This week is all about device compliance. More specifically, about using the combination of ConfigMgr and Microsoft Intune for device compliance. In a cloud-attached scenario, in which ConfigMgr is attached to Microsoft Intune, it’s possible to use the ConfigMgr client in combination with a MDM enrollment. This is also known as co-management. In that scenario it’s possible to slowly move workloads from ConfigMgr to Microsoft Intune, like the compliance policies workload. In that scenario Microsoft Intune will become responsible for the compliance state of the device. However, switching that workload to Microsoft Intune, also limits the available device compliance checks. In case the organization still needs to verify the availability of certain apps, or updates, there’s a solution. Even when the workload is switched to Microsoft Intune. That solution is: Configuration Manager Compliance. In this post I’ll start with an introduction about Configuration Manager Compliance and using that in combination with Microsoft Intune, followed by the configuration in Microsoft Intune. I’ll end this post by showing the end-user experience.
Introduction about Configuration Manager Compliance
Now let’s start with an introduction about Configuration Manager Compliance. Configuration Manager Compliance is a recently introduced configuration option in a device compliance policy in Microsoft Intune. That configuration options enables the administrator to use the device compliance policy in Microsoft Intune together with the device compliance state send from Configuration Manager. That enables the administrator to still use the configuration options from a compliance policy in Configuration Manager, even though the workload is switched to Microsoft Intune. In other words, it enables the administrator to still verify if specific required apps are installed, or that the device has the latest updates installed. End-to-end the following happens for the user/device:
- Device is managed by Configuration Manager;
- Device is enrolled with Microsoft Intune;
- Configuration Manager evaluates the device compliance;
- Configuration Manager sends the compliance state to Microsoft Intune;
- Microsoft Intune evaluates the device compliance;
- Microsoft Intune generates a combined compliance report;
- Azure AD enforces conditional access;
- Azure AD allows (or blocks) access for (non)compliant devices;
- End-user receives a friendly remediation experience via Microsoft Intune and Configuration Manager (see the section about the end-user experience).
Note: This configuration option requires Configuration Manager 1810, or later.
Configuration of Configuration Manager Compliance
Let’s continue by having a look at the configuration. The configuration assumes that a Configuration Manager compliance policy is already available. The following 3 steps walk through the configuration of the Configuration Manager Compliance policy setting in a device compliance policy. Nothing more, nothing less. After creation, the device compliance policy can be assigned like any other device compliance policy. The created device compliance policy is applicable to all targeted users and/or devices. The Configuration Manager Compliance policy setting is only applicable to co-managed devices.
||Open the Azure portal and navigate to Microsoft Intune > Device compliance > Policies to open the Device compliance – Policies blade;
||On the Device compliance – Policies blade, click Create Policy to open the Create Policy blade;
On the Create Policy blade, provide the following information and click Create;
- Name: Provide a valid name;
- Description: (Optional) Provide a description;
- Platform: Select Windows 10 and later;
- Settings: See step 3b;
- Actions for noncompliance: Leave default (for this post);
- Scope (Tags): Leave default (for this post);
Note: Configuring non-standard values for Actions for noncompliance and Scope (Tags), is out of scope for this post.
On the Windows 10 compliance policy blade, select Configuration Manager Compliance to open the Configuration Manager Compliance blade;
Note: Configuring non-standard values for the Device Health, Device Properties, System Security and Windows Defender ATP, is out of scope for this post.
||On the Configuration Manager Compliance blade, select Require with Require device compliance from System Center Configuration Manager and click OK to return to the Windows 10 compliance policy blade;
||Back on the Windows 10 compliance policy blade, click OK;
Note: To take full advantage of this device compliance policy configuration, it must be used in combination with a conditional access policy that requires the device to be marked as compliant.
Let’s end this post by having a look at the end-user experience. As a starting point for the example below I’ve created a compliance policy that requires all applications (and software updates) with a deadline older than 30 days to be installed. When one (or more) of the required applications is not installed, the end-user will receive a message in Software Center as shown below. It clearly explains the end-user that not all required applications are installed. Mentioning the required applications would be a nice addition.
Via the Company Portal app the message will be a little less clear. The end-user will simply receive the message that some changes need to be made. A referral to Software Center could be a nice addition.
The administrator can always see the status in the different consoles. Microsoft Intune will show a not compliant message for the Require with Require device compliance from System Center Configuration Manager setting and Configuration Manager will show a not compliant message for the specific rule of the compliance policy.
For more information regarding Configuration Manager Compliance, please refer to the section Configuration Manager Compliance in the Add a device compliance policy for Windows devices in Intune article.