Intune Custom Compliance Policy
Device compliance policies are a key feature when using Intune to protect your organization’s resources. In Intune, you can create rules and settings that devices must meet to be considered compliant, such as a minimum OS version. Before you can use custom settings for compliance with Intune, you must define a PowerShell script for discovery of custom compliance settings on devices.
The discovery script:
Is added to Intune before you create a compliance policy. After it's added, it will be available to select when you create a compliance policy with custom settings.
Runs on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload to the same policy.
Identifies one or more settings, as defined in the JSON, and returns a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
Must be compressed to output results in one line.
For example:
$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
Must include the following line at the end of the script: return $hash | ConvertTo-Json -Compress
The following is a sample PowerShell script:
$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
return $hash | ConvertTo-Json -Compress
PS C:\Users\apervaiz\Documents> .\sample.ps1
{"ModelName": "Dell","BiosVersion": 1.24,"TPMChipPresent": true}
To support custom settings for compliance, you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a PowerShell discovery script will evaluate for compliance on the device.
https://docs.microsoft.com/en-us/mem/intune/protect/compliance-custom-json
Preparation of a discovery script for Cortex XDR installation
checkxdr.ps1
Function Check-Cortex {
    # Look for an installed MSI product whose name starts with "Cortex".
    # Note: Win32_Product enumerates every installed package, so this query is slow.
    $product = Get-WmiObject -Class Win32_Product | Where-Object Name -Like "Cortex*" | Select-Object Name -Last 1
    # The hash key ("Name") is the setting name the compliance JSON must reference.
    # Output must be a single compressed JSON line, as Intune requires.
    if ($product) {
        return @{ Name = $true } | ConvertTo-Json -Compress
    } else {
        return @{ Name = $false } | ConvertTo-Json -Compress
    }
}
Check-Cortex
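As an added example (not from the original page or from Microsoft), the JSON rules file that pairs with the checkxdr.ps1 output above, together with a local pre-check that evaluates the script's one-line JSON against those rules the way the compliance engine does, so a mismatched setting name or data type is caught before anything is uploaded. The file path, MoreInfoUrl and remediation text are assumptions.

```powershell
# Added example, not part of the original page: rules JSON for the Check-Cortex output
# plus a local pre-check. SettingName must equal the hash key the script emits ("Name")
# and DataType must match the emitted value type (Boolean here).
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "Name",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/cortex-xdr-install",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Cortex XDR agent not found",
          "Description": "Install the Cortex XDR agent, then let the device re-evaluate compliance."
        }
      ]
    }
  ]
}
'@
# CortexRules.json is the file uploaded on the Compliance settings tab (path is an assumption).
Set-Content -Path .\CortexRules.json -Value $rulesJson -Encoding UTF8

function Test-CustomComplianceRules {
    # Compare one line of discovery JSON against each rule; emits one result object per rule.
    param([string]$DiscoveryOutput, [string]$RulesPath)
    $discovered = $DiscoveryOutput | ConvertFrom-Json
    $rules      = (Get-Content -Path $RulesPath -Raw | ConvertFrom-Json).Rules
    foreach ($rule in $rules) {
        $prop = $discovered.PSObject.Properties[$rule.SettingName]
        if (-not $prop) {
            [pscustomobject]@{ Setting = $rule.SettingName; Result = 'Missing from discovery output' }
            continue
        }
        $ok = switch ($rule.Operator) {
            'IsEquals'      { $prop.Value -eq $rule.Operand }
            'NotEquals'     { $prop.Value -ne $rule.Operand }
            'GreaterEquals' { [version]"$($prop.Value)" -ge [version]"$($rule.Operand)" }  # Version rules
            default         { $false }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Discovered = $prop.Value;
                           Result = $(if ($ok) { 'Compliant' } else { 'Noncompliant' }) }
    }
}

# Run the discovery script from the page and evaluate its output locally.
Test-CustomComplianceRules -DiscoveryOutput (& .\checkxdr.ps1) -RulesPath .\CortexRules.json
```

A "Missing from discovery output" result means the SettingName in the JSON does not match a key the script returns, which Intune would report as noncompliant for every device.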
Upload the script in Devices > Compliance policies > Scripts.
Create the policy
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Compliance policies > Policies > Create Policy.
Select a Platform for this policy
On the Basics tab, specify a Name.
On the Compliance settings tab, choose Custom compliance and select the discovery script.
Select the Setting name, Operator and Value from the loaded script.
Make sure the Setting name, Operator and Value are validated properly.
Select the Actions for noncompliance and Assignments
Overview of Custom compliance in Intune dashboard