Intune Custom Compliance Policy

Device compliance policies are a key feature when using Intune to protect your organization's resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. Before you can use custom compliance settings in Intune, you must define a PowerShell script that discovers those custom settings on devices.

The discovery script:

Is added to Intune before you create a compliance policy. After it's added, it is available to select when you create a compliance policy with custom settings.
Runs on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload to the same policy.
Identifies one or more settings, as defined in the JSON, and returns a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
Must be compressed to output results in one line.

For example:

$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
Must include the following line at the end of the script: return $hash | ConvertTo-Json -Compress

The following is a sample PowerShell script, followed by its output when run locally:

$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
return $hash | ConvertTo-Json -Compress
PS C:\Users\apervaiz\Documents> .\sample.ps1
{"ModelName":  "Dell","BiosVersion":  1.24,"TPMChipPresent":  true}

To support custom settings for compliance, you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines the settings that the PowerShell discovery script reports and the values Intune compares them against when it evaluates the device.

Preparation of a discovery script for Cortex XDR installation


Function Check-Cortex {
    # Win32_Product lists MSI-installed software. Note that enumerating it is slow and
    # triggers a consistency check (and possible repair) of every installed MSI package.
    $hash = Get-WmiObject -Class Win32_Product | Where-Object Name -Like "Cortex*" | Select-Object Name -Last 1

    # This only confirms that a "Cortex*" product is registered, not that the agent is running.
    if ($hash) {
        # Agent found: emit the single-line JSON Intune expects, keyed on "Name"
        return @{Name = $true} | ConvertTo-Json -Compress
    } else {
        return @{Name = $false} | ConvertTo-Json -Compress
    }
}

# The function must be called; a definition on its own outputs nothing for Intune to read.
Check-Cortex
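The JSON rules file is the half of a custom compliance policy this write-up does not show. Below is an added example, not part of the original post, that builds the rules file for the Check-Cortex script and then dry-runs the pair locally, so that a SettingName with no matching key in the script's output is caught before the upload and validation step of the policy wizard. The setting name "Name" comes from the script above; the MoreInfoUrl, the remediation strings and the discovery output string are constructed for the example.

```powershell
# Added example (not from the original post): build the custom compliance JSON that
# pairs with the Check-Cortex discovery script, then dry-run both halves locally.

# 1. The compliance rules, in the schema Intune expects for custom compliance.
#    SettingName must equal a key in the discovery script's JSON output ("Name" here).
$complianceRules = [ordered]@{
    Rules = @(
        [ordered]@{
            SettingName = 'Name'            # key emitted by Check-Cortex
            Operator    = 'IsEquals'
            DataType    = 'Boolean'
            Operand     = $true             # must be a JSON boolean, not the string "true"
            MoreInfoUrl = 'https://intranet.example.invalid/cortex-xdr'   # placeholder URL
            RemediationStrings = @(
                [ordered]@{
                    Language    = 'en_US'
                    Title       = 'Cortex XDR agent is not installed.'
                    Description = 'Install the Cortex XDR agent from the Company Portal.'
                }
            )
        }
    )
}
$complianceRules | ConvertTo-Json -Depth 5 | Set-Content -Path .\CortexCompliance.json -Encoding UTF8

# 2. Constructed discovery output: what Check-Cortex returns on a device with the agent
#    present. Replace with the real script's output (e.g. .\Check-Cortex.ps1) to test it.
$discoveryJson = '{"Name":true}'

# 3. Local dry run: evaluate every rule against the discovered values.
function Test-CustomComplianceRules {
    param(
        [Parameter(Mandatory)][string]$RulesPath,
        [Parameter(Mandatory)][string]$DiscoveryJson
    )
    $rules      = (Get-Content -Path $RulesPath -Raw | ConvertFrom-Json).Rules
    $discovered = $DiscoveryJson | ConvertFrom-Json
    $allPass    = $true

    foreach ($rule in $rules) {
        $prop = $discovered.PSObject.Properties[$rule.SettingName]
        if (-not $prop) {
            Write-Warning "Rule '$($rule.SettingName)' has no matching key in the discovery output; Intune evaluates such a setting as noncompliant."
            $allPass = $false
            continue
        }
        # Cast both sides to the declared DataType so the comparison mirrors Intune's typed evaluation.
        $actual  = $prop.Value
        $operand = $rule.Operand
        switch ($rule.DataType) {
            'Boolean'  { $actual = [bool]::Parse([string]$actual); $operand = [bool]::Parse([string]$operand) }
            'Int64'    { $actual = [int64]$actual;    $operand = [int64]$operand }
            'Double'   { $actual = [double]$actual;   $operand = [double]$operand }
            'Version'  { $actual = [version]$actual;  $operand = [version]$operand }
            'DateTime' { $actual = [datetime]$actual; $operand = [datetime]$operand }
            default    { $actual = [string]$actual;   $operand = [string]$operand }
        }
        $pass = switch ($rule.Operator) {
            'IsEquals'      { $actual -eq $operand }
            'NotEquals'     { $actual -ne $operand }
            'GreaterThan'   { $actual -gt $operand }
            'GreaterEquals' { $actual -ge $operand }
            'LessThan'      { $actual -lt $operand }
            'LessEquals'    { $actual -le $operand }
            default         { Write-Warning "Unknown operator '$($rule.Operator)'"; $false }
        }
        "{0,-12} {1,-14} expected {2,-6} actual {3,-6} -> {4}" -f $rule.SettingName, $rule.Operator, $operand, $actual, $(if ($pass) { 'PASS' } else { 'FAIL' })
        if (-not $pass) { $allPass = $false }
    }
    return $allPass
}

Test-CustomComplianceRules -RulesPath .\CortexCompliance.json -DiscoveryJson $discoveryJson
```

Run it in the same shell you use to test the discovery script. Two details matter when the policy is later validated: every SettingName must match an output key of the script exactly, and Operand must be written in the JSON type that DataType declares, as the example does with a bare true for a Boolean rule.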

Upload the script under Devices > Compliance policies > Scripts.

Create the policy

Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Compliance policies > Policies > Create Policy.
Select a Platform for this policy.
On the Basics tab, specify a Name.

On the Compliance settings tab, choose Custom compliance and select the discovery script.

Select the Setting name, Operator and Value from the loaded script,

and make sure the Setting name, Operator and Value are validated properly.

Select the Actions for noncompliance and Assignments.

Overview of Custom compliance in Intune dashboard