Check OS Version Compliance with Device Compliance Policy & Notify User | Microsoft Intune

Microsoft Intune device compliance policies define the rules and settings that users and managed devices must meet to be considered compliant. The following platforms are supported for device compliance policy.

  • Android device administrator
  • Android AOSP
  • Android Enterprise
  • iOS
  • Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
  • macOS
  • Windows 10/11

In this blog post, we will discuss how we can set up a device compliance policy to check the minimum required OS version. We will also understand how to send notifications to noncompliant devices.

How to Create a Notification for Device Compliance Policy

Let’s start by creating a notification, which we will later attach to the Intune device compliance policy so that it fires when a noncompliant OS version is detected on the user’s device. This email notification template is what Intune uses to send the email to the user.

In the Microsoft Intune admin center, select Devices | Compliance policies | Notifications and click on Create notification.

Intune noncompliance notification

Provide the following details on the Basics page.

  • Name: Enter a name for the notification template
  • Email header – Include company logo: Click on the toggle button to enable the setting
  • Email footer – Include company name: Click on the toggle button to enable the setting
  • Email footer – Include contact information: Click on the toggle button to enable the setting
  • Company Portal Website Link: Enable this if you want the email to include a link to the Company Portal website, where the user can see why the device is noncompliant and install any application needed to make it compliant.

intune device compliance notification

In the Notification message templates, enter the required details and click on Next.

intune create device noncompliance notification

Update: Intune service release 2312 introduced support for variables in noncompliant email notifications. You can use variables in the subject line and body of the message to create a personalized email with dynamic content. Each variable is replaced with the actual value when the notification is sent. The supported variables are listed below (variable name, token to use, description).

  • User name – {{UserName}}: Inserts the primary user name for the noncompliant device. Example: Test user1
  • Device name – {{DeviceName}}: Inserts the name of the noncompliant device as it is recorded in Microsoft Intune. Example: Test iPad1
  • Device ID – {{DeviceId}}: Inserts the Intune device ID that belongs to the noncompliant device. Example: 1234-5678-910111213
  • Device OS version – {{OSAndVersion}}: Inserts the operating system and version of the noncompliant device. Example: iPhone 17.1.2

In the Review + create tab, review the details and click on Create. This creates the user notification template, which you can find under the Notifications blade.

Send notifications to noncompliant devices

Note: You can create multiple email notification templates and use them in a single compliance policy. For example, you can send the first notification immediately, as soon as a device is marked noncompliant, and send the second and third notifications in week 2 and week 3 respectively.

How to Create an Intune Device Compliance Policy

We will now create an Intune compliance policy to identify the machines whose OS version is lower than Windows 10 21H1.

In the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center), select Devices | Compliance policies and click on Create policy.

Intune | Device compliance Policy | OS version compliance

In the Basics tab, enter the policy name and click on Next.

Intune os version compliance policy

On the Compliance settings tab, expand Device properties and enter the required details. Here we set Minimum OS version to Windows 10 21H1 (OS version 10.0.19043.1237). If a device’s OS version is lower than this, the device is reported as Noncompliant. Enter the version in the full major.minor.build.revision form as shown; the comparison is a version comparison, so Windows 11 devices (build 10.0.22000 and later) evaluate as above this minimum and remain compliant. Note that Windows 10 21H1 itself reached end of servicing in December 2022, so in production pick the minimum from a build that is still serviced.

Click on Next to move to the next tab.

Intune Device compliance Policy

Now we will configure the actions for noncompliant devices. In the Actions for noncompliance tab, select the following actions.

  • Mark device noncompliant – set to Immediately or to a number of days. This is the default action and you can’t remove it. If you set a value other than 0, the device is still considered noncompliant, but it stays in a grace period for the given number of days and can continue to access company resources during that time.
  • Send email to end user:
    • Schedule (days): Immediately
    • Message template: select the notification message template that we created earlier
    • Additional recipients: add an Azure AD group (for example a help desk distribution group) if you want to copy additional recipients on the email sent to the user
  • Retire the noncompliant device: 120 days. Retire removes the device from Intune management and removes company data from it, so set this long enough that users and the help desk have time to remediate.

Click on Next

Note: You can add multiple “Send email to end user” actions to send reminders to users, using the same or different email notification templates.

Configure actions for noncompliant devices in Intune

In the Assignments tab, select the Azure AD Group where you want to apply this policy and click on Next.

Endpoint Manager | Device compliance Policy | Assignments

In the Review + create tab, review the settings and click on Create.

Endpoint Manager | Device compliance Policy | Review

The policy is now created. You can check the newly created device compliance policy from the Devices | Compliance policies blade.
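The two portal procedures above (creating the notification template, then creating and assigning the compliance policy with its noncompliance actions) can also be scripted against Microsoft Graph. The following PowerShell is an added example written for this page, not code from the original post; it uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest). The group IDs are placeholders, the Graph scopes listed are the ones assumed to be needed for these endpoints and should be checked against your tenant, and the ruleName value PasswordRequired is the fixed name Intune uses for the default action set.

```powershell
# Added example (not from the original post): create the notification template and the
# OS-version compliance policy described above through Microsoft Graph v1.0.
# Assumptions: placeholder group IDs below, and an account granted the two listed scopes.

#Requires -Modules Microsoft.Graph.Authentication

$MinimumOsVersion = '10.0.19043.1237'                          # Windows 10 21H1, as in the post
$TargetGroupId    = '00000000-0000-0000-0000-000000000001'     # placeholder: assignment group
$CcGroupId        = '00000000-0000-0000-0000-000000000002'     # placeholder: help desk CC group
$RetireAfterDays  = 120

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementServiceConfig.ReadWrite.All'

$graph = 'https://graph.microsoft.com/v1.0/deviceManagement'

# 1. Notification template (Devices | Compliance policies | Notifications in the portal).
#    brandingOptions mirrors the four toggles on the Basics page.
$template = Invoke-MgGraphRequest -Method POST -Uri "$graph/notificationMessageTemplates" -Body @{
    displayName     = 'OS version noncompliance notification'
    brandingOptions = 'includeCompanyLogo,includeCompanyName,includeContactInformation,includeCompanyPortalLink'
} -ContentType 'application/json'

# 2. Subject and body for the template. {{UserName}}, {{DeviceName}} and {{OSAndVersion}}
#    are the variables supported since Intune 2312; Intune substitutes them when sending.
$null = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" -Body @{
    locale          = 'en-us'
    subject         = 'Action required: {{DeviceName}} is below the minimum Windows version'
    messageTemplate = "Hello {{UserName}},`n`n{{DeviceName}} is running {{OSAndVersion}}, which is below the required minimum $MinimumOsVersion. Please install Windows updates or contact the help desk."
    isDefault       = $true
} -ContentType 'application/json'

# 3. Compliance policy with the three actions from the Actions for noncompliance tab:
#    block = mark noncompliant immediately, notification = email immediately with the
#    help desk group in CC, retire after 120 days. Graph takes the schedule in hours.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies" -Body @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows minimum OS version 21H1'
    description             = "Devices below $MinimumOsVersion are marked noncompliant"
    osMinimumVersion        = $MinimumOsVersion
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'      # fixed name Intune uses for the default rule
            scheduledActionConfigurations = @(
                @{ actionType = 'block';        gracePeriodHours = 0 }
                @{ actionType = 'notification'; gracePeriodHours = 0
                   notificationTemplateId    = $template.id
                   notificationMessageCCList = @($CcGroupId) }
                @{ actionType = 'retire';       gracePeriodHours = $RetireAfterDays * 24 }
            )
        }
    )
} -ContentType 'application/json'

# 4. Assign the policy to the Azure AD group (Assignments tab).
$null = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
} -ContentType 'application/json'

"Created notification template $($template.id) and compliance policy $($policy.id)"
```

Run it once against a test group first and confirm in the portal that the policy shows the expected Minimum OS version and the three actions; the retire action is destructive, so keep it at the end of the schedule rather than removing the block action in front of it.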

Endpoint Manager | Device compliance Policy | Status

You can see the compliance status once the policy has been evaluated on the client.

End User Experience

As soon as a noncompliant device is detected, an email is sent to the user informing them of the device’s noncompliant state. You can add the necessary instructions for the user to upgrade the device, either by contacting the help desk or by following a link to a self-service upgrade guide.

Please see the sample email below which was sent by Intune Notification Service for this testing.

Endpoint Manager | Device compliance Policy | User notification email
