What is Built-in device compliance policy in Intune

Hello everyone, today we are going to discuss the built-in device compliance policy. Whenever we enroll a Windows device, no matter whether it is enrolled with the manual Azure AD join method, Autopilot, or hybrid enrollment, the device will receive this built-in compliance policy automatically.

Now, the question is why? Today we are also going to discuss two interrelated topics, which are given below:

  1. Error 65001 Not applicable in Intune
  2. Built-in device compliance policy system error

Let’s discuss its importance first. Generally speaking, compliance policies allow an admin to define values that devices must meet to access company resources, and Conditional Access policies allow blocking those machines if they do not meet the values defined by the admin.

For example, an admin creates a compliance policy that requires machines to have BitLocker enabled and creates a Conditional Access policy that only allows users whose device is compliant to access resources such as Office 365 applications. So if the user’s device is compliant (which means BitLocker is enabled), they will be able to access all cloud applications. Otherwise, if the user’s device is not compliant, they won’t be able to access the company’s data.

The built-in compliance policy has three properties inside:

  1. Enrolled user exists
  2. Has a compliance policy assigned
  3. Is active

I have never seen option 1 or option 3 give an error: option 1 verifies whether the user is enrolled in Intune and has an Intune license assigned, and option 3 verifies whether the device is checking in with Intune. However, I have seen option 2 give a couple of errors, and because of this the built-in compliance policy will show as Not compliant. This happens when we have not yet assigned any custom compliance policy to the device/user. If you already have a compliance policy created, assign that policy to the user or device that shows as not compliant. Otherwise, follow my next steps.

Built-In compliance policy shows “Not Compliant” 65001 not applicable intune – [Resolved]


In order to remove this error, we have to assign a compliance policy to the user/device.

  • Login to Intune portal
  • Go to Devices > Compliance Policy
  • Click on Create Policy
  • Select Windows 10 and later as the platform. Then click Create
  • Name the policy. For this example, I am going to name it “Minimum OS requirement”, then click Next
  • Now click on Device properties
  • Under minimum OS version enter “18363.1854”

This is the build version of 1909. This requirement checks whether devices have this OS version or greater. If yes, the policy marks the device as compliant; otherwise it won’t.

  • Now click Next
  • On this page, you can send a custom notification to the user once their device becomes non-compliant. Click Next
  • Now assign the group that contains the users or devices we want to target
  • Click Select, click Next, and finally click Create
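The same “Minimum OS requirement” policy can be created through the Microsoft Graph API instead of the portal. The following is an added example, not code from the original post: it builds the policy and assignment request bodies and evaluates a device build against the post’s minimum of 18363.1854. The Graph resource shapes (windows10CompliancePolicy, osMinimumVersion, groupAssignmentTarget, scheduledActionsForRule) are assumed from the public Graph schema, and the group id is a constructed placeholder.

```python
"""Added example (not from the original post). Builds the Graph request bodies
for the post's "Minimum OS requirement" compliance policy and evaluates whether
a reported Windows build meets that minimum. Graph resource shapes are assumed
from the public schema; no network call is made here."""

MINIMUM_OS = "18363.1854"  # 1909 build as typed in the portal in the post

def normalize_version(v: str) -> str:
    """'18363.1854' -> '10.0.18363.1854' (assumed canonical Windows 10 form);
    a full four-part version passes through unchanged."""
    parts = v.split(".")
    if len(parts) <= 2:  # build[.revision] only, as entered in the portal
        parts = ["10", "0"] + parts
    return ".".join(parts)

def compliance_policy_body(name: str, minimum_os: str) -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies.
    Graph requires scheduledActionsForRule on creation (assumed), so a
    'block immediately' action is attached to the default rule."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": name,
        "osMinimumVersion": normalize_version(minimum_os),
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "block", "gracePeriodHours": 0}
            ],
        }],
    }

def assignment_body(group_id: str) -> dict:
    """Body for POST .../deviceCompliancePolicies/{id}/assign, targeting the
    group that holds the users/devices showing Not compliant (placeholder id)."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id}}]}

def meets_minimum_os(device_version: str, minimum_os: str = MINIMUM_OS) -> bool:
    """Component-wise numeric comparison, the way the policy evaluates the
    device: plain string comparison would rank '10.0.9' above '10.0.18'.
    Short version tuples are zero-padded to four components."""
    def as_tuple(v: str) -> tuple:
        nums = [int(p) for p in normalize_version(v).split(".")]
        return tuple(nums + [0] * (4 - len(nums)))
    return as_tuple(device_version) >= as_tuple(minimum_os)

if __name__ == "__main__":
    print(compliance_policy_body("Minimum OS requirement", MINIMUM_OS))
    print(meets_minimum_os("10.0.19041.1288"))  # newer than 1909: True
```

Send the first body to the deviceCompliancePolicies endpoint with an Intune-permissioned token, then the second to the new policy's assign action; the device will pick up the assignment at its next sync.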

Once it’s created, manually sync the device. Otherwise, make sure the device is connected to the internet and working; you can also trigger a sync from Intune.

Soon the compliance policy we created will be assigned to the machine, and the built-in compliance policy will show as compliant as well.

The second issue that I came across is that the built-in compliance policy shows a second entry, for the system account, with an error, even though it shows compliant on the user account. Well, let’s get into this.

Built-in Device compliance Policy system error in Intune


This normally happens when a device has a local account other than the one the user is connected with. The compliance policy that we are pushing only targets the user who enrolled with his/her account, but Intune detects the local account and shows an error for the system account.

This error won’t cause any issue whatsoever. You can assign Conditional Access or any other policy from Intune; this won’t create any conflict. But if you want to remove it, you can try targeting a compliance policy at the device. This may or may not work, but apart from this I have not come across any other resolution. If you do, feel free to let me know in the comments and I will update this post accordingly.

That’s it my folks! Have a good day!
