Intune Compliance Policies for Small Businesses in Berlin: Blocking Unhealthy Devices from Company Data
Every device accessing your Microsoft 365 environment is a potential entry point. Intune Compliance Policies define the minimum health requirements a device must meet — and when combined with Conditional Access, devices that fall below the bar are automatically blocked from accessing email, Teams, and SharePoint.
Compliance Policies vs. Configuration Profiles
Intune has two distinct policy types that serve complementary purposes. Configuration profiles push settings to devices — they configure BitLocker encryption, push Wi-Fi settings, deploy certificate profiles. Compliance policies evaluate whether a device meets defined health criteria — they do not change settings, they assess them and report a compliant or non-compliant status. That compliance status is then consumed by Conditional Access to make allow/block decisions.
This distinction matters operationally: a configuration profile that enables BitLocker and a compliance policy that requires BitLocker are separate controls. The configuration profile deploys the setting. The compliance policy verifies it is actually active. If a user disables BitLocker manually after the configuration profile has been applied, the device becomes non-compliant and Conditional Access blocks M365 access, which creates a self-correcting enforcement loop. The loop is not instantaneous: the compliance state changes when the device next checks in with Intune, and Conditional Access applies the new state the next time a token is requested, so expect a window of hours between the change on the device and the block.
Key Compliance Settings to Configure
| Setting | Recommended Value | Why It Matters |
|---|---|---|
| BitLocker required | Yes | Prevents data access from stolen/lost devices |
| Microsoft Defender Antivirus required | Active and up-to-date | Blocks devices with disabled endpoint protection |
| Minimum OS version | Windows 11 22H2 / iOS 16 / Android 11 | Blocks OS versions that no longer receive security updates; raise the floor as older versions leave support |
| Secure Boot enabled | Required | Protects against bootkit and rootkit persistence |
| Firewall enabled | Required | Network-level protection baseline |
| Grace period (Actions for noncompliance: mark device noncompliant after) | 3–7 days | Gives users time to remediate before Conditional Access starts blocking |
| Defender for Endpoint machine risk score (Windows) / device threat level (iOS, Android) | Clear or Low (Windows) / Secured or Low (mobile) | Blocks devices with active Defender for Endpoint or Mobile Threat Defense alerts; requires the Defender for Endpoint or MTD connector in Intune |
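The following script is an added example, not code from the original page, showing how the Windows row of the table above is created and assigned through Microsoft Graph with the Microsoft.Graph PowerShell SDK, including the grace period under Actions for noncompliance. It assumes the Microsoft.Graph module is installed, the signed-in admin holds DeviceManagementConfiguration.ReadWrite.All, the Defender for Endpoint connector is already set up in Intune (needed for the machine risk score check), and `$targetGroupId` is a placeholder for your Windows device group.

```powershell
# Added example (not from the original page): Windows compliance policy via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementConfiguration.ReadWrite.All granted;
# Defender for Endpoint connector configured in Intune; $targetGroupId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your Windows device group

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Windows - baseline device health"
    description            = "BitLocker, Secure Boot, firewall, Defender AV, minimum OS, MDE risk score"
    osMinimumVersion       = "10.0.22621.0"   # Windows 11 22H2 build; raise as versions leave support
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true            # Microsoft Defender Antimalware must be running
    rtpEnabled             = $true            # real-time protection on
    signatureOutOfDate     = $true            # require security intelligence to be up to date
    antivirusRequired      = $true            # an antivirus must be registered and active
    antiSpywareRequired    = $true
    # Defender for Endpoint machine risk score: device must be at or under "low".
    # Graph uses "secured" for the level the portal labels "Clear" on Windows.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"
    # Actions for noncompliance. Graph requires at least one scheduled action on create,
    # and the default rule is always named "PasswordRequired" regardless of which
    # settings fail. gracePeriodHours 72 = 3 days before the device is marked noncompliant.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 72
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created compliance policy $($created.id)"

# Assign the policy to the device group; an unassigned policy evaluates nothing.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verification: list enrolled devices that Intune currently reports as noncompliant.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime"
(Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
    Format-Table deviceName, operatingSystem, osVersion, lastSyncDateTime
```

The iOS and Android rows are created the same way with `#microsoft.graph.iosCompliancePolicy` and `#microsoft.graph.androidWorkProfileCompliancePolicy` bodies; the `scheduledActionsForRule` block and the `assign` call are identical. Run the final query again after devices have checked in to see which ones the table's requirements actually catch.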
Connecting Compliance to Conditional Access
A compliance policy alone does nothing to restrict access. It only evaluates and reports status. The enforcement happens in Conditional Access. Configure a Conditional Access policy targeting All users, All cloud apps, with the Grant control set to "Require device to be marked as compliant." This creates the enforcement chain: the device checks in with Intune, receives a compliant or non-compliant status, and Conditional Access allows or blocks the authentication accordingly. Two practical caveats: exclude your emergency access (break-glass) accounts from the policy, because a misconfigured compliance policy would otherwise lock the tenant's last administrator out; and remember that a device with no compliance state at all (not enrolled, or a platform with no compliance policy assigned) also fails this grant, so the policy must be rolled out together with enrollment.
Rollout recommendation: use Report-only mode in Conditional Access first. This logs what would have been blocked without actually blocking anything, so you can identify devices that would fail compliance and remediate them before turning on enforcement. The sign-in log records a result of "reportOnlyFailure" for each sign-in the policy would have blocked, and the Conditional Access "What If" tool lets you test individual users and devices before the first real sign-in. One known side effect: a report-only policy that requires a compliant device may still prompt users on Mac, iOS, and Android to select a device certificate during evaluation, even though nothing is enforced. A sudden block of non-compliant devices without a grace period generates immediate support requests.
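The following script is an added example, not code from the original page, creating the enforcement policy from this section in report-only mode through Microsoft Graph and then reading the sign-in log to list the users and devices that would have been blocked. It assumes the Microsoft.Graph PowerShell SDK is installed, the admin holds Policy.ReadWrite.ConditionalAccess plus AuditLog.Read.All and Directory.Read.All for the sign-in log, and `$breakGlassAccountId` is a placeholder for your emergency access account. The platform scoping is a choice made here, not something the section prescribes.

```powershell
# Added example (not from the original page): report-only CA policy requiring a compliant device,
# plus a sign-in log review. Assumptions: Microsoft.Graph SDK installed; scopes below granted;
# $breakGlassAccountId is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access account

$caPolicy = @{
    displayName = "CA - Require compliant device (report-only)"
    # Report-only: evaluated and logged, never enforced. Change to "enabled" after remediation.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)   # never subject the break-glass account to device controls
        }
        applications = @{ includeApplications = @("All") }
        # Scope to the platforms you actually enroll: a platform with no compliance policy
        # has no compliance state and would otherwise fail the compliant-device requirement.
        platforms = @{ includePlatforms = @("windows", "iOS", "android") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # "Require device to be marked as compliant"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created CA policy $($created.Id) in state $($created.State)"

# Review what report-only mode recorded over the last 24 hours. Each sign-in carries the result
# of every CA policy evaluated for it; "reportOnlyFailure" means "would have been blocked".
$since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$wouldBeBlocked = $signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
}

$wouldBeBlocked |
    Select-Object UserPrincipalName,
        @{ n = "Device";    e = { $_.DeviceDetail.DisplayName } },
        @{ n = "OS";        e = { $_.DeviceDetail.OperatingSystem } },
        @{ n = "Managed";   e = { $_.DeviceDetail.IsManaged } },
        @{ n = "Compliant"; e = { $_.DeviceDetail.IsCompliant } },
        @{ n = "App";       e = { $_.AppDisplayName } } |
    Sort-Object UserPrincipalName, Device -Unique |
    Format-Table -AutoSize
```

Sign-in log entries arrive with some delay, so run the review part a day or two after creating the policy. A row with `Managed` false is a device that was never enrolled; a row with `Managed` true and `Compliant` false is one your compliance policy is catching, and the Intune device record shows which setting failed. Only when the list is empty, or every remaining row is a device you intend to block, switch `state` to `enabled`.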
Handling Non-Compliant Device Notifications
Configure Intune to send notification emails to users when their device becomes non-compliant. In Intune this is a notification message template attached to the compliance policy under Actions for noncompliance, scheduled before the "mark device noncompliant" action so the user hears about the problem while the device still has access. The notification should include: what requirement is not met (plain language, not technical codes), what the user needs to do to remediate, and when the grace period expires. Without a clear notification workflow, non-compliant device blocks appear to users as random access failures, generating support tickets rather than device remediation.
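The following script is an added example, not code from the original page, building the notification described above as an Intune notification message template and wiring it into an existing compliance policy's Actions for noncompliance: e-mail at once, mark noncompliant after 3 days. It assumes the Microsoft.Graph PowerShell SDK is installed, the admin holds DeviceManagementConfiguration.ReadWrite.All, `$compliancePolicyId` is a placeholder for an existing compliance policy, and the helpdesk address in the message is a placeholder.

```powershell
# Added example (not from the original page): notification template + scheduled actions via Graph.
# Assumptions: Microsoft.Graph SDK installed; DeviceManagementConfiguration.ReadWrite.All granted;
# $compliancePolicyId and helpdesk@example.com are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$compliancePolicyId = "00000000-0000-0000-0000-000000000000"   # placeholder: existing compliance policy
$graph = "https://graph.microsoft.com/v1.0/deviceManagement"

# 1. The template. Branding options add company name, logo, contact details and the
#    affected device's details to the mail, so the user knows which device is meant.
$template = @{
    displayName     = "Device not compliant - action required"
    defaultLocale   = "en-us"
    brandingOptions = "includeCompanyName,includeCompanyLogo,includeContactInformation,includeDeviceDetails"
}
$createdTemplate = Invoke-MgGraphRequest -Method POST -Uri "$graph/notificationMessageTemplates" `
    -Body ($template | ConvertTo-Json) -ContentType "application/json"

# 2. The localized text: plain language, the fix, and the deadline. A German (de-de)
#    message is added the same way with a second POST if your users prefer it.
$message = @{
    locale          = "en-us"
    isDefault       = $true
    subject         = "Your device no longer meets the company security requirements"
    messageTemplate = @"
One of your devices no longer meets a security requirement (for example disk encryption,
antivirus, firewall or the minimum Windows version is off or outdated).

What to do: open the Company Portal app, select the device, and choose "Check access".
The portal shows the failed requirement and how to fix it.

If the device is not fixed within 3 days it will lose access to e-mail, Teams and
SharePoint until it is compliant again. Help: helpdesk@example.com (placeholder).
"@
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/notificationMessageTemplates/$($createdTemplate.id)/localizedNotificationMessages" `
    -Body ($message | ConvertTo-Json) -ContentType "application/json"

# 3. Attach it to the policy's scheduled actions: notify at 0 hours, mark noncompliant after 72.
#    This call replaces the policy's whole action list, so include every action you want to keep.
$actions = @{
    deviceComplianceScheduledActionForRules = @(
        @{
            ruleName = "PasswordRequired"   # fixed default rule name used by Graph
            scheduledActionConfigurations = @(
                @{ actionType = "notification"; gracePeriodHours = 0;  notificationTemplateId = $createdTemplate.id; notificationMessageCCList = @() }
                @{ actionType = "block";        gracePeriodHours = 72; notificationTemplateId = "";                  notificationMessageCCList = @() }
            )
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceCompliancePolicies/$compliancePolicyId/scheduleActionsForRules" `
    -Body ($actions | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verify the schedule as Intune now holds it.
(Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceCompliancePolicies/$compliancePolicyId/scheduledActionsForRule?`$expand=scheduledActionConfigurations" `
    -OutputType PSObject).value.scheduledActionConfigurations |
    Format-Table actionType, gracePeriodHours, notificationTemplateId
```

The ordering matters: the notification action fires at 0 hours, before the block action at 72 hours, so the mail reaches the user's mailbox while the device can still open it. If the block fired first, the user would read the explanation only from another device, if at all.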
BYOD Compliance: Handling Personally Owned Devices
Compliance policies apply to enrolled devices. For BYOD (personally owned) devices not enrolled in Intune MDM, use App Protection Policies (MAM) as the parallel control: they protect company data within the managed apps (PIN, encryption, copy/paste and save-as restrictions, selective wipe) without requiring full device enrollment or compliance evaluation, and Conditional Access can require an app protection policy instead of a compliant device for those users. For Android devices enrolled as a personally owned work profile, Intune manages only the work profile, so compliance policies evaluate that partition and have no visibility into the personal side. This is the privacy-appropriate architecture for German BYOD scenarios.
IT Experts Berlin — Device Compliance and Endpoint Security
We configure Intune Compliance Policies and Conditional Access enforcement for your entire device fleet — Windows, iOS, Android — with user notification workflows and a phased rollout that avoids disruption. Book a consultation.
