
How to Set Up Email Alerts for Non-Compliant Devices in Intune

Published 17 March 2026

Intune can automatically send email notifications when a device becomes non-compliant - to the user, to the helpdesk, or to both. This guide covers setting up notification templates, configuring actions for non-compliance, and building a simple escalation workflow that warns the user first and alerts IT after a grace period.

Contents
  1. How compliance notifications work in Intune
  2. Create a notification template
  3. Configure actions for non-compliance
  4. Setting up an escalation workflow
  5. Test the notification
  6. Monitor non-compliance

How compliance notifications work in Intune

When a device fails a compliance check, Intune can trigger one or more actions based on how long the device has been non-compliant:

The email notification action is the most useful for most organisations - it tells the user their device is out of policy before IT has to intervene manually.

Create a notification template

Intune Admin Centre → Devices → Compliance → Notifications
  1. Go to Devices → Compliance → Notifications → + Create notification
  2. Give it a name, e.g. Non-Compliant Device - User Alert
  3. Under Email notification templates, fill in:
    • From name - e.g. IT Support
    • Subject - e.g. Action required: your device needs attention
    • Message header - your company name or logo
  4. Add the email body. Here is a ready-to-use template:

Subject: Action required: your work device needs attention

Hi {{DeviceName}} user,

Your device {{DeviceName}} is no longer meeting our security requirements and has been marked as non-compliant.

This may affect your access to company resources including email and Microsoft 365 apps.

Common reasons your device may be non-compliant:

Please restart your device and ensure Windows updates are installed. If you continue to see this message, contact the IT helpdesk.

This is an automated message from the IT team.

💡
Use Intune variables in the template
Intune supports template variables like {{DeviceName}}, {{DeviceId}}, and {{UserName}}. These are replaced with real values when the email is sent. Check the Intune documentation for the full list of supported variables.

Configure actions for non-compliance

Actions are configured inside the compliance policy itself, not in the notification template.

Intune Admin Centre → Devices → Compliance → Policies → [Your policy] → Properties → Actions for noncompliance
  1. Open your compliance policy and go to Actions for noncompliance
  2. The default action is Mark device noncompliant at 0 days - keep this
  3. Click + Add action and select Send email to end user
  4. Set the schedule (days after non-compliance is detected) and select your notification template
🔔
Recommended action schedule
  • Day 0 - Mark device non-compliant. Immediate. Triggers Conditional Access block if CA policy is in place.
  • Day 1 - Send email to end user. First warning. Gives user time to fix the issue before IT is involved.
  • Day 3 - Send email to end user (reminder). Second warning if device is still non-compliant after 3 days.
  • Day 7 - Send email to helpdesk group. Alert IT that a device has been non-compliant for a week.
⚠️
Set up a helpdesk mail-enabled group
To send alerts to IT, create a mail-enabled security group in Microsoft 365 Admin Centre and add it as the recipient for the Day 7 helpdesk notification. You can then add or remove helpdesk staff from the group without changing the Intune policy.

Setting up an escalation workflow

A good escalation workflow protects the user experience while keeping IT informed. The goal is to give users enough time to fix the issue themselves before the helpdesk gets involved - reducing unnecessary tickets.

The schedule above (Day 1 user, Day 3 reminder, Day 7 IT) works well for most organisations. Adjust the timings based on how strict your security requirements are and how long users typically take to action notifications.

If you are using Conditional Access with a compliant device requirement, consider setting a grace period of 3-7 days in the CA policy using the Sign-in frequency setting. This prevents immediate access loss while the user resolves the issue.

Test the notification

The quickest way to test is to temporarily change a compliance policy setting to something you know a test device will fail - for example, set the minimum OS version higher than what the test device is running. The device will immediately show as non-compliant and the Day 0 action fires. The Day 1 email fires after 24 hours, so wait a day or temporarily change the schedule to 0 days for testing.

Alternatively, use the Send test email button in the notification template to send a preview to yourself.

Monitor non-compliance

After setting up notifications, monitor the compliance state of your fleet regularly:

Intune Admin Centre → Devices → Monitor → Device compliance

The compliance report shows compliant vs non-compliant counts by policy and platform. For a detailed view of which specific settings are failing on which devices, go to Devices → Monitor → Setting compliance.

Set up a weekly compliance review
Schedule a 10-minute weekly check of the Device compliance report. If non-compliance is consistently above 5% of your estate, investigate the common failing settings and adjust the compliance policy or communicate with users about the most common issues.
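
The weekly review and the Day 0/1/3/7 escalation schedule recommended earlier can be checked together in PowerShell. This is an added example, not part of the original guide or of Microsoft's tooling; `Get-ComplianceReview`, the `NonCompliantSince` field and the sample devices are assumptions made for illustration.

```powershell
# Added example; the device records below are constructed sample data.
# DeviceName, OperatingSystem and ComplianceState are Microsoft Graph managedDevice
# properties; NonCompliantSince is a hypothetical field from your own tracking.
$Schedule = @(   # days after detection -> action, as recommended in this guide
    [pscustomobject]@{ Day = 0; Action = 'Mark device non-compliant' }
    [pscustomobject]@{ Day = 1; Action = 'Send email to end user' }
    [pscustomobject]@{ Day = 3; Action = 'Send email to end user (reminder)' }
    [pscustomobject]@{ Day = 7; Action = 'Send email to helpdesk group' }
)

function Get-ComplianceReview {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [datetime] $AsOf = (Get-Date),
        [double] $ThresholdPercent = 5      # review trigger from this guide
    )
    $failing = @($Devices | Where-Object ComplianceState -eq 'noncompliant')
    $rate = [math]::Round(100 * $failing.Count / $Devices.Count, 1)
    # Failing settings tend to cluster by platform, so break the counts down.
    $byPlatform = $Devices | Group-Object OperatingSystem | ForEach-Object {
        $bad = @($_.Group | Where-Object ComplianceState -eq 'noncompliant').Count
        [pscustomobject]@{ Platform = $_.Name; Devices = $_.Count; NonCompliant = $bad }
    }
    # For each failing device, find the last scheduled action that is already due.
    $escalations = foreach ($d in $failing) {
        $days = [math]::Floor(($AsOf - [datetime]$d.NonCompliantSince).TotalDays)
        $due  = @($Schedule | Where-Object Day -le $days)
        [pscustomobject]@{
            DeviceName       = $d.DeviceName
            DaysNonCompliant = $days
            ExpectedAction   = if ($due.Count) { $due[-1].Action } else { 'None due' }
        }
    }
    [pscustomobject]@{
        RatePercent    = $rate
        AboveThreshold = $rate -gt $ThresholdPercent
        ByPlatform     = @($byPlatform)
        Escalations    = @($escalations | Sort-Object DaysNonCompliant -Descending)
    }
}

$sample = @'
DeviceName,OperatingSystem,ComplianceState,NonCompliantSince
LAPTOP-01,Windows,compliant,
LAPTOP-02,Windows,noncompliant,2026-03-09
LAPTOP-03,Windows,noncompliant,2026-03-15
PHONE-01,iOS,compliant,
'@ | ConvertFrom-Csv
$review = Get-ComplianceReview -Devices $sample -AsOf ([datetime]'2026-03-17')
$review | Format-List RatePercent, AboveThreshold
$review.Escalations | Format-Table
```

Real device records could come from `Get-MgDeviceManagementManagedDevice` in the Microsoft Graph PowerShell SDK, with the `NonCompliantSince` date joined in from your own records.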