
Intune Compliance Policy Builder

Build Windows 10/11 compliance policies with full control over every setting. Each option explained. Pre-built templates included. Export valid JSON for Microsoft Intune or Graph API.

Client-side only · No data sent · JSON exports for Intune
1. Choose a template
Pick a starting point; you can adjust every setting below.

CUSTOM: Blank / Custom
All settings off. Build from scratch.

COMP-001: Basic Compliance
Antimalware · Real-time protection · Windows 10 21H2+

COMP-002: Cyber Essentials Ready (Recommended)
BitLocker · Secure Boot · Code Integrity · TPM · Antimalware · RTP · Signatures · Win 10 21H2+

COMP-003: High Security
COMP-002 + Win 11 22H2+ · TPM 2.0 · Defender for Endpoint · 12-char password
2. Policy details
Name your policy and add group IDs.
Policy Name
The display name in Intune. Use a consistent naming convention, e.g. CA-001 Require MFA for All Users.
Description (optional)
Helps other admins understand the purpose of this policy.
Group IDs (embedded in downloaded JSON)

Find Object IDs in Entra ID › Groups › [group] › Overview. Leave blank to use placeholder text.

Assign to Group
The device group this policy is assigned to.
Exclude Group (Break-glass)
Always exclude break-glass accounts to prevent lockouts.
3. Security settings
Configure each section; click a header to expand.
Device Health (CE Required)
Require BitLocker (CE)
Encrypts the drive. Data is unreadable if the device is lost or stolen. Cyber Essentials requires encryption on all devices.
Require Secure Boot (CE)
Validates firmware and bootloader against known-good signatures on startup. Prevents bootloader malware. Required for Cyber Essentials and Windows Hello for Business.
Require Code Integrity
HVCI ensures only trusted signed code runs in the kernel. Blocks rootkits and low-level malware. Test on older hardware before enforcing.
TPM Required
TPM stores cryptographic keys and is required for BitLocker and Windows Hello. Most modern devices have TPM 2.0.
Operating System Version (CE Required)
Minimum OS Version (CE)
Devices running an older OS are marked non-compliant. Cyber Essentials requires a supported OS. Set this to the oldest version you intend to support.
Maximum OS Version
Rarely used. Marks devices non-compliant if they are on a newer OS than specified. Useful in tightly managed environments.
Defender / Antivirus (CE Required)
Require Antimalware (CE)
Verifies an active antimalware solution is running. Covers Defender and third-party AV.
Require Real-time Protection (CE)
Ensures real-time monitoring is enabled, not just installed. Cyber Essentials requires active protection.
Require Antispyware
Covered by Defender automatically. Only relevant when using a third-party product that separates AV and antispyware engines.
Block Outdated Signatures (CE)
Marks non-compliant if definitions are stale. Cyber Essentials expects definitions updated within 24 hours of release.
Defender for Endpoint Threat Level
Requires Defender for Endpoint (P1 or P2). Leave as Not configured if you do not have M365 Business Premium or higher.
Password / PIN Policy (Optional)
Require Password to Unlock
Device must require a password, PIN, or biometric to unlock.
Password Type
Alphanumeric requires letters and numbers. Numeric allows PIN only.
Minimum Length
NCSC recommends at least 8 characters for passwords.
Minutes Inactive Before Lock
Screen locks after this many minutes of inactivity.
Password Expiry (days)
NCSC recommends against mandatory rotation. Set to 0 to disable expiry.
Failed Attempts Before Wipe
Wipes the device after this many consecutive failed logins. Use with caution.
Non-compliance Actions
Mark non-compliant after
How quickly a device is flagged non-compliant. Set to immediately so Conditional Access can block access right away.
Notify user
Sends an email to the user explaining they are non-compliant.
Retire device after
Removes corporate data after this many days of non-compliance. This is a selective wipe, not a full device wipe.
4. Review & export
CE coverage updates as you change settings.
Cyber Essentials Coverage
BitLocker encryption enabled
Secure Boot required
Antimalware active
Real-time protection on
Signature currency enforced
Minimum OS version set
Policy JSON

Updates live. Remove _assignments and _metadata before importing via Graph API.

How to import
1. Download the .json file above.
2. In Intune: Devices → Compliance → Create Policy, select Windows 10/11.
3. Or POST via Graph API: https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies
4. Assign to All Devices or a pilot group. Test before rolling out.
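The Graph route in step 3, written out as an added example rather than the builder's own export: it creates a COMP-002-style Windows compliance policy and then assigns it with a break-glass exclusion. It assumes the Microsoft.Graph PowerShell module is installed; the two group IDs are placeholders, and the scheduled-action block is included because Graph rejects a compliance policy that has none.

```powershell
# Added example (not the builder's generated output): create a COMP-002-style
# Windows 10/11 compliance policy via Graph, then assign it.
# Requires the Microsoft.Graph module. Group IDs below are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$assignGroupId  = '00000000-0000-0000-0000-000000000001'  # placeholder: device group
$excludeGroupId = '00000000-0000-0000-0000-000000000002'  # placeholder: break-glass group

$policy = @{
    '@odata.type'        = '#microsoft.graph.windows10CompliancePolicy'
    displayName          = 'COMP-002 Cyber Essentials Ready'
    description          = 'BitLocker, Secure Boot, HVCI, TPM, Defender, Win 10 21H2+'
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    tpmRequired          = $true
    antivirusRequired    = $true
    rtpEnabled           = $true
    signatureOutOfDate   = $true          # stale Defender definitions = non-compliant
    osMinimumVersion     = '10.0.19044'   # Windows 10 21H2
    # Graph rejects a compliance policy with no scheduled action. A 0-hour grace
    # period marks the device non-compliant immediately so Conditional Access can act.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
            )
        }
    )
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign to the device group and exclude the break-glass group in the same call.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget';          groupId = $assignGroupId } }
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $excludeGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
Write-Host "Created and assigned compliance policy $($created.id)"
```

Point the first assignment at a pilot group rather than All Devices until the policy has been observed on real hardware.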
5. Conditional Access Policy Downloads (Bonus)
9-policy CA framework; group IDs from Step 2 are embedded automatically.

The complete CA framework from the Conditional Access Framework project. Each file is Graph API-ready. Deploy in Report-Only mode for 7 days before enabling.

Warning: Always exclude break-glass accounts from all policies before enabling. Test in Report-Only for 7 days.

6. Pre-deployment Checklist
Run through this before switching any policy to Enabled.

Tick each item before enabling policies. These are the most common reasons CA rollouts cause lockouts or fail silently.

7. Recommended Deployment Order
Enable policies in this sequence to minimise the risk of lockouts.

Always run in Report-Only for 7 days before enabling. Review Sign-in logs for each policy before moving to the next phase.

8. Named Locations Builder
Build trusted IP ranges for use in Conditional Access policies.

Named Locations mark office IP ranges as trusted. Used in CA-001 to reduce MFA prompts for office users. POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations

Location Name
IP Ranges (one per line, CIDR notation)
Enter each IP range on its own line, e.g. 203.0.113.0/24
Named Location JSON
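The Named Location POST described above, as an added example that is not the builder's own code: it validates each CIDR line before building the request, because a mistyped prefix (such as /2 instead of /24) silently marks most of the internet as trusted. It assumes the Microsoft.Graph module; the ranges and the /16 sanity floor are this example's own choices.

```powershell
# Added example (not the builder's own code): validate office CIDR ranges, then
# create a trusted Named Location. The ranges are constructed documentation samples.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$rangesText = @'
203.0.113.0/24
198.51.100.0/25
'@

function ConvertTo-IpRange {
    # Emits one Graph iPv4CidrRange object per non-empty line; throws on anything malformed.
    param([string[]]$Lines)
    foreach ($line in ($Lines | ForEach-Object Trim | Where-Object { $_ })) {
        $ip, $prefix = $line -split '/', 2
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
            $parsed.AddressFamily -ne 'InterNetwork' -or
            $prefix -notmatch '^\d{1,2}$' -or [int]$prefix -gt 32) {
            throw "Invalid IPv4 CIDR: '$line'"
        }
        # Typo guard (this example's own threshold): an office range shorter than /16
        # would make a huge address space "trusted" and skip MFA for all of it.
        if ([int]$prefix -lt 16) { throw "Range too broad for a trusted location: '$line'" }
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $line }
    }
}

$body = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Head Office'
    isTrusted     = $true
    ipRanges      = @(ConvertTo-IpRange ($rangesText -split "`r?`n"))
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```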
9. Mobile Compliance Policies
iOS and Android compliance policy JSON, ready to import.

Pre-built mobile compliance policies aligned to the same security standard as COMP-002. Adjust the platform tab, fill in a policy name, then download.

Policy Name
Require passcode
Device must have a passcode set to unlock.
Minimum passcode length
Minimum number of characters required.
Block jailbroken devices (CE)
Marks jailbroken devices non-compliant. Required for Cyber Essentials.
Require device encryption (CE)
iOS devices encrypt by default when a passcode is set, but this enforces the requirement explicitly.
Minimum OS version (CE)
Cyber Essentials requires a supported OS. iOS 16+ is the recommended minimum.
Mobile Policy JSON
10. PowerShell Import Script
Generate a .ps1 to import all policies via Microsoft Graph.

Generates a ready-to-run PowerShell script using the Microsoft.Graph module to import all CA policies and your compliance policy in one go. Group IDs from Step 2 are included automatically.

Warning: Run in Report-Only mode first. Review Sign-in logs for 7 days before setting any policy to Enabled. Test on a pilot group.
Generated PowerShell
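An added example of what such an import script has to get right, not the builder's generated .ps1: it walks a folder of exported JSON files, strips the builder-only _assignments and _metadata keys, and forces every Conditional Access policy to Report-Only no matter what state the file carries, so an import can never enable enforcement by accident. It assumes PowerShell 7 (for ConvertFrom-Json -AsHashtable), the Microsoft.Graph module, and a placeholder export folder.

```powershell
# Added example (not the builder's generated script). Requires PowerShell 7 and the
# Microsoft.Graph module. $ExportDir is a placeholder path.
Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                                   'Policy.ReadWrite.ConditionalAccess'
$ExportDir = 'C:\IntuneExports'   # placeholder

function Import-ExportedPolicy {
    param([Parameter(Mandatory)][string]$Path)
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json -AsHashtable

    # Builder-only keys must never reach Graph.
    $null = $json.Remove('_assignments')
    $null = $json.Remove('_metadata')

    if ($json.ContainsKey('conditions') -and $json.ContainsKey('grantControls')) {
        # Conditional Access policy: an import must not enable enforcement directly.
        $json.state = 'enabledForReportingButNotEnforced'
        $uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
    }
    elseif ($json['@odata.type'] -like '#microsoft.graph.*CompliancePolicy') {
        $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
    }
    else {
        throw "Unrecognised policy shape in $Path"
    }

    $result = Invoke-MgGraphRequest -Method POST -Uri $uri `
        -Body ($json | ConvertTo-Json -Depth 20) -ContentType 'application/json'

    [pscustomobject]@{
        File  = Split-Path $Path -Leaf
        Id    = $result.id
        State = $json.state   # $null for compliance policies, Report-Only for CA
    }
}

Get-ChildItem -Path $ExportDir -Filter *.json |
    ForEach-Object { Import-ExportedPolicy -Path $_.FullName } |
    Format-Table -AutoSize
```

Switching a CA policy from Report-Only to Enabled is then a deliberate second step after the Sign-in log review, not something the import does for you.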
11. Download Everything
All policies, compliance JSON, Named Locations, and PowerShell script in one ZIP.