-line JSON for the compliance engine to parse
return $output | ConvertTo-Json -Compress
```

Discovery Rules

Define the expected values for each setting returned by the detection script:
  • Data type (Boolean, Integer, String, DateTime)
  • Operator (Equals, NotEquals, GreaterThan, LessThan, etc.)
  • Expected value
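To see how the detection output and the discovery rules fit together, here is an added Python example (not code from Intune Commander or from this page) that evaluates a script's JSON output against rules built from the data types and operators listed above, including the failure modes the best practices warn about: output that is not valid JSON, a setting the script never emitted, and a value that cannot be converted to its declared type. The rule dict layout, the setting names beyond the two in the script above, and the sample outputs are constructed for this example and are not Intune's own rule schema.

```python
import json
import operator as op
from datetime import datetime

# Discovery rules written with the data types and operators listed above. The dict
# layout is an assumption for this example, not Intune's own rule schema.
RULES = [
    {"setting": "BitLockerEnabled", "type": "Boolean", "operator": "Equals", "expected": True},
    {"setting": "TPMEnabled", "type": "Boolean", "operator": "Equals", "expected": True},
    {"setting": "SignatureAgeDays", "type": "Integer", "operator": "LessThan", "expected": 7},
    {"setting": "LastScan", "type": "DateTime", "operator": "GreaterThan", "expected": "2024-01-01T00:00:00"},
]
OPERATORS = {"Equals": op.eq, "NotEquals": op.ne, "GreaterThan": op.gt, "LessThan": op.lt}

def coerce(value, data_type):
    """Convert a raw JSON value to the rule's declared data type, or raise ValueError."""
    if data_type == "Boolean":
        if str(value).lower() not in ("true", "false"):  # scripts sometimes emit "True"
            raise ValueError(f"not a boolean: {value!r}")
        return str(value).lower() == "true"
    if data_type == "Integer":
        return int(value)
    if data_type == "DateTime":
        return datetime.fromisoformat(str(value))
    return str(value)  # String

def evaluate(script_output, rules=RULES):
    """Return (compliant, per-setting verdicts) for one detection-script run."""
    try:
        data = json.loads(script_output)
    except json.JSONDecodeError:
        # Malformed output fails every rule: this is why scripts must always emit valid JSON
        return False, {r["setting"]: "invalid JSON output" for r in rules}
    verdicts = {}
    for rule in rules:
        name, dtype = rule["setting"], rule["type"]
        if name not in data:
            verdicts[name] = "setting missing"  # a missing setting is never compliant
            continue
        try:
            ok = OPERATORS[rule["operator"]](coerce(data[name], dtype), coerce(rule["expected"], dtype))
            verdicts[name] = "compliant" if ok else "non-compliant"
        except (ValueError, TypeError, KeyError) as exc:
            verdicts[name] = f"evaluation error: {exc}"
    return all(v == "compliant" for v in verdicts.values()), verdicts

# Constructed sample outputs: a healthy device, a drifted one, and a script that crashed
HEALTHY = json.dumps({"BitLockerEnabled": True, "TPMEnabled": True, "SignatureAgeDays": 2, "LastScan": "2024-06-01T08:00:00"})
DRIFTED = json.dumps({"BitLockerEnabled": "False", "TPMEnabled": True, "SignatureAgeDays": 12, "LastScan": "2024-06-01T08:00:00"})
CRASHED = "Get-BitLockerVolume : The term 'Get-BitLockerVolume' is not recognized"
```

Running `evaluate(DRIFTED)` reports BitLockerEnabled and SignatureAgeDays as non-compliant, while `evaluate(CRASHED)` fails every rule at once because the error text is not JSON.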

Use Cases

  • Custom security controls - Check for specific registry keys, files, or configurations
  • Third-party software - Verify antivirus, DLP, or EDR agent installation and version
  • Hardware requirements - Check for specific hardware components or capabilities
  • Configuration drift - Detect unauthorized changes to critical settings
  • License compliance - Verify software licensing status

Graph API Details

GET https://graph.microsoft.com/beta/deviceManagement/deviceComplianceScripts
GET https://graph.microsoft.com/beta/deviceManagement/deviceComplianceScripts/{id}

Export/Import

Custom compliance scripts export to:
ExportFolder/
└── ComplianceScripts/
    ├── BitLocker_Custom_Check.json
    └── ThirdParty_AV_Verification.json

Multi-Cloud Support

Compliance policies and scripts are supported across all four cloud environments:
Cloud      | Graph Base URL                      | Authority Host
-----------|-------------------------------------|--------------------------
Commercial | https://graph.microsoft.com/beta    | login.microsoftonline.com
GCC        | https://graph.microsoft.com/beta    | login.microsoftonline.com
GCC-High   | https://graph.microsoft.us/beta     | login.microsoftonline.us
DoD        | https://dod-graph.microsoft.us/beta | login.microsoftonline.us
Each cloud environment requires a separate app registration. See the cloud configuration pages for setup details.

Required Permissions

The app registration must have the following Microsoft Graph permission consented:
DeviceManagementConfiguration.ReadWrite.All
This permission grants:
  • Read access to all compliance policies and scripts
  • Create, update, and delete permissions for compliance policies
  • Assignment management for compliance policies
  • Read access to custom compliance script definitions
For read-only scenarios, DeviceManagementConfiguration.Read.All can be used instead.

Best Practices

Policy Design

  1. Start with platform-specific baselines - Use Microsoft’s recommended compliance settings as a starting point
  2. Avoid overly restrictive policies - Balance security with user productivity
  3. Use grace periods - Give users time to remediate compliance issues before blocking access
  4. Test in pilot groups - Deploy to small groups before broad rollout
  5. Monitor compliance reports - Review compliance status regularly and adjust policies as needed

Custom Scripts

  1. Keep scripts simple - Complex scripts may timeout or fail intermittently
  2. Handle errors gracefully - Return valid JSON even when detection fails
  3. Test across OS versions - Ensure compatibility with all supported Windows/macOS versions
  4. Document script logic - Include comments explaining what each setting checks
  5. Version control - Track script changes using export/import and external version control

Assignment Strategy

  1. Use Azure AD dynamic groups - Automatically target devices by platform, OS version, or ownership
  2. Layer policies - Combine platform-specific and security-level policies using multiple assignments
  3. Exclude service accounts - Prevent compliance policies from blocking kiosk or shared devices
  4. Monitor assignment coverage - Ensure all devices are covered by at least one compliance policy
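The following added Python example (not code from Intune Commander) ties the Multi-Cloud Support table to the assignment strategy above: it builds the POST body for the /assign endpoint of a policy in a chosen cloud, includes the target groups, and adds exclusion targets for groups such as kiosk or shared devices, refusing to guess a base URL for an unknown cloud or to post an exclusion-only assignment that would target nothing. The target @odata.type values are the Graph assignment target types for group include and exclude; the policy and group IDs used in the test are placeholders.

```python
import re

# Graph base URL and authority host per cloud, from the Multi-Cloud Support table
CLOUDS = {
    "Commercial": ("https://graph.microsoft.com/beta", "login.microsoftonline.com"),
    "GCC": ("https://graph.microsoft.com/beta", "login.microsoftonline.com"),
    "GCC-High": ("https://graph.microsoft.us/beta", "login.microsoftonline.us"),
    "DoD": ("https://dod-graph.microsoft.us/beta", "login.microsoftonline.us"),
}
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

def build_assign_request(cloud, policy_id, include_groups, exclude_groups=()):
    """Return (authority_host, url, body) for POST .../deviceCompliancePolicies/{id}/assign.

    Included groups use groupAssignmentTarget; excluded groups (for example kiosk or
    shared-device groups) use exclusionGroupAssignmentTarget. The authority host is
    returned so the token is requested from the same cloud the request goes to.
    """
    if cloud not in CLOUDS:
        raise ValueError(f"unknown cloud {cloud!r}: refusing to guess a Graph base URL")
    base, authority = CLOUDS[cloud]
    for gid in (policy_id, *include_groups, *exclude_groups):
        if not GUID.match(gid):
            raise ValueError(f"not a GUID: {gid!r}")
    overlap = set(include_groups) & set(exclude_groups)
    if overlap:
        raise ValueError(f"group(s) both included and excluded: {sorted(overlap)}")
    if exclude_groups and not include_groups:
        raise ValueError("exclusions without any included group target nothing")
    # An empty assignments list is valid and clears every existing assignment
    assignments = [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": g}}
                   for g in include_groups]
    assignments += [{"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget", "groupId": g}}
                    for g in exclude_groups]
    url = f"{base}/deviceManagement/deviceCompliancePolicies/{policy_id}/assign"
    return authority, url, {"assignments": assignments}
```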

Caching

Compliance policy data is cached locally for 24 hours using an AES-encrypted LiteDB database.

Cache Location:
  • Windows: %LocalAppData%\Intune.Commander\cache.db
  • Linux: ~/.config/Intune.Commander/cache.db
  • macOS: ~/Library/Application Support/Intune.Commander/cache.db
The cache is automatically invalidated after 24 hours or when explicitly cleared through the UI.
