Custom Compliance Policy – The remarkable extension

In this post we will create a custom compliance policy in Intune and describe how it works (the JSON file and the discovery script).

As discussed in a previous post, Intune allows us to create compliance policies to secure our devices and ensure that specific configurations and settings are applied. Although there are many settings that we can use in these policies, there are cases where we want to apply specific checks and controls that are not available directly in the built-in compliance policy settings.

To add custom checks we can create our own custom compliance policies. These policies extend Intune’s built-in device compliance options and are applicable to Linux and Windows devices. Custom settings give us the flexibility to base compliance on any setting that can be read on a device, without having to wait for Intune to add that setting to the built-in options.

A custom compliance policy basically consists of two parts:

  • The JSON file which defines the custom settings and the values that are considered as compliant. We can also configure messages for users to tell them how to restore compliance for each setting.
  • The Discovery Script which, during the policy evaluation, detects the settings from the JSON file, and then reports the results to Intune. It is delivered to devices through the compliance policy. Windows uses a PowerShell script and Linux uses a POSIX-compliant shell script.

First let’s start by defining the setting that we want to check in our custom compliance policy. Let’s suppose that our organization only allows the Enterprise edition of Windows and regards all other editions as not compliant. For this we first have to create a script that checks the OS edition and returns a value indicating whether it is Enterprise or not.

Discovery Script

The discovery script, as already mentioned, checks whether the endpoint runs an Enterprise edition of Windows and returns a corresponding value.

# Read the edition string of the running OS (e.g. "Enterprise", "Professional")
$windowsEdition = (Get-WindowsEdition -Online).Edition

# Normalise the value we report so the JSON rule only has to match one of two strings
if ($windowsEdition.ToLower().Contains("enterprise") -eq $true){
    $isEnterprise = "Enterprise"
}
else{
    $isEnterprise = "NotEnterprise"
}

# The hashtable key ("Status") is the SettingName that the JSON rule file refers to
$isEnterpriseJSON = @{Status = $isEnterprise}

# Intune expects a single compressed JSON object as the script output
return $isEnterpriseJSON | ConvertTo-Json -Compress

In the script above we define a variable that holds the Windows edition read from the endpoint and then we check whether it is Enterprise or not. Lastly, we return the result after converting it to JSON. This is done so that Intune can compare the output of the script with the JSON file we will provide in the next stage.

JSON File

The JSON file we define below is used by Intune to evaluate if the returned value of the script is the desired one or not.

{
    "Rules": [
        {
            "SettingName": "Status",
            "Operator": "IsEquals",
            "DataType": "String",
            "Operand": "Enterprise",
            "MoreInfoUrl": "https://google.com",
            "RemediationStrings": [
                {
                    "Language": "en_US",
                    "Title": "This machine does not have an Enterprise Windows edition.",
                    "Description": "To continue to use this device and access company resources, contact support."
                }
            ]
        }
    ]
}

First we define the SettingName, which must match the key of the object returned by the script. As you can see above, the script returns the $isEnterprise value under the key “Status”, so the SettingName is set to “Status”. Moving on, in the Operator and DataType fields we define the comparison that we want to perform against the value (in this case we check whether it is equal to a desired value) and its data type. The Operand field defines the desired value, that is, the value that makes the device compliant.

Furthermore, in the MoreInfoUrl field we can add a link that users can click to find more details about this setting (here we enter a placeholder value, but most of the time this will be an internal link or a link to the help desk). Lastly, the RemediationStrings setting allows us to define the message that will be shown to the end user.
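To tie the discovery script and the JSON rule file together, the following is an added example (not code from the original post) that generalises the single-setting check above to a discovery script reporting two settings, plus a small local pre-flight check that evaluates a rule file against the script’s output before anything is uploaded to Intune. The rule file, the build number operand, the MoreInfoUrl and the sample discovery outputs are constructed for this example; Get-WindowsEdition (DISM module) and Get-CimInstance are real cmdlets. The operator handling in Test-ComplianceRules is a local approximation of Intune’s evaluation (note, for instance, that PowerShell string comparison is case-insensitive), so Intune’s own result remains authoritative.

```powershell
# Added example: multi-setting discovery script + local rule check (not the post's own code).

function Get-DiscoveryOutput {
    # Every key of this hashtable is a SettingName the JSON rule file can refer to.
    $edition = (Get-WindowsEdition -Online).Edition
    $build   = [int64](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    $result = @{
        Status      = $(if ($edition.ToLower().Contains("enterprise")) { "Enterprise" } else { "NotEnterprise" })
        BuildNumber = $build
    }
    # Intune expects one compressed JSON object on the output stream.
    return $result | ConvertTo-Json -Compress
}

# Constructed rule file: two rules, one per key returned by Get-DiscoveryOutput.
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "Status", "Operator": "IsEquals", "DataType": "String", "Operand": "Enterprise",
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "This machine does not have an Enterprise Windows edition.",
        "Description": "Contact support to have the device re-imaged." } ]
    },
    {
      "SettingName": "BuildNumber", "Operator": "GreaterEquals", "DataType": "Int64", "Operand": 19045,
      "MoreInfoUrl": "https://intranet.example/compliance",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Windows build is too old.",
        "Description": "Install pending Windows updates and restart." } ]
    }
  ]
}
'@

function Test-ComplianceRules {
    # Evaluates every rule against the discovery JSON and reports what would fail.
    param(
        [Parameter(Mandatory)] [string] $DiscoveryJson,
        [Parameter(Mandatory)] [string] $RulesJson
    )
    $actual   = $DiscoveryJson | ConvertFrom-Json
    $rules    = ($RulesJson | ConvertFrom-Json).Rules
    $failures = @()

    foreach ($rule in $rules) {
        $name = $rule.SettingName
        # A SettingName with no matching key in the output is the most common authoring mistake.
        if (-not ($actual.PSObject.Properties.Name -contains $name)) {
            $failures += "Setting '${name}' is not present in the discovery output"
            continue
        }
        $value   = $actual.$name
        $operand = $rule.Operand
        # Cast both sides according to DataType so comparisons are not done on raw strings.
        switch ($rule.DataType) {
            "Int64"   { $value = [int64]$value;   $operand = [int64]$operand }
            "Double"  { $value = [double]$value;  $operand = [double]$operand }
            "Version" { $value = [version]$value; $operand = [version]$operand }
            "Boolean" { $value = [System.Convert]::ToBoolean($value); $operand = [System.Convert]::ToBoolean($operand) }
            default   { $value = [string]$value;  $operand = [string]$operand }
        }
        $ok = switch ($rule.Operator) {
            "IsEquals"      { $value -eq $operand }
            "NotEquals"     { $value -ne $operand }
            "GreaterThan"   { $value -gt $operand }
            "GreaterEquals" { $value -ge $operand }
            "LessThan"      { $value -lt $operand }
            "LessEquals"    { $value -le $operand }
            default         { throw "Unknown operator '$($rule.Operator)' in rule '${name}'" }
        }
        if (-not $ok) { $failures += "${name}: expected $($rule.Operator) $operand, got $value" }
    }
    [pscustomobject]@{ Compliant = ($failures.Count -eq 0); Failures = $failures }
}

# Constructed sample outputs (not captured from a real device) so the check runs offline.
Test-ComplianceRules -DiscoveryJson '{"Status":"Enterprise","BuildNumber":19045}' -RulesJson $rulesJson
Test-ComplianceRules -DiscoveryJson '{"Status":"NotEnterprise","BuildNumber":19041}' -RulesJson $rulesJson
# On a real endpoint (elevated session):
# Test-ComplianceRules -DiscoveryJson (Get-DiscoveryOutput) -RulesJson $rulesJson
```

The first sample call reports Compliant = True, the second lists both failing rules. Running this against the real Get-DiscoveryOutput before uploading catches the two mistakes that otherwise only surface as a confusing status in the portal: a SettingName that does not match a key in the script output, and an Operand whose DataType does not match what the script emits.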

After defining and explaining the script and the JSON file, let’s move on to the practical implementation of the custom compliance policy.

Let’s do it

First go to the Intune portal and head to Endpoint security -> Device compliance -> Compliance Policies -> Scripts.

Click Add and select the Platform to which you are going to deploy the script. In this example we are using Windows 10 and later machines.

Give a name and a description to your script and press Next.

In the next screen enter your detection script, change any setting that may be needed and press Next.

Review the entered configuration and press Create.

The script part of the custom compliance is ready. Now let’s move forward with creating the policy.

Go to Devices -> Windows -> Compliance Policies and click Create policy. Select Windows 10 and later as Platform and Create. Give a name and a description to your policy.

Now select Custom Compliance and choose the discovery script we created previously. Upload the JSON file we created in the previous stage.

Click Next and select the actions you want taken for noncompliant devices. In this example we simply choose to mark the device as not compliant immediately.

Assign the policy to a group and create it.

The custom compliance policy is created. Now we just have to wait until it is evaluated on an endpoint and check the status.

It is important to mention here that custom compliance policies may take a significant amount of time to be deployed and evaluated, so it is good practice to allow some time before drawing conclusions. The same applies to cases where a status of “Not applicable” is shown: giving the policy enough time to evaluate resolves the problem most of the time.

References and documentation:
