In this post I will show you how to create a custom compliance policy. Using this feature, we can get the compliance status of a device for a specific configuration: minimum free disk space, BitLocker encryption status, TPM status, a specific application version, or a specific make or model of the device. There is no limit to what can be checked. A few built-in compliance policy settings are available and easy to configure; however, if you need a compliance check that Intune does not provide, you can create a custom one consisting of a PowerShell script and a JSON file.
Why is there a need for a custom compliance policy?
Rather than waiting for Intune to add a specific compliance setting, we can create a custom compliance policy based on our requirement. Microsoft is continuously investing in Intune and adding more features; however, if a specific setting is missing, you can create a device compliance policy using custom compliance settings.
What is a custom compliance policy?
A custom compliance policy consists of two files. One is a PowerShell script, also known as the detection script; the other is a JSON file which contains the rules (or answers). Let's look at these two types of files:
- Detection script: This is a PowerShell script. Its purpose is to generate output based on the query you have used. For example, you can output the specific model or manufacturer of the device.
- JSON file: This file contains the value used to mark the device compliant. In other words, the JSON file is our answer file: it is compared against the output of the detection script, and if the output matches what is specified in the JSON file, the device is marked as compliant.
While creating the policy, we must first upload the detection script under Devices > Compliance policies > Scripts in the Intune portal.
A detection script can generate one or more outputs. If there are multiple outputs, there must be a matching rule for each of them in the JSON file.
Create Detection Script (PowerShell Script)
For demonstration purposes, we will use the example of a specific device model. Think of a scenario where the organization wants only specific models to be marked as compliant, and anything else to be marked as non-compliant. With this in mind, I created a small script for this purpose:
# Models that should be treated as compliant
$SupportedModels = @(
    "Precision 7750",
    "Surface Laptop Studio",
    "Virtual Machine"
)
# Read the model name from Win32_ComputerSystem
$WMI_ComputerSystem = Get-WmiObject -Class Win32_ComputerSystem
$Model = $WMI_ComputerSystem.Model
if ($Model -in $SupportedModels) {
    Write-Host "$Model is a supported model" -ForegroundColor Green
    $ModelSupport = @{ModelSupport = "Supported"}
}
else {
    Write-Host "$Model is not a supported model" -ForegroundColor Red
    # Return a value in this branch too, so the rule has something to compare
    # and the device is marked non-compliant instead of reporting a script error
    $ModelSupport = @{ModelSupport = "NotSupported"}
}
# Intune expects the result as compressed JSON
return $ModelSupport | ConvertTo-Json -Compress
In the script above, three models are listed as supported. The output is generated in the variable ModelSupport, which must be converted to JSON using ConvertTo-Json with the -Compress switch. For a supported model the output is ModelSupport with the value Supported.
Create JSON File
If you haven't used a JSON file before, creating this file might be confusing. However, it is easy to understand once you know its rules. The JSON file must be properly formatted and uses the following values:
- SettingName: This is the name of the setting used to mark the device compliant. In our case it is ModelSupport, the key generated by the detection script.
- Operator: This is used to compare the rule, using one of the values IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals. In our case the value is IsEquals.
- DataType: The output generated by the detection script has a specific data type, such as Boolean, Int64, Double, String, DateTime, or Version. In our case it is String.
- Operand: This is the value the detection script output is compared against, or, in other words, the answer we are looking for. In our case the value is Supported.
- MoreInfoUrl: This is a URL shown to the user under the Compliance section of the Company Portal to get more information on the compliance requirement.
- RemediationStrings: The remediation string consists of Language, Title and Description, which are shown in the Company Portal application when the device is marked non-compliant. The message can be customized to give the user enough information about the non-compliance status and what action they need to take.
Following is the JSON file we can use for the supported model check:
{
    "Rules": [
        {
            "SettingName": "ModelSupport",
            "Operator": "IsEquals",
            "DataType": "String",
            "Operand": "Supported",
            "MoreInfoUrl": "https://manishbangia.com",
            "RemediationStrings": [
                {
                    "Language": "en_US",
                    "Title": "This is not a supported model",
                    "Description": "Unsupported Model will be marked as non-compliant"
                }
            ]
        }
    ]
}
You can download the above-mentioned PowerShell script and JSON file from the GitHub repository.
To verify the JSON file, you may use an online JSON viewer, which displays the rules in a structured format and shows an error if any bracket or comma is not terminated correctly. You may use https://jsonblob.com, which presents the JSON file in a readable format.
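An online viewer only checks syntax. Because a detection script can return several settings, each needing its own rule with the right Operator and DataType, the following PowerShell (an added example, not the post's or Intune's own code) runs a rules file locally against a detection output before anything is uploaded. The detection output, the rules JSON and the Test-CustomComplianceRules helper are all constructed for this example.

```powershell
# Constructed stand-in for a multi-output detection script (three settings).
$DetectionOutput = @{
    ModelSupport = "Supported"
    BitLockerOn  = $true
    FreeSpaceGB  = 15
} | ConvertTo-Json -Compress

# Constructed rules file (RemediationStrings omitted; not used by this check).
# SettingName must match a key in the detection output exactly.
$RulesJson = @'
{ "Rules": [
  { "SettingName": "ModelSupport", "Operator": "IsEquals",      "DataType": "String",  "Operand": "Supported" },
  { "SettingName": "BitLockerOn",  "Operator": "IsEquals",      "DataType": "Boolean", "Operand": true },
  { "SettingName": "FreeSpaceGB",  "Operator": "GreaterEquals", "DataType": "Int64",   "Operand": 20 }
] }
'@

# Hypothetical helper: look up SettingName, cast both sides to DataType,
# then compare with Operator against Operand, one result object per rule.
function Test-CustomComplianceRules {
    param([string]$OutputJson, [string]$RulesJson)
    $typeMap = @{ Boolean=[bool]; Int64=[int64]; Double=[double];
                  String=[string]; DateTime=[datetime]; Version=[version] }
    $output = $OutputJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $prop = $output.PSObject.Properties[$rule.SettingName]
        if (-not $prop) {
            # A rule with no matching output key can never pass; flag it explicitly.
            [pscustomobject]@{ Setting=$rule.SettingName; Compliant=$false; Actual="<missing>"; Operand=$rule.Operand }
            continue
        }
        $type     = $typeMap[$rule.DataType]
        $actual   = $prop.Value   -as $type
        $expected = $rule.Operand -as $type
        $ok = switch ($rule.Operator) {
            "IsEquals"      { $actual -eq $expected }
            "NotEquals"     { $actual -ne $expected }
            "GreaterThan"   { $actual -gt $expected }
            "GreaterEquals" { $actual -ge $expected }
            "LessThan"      { $actual -lt $expected }
            "LessEquals"    { $actual -le $expected }
            default         { $false }   # unknown operator never passes
        }
        [pscustomobject]@{ Setting=$rule.SettingName; Compliant=$ok; Actual=$prop.Value; Operand=$rule.Operand }
    }
}

$results = Test-CustomComplianceRules -OutputJson $DetectionOutput -RulesJson $RulesJson
$results | Format-Table -AutoSize
# The device is compliant only if every rule passes; here FreeSpaceGB (15 < 20) fails.
"Device compliant: $(-not ($results.Compliant -contains $false))"
```

To test a real script, replace $DetectionOutput with the output of running that script locally, and keep the rules file identical to the one you will upload.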
Create the custom compliance policy
- Log in to the Microsoft Intune admin center.
- Navigate to Devices > Compliance policies > Scripts. Click Add > Windows 10 and later as shown below:

- Provide the name Check Model and click Next.
- Copy and paste the script shared previously under Detection script, with the following settings:
Run this script using the logged on credentials: No
Enforce script signature check: No
Run script in 64 bit PowerShell Host: Yes

- Complete the rest of the wizard, which will upload the script to the Intune tenant.

- Navigate to Devices > Compliance policies > Policies and create a policy, selecting Platform as Windows 10 and later and Profile type as Windows 10/11 compliance policy.

- Specify the name Check Model and click Next.
- On the Compliance settings page, expand Custom Compliance and set it to Require.
- Specify the discovery script by browsing to and selecting the previously uploaded script.
- Upload the JSON file, which will display the setting name, operator and value.


- Complete the wizard by targeting the policy at a few devices.
Once the device receives the policy, the custom script runs and the device is marked compliant or non-compliant based on the rules.
For troubleshooting, you can check HealthScripts.log and AgentExecutor.log, which contain information related to custom compliance scripts. The log files are located under C:\programdata\Microsoft\IntuneManagementExtension\Logs.
For reporting, navigate to the custom policy we created and click Monitor > View report. This shows the device status. You can navigate to Per-setting status for granular detail if your detection script returns multiple values.
I will provide the troubleshooting steps and the information captured in the log files in my next post.
Important links
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-use-custom-settings
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-custom-json
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-custom-script