
Intune Compliance

Handian Sudianto 6,886 Reputation points
2026-03-25T10:14:41.8+00:00

I am trying to integrate my Network Access Control with Intune to get the device compliance status, so that only compliant devices can connect to the network.

From Intune's point of view, what criteria does Intune use to consider a device compliant or not compliant?

If the device is now in a compliant state, what can I do to make the device not compliant for testing purposes?


Microsoft Security | Intune | Compliance

2 answers

  1. Prathista Ilango 1,065 Reputation points Microsoft Employee
    2026-03-25T17:40:12.5233333+00:00

    Hello Handian Sudianto,

    I understand you’re trying to mark the device as non‑compliant to test the Network Access Control (NAC) integration. As mentioned earlier, a device becomes non‑compliant when it fails to meet any configured compliance criteria such as OS version, password requirements, BitLocker, Microsoft Defender, and so on.

    For testing purposes, the simplest approach is to temporarily remove the device from any groups targeted with compliance policies and then set the tenant setting “Mark devices with no compliance policy assigned as” to Not compliant. This allows you to validate the NAC behavior without changing device security settings.


    Hope this helps!

    If you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.


  2. Q&A Assist
    2026-03-25T10:15:03.7533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Intune considers a device compliant or noncompliant based on:

    1. Tenant-wide Compliance policy settings
      • Mark devices with no compliance policy assigned as:
        • Compliant (default): Devices without any assigned device compliance policy are treated as compliant.
        • Not compliant: Devices without any assigned device compliance policy are treated as noncompliant. This is recommended when using Conditional Access so only confirmed-compliant devices can access resources.
      • Compliance status validity period (days):
        • If a device does not successfully report on all assigned compliance policies within this period (1–120 days, default 30), it is treated as noncompliant.
    2. Device compliance policies assigned to the user/device
      • These are platform-specific rule sets (for example, Windows, iOS, Android) that define what “compliant” means. Examples of rules:
        • Minimum OS version
        • Not jail-broken/rooted
        • Threat level from integrated threat management software
        • Windows-specific items like OS build ranges or Configuration Manager compliance
      • If the device meets all rules in all assigned compliance policies, its status is Compliant.
      • If it fails any rule, the policy’s actions for noncompliance are applied and the device becomes Noncompliant. Conditional Access can then block access based on that status.
    3. Evaluation behavior
      • Devices are evaluated when they check in with Intune. Newly enrolled devices can show Unknown until evaluated.
      • Devices actively syncing cannot move from Compliant/Noncompliant back to Unknown.
    4. NAC integration
      • A NAC solution queries Intune for the device’s compliance state and its “managed by Intune” status, and then allows or blocks network access accordingly.

    To make a currently compliant device noncompliant for testing NAC:

    1. Use compliance policy rules
      • Edit an existing device compliance policy (or create a test policy) and configure a rule that the test device will intentionally fail. Examples based on the available concepts:
        • Set a minimum OS version or OS build range that is higher than the device’s current version so the device falls outside the compliant range.
        • For co-managed Windows devices, set Require device compliance from Configuration Manager and ensure the Configuration Manager compliance baseline is not met.
      • Assign this policy to the user or device group that contains the test device.
      • After the device checks in, it will evaluate the policy, fail the rule, and become Noncompliant. NAC should then see the noncompliant state and block network access according to its configuration.
    2. Use the compliance status validity period
      • Reduce Compliance status validity period (days) to a very small value (for example, 1 day) for testing.
      • Stop the test device from checking in with Intune until the period expires.
      • After the validity period passes without a successful compliance report, Intune will treat the device as Noncompliant.

    For production, ensure that:

    • Every device has at least one appropriate device compliance policy assigned.
    • “Mark devices with no compliance policy assigned as” is set to Not compliant when using Conditional Access and NAC, so only devices that actually meet defined rules are allowed.

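Whichever testing method you pick, the state to verify is the one a NAC integration actually receives from Intune. The script below is an added example (not code from either answer or from Microsoft) that reads the two tenant-wide settings discussed above and lists every managed device with its compliance state, flagging devices whose last check-in is older than the validity period. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account holds the DeviceManagementManagedDevices.Read.All and DeviceManagementConfiguration.Read.All scopes; the Graph paths and property names are from the v1.0 deviceManagement API.

```powershell
# Added example: show the compliance picture as a NAC integration would see it.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','DeviceManagementConfiguration.Read.All'

# Tenant-wide settings: secureByDefault is "Mark devices with no compliance policy assigned as"
# (true = Not compliant), deviceComplianceCheckinThresholdDays is "Compliance status validity period (days)".
$settings = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement?$select=settings').settings
$validityDays = [int]$settings.deviceComplianceCheckinThresholdDays
$noPolicyState = if ($settings.secureByDefault) { 'Not compliant' } else { 'Compliant' }
Write-Host "Devices with no compliance policy are treated as: $noPolicyState"
Write-Host "Compliance status validity period: $validityDays days"

# Page through all managed devices; complianceState is the value NAC asks Intune for.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime'
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'   # null on the last page
} while ($uri)

# A device that has not reported within the validity period is treated as noncompliant,
# so a stale check-in explains a "noncompliant" state even when every rule is met.
$cutoffUtc = (Get-Date).ToUniversalTime().AddDays(-$validityDays)
$devices | ForEach-Object {
    $lastSyncUtc = ([datetime]$_.lastSyncDateTime).ToUniversalTime()
    [pscustomobject]@{
        Device          = $_.deviceName
        OS              = "$($_.operatingSystem) $($_.osVersion)"
        ComplianceState = $_.complianceState   # compliant, noncompliant, unknown, inGracePeriod, ...
        LastSyncUtc     = $lastSyncUtc
        StaleCheckin    = $lastSyncUtc -lt $cutoffUtc
    }
} | Sort-Object ComplianceState, Device | Format-Table -AutoSize
```

Run it before and after applying the test method; the test device should move from compliant to noncompliant in the ComplianceState column, which is what the NAC's Intune query returns.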
