
How to Build Compliance Baselines in Intune to Determine the Compliance Status of Devices 


Establishing robust mechanisms for assessing and enforcing device compliance is crucial. Microsoft Intune's compliance policies are the tool for this; throughout this post, a set of compliance policy settings that every device must meet is called a compliance baseline. This post walks through building such a baseline in Intune and using it to keep your device fleet aligned with your organization's security and compliance standards.

Introduction to Compliance Baselines in Intune

A compliance baseline, as used here, is a compliance policy (or set of policies) in Intune whose settings define the minimum configuration a device must meet to be reported as compliant. The baseline gives IT administrators a benchmark for security and configuration settings, making it easy to identify and remediate non-compliant devices, and because Intune re-evaluates it at every device check-in, compliance assessment is automated rather than manual. The resulting compliance state is also what Conditional Access consumes when you require a compliant device for access to company resources, so the baseline directly gates access as well as reporting on it.

Step 1: Understanding Your Compliance Requirements 

The initial step in constructing compliance baselines is to comprehensively understand your organization’s compliance needs. This involves pinpointing the regulatory standards you must comply with—such as GDPR, HIPAA, or PCI-DSS—and translating these into specific device configuration settings. Key aspects to consider include encryption standards, password policies, and software versions to compile a detailed checklist of compliance criteria. 

Step 2: Creating a Compliance Baseline in Intune 

Once you've identified your compliance requirements, the next step is to create a compliance baseline in Intune. In this post we build the baseline around these settings:

  • BitLocker 
  • Secure Boot 
  • Code Integrity 
  • Firewall 
  • TPM 
  • Antivirus 
  • Antispyware 

A device on which any of these is disabled or missing will be evaluated as "non-compliant."

Steps to Establish Your Compliance Baseline in Intune

Navigate to the Intune admin center: sign in to the Microsoft Intune admin center at intune.microsoft.com.

Create a New Compliance Policy: go to Devices > Compliance > Policies > Create Policy. Select the platform relevant to your devices (for this post, Windows 10 and later) and click Create.

[Screenshot: Compliance > Create policy]

Name and Description: give your compliance policy a name and description and click Next.

[Screenshot: Compliance policy name and description]

Configure Compliance Settings: in the Create a Compliance Policy wizard, set the compliance settings your organization requires. Intune groups them into Device Health, Device Properties, Configuration Manager Compliance, System Security, and Microsoft Defender for Endpoint, plus custom compliance settings backed by your own detection script. For this baseline, set Require BitLocker, Require Secure Boot to be enabled on the device, and Require code integrity to Require under Device Health, and set Firewall, Trusted Platform Module (TPM), Antivirus, and Antispyware to Require under System Security. The Device Health settings are evaluated from the Device Health Attestation report, which the device produces at boot, so a fix such as enabling BitLocker only shows up as compliant after the device restarts and checks in again.

[Screenshot: Compliance settings in the wizard (Device Health)]
[Screenshot: Compliance settings in the wizard (System Security)]

Define Actions for Noncompliance: decide what happens when a device fails the checks. Options include Mark device noncompliant (immediately or after a grace period in days), Send email to end user, Send push notification, Remotely lock the noncompliant device, and Retire the noncompliant device (which adds it to the retire list). In this example the device is marked non-compliant after three days. Be aware that during that grace period the device reports as "In grace period" and Conditional Access still treats it as compliant, so the grace period is a window in which a failing device keeps its access; keep it as short as your helpdesk can support.

[Screenshot: Actions for noncompliance settings]

Note

Sending a non-compliance email to the end user is rarely useful. Under least privilege, most users have no local admin rights and cannot perform the remediation themselves. If you do send one, create a group for your sysadmins/helpdesk and add it under Additional recipients so that the people who can actually act are informed. The email body comes from a notification template that has to exist before you can select it: go to Devices > Compliance > Notifications > Create notification.

[Screenshot: Device compliance notifications]

Assignments: choose the group(s) this compliance policy applies to. I recommend a dynamic device group that contains all Windows devices (a membership rule on the device OS type, for example) and assigning the policy to that group. Click Next, then Create.

Devices with no assigned compliance policy: ideally every device has a compliance policy; build one per platform (one for macOS, one for Windows, and so on). Intune also lets you choose how a device with no policy assigned is reported. Go to Devices > Compliance > Compliance settings and set "Mark devices with no compliance policy assigned as" to Not compliant. The default is Compliant, which means a device that slipped through your assignments is silently treated as passing. The same page holds the compliance status validity period (in days); a device that has not checked in within that window is marked non-compliant.

[Screenshot: Compliance settings, including the validity period]
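The whole procedure above can also be done from PowerShell with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post or from Microsoft: it creates the Windows compliance policy with the seven settings, configures the three-day "mark device noncompliant" action, assigns the policy to a group, and sets the tenant-wide behaviour for devices with no policy. The group ID is a placeholder you must replace with your own dynamic Windows device group, and the Graph permission scopes are the ones I assume these calls need; verify them against your tenant's consent.

```powershell
# Added example: build the compliance baseline from this post via Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module.
# ASSUMPTIONS: the group ID is a placeholder; the scopes are what I expect the
# calls to need and may need adjusting in your tenant.
Import-Module Microsoft.Graph.Authentication

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your "All Windows devices" group

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

# 1. One windows10CompliancePolicy with exactly the seven checks from the post.
#    Device Health settings (BitLocker, Secure Boot, code integrity) are read
#    from the Device Health Attestation report; the rest come from the device.
$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'Windows baseline - device health and system security'
    description            = 'BitLocker, Secure Boot, code integrity, firewall, TPM, antivirus, antispyware'
    # Device Health (Device Health Attestation)
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    # System Security
    activeFirewallRequired = $true
    tpmRequired            = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    # Actions for noncompliance: "block" = Mark device noncompliant, after a
    # 72-hour (3-day) grace period as in the post. No end-user email.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'   # rule name the portal uses for the default action set
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 72
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created compliance policy $($created.id)"

# 2. Assign the policy to the Windows device group.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 3. Tenant-wide compliance setting: devices with no policy assigned are
#    reported as noncompliant (Devices > Compliance > Compliance settings).
$settings = @{ settings = @{ secureByDefault = $true } }
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement' `
    -Body ($settings | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

Keeping the policy as a script means the baseline is reviewable in version control and can be re-applied identically to a second tenant, which a click-through in the portal cannot guarantee.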

Step 3: Monitoring and Reporting 

With your compliance baselines in place, it’s essential to continuously monitor the compliance status of devices and take remedial actions if necessary. 

Use Intune's Built-in Reports: Intune reports the compliance status of every device and, per policy, which individual settings a device fails. Devices > Compliance shows the overview; Reports > Device compliance gives the per-device and per-setting detail you need to see what actually deviated from the baseline.

[Screenshot: Device compliance reports]

[Screenshot: Device compliance report details]
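The same per-setting detail the portal reports can be pulled with Microsoft Graph, which is useful for a daily export to the helpdesk. The script below is an added example, not from the original post: it lists every non-compliant Windows device and, for each, the baseline settings that are failing, following paging links so large tenants are covered completely. The read-only scopes are my assumption about what these calls require.

```powershell
# Added example: non-compliant Windows devices and the specific settings they fail.
# Requires the Microsoft.Graph.Authentication module. Read-only scopes (assumed).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-GraphCollection {
    # Follows @odata.nextLink so the full collection is returned, not one page.
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

$filter = [uri]::EscapeDataString("complianceState eq 'noncompliant'")
$select = 'id,deviceName,userPrincipalName,operatingSystem,lastSyncDateTime,complianceState'
$devices = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$filter&`$select=$select" |
    Where-Object operatingSystem -eq 'Windows'   # OS filtered client-side

$report = foreach ($d in $devices) {
    # Per-policy state for the device, then per-setting state of each failing
    # policy, so the helpdesk sees WHICH check failed (e.g. BitLockerEnabled).
    $policyStates = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    foreach ($p in ($policyStates | Where-Object state -eq 'nonCompliant')) {
        $settingStates = Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates/$($p.id)/settingStates"
        foreach ($s in ($settingStates | Where-Object state -ne 'compliant')) {
            [pscustomobject]@{
                Device   = $d.deviceName
                User     = $d.userPrincipalName
                LastSync = $d.lastSyncDateTime
                Policy   = $p.displayName
                Setting  = $s.setting   # e.g. Windows10CompliancePolicy.BitLockerEnabled
                State    = $s.state     # nonCompliant, error, notApplicable, ...
            }
        }
    }
}

$report | Sort-Object Device, Setting | Format-Table -AutoSize
$report | Export-Csv -Path .\noncompliant-devices.csv -NoTypeInformation
```

A stale LastSync next to a failing setting usually means the device has not checked in since the fix was applied (or, for the Device Health settings, has not rebooted), so sort on it before chasing a device that may already be remediated.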

Act on Non-compliant Devices: use the per-setting detail from the reports to fix the failing control. This may involve enabling BitLocker or Secure Boot, installing the updates a device is missing, or retiring devices that can no longer meet the baseline. 
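When an engineer is in front of a non-compliant device, it helps to check the same seven controls locally rather than wait for the next Intune check-in. The script below is an added example, not from the original post, and must be run in an elevated PowerShell session on the device. Two caveats are mine: the code-integrity check approximates what Device Health Attestation reports by looking for test-signing or no-integrity-checks boot flags, and the antivirus/antispyware check reads Microsoft Defender only, whereas Intune accepts any product registered with Windows Security Center.

```powershell
# Added example: local triage of the seven baseline controls on a Windows device.
# ASSUMPTIONS: run elevated; code-integrity mapping to DHA is an approximation;
# Defender-only AV check (third-party AV registered in Security Center is not seen).
#Requires -RunAsAdministrator

function Test-BaselineControls {
    $results = [ordered]@{}

    # BitLocker: OS volume fully encrypted with protection on (not suspended).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results['BitLocker'] = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS; treat that as a fail.
    try   { $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['SecureBoot'] = $false }

    # Code integrity (approximation of the DHA result): fail if the boot
    # configuration disables driver signature enforcement.
    $bcd = (bcdedit /enum '{current}') -join "`n"
    $results['CodeIntegrity'] = -not ($bcd -match 'testsigning\s+Yes' -or $bcd -match 'nointegritychecks\s+Yes')

    # Firewall: all three profiles (Domain, Private, Public) must be enabled.
    $results['Firewall'] = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

    # TPM: present and ready for use.
    $tpm = Get-Tpm
    $results['TPM'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Antivirus / antispyware as reported by Microsoft Defender.
    $mp = Get-MpComputerStatus
    $results['Antivirus']   = [bool]$mp.AntivirusEnabled
    $results['Antispyware'] = [bool]$mp.AntispywareEnabled

    return $results
}

$r = Test-BaselineControls
$r.GetEnumerator() | ForEach-Object {
    '{0,-14} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
# Non-zero exit code makes the script usable from a remediation or RMM tool.
if ($r.Values -contains $false) { exit 1 } else { exit 0 }
```

After fixing a Device Health control (BitLocker, Secure Boot, code integrity), reboot and then sync the device from Settings > Accounts > Access work or school; the attestation report is produced at boot, so Intune will not see the change until both have happened.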

Ensuring Optimal Security with Compliance Baselines in Intune

Building compliance baselines in Intune is a proactive way to maintain the security and integrity of your device fleet. By setting clear benchmarks for compliance, automating the assessment process, and taking swift action on non-compliant devices, organizations can enhance their security posture and ensure that they meet regulatory requirements.  
