When it comes to configuring compliance policies, Intune provides settings out of the box that can be monitored for configuration drift, such as BitLocker enabled, minimum OS version, and antivirus, to name a few. However, if the setting (or state) you want to capture isn't included, Intune provides a way to use PowerShell to detect that information on an endpoint.
Since a PowerShell script is the detection method, this gives us a practically unlimited number of ways to check for compliance on a Windows endpoint. In this post, we're going to take a look at what Intune Custom Compliance Policies are, how to create them, and how these policies are deployed and evaluated on the endpoint.
Prerequisites
- Microsoft Intune subscription
- A text editor (Visual Studio Code is a great open-source editor)
What is a Custom Compliance Policy?
Creating a custom compliance policy in Intune requires a PowerShell detection script as well as a JSON file. Custom compliance policies can be used when the out-of-the-box compliance settings don't satisfy the requirement.
Create a Custom Compliance Detection Script
Download the PowerShell detection script and JSON file used in the example below from my GitHub repo
If you want to learn more about how to write your own custom compliance detection script and JSON file, Steve Weiner has a great video on this topic that you can check out here.
All the following steps are performed in the Microsoft Intune admin center.
First, we need to create the PowerShell detection script and JSON file that will be used for the custom compliance policy. The PowerShell script will check the signature of a file using WinVerifyTrust, and the JSON file will define the compliance policy configuration.
- Select Devices > Manage Devices > Compliance > Scripts > + Add > Windows 10 and later
- Under the Basics tab, provide a name and description for the script, then click Next.
- Name: WinVerifyTrust Signature Validation Required
- Under Settings configure the following:
- Detection script: If following along with the example, use the Get-WinVerifyTrustCompliance.ps1 PowerShell script from the GitHub repo linked above.
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: Yes
- Click Next > Create
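As an added example (not the Get-WinVerifyTrustCompliance.ps1 script from the repo above), here is what a detection script and the JSON rules file that pairs with it look like. It assumes a hypothetical target file path and uses Get-AuthenticodeSignature, which performs its validation through the WinVerifyTrust API, rather than calling WinVerifyTrust directly via P/Invoke.

```powershell
# Added example detection script; not the Get-WinVerifyTrustCompliance.ps1 from the
# author's repo. Intune reads the script's output as one compressed JSON object whose
# keys must match the SettingName values in the policy's JSON rules file.
# Assumption: the file to validate is a hypothetical path; adjust for your environment.
$TargetFile = 'C:\Program Files\Contoso\agent.exe'

# Fail closed: anything unexpected leaves the device noncompliant.
$SignatureValid = $false

if (Test-Path -Path $TargetFile -PathType Leaf) {
    try {
        # Get-AuthenticodeSignature validates the Authenticode signature and its
        # certificate chain through the WinVerifyTrust API.
        $sig = Get-AuthenticodeSignature -FilePath $TargetFile -ErrorAction Stop
        # Only 'Valid' passes; NotSigned, HashMismatch, NotTrusted, UnknownError fail.
        $SignatureValid = ($sig.Status -eq 'Valid')
    }
    catch {
        # Leave $SignatureValid at $false; the error is visible in the IME log.
        Write-Verbose "Signature check failed: $($_.Exception.Message)"
    }
}

# Key name = SettingName in the rules file; value = what the rule compares against.
$Result = @{ WinVerifyTrustSignatureValid = $SignatureValid }
Write-Output ($Result | ConvertTo-Json -Compress)

<#
Matching JSON rules file for the compliance policy (MoreInfoUrl is a placeholder):
{
  "Rules": [
    {
      "SettingName": "WinVerifyTrustSignatureValid",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/signature-policy",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Signature validation failed",
          "Description": "The monitored file is missing or its Authenticode signature did not pass WinVerifyTrust."
        }
      ]
    }
  ]
}
#>
```

Every key the script emits should have a matching rule, and a device that never runs the script (for example, because the IME is not installed) is never reported as compliant for this setting.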

Create a Custom Compliance Policy
- Select Devices > Manage Devices > Compliance > + Create Policy
- Platform: Windows 10 and later
- Platform type: Windows 10/11 compliance policy
- Click Create and configure the following:
- Name: WinVerifyTrust Compliance Policy
- Compliance settings: Custom compliance
- Custom compliance: Require
- Select your discovery script: Select the WinVerifyTrust Signature Validation Required PowerShell script
- Configure the noncompliance action:
- Actions for noncompliance: Mark device noncompliant immediately
- Assign the appropriate group(s) to the policy and click Create.
Deploying the Policy to the Device
Before the policy can be deployed the Intune Management Extension (IME) needs to be installed on the endpoint. The IME performs all the magic behind the scenes when it comes to bringing the custom compliance detection script down from Intune, running the script using the AgentExecutor, and updating the appropriate registry key to indicate whether the device is compliant or not.