What is the Built-in Device Compliance Policy in Intune?
Intune, Microsoft's mobile device management (MDM) solution, has compliance policies that let administrators define the requirements a device must meet (for example an encrypted disk or a minimum OS version) before it is considered compliant. Paired with Conditional Access, a compliance policy ensures that only devices meeting those requirements can reach company data. Note that compliance policies do not control which devices are allowed to enroll; that is the job of enrollment restrictions.
Whenever a device is enrolled in Intune, whether it is Android, iOS/iPadOS, macOS or Windows, it automatically receives the Built-in Device Compliance Policy.
Now, the question is: why? Today we are also going to cover two related issues:
- Error 65001 "Not applicable" in Intune
- Built-in Device Compliance Policy "System account" error
Let's discuss its importance first. As mentioned above, compliance policies let the admin define values that devices must meet to access company resources, and a Conditional Access policy can then block machines that do not meet those values.
For example, an admin creates a compliance policy requiring BitLocker to be enabled, and a Conditional Access policy that only allows access to resources such as Office 365 applications from compliant devices. If the user's device is compliant (meaning BitLocker is enabled) they can access all cloud applications. Otherwise, if the device is not compliant, they cannot access the company's data.
Here you can read our post about best practices for implementing compliance policies on the Windows platform.
Now, the Built-in Device Compliance Policy is the default policy that arrives the moment you enroll any device. It has three settings:
- Enrolled user exists
- Has a compliance policy assigned
- Is active
1. Enrolled user exists
This checks that the user who enrolled the device still exists in your tenant and has a valid Intune license. If so, the setting shows as compliant.
2. Has a compliance policy assigned
This checks that at least one compliance policy you created in the Intune portal is assigned to the device or its user.
3. Is active
This checks that the device has checked in with Intune within the compliance status validity period (30 days by default). You can change that period under Devices > Compliance policies > Compliance policy settings.
I have never seen settings 1 and 3 report an error: setting 1 only verifies that the enrolling user exists and holds an Intune license, and setting 3 only verifies that the device is checking in with Intune. Setting 2, however, I have seen fail a couple of times, and when it does the whole Built-in Device Compliance Policy shows as Not compliant. This happens when no custom compliance policy has been assigned to the device or user yet. If you already have a compliance policy, assign it to the users or devices that show Not compliant. Otherwise, follow the steps below.
Built-In compliance policy shows “Not Compliant” 65001 not applicable intune – [Resolved]
To clear this error we have to assign a compliance policy to the user or device. (The tenant-wide setting "Mark devices with no compliance policy assigned as", under Devices > Compliance policies > Compliance policy settings, decides whether such devices count as Compliant or Not compliant. Leave it at Not compliant, the secure default, and fix the problem by assigning a policy.)
- Log in to the Intune admin center
- Go to Devices > Compliance policies
- Click on Create Policy
- Select Windows 10 and later as a platform. Then click Create
- Name the policy. For this example, I am going to name this as “Minimum OS requirement” and click Next
- Now click on Device properties
- Under Minimum OS version enter the full version string, for example "10.0.18363.1854"
18363 is the OS build of Windows 10 version 1909. This rule checks whether the device runs this OS version or a later one. If it does, the device is marked compliant; otherwise it is not.
- Now click next
- On the Actions for noncompliance page you can add a custom notification to send to the user once their device becomes non-compliant. Click Next
- Now assign the group that contains the users or devices we want to target
- Click Select, click Next and finally click Create
Once the policy is created, sync the device manually. Otherwise make sure the device is connected to the internet and checking in; you can also trigger a sync from the Intune portal.
Soon the compliance policy we created will be assigned to the machine, and the Built-in Device Compliance Policy will show as compliant as well.
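The same procedure can be scripted against Microsoft Graph. The PowerShell below is an added example, not code from the original post: it creates the "Minimum OS requirement" policy, assigns it to a group, and then requests a sync on every non-compliant Windows device. It assumes the Microsoft.Graph module is installed, the signed-in admin has the listed scopes, and `$GroupId` is the object ID of the user or device group that was showing Not compliant. The `scheduledActionsForRule` element is required by the Graph API even though the portal adds it silently.

```powershell
# Added example (not from the original post): create and assign the compliance policy
# with Microsoft Graph PowerShell instead of clicking through the portal.
# Assumptions: Microsoft.Graph module installed; caller holds the scopes below;
# $GroupId is the object ID of the target user/device group.
#Requires -Modules Microsoft.Graph.Authentication

param(
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $PolicyName = 'Minimum OS requirement',
    # Windows 10 version 1909 is OS build 18363; Intune expects the full
    # major.minor.build.revision string, not just "18363.1854".
    [string] $MinimumOsVersion = '10.0.18363.1854'
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$base = 'https://graph.microsoft.com/v1.0/deviceManagement'

# 1. Create the policy. Graph rejects a compliance policy without
#    scheduledActionsForRule, so a "block immediately" action is included
#    (the portal adds the same default on the "Actions for noncompliance" page).
$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = $PolicyName
    description             = "Requires Windows build $MinimumOsVersion or later"
    osMinimumVersion        = $MinimumOsVersion
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'   # rule name Intune uses for its single default rule
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$base/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created policy '$($created.displayName)' with id $($created.id)"

# 2. Assign it to the group. The built-in policy's "Has a compliance policy assigned"
#    setting only turns compliant once the enrolled user or the device is in scope.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# 3. Request a sync on every Windows device that is currently non-compliant so the
#    new policy is evaluated now rather than at the next scheduled check-in.
$uri = "$base/managedDevices?`$filter=operatingSystem eq 'Windows' and complianceState eq 'noncompliant'&`$select=id,deviceName"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($d in $page.value) {
        Invoke-MgGraphRequest -Method POST -Uri "$base/managedDevices/$($d.id)/syncDevice" | Out-Null
        Write-Host "Sync requested for $($d.deviceName)"
    }
    $uri = $page.'@odata.nextLink'   # follow paging; large tenants return more than one page
} while ($uri)
```

Run it as `.\New-MinOsCompliancePolicy.ps1 -GroupId <group object id>`. The sync request only asks the device to check in; as in the portal, the built-in policy goes green once the device has actually evaluated the new assignment.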
The second issue I came across is that the Built-in Device Compliance Policy shows a second, non-compliant entry for the System account, while the entry for the user account shows compliant. Let's get into this.
Built-in Device Compliance Policy system error in Intune
In my experience this happens when the device has a local account in addition to the account the user is signed in with. The compliance policy we push targets only the user who enrolled the device with his or her account, but Intune also evaluates the built-in policy for the System account, which has no policy assigned, and reports an error for it.
This error does not cause any problem in practice: Conditional Access and any other Intune policy keep working and there is no conflict. If you still want to remove it, try assigning a compliance policy to a device group so that the device itself, and therefore the System account, has a policy assigned. This may or may not work, but apart from this I have not found any other resolution. If you do, let me know in the comments and I will update this post accordingly.
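To see which account each built-in setting was evaluated for, and so tell the "no policy assigned" case from the System account case, the following Graph query can be used. It is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed and the caller holds `DeviceManagementManagedDevices.Read.All`; the policy display name ("Default Device Compliance Policy" in Graph, "Built-in Device Compliance Policy" in the portal) and the `DefaultDeviceCompliancePolicy.*` setting names are assumptions based on what a tenant typically returns and should be adjusted if yours differ.

```powershell
# Added example (not from the original post): report the built-in policy's per-setting
# state for every Windows device, including the account it was evaluated for.
# Assumptions: Microsoft.Graph module installed; DeviceManagementManagedDevices.Read.All;
# policy display name and setting names as seen in a typical tenant (verify in yours).
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
$base = 'https://graph.microsoft.com/v1.0/deviceManagement'

function Get-GraphPages([string] $Uri) {
    # Follow @odata.nextLink so large tenants are not silently truncated.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$devices = Get-GraphPages "$base/managedDevices?`$filter=operatingSystem eq 'Windows'&`$select=id,deviceName,userPrincipalName,complianceState"

$rows = foreach ($d in $devices) {
    $states  = Get-GraphPages "$base/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    # Assumption: Graph names the built-in policy "Default Device Compliance Policy".
    $builtIn = $states | Where-Object { $_.displayName -match 'Default Device Compliance Policy|Built-in Device Compliance Policy' }
    foreach ($p in $builtIn) {
        foreach ($s in $p.settingStates) {
            [pscustomobject]@{
                Device       = $d.deviceName
                EnrolledUser = $d.userPrincipalName
                # A setting state with no user principal name is the device-scope
                # evaluation the portal labels "System account" (assumption).
                EvaluatedFor = if ($s.userPrincipalName) { $s.userPrincipalName } else { 'System account' }
                Setting      = ($s.settingName -replace '^DefaultDeviceCompliancePolicy\.', '')
                State        = $s.state    # compliant, nonCompliant, notApplicable, error, ...
            }
        }
    }
}

# Anything other than compliant/remediated is worth a look; notApplicable is the
# state behind the 65001 "Not applicable" message.
$problems = $rows | Where-Object { $_.State -notin 'compliant', 'remediated' }
$problems | Sort-Object Device, EvaluatedFor |
    Format-Table Device, EvaluatedFor, Setting, State -AutoSize

# Devices whose only failing built-in setting is the "has a compliance policy
# assigned" check are fixed by assigning a policy; rows evaluated for the
# System account need that policy assigned to a device group.
$noPolicy = $problems |
    Where-Object { $_.Setting -eq 'RequireDeviceCompliancePolicyAssigned' } |
    Select-Object -ExpandProperty Device -Unique
if ($noPolicy) {
    Write-Host "`nDevices with no compliance policy assigned:"
    $noPolicy | ForEach-Object { Write-Host "  $_" }
}
```

The report is read-only, so it is safe to run before and after the assignment change above to confirm that the System account row disappears once a device-group assignment is in place.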
That’s it, my folks! Have a good day!