Require Configuration Manager Compliance

Quick blog post tip today for a question I hear all the time: “Can you force a Windows 10 device without a specific app or update installed to be non-compliant with Intune?”

The answer I give always has two parts. First, modern cloud-based device management isn’t about checking and inventorying devices to see what’s on them to take action, it’s about creating conditions, based on policies, to ensure that devices are configured the way you want them to be. If you want an app to be installed, just make it required for the device. If the user uninstalls it, it will automatically be reinstalled.

If you don’t want an app on a device, there are policies for that too.

The second part of that answer, assuming you just won’t be able to sleep at night without knowing if a required app is installed, is the famous “it depends”.

It depends on whether or not the device is comanaged with Configuration Manager and Intune. If so, you can use Configuration Manager’s configuration baselines to ensure specific apps or updates are installed for a device to be marked compliant.

And no, this doesn’t require the compliance comanagement workload to be set to Configuration Manager.

This is the setting I’m talking about from an Intune Windows 10 device compliance policy:


There are two settings for this configuration when you deploy this compliance policy out to your Intune managed devices: Require and Not configured. Obviously, Not configured isn’t very interesting to us, so we’ll ignore that option for now.

When set to Require, comanaged Windows 10 devices will do one of two things depending on how the comanagement compliance workload is configured.

Comanaged compliance

When the comanagement compliance workload is set to Configuration Manager, the device will completely ignore the compliance policy coming from Intune. The MEM admin center will display “See Configmgr” for the device compliance state, just like it does for a synced server we can’t check compliance on. The Intune compliance policy is ignored and never applied (Not applicable):


Again, probably not very interesting to you since you’re reading this blog about using Intune compliance policies. Moving on.

The magic happens when you move the compliance workload over to Intune (or Pilot Intune for those machines lucky enough to be in your pilot collection):


Just one more thing to do in the Configuration Manager console. You’ll need to let Configuration Manager know to apply the configuration baseline to comanaged devices for this to work. It’s easy to do: just check these two boxes at the bottom of your configuration baseline and you’re all set:

[Screenshot: baselineSettings.png]

In this configuration (baseline options configured, Require Configuration Manager compliance set in your compliance policy, and the comanagement compliance workload set to Intune), Configuration Manager’s configuration items are used in addition to Intune compliance settings when the device is checked for compliance. The basic idea is that because Configuration Manager can check for things that Intune doesn’t, using both provides a more granular compliance evaluation (e.g. does the system have update X installed, which Intune can’t check for). Non-comanaged devices you assign this policy to will simply ignore the request to check for Configuration Manager compliance.

So, while a device would otherwise be perfectly compliant according to Intune’s compliance policy, Configuration Manager’s configuration items might have something else entirely to say on the matter.


Busted.


At this point, both the Intune Company Portal and Configuration Manager’s Software Center will be dutifully informing the user that the device does not meet the compliance and security policies of your organization and, if Conditional Access policies are being used, the device will be in the dog house.

You have two options to get the device back into compliance. The first is obviously to do whatever it is that Configuration Manager is checking for to bring the device back into compliance. The second is to simply no longer require Configuration Manager compliance as part of your compliance policy. If you move that compliance policy setting to Not configured, the device compliance status will go from Not Compliant to Not Evaluated until it can run the Intune-only compliance policy and return to a compliant state.
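When a comanaged device shows up as Not Compliant because of this setting, the first thing an admin wants to know is which Configuration Manager baseline is the one failing. The script below is an added example (not from the original post and not Microsoft’s tooling): run it in an elevated PowerShell session on the client itself, where it reads the Configuration Manager agent’s SMS_DesiredConfiguration WMI class in root\ccm\dcm to list each deployed baseline and its last evaluation result, and optionally asks the agent to re-evaluate the failing ones once the missing app or update has been put in place. The value 1 = Compliant is what the check keys on; the names for the other status codes are the commonly documented meanings and are treated here as an assumption.

```powershell
# Added example, not the original post's or Microsoft's code. Run elevated on a
# comanaged Windows 10 client with the Configuration Manager agent installed.
# Lists configuration baselines and their last compliance result, which is what
# Intune's "Require Configuration Manager compliance" setting consumes.
[CmdletBinding()]
param(
    # Re-run evaluation of baselines that are not currently compliant
    # (for example after the missing app or update has been installed).
    [switch]$ReEvaluate
)

# LastComplianceStatus values. 1 = Compliant is the value that matters here;
# the other names are the commonly documented meanings (assumption).
$statusNames = @{
    0 = 'Non-Compliant'
    1 = 'Compliant'
    2 = 'Submitted'
    3 = 'Unknown'
    4 = 'Detecting'
    5 = 'Not Evaluated'
}

$baselines = Get-CimInstance -Namespace 'root\ccm\dcm' `
    -ClassName 'SMS_DesiredConfiguration' -ErrorAction Stop

if (-not $baselines) {
    Write-Warning 'No configuration baselines are deployed to this client.'
    return
}

$report = foreach ($bl in $baselines) {
    $code = [int]$bl.LastComplianceStatus
    [pscustomobject]@{
        Baseline      = $bl.DisplayName
        Name          = $bl.Name            # internal name, needed for re-evaluation
        Version       = $bl.Version
        Status        = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "Unknown($code)" }
        LastEvaluated = $bl.LastEvalTime
        MachineTarget = [bool]$bl.IsMachineTarget
    }
}

$report | Format-Table Baseline, Version, Status, LastEvaluated -AutoSize

# Anything not reporting Compliant is what keeps the device Not Compliant in Intune.
$failing = @($report | Where-Object { $_.Status -ne 'Compliant' })
if ($failing.Count -gt 0) {
    Write-Host "$($failing.Count) baseline(s) would keep this device non-compliant in Intune:" -ForegroundColor Yellow
    $failing | ForEach-Object { Write-Host "  - $($_.Baseline) ($($_.Status))" }

    if ($ReEvaluate) {
        foreach ($f in $failing) {
            # TriggerEvaluation is a static method on SMS_DesiredConfiguration;
            # IsEnforced = $true makes the agent remediate where the baseline allows it.
            Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' `
                -MethodName 'TriggerEvaluation' `
                -Arguments @{ Name = $f.Name; Version = $f.Version;
                              IsMachineTarget = $f.MachineTarget; IsEnforced = $true } | Out-Null
            Write-Host "  Re-evaluation requested for $($f.Baseline)"
        }
        Write-Host 'Intune picks up the new result at the next compliance check (or after a sync from Company Portal).'
    }
}
else {
    Write-Host 'All Configuration Manager baselines report Compliant; nothing on the Configuration Manager side is blocking Intune compliance.' -ForegroundColor Green
}
```

Usage: `.\Get-CMBaselineCompliance.ps1` to see the state, then `.\Get-CMBaselineCompliance.ps1 -ReEvaluate` after remediating. Only baselines that have the two comanaged-client checkboxes set feed into the Intune result, so a baseline listed here as Non-Compliant without those options would not by itself make the device Not Compliant.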

And that’s how Configuration Manager and Intune can be used at the same time when evaluating comanaged devices for compliance.


You’ve seen my blog; want to follow me on Twitter too? @JeffGilb
