What Does Compliance policy Mean?
On This Page
What do you want to do?
Quick Definition
A compliance policy is like a checklist that devices and users must pass to prove they are safe and follow the company's security rules. It checks things like whether the device has a password, is running updated software, or is encrypted. If a device fails the check, it might be blocked from accessing company email or data until it is fixed. These policies help organizations meet legal requirements and protect sensitive information.
Common Commands & Configuration
New-MgDeviceManagementCompliancePolicy -DisplayName 'Windows Compliance Baseline' -Platform 'Windows10AndLater' -ScheduledActionsForRule @(@{RuleName='Password'; ActionType='Block'; GracePeriodHours=48})Creates a new compliance policy in Microsoft Graph for Windows devices with a rule for password requirements and a block action after 48 hours grace period.
This tests your ability to use PowerShell cmdlets for compliance policy creation, which appears in MS-102 and MD-102. Understanding the parameters for grace periods and action types is critical.
Get-MgDeviceManagementCompliancePolicy -CompliancePolicyId '12345' | Select-Object -ExpandProperty ScheduledActionsForRuleRetrieves the scheduled actions (non-compliance actions) for a specific compliance policy, showing action type and grace period.
In SC-900 and MS-900, candidates must be able to retrieve and interpret compliance policy details to troubleshoot non-compliance issues.
Update-MgDeviceManagementCompliancePolicy -CompliancePolicyId '67890' -ScheduledActionsForRule @(@{RuleName='Encryption'; ActionType='Retire'; GracePeriodHours=72})Updates an existing compliance policy to retire corporate data from non-compliant devices after 72 hours of non-compliance due to missing encryption.
This command is highly relevant for MD-102 where you need to apply remediation actions. Retire is a non-negotiable action for data protection.
New-MgDeviceManagementComplianceSettingState -CompliancePolicyId 'abc' -DeviceId 'device123' -State 'compliant' -UserId 'user@contoso.com'Manually sets a device's compliance state for testing or troubleshooting, bypassing the evaluation engine.
Appears in troubleshooting scenarios for MS-102 and MD-102. Know that this overrides actual policy evaluation and is for admin use only.
Get-MgDeviceManagementCompliancePolicyAssignment -CompliancePolicyId 'xyz' | Format-ListLists all assignments (user or device groups) for a given compliance policy, showing which groups are targeted.
Essential for MS-900 and SC-900; understanding assignment scoping helps in exam questions about exclusion or inclusion of groups.
New-MgDeviceManagementCompliancePolicyAssignment -CompliancePolicyId 'def' -GroupId 'group-001' -AssignmentType 'include'Assigns a compliance policy to a specific Azure AD group using Microsoft Graph.
In AZ-104 and MS-102, you may need to configure policy assignments via PowerShell or Azure CLI.
Set-MgDeviceManagementComplianceSettingState -ComplianceSettingStateId 'setting1' -State 'noncompliant' -SettingName 'RequireEncryption' -DeviceId 'dev123'Updates a specific compliance setting state for a device, useful for reporting or testing custom compliance conditions.
Tests your knowledge of individual setting state modification, which is a common point in CySA+ and Security+ for continuous compliance monitoring.
Invoke-MgDeviceManagementCompliancePolicyNonComplianceDataRequest -CompliancePolicyId 'ghi' -DeviceIds @('dev1','dev2') -Action 'block'Triggers an immediate block action for specified devices under a compliance policy, bypassing grace periods.
This high-privilege command appears in incident response scenarios for CISSP and MS-102. Use only when immediate enforcement is required.
Compliance policy appears directly in 103exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Compliance policy is a critical concept across multiple IT certification exams, particularly those focused on security, device management, and cloud administration. For the CompTIA Security+ exam, compliance policies appear under domain 3.0 (Implementation) and domain 5.0 (Governance, Risk, and Compliance). You might be asked to identify the correct policy settings to meet a compliance requirement or to troubleshoot why a device is not compliant. Knowing the difference between compliance policies and conditional access policies is a common exam point.
For the Microsoft exams such as MD-102 (Endpoint Administrator), MS-102 (Microsoft 365 Administrator), MS-900 (Microsoft 365 Fundamentals), SC-900 (Security, Compliance, and Identity Fundamentals), and AZ-104 (Azure Administrator), compliance policies are a major topic. In MD-102, you will configure compliance policies in Intune, assign them to device groups, and understand how they integrate with Conditional Access. In MS-102, you will manage compliance policies as part of the broader Microsoft 365 compliance center. In SC-900, you will need to explain the purpose of compliance policies in the context of data protection. In AZ-104, you may encounter compliance policies in the context of Azure Policy, which is similar in concept but applied to Azure resources rather than devices.
For the AWS Solutions Architect (AWS-SAA) exam, compliance policies are less about devices and more about resource-level compliance using AWS Config rules and service control policies (SCPs). You might be asked to design a solution that ensures EC2 instances are compliant with an organization's security policy, such as requiring encryption at rest or certain tags. The concept of compliance is similar, but the implementation is different.
For the ISC2 CISSP exam, compliance policies are part of the Security and Risk Management domain. You will need to understand how policies are developed, enforced, and audited. Questions might ask about the difference between a policy, a standard, a baseline, and a guideline, and how compliance policies fit into the governance framework.
For the CompTIA CySA+ exam, compliance policies appear in the context of compliance scanning and vulnerability management. You may need to interpret compliance scan results or recommend policy changes to address non-compliant systems.
Common question types include scenario-based questions where you must choose the correct compliance policy setting to mitigate a described risk, compare different policy approaches, or troubleshoot a situation where a user cannot access resources because their device is out of compliance. Understanding the differences between compliance policies for different device platforms (Windows, macOS, iOS, Android) is also tested.
To succeed in these exams, you should not only memorize definition terms but also be able to apply the concept in practical scenarios. Practice configuring policies in a lab environment and review the documentation for the specific exam you are targeting.
Simple Meaning
Imagine you work in a building that has a security guard at the entrance. Before anyone can enter, the guard checks that they have a valid ID badge, that the badge is not expired, and that they are wearing the correct uniform. If someone fails any of these checks, they are not allowed in until they fix the issue. A compliance policy does the same thing, but for digital devices like laptops, phones, and tablets.
In the world of IT, a compliance policy is a set of rules that an organization creates to make sure that every device trying to connect to its network or access its data is secure and properly managed. These rules can cover many things: the device must have a password or PIN, it must not be jailbroken or rooted, it must have antivirus software running, it must have the latest security updates installed, and it must not be missing any required configuration settings.
Why is this needed? Think about a hospital. If a doctor uses a personal tablet to access patient records, that tablet must be secure so that private health information is not stolen or leaked. A compliance policy ensures that the tablet has encryption turned on, that the operating system is up to date, and that the device is not infected with malware. If the tablet fails any of these checks, the policy can automatically block it from accessing patient data or even wipe the device if it is lost.
Another way to think of a compliance policy is like a bouncer at a club. The bouncer has a list of rules: no one under 21, no one wearing gang colors, no one with a weapon. Everyone who wants to enter must show their ID and pass the checks. If someone fails, they are turned away. Compliance policies are like that digital bouncer, checking every device and user against a list of security requirements before granting access.
In a business setting, compliance policies are essential for meeting legal standards like HIPAA for healthcare, GDPR for data privacy, or PCI-DSS for credit card handling. If a company does not enforce compliance policies, it could face fines, lawsuits, or loss of customer trust. The policies help automate security checks so that IT teams do not have to manually inspect every device.
For IT certification students, understanding compliance policies is important because they are a core part of device management, identity management, and security frameworks. Whether you are studying for CompTIA Security+, Microsoft MD-102, or AWS SAA, you will see questions about how compliance policies are configured, enforced, and used to protect organizational resources. The key idea is that compliance policies are proactive: they prevent insecure devices from causing harm rather than reacting after a problem occurs.
Full Technical Definition
A compliance policy is a declarative rule set defined within an identity and access management (IAM) or mobile device management (MDM) platform that evaluates the security posture of endpoints, users, and applications against a baseline of required conditions. The policy is enforced at the point of access to corporate resources, typically during authentication or device enrollment, and continuously thereafter. Common platforms that implement compliance policies include Microsoft Intune, Microsoft Endpoint Manager, Azure AD Conditional Access, AWS IAM with SCPs, and third-party MDM solutions like VMware Workspace ONE or Jamf.
The core components of a compliance policy include conditions, actions, and notifications. Conditions are the evaluative criteria that a device or user must satisfy. These conditions can be based on device attributes such as operating system version, patch level, encryption status, jailbreak or root detection, threat score from integrated mobile threat defense (MTD) solutions, and the presence of required applications. Conditions can also be user-based, such as multi-factor authentication (MFA) registration status, password strength, and compliance with terms of use. For applications, conditions may include app version, app protection policies, and data leakage prevention controls.
Once the conditions are defined, the policy assigns an action based on the evaluation result. If the device or user is compliant, access to resources is granted. If non-compliant, the policy can take several actions: block access entirely, grant limited access (such as only to email but not to sensitive documents), require the user to remediate the issue before access is allowed, or trigger a remote wipe of corporate data from the device. In some systems, non-compliant devices can be placed in a quarantine network with restricted access until they are remediated.
The mechanism of compliance evaluation relies on a client agent or a built-in operating system component that reports telemetry to the MDM or IAM server. For example, in Microsoft Endpoint Manager, the Intune Management Extension and the Company Portal app collect compliance data from Windows, macOS, iOS, iPadOS, and Android devices. This data is sent to the Intune service, which evaluates the device against the assigned compliance policies. The result is stored in Azure AD as a compliance claim, which can then be used by Azure AD Conditional Access policies to enforce access controls.
Compliance policies operate at different layers. At the device level, they ensure that endpoints meet a baseline security configuration. At the identity level, they ensure that user accounts have the required authentication strength and have completed enrollment. At the application level, they enforce that apps have the necessary data protection settings. In large enterprises, compliance policies are often tiered, with different levels of strictness depending on the sensitivity of the data being accessed. For instance, accessing financial records might require a device that is fully managed, encrypted, and running the latest patch, while accessing company news might only require an enrolled device with a passcode.
From a protocol standpoint, compliance policies rely on standards like OAuth 2.0, OpenID Connect, and SAML for authentication and authorization. The MDM protocol, such as the Apple MDM protocol or the Android Management API, is used for device enrollment and compliance reporting. In Microsoft environments, the Graph API is used to query compliance status and apply policies programmatically.
In practice, compliance policies are part of a larger zero-trust security model, where trust is never assumed and verification is required before every access request. They work hand-in-hand with conditional access policies, which are the decision engines that use compliance status along with other signals like user location, risk score, and device state to allow or deny access.
For IT professionals, creating effective compliance policies requires understanding the organization's security requirements, regulatory obligations, and user workflow. Overly strict policies can frustrate users and reduce productivity, while overly lax policies can introduce risk. The balance is achieved by implementing policies that are just strict enough to meet compliance goals without causing unnecessary friction. Monitoring compliance policy reports and adjusting rules based on real-world results is a continuous improvement process.
Real-Life Example
Think of a compliance policy like the security rules at a university library's computer lab. The library wants to make sure that anyone using the computers follows certain rules to keep the computers safe and working well for everyone. The lab has a sign at the entrance with the rules: you must log in with your student ID, you must not download any software, you must not change the computer's settings, and you must log out when you leave. If you try to use a computer without logging in or if you try to change the desktop background, the computer locks you out.
Now imagine that each computer has a built-in security system that automatically checks if you are following the rules. When you sit down and log in, the computer checks your student ID against a list of active students. It also checks if the computer itself has the latest antivirus updates and if any security settings have been changed since the last check. If everything is fine, you get full access to the internet and the library's research databases. But if your student ID is expired or if the computer is missing a critical update, the computer either restricts your access to only the internet or completely blocks you from using it.
This is exactly how a compliance policy works in IT. The computer lab rules are the policy conditions. The student ID check is like verifying that the user's account is compliant with MFA or password requirements. The computer's antivirus and update checks are like device compliance conditions. The action of blocking access or limiting what you can do is the enforcement action.
Another real-life example is the security checkpoints at an airport. Before you can board a plane, you must show your boarding pass and ID, your bags must be screened, and you must walk through a metal detector. Each of these checks is a condition of a compliance policy. If you don't have a valid boarding pass, you cannot pass through. If your bag contains a prohibited item, you are stopped and required to remove it. The airport's security system is designed to prevent threats from reaching the aircraft. Similarly, an IT compliance policy prevents insecure devices from accessing corporate data and systems.
For a company that uses Microsoft Intune, the compliance policy acts like an automated security checkpoint. When a user tries to access company email from their phone, the phone is checked for compliance conditions: Is it encrypted? Does it have a passcode? Is it jailbroken or rooted? Is it running an up-to-date OS? If all conditions are met, access is granted. If not, the user is shown a message explaining what needs to be fixed and how to do it. This is similar to being pulled aside at airport security and told to remove your laptop from its bag for separate screening.
The key takeaway is that compliance policies automate security checks that would otherwise have to be done manually by IT staff. They ensure that every device accessing a network is held to the same standard, reducing the risk of a breach caused by a single insecure endpoint.
Why This Term Matters
Compliance policies matter because they are the front line of defense in a world where employees use many different devices to access corporate resources. The shift to remote work and bring-your-own-device (BYOD) policies has made it impossible for IT teams to physically inspect every laptop and phone. Compliance policies automate the security checks that keep data safe.
Without compliance policies, an organization might allow a device with outdated antivirus software or a missing security patch to connect to the corporate network. That device could be infected with malware that spreads to other systems, potentially causing data breaches, ransomware attacks, or regulatory fines. For example, if a healthcare organization does not enforce device encryption, a lost laptop containing patient records could result in a HIPAA violation and millions of dollars in penalties.
Compliance policies also help IT teams manage security at scale. Instead of manually checking each device, they can define a policy once and have it applied to thousands of devices automatically. When a device falls out of compliance, the policy can notify the user, block access to sensitive data, or even take corrective actions like enforcing a passcode update. This reduces the workload on IT support and ensures consistent enforcement.
From a business perspective, compliance policies demonstrate due diligence to auditors and regulators. They provide a clear record that the organization has taken reasonable steps to secure its data. In the event of an audit, being able to show that compliance policies are in place and enforced can reduce liability and prove that security controls are active.
For IT professionals, understanding compliance policies is essential for designing, implementing, and troubleshooting device management solutions. Whether you are working with Microsoft Intune, AWS IAM, or third-party MDM tools, the ability to create effective compliance policies is a core skill that directly impacts the security posture of the organization.
How It Appears in Exam Questions
Exam questions about compliance policies typically fall into several categories: scenario-based, configuration-based, troubleshooting, and comparison.
Scenario-based questions present a situation where a company needs to ensure that only secure devices access its cloud applications. For example, a question might describe a hospital that requires all mobile devices accessing patient records to have device encryption and a screen lock passcode. You might be asked which compliance policy settings to enable or which tool to use to enforce these requirements. Another common scenario involves a company that recently experienced a malware outbreak, and you need to recommend a compliance policy that prevents unapproved apps from running.
Configuration-based questions ask you to select the correct settings for a compliance policy. For instance, on the Microsoft MD-102 exam, you might be given a list of policy settings and asked which ones apply to iOS devices. You might need to know that you can require a minimum OS version, require a passcode, and block jailbroken devices. For Android, you might have additional options like requiring Google Play Protect or disabling USB debugging.
Troubleshooting questions present a scenario where a user cannot access a resource, and you must determine why. For example, a user reports that they cannot access Office 365 from their Android phone. You check the compliance policy and see that the device is marked as non-compliant due to a missing encryption requirement. You need to identify that the device does not have encryption enabled and guide the user to enable it. Another troubleshooting scenario might involve a device that was compliant yesterday but is now non-compliant because it missed a security update. You would need to understand that compliance policies are evaluated continuously, not just at initial enrollment.
Comparison questions ask you to differentiate compliance policies from other similar concepts. For example, you might be asked how a compliance policy differs from a configuration policy. The correct answer is that compliance policies are used to enforce security requirements and block access if those requirements are not met, while configuration policies push settings to devices but do not block access based on them. Another comparison is between compliance policies and conditional access policies: compliance policies evaluate device state, whereas conditional access policies use that evaluation along with other signals (like user location and risk) to grant or deny access.
In some exams, you might see questions about the order of operations. For example, when a device enrolls in Intune, the compliance policy is evaluated after the device configuration policy is applied. Understanding that compliance evaluation can be triggered by changes in device state, user action, or a scheduled check is important for troubleshooting.
For AWS-related exams, questions might involve creating AWS Config rules that check for compliance with internal policies, such as requiring that S3 buckets are not publicly accessible. You would need to select the appropriate rule type and remediation action.
To prepare, practice with practice exams and be able to explain the purpose and mechanics of compliance policies in your own words. Familiarize yourself with the specific policy settings available in the exam's relevant platform (Intune, Azure AD, AWS Config, etc.).
Practise Compliance policy Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized company called GreenTech Solutions has 500 employees who use both company-owned laptops and personal mobile devices to access corporate email and files. The IT manager is concerned about the risk of data leakage from devices that are not properly secured. She decides to implement compliance policies using Microsoft Intune.
First, she creates a compliance policy for Windows laptops. The policy requires that each laptop has BitLocker encryption enabled, that Windows Defender Antivirus is running and up to date, and that the operating system is at least Windows 10 version 22H2. The policy also requires that the device has a password or PIN for login.
Next, she creates a compliance policy for iOS and Android mobile devices. For iOS, the policy requires a passcode of at least six digits, device encryption, and that the device is not jailbroken. For Android, the policy requires a passcode, device encryption, and that Google Play Protect is enabled.
She assigns the compliance policies to all users in the company. The next day, an employee named Maria tries to access her work email from her personal Android phone. The phone has a passcode, but it is only four digits and device encryption is not enabled. When Maria opens the Outlook mobile app, she is prompted to fix the compliance issues. The app tells her that her device is not compliant because encryption is missing. Maria goes into her phone settings and enables encryption, which takes a few minutes. Once encryption is complete, her device is automatically re-evaluated and becomes compliant. She can now access her email.
Another employee, John, is using a company laptop that he has not updated in several months. When he tries to connect to the corporate VPN, the VPN client checks with Intune and finds that the laptop is missing critical security updates. The VPN connection is blocked, and John sees a message saying that his device does not meet security requirements. He is instructed to install the latest Windows updates. After he does so, his laptop is re-evaluated and becomes compliant. He can then connect to the VPN.
The IT manager also sets up automatic actions for non-compliant devices. If a device remains non-compliant for more than 30 days, the policy triggers a remote wipe of all corporate data from the device. This ensures that if a device is lost or stolen, the data is protected.
This scenario shows how compliance policies work in a real organization. They automate security checks, inform users of issues, and enforce access controls without requiring manual intervention from the IT team.
Common Mistakes
Thinking that compliance policies and conditional access policies are the same thing.
Compliance policies evaluate a device's security state (e.g., is it encrypted, updated, jailbroken?). Conditional access policies use the compliance result along with other signals (like user location, risk level) to make an access decision. They are different layers that work together.
Remember: Compliance policy checks the device. Conditional access uses that check plus other data to allow or block access. They are complementary, not identical.
Assuming compliance policies are only for mobile devices.
Compliance policies can apply to many device types: Windows, macOS, iOS, Android, and even Linux. They also apply to applications and user accounts. The concept is broader than just phones and tablets.
Always check which platforms the policy supports. A compliance policy for Windows laptops is just as common as one for iOS phones.
Believing that once a device is compliant, it stays compliant permanently.
Devices can fall out of compliance if they miss a security update, disable a required feature, become jailbroken, or if the policy is updated. Compliance is continuously re-evaluated.
Think of compliance as a continuous state, not a one-time event. Policies check for changes regularly.
Setting too many or overly strict compliance conditions without considering user impact.
If every minor setting triggers non-compliance, users will be frustrated and productivity may drop. It can also cause many false positives in audit reports.
Prioritize conditions that address actual risk. Start with critical requirements like encryption, passcode, and OS updates. Only add advanced conditions if necessary.
Not configuring a remediation action or grace period for non-compliant devices.
Without a grace period, a device that loses compliance due to a minor update delay will be immediately blocked, causing disruption. Without a remediation action, users may not know how to fix issues.
Always set a notification to the user with instructions on how to become compliant, and implement a grace period (e.g., 24 hours) before blocking access.
Applying a compliance policy without testing it on a pilot group first.
An untested policy might accidentally block critical devices or cause unintended consequences, such as wiping a device too aggressively.
Deploy the policy to a small test group first. Monitor compliance reports and adjust settings before rolling out broadly.
Confusing compliance policies with configuration policies (profiles).
Configuration policies push settings to devices (e.g., Wi-Fi network, email account). Compliance policies evaluate whether the device meets criteria. A device can have a configuration policy applied but still be non-compliant if it fails a separate compliance policy check.
Understand the difference: configuration sets up the device; compliance checks the device's security state.
Exam Trap — Don't Get Fooled
{"trap":"On an exam, you might be asked: 'Which policy should you use to ensure that a device has a passcode before it can access company resources?' The options might include 'Compliance policy', 'Configuration policy', 'Device restriction policy', and 'App protection policy'. Many learners pick 'Configuration policy' because they think it sets the passcode, but the correct answer is 'Compliance policy' because it is the one that blocks access if the passcode is missing."
,"why_learners_choose_it":"Learners often confuse the action of setting a passcode (which is a configuration policy) with the action of requiring that a passcode exists before granting access (which is a compliance policy). They think that since a configuration policy can enforce a passcode, it also handles the access control, but enforcement of access based on compliance is a separate layer.","how_to_avoid_it":"Remember that compliance policies are gatekeepers.
They check if a condition is met and block or allow access accordingly. Configuration policies apply settings but do not block access. If a question asks about ensuring a device *has* something before access is granted, it is compliance.
If it asks about *setting* something on the device, it is configuration."
Commonly Confused With
A compliance policy checks if a device meets security rules, while a conditional access policy uses that compliance status along with other conditions (like user location or risk) to decide whether to allow access. The compliance policy provides one signal, and conditional access uses it to make an authorization decision.
A compliance policy checks if your phone is encrypted. A conditional access policy then says: 'If the phone is encrypted and the user is in the office, allow access to email.'
A configuration policy pushes settings to a device, such as setting a passcode or configuring Wi-Fi. A compliance policy does not push settings; it evaluates whether the device already has those settings. The two work together: the configuration policy sets the passcode, and the compliance policy checks that it is actually set.
A configuration policy sets the email account on your phone. A compliance policy checks that you have a passcode before allowing that email to sync.
App protection policies protect data within apps without requiring device management. They can prevent copy-paste or require a PIN to open an app. Compliance policies, on the other hand, require the device itself to be enrolled and managed. App protection policies can be used even on unmanaged devices, while compliance policies require device enrollment.
An app protection policy could block you from copying data from a work app to a personal app on an unmanaged phone. A compliance policy would require the phone to be enrolled and encrypted before you can even open the work app.
Azure Policy is a service in Azure that evaluates Azure resources (like VMs, storage accounts) for compliance with organizational rules. It is similar in concept but applies to cloud resources, not user devices. Compliance policies in Intune apply to endpoints, while Azure Policy applies to Azure subscriptions and resource configurations.
An Azure Policy might require that all storage accounts have encryption enabled. An Intune compliance policy requires that laptops have encryption enabled.
A security baseline is a predefined set of configuration settings that are considered secure for a specific platform (e.g., Windows 10 security baseline). A compliance policy can reference a security baseline as part of its conditions, but the baseline itself is a template, not an enforceable policy. Compliance policies enforce the baselines by checking devices against them.
A Windows security baseline includes settings like disabling guest accounts and enabling firewall. A compliance policy can use that baseline and mark a device as non-compliant if the firewall is off.
Step-by-Step Breakdown
Define Compliance Requirements
The first step is to identify what security and regulatory requirements apply to your organization. These could be internal policies, industry standards (like HIPAA, PCI-DSS), or legal mandates (GDPR). For each requirement, you determine what conditions a device or user must satisfy to be considered compliant.
Choose a Management Platform
Select the tool that will create and enforce compliance policies. Common platforms include Microsoft Intune for device management, Azure AD for identity, AWS Config for cloud resources, and third-party MDM solutions. The platform must support the device types and conditions you need to evaluate.
Create the Compliance Policy
In the management console, you create a new compliance policy. You specify the target platform (Windows, iOS, Android, macOS). Then you define the conditions: required OS version, encryption status, jailbreak detection, antivirus status, passcode requirements, and more. Each condition has a severity and a remediation message.
Assign the Policy to Groups
The policy must be assigned to user groups or device groups. For example, you might assign a strict policy to finance department devices and a less strict policy to marketing devices. You can also use dynamic groups based on device attributes. Assignment determines who is evaluated by the policy.
Device Enrollment and Evaluation
When a device enrolls into the management platform, the client agent reports device attributes to the server. The server evaluates these attributes against the assigned compliance policy conditions. The result is computed: compliant or non-compliant. This evaluation also happens periodically and when device state changes.
Take Action Based on Compliance Result
If the device is compliant, no further action is needed and the device can access resources. If non-compliant, the policy triggers actions such as blocking access, sending a notification to the user, or requiring remediation. Some policies include a grace period before enforcement.
Integrate with Conditional Access (Optional)
For more granular access control, the compliance result is sent to a conditional access system (like Azure AD Conditional Access). The conditional access policy then uses this signal along with other factors (user location, risk, app sensitivity) to allow or deny access to specific resources.
Monitor and Report Compliance Status
IT administrators monitor compliance reports to see how many devices are compliant, which conditions are failing most often, and which users need help. Reports help in auditing and identifying trends, such as a high number of devices missing updates.
Remediate and Update Policies
Based on monitoring data, administrators may adjust the compliance policy. For example, if too many devices fail because of a specific update requirement that is not yet available, the policy might be relaxed. Conversely, if a new threat emerges, stricter conditions may be added. The policy is a living document.
Practical Mini-Lesson
In practice, implementing compliance policies is a core responsibility for endpoint administrators, security analysts, and cloud architects. Let's walk through a typical scenario using Microsoft Intune, as it is one of the most widely used platforms in enterprise environments.
First, you need access to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). Navigate to Endpoint security > Device compliance. Here you will see a list of existing policies. To create a new policy, click Create policy. You will be asked to select a platform: Windows 10 and later, macOS, iOS/iPadOS, Android device administrator, or Android Enterprise. Each platform has its own set of possible conditions. For this example, choose Windows 10 and later.
On the Basics page, give the policy a name like 'Windows Corporate Compliance' and optionally a description. Click Next to go to Compliance settings. Here you can configure conditions under categories such as Device Health, Device Properties, and System Security. For Device Health, you might require BitLocker to be enabled on the system drive. For Device Properties, you might require a minimum OS version such as 10.0.19044.0 (Windows 10 21H2). For System Security, you might require a password of at least eight characters and enable the 'Require password complexity' setting.
After configuring the conditions, you move to the Actions for noncompliance page. By default, there is an action to mark the device as noncompliant. You can add additional actions, such as sending a push notification to the user, sending an email, or remotely retiring the device (which removes corporate data). You can also set a schedule for these actions, for example, send a notification immediately, then block access after 7 days, then wipe after 30 days.
Next, you assign the policy to user groups. You can choose a group like 'All Users' or specific security groups. It is important to test with a pilot group first. After assignment, the policy is active.
Now, what can go wrong? Common issues include policy not being evaluated because the device is not properly enrolled, or the device reporting inaccurate data due to a missing agent. Another problem is that a condition might be incorrectly configured. For instance, if you require a minimum OS version of 10.0.19044.0 but the latest stable version for some devices is lower, all those devices will be non-compliant. Always verify the actual OS version numbers before setting them.
Professionals also need to understand the difference between compliance policies and compliance baselines. In Intune, there are also compliance baselines, which are pre-defined sets of rules from Microsoft. You can use them directly or customize them. They are more comprehensive than a basic compliance policy and include many settings from security baselines.
Another practical tip: combine compliance policies with conditional access. In Azure AD, you can create a conditional access policy that requires a device to be marked as compliant before accessing a cloud app. This is where the real power comes in, not only does the device need to pass the compliance check, but the access decision is also influenced by user risk, location, and app sensitivity.
For troubleshooting, always start by checking the compliance report in Intune. It shows the status of each device and which conditions are failing. You can also look at the local device's Company Portal app to see the compliance status from the user's perspective. If a device shows as 'Not evaluated', check that the user is licensed for Intune and that the device is enrolled.
Finally, remember that compliance policies are part of a larger security framework. They should be reviewed and updated regularly as new threats emerge and as the organization's needs change. Document your policies and keep an audit trail for compliance purposes.
Core Foundations of Compliance Policy in Device and Endpoint Management
A compliance policy is a set of rules and conditions that devices, applications, and identities must meet to be considered compliant within an organization's IT environment. In the context of device management, endpoint management, and identity management, compliance policies enforce security baselines, regulatory requirements, and organizational standards. These policies are typically defined in centralized management platforms such as Microsoft Intune, Azure Active Directory (now Microsoft Entra ID), and third-party mobile device management (MDM) solutions.
Compliance policies evaluate factors like operating system version, encryption status, jailbreak or root detection, antivirus and antimalware status, firewall configuration, password policies, and patch update compliance. When a device fails to meet compliance requirements, access to corporate resources can be blocked, restricted, or flagged for remediation. This conditional access approach ensures that only trusted and secure endpoints can access sensitive data and applications.
Compliance policies are fundamental to zero-trust security models, where trust is never assumed and must be continuously verified. For exams like SC-900, MS-900, MS-102, and MD-102, understanding how compliance policies integrate with conditional access, identity protection, and device compliance is critical. Compliance policies can be assigned to users, devices, or groups, and can trigger automated actions such as sending notifications, retiring non-compliant devices, or blocking access to Exchange Online and SharePoint.
The policies are evaluated at each sign-in or device check-in, and the results are exposed as compliance states that can be used in conditional access policies. Compliance policy also supports risk-based compliance through integration with Microsoft Defender for Endpoint, where device risk scores are factored into compliance decisions. This layered approach ensures that even if a device meets basic compliance rules, it may still be considered non-compliant if it exhibits high-risk behavior.
Compliance policies are not static; they can be updated and enforced in real-time through policy refresh cycles. Admins can set grace periods for non-compliant devices to allow users time to remediate before access is blocked. Reporting and compliance dashboards provide visibility into overall compliance posture, helping IT teams identify trends and address widespread issues.
Compliance policy is a cornerstone of modern endpoint and identity security, and mastery of this topic is essential for certifications such as AWS SAA (in the context of device compliance with AWS WorkSpaces), ISC2 CISSP (security governance and compliance), CompTIA Security+ (compliance frameworks), and CySA+ (continuous monitoring and compliance).
Enforcement Mechanisms and Conditional Access Integration
Compliance policies do not operate in isolation; they are tightly integrated with conditional access and identity protection mechanisms. In Microsoft Entra ID (formerly Azure AD), compliance policy evaluation results are treated as signals that conditional access policies can consume. For example, a conditional access policy can be configured to grant access to corporate applications only if the device is marked as compliant.
This is a key concept in exams such as SC-900 and MS-102, where the synergy between compliance and conditional access is heavily tested. The enforcement chain begins when a user attempts to authenticate. The device's compliance status is evaluated based on the most recent check-in with the MDM or MAM service.
If the device has not checked in recently, it may be marked as unknown, which defaults to non-compliant. Conditional access policies then check the compliance state, and if the device is non-compliant, the user may be prompted to enroll, remediate issues, or be blocked entirely. In Microsoft Intune, compliance policies can define actions for non-compliance, including marking the device as non-compliant, sending a notification to the user, remotely locking the device, retiring corporate data, or blocking the device from accessing Exchange and SharePoint.
These actions are executed based on the non-compliance severity and can be applied immediately or after a grace period. For administrators, managing enforcement includes understanding how to configure grace period settings to avoid disruption while maintaining security. Compliance policies can be combined with device configuration profiles to ensure that devices automatically remediate issues like missing updates or disabled encryption.
In the context of identity and endpoint security, compliance policy enforcement is also relevant for mobile application management (MAM) scenarios, where the policy applies to apps rather than the entire device. This allows organizations to protect corporate data on personally owned devices without requiring full device enrollment. Exams like MD-102 and MS-900 focus on the deployment and management of these policies, including how to create policy groups, assign policies, and monitor compliance reports.
Another critical enforcement mechanism is the integration with Microsoft Defender for Endpoint, where device risk scores (low, medium, high) can be used as a compliance condition. This is known as risk-based compliance and is a newer feature that ties together endpoint detection and response (EDR) with compliance enforcement. Understanding how to configure these signals and interpret compliance states is essential for real-world administration and for passing certification exams.
Conditional access integration also extends to third-party MDM solutions via standards like Microsoft Graph API, allowing custom compliance checks for non-Microsoft devices. Overall, compliance policy enforcement is a multi-layered process that requires careful planning, testing, and monitoring. Admins must understand the dependency on device enrollment, user identity, and network connectivity.
For exam success, candidates should practice configuring conditional access policies that use compliance states and understand the order of policy evaluation.
Reporting, Monitoring, and Compliance State Analysis
Effective management of compliance policies requires robust reporting and monitoring capabilities to track device compliance status, identify trends, and respond to non-compliance events. In Microsoft Intune, the compliance status of each device is displayed in the device details pane and in compliance overview dashboards. These dashboards show the number of compliant, non-compliant, and unknown devices, and allow filtering by policy, platform, and user.
For exam preparation, especially for MS-102 and MD-102, understanding how to read these reports is crucial. Compliance policies generate logs and alerts that can be exported to Azure Monitor or ingested into SIEM tools like Microsoft Sentinel. This enables security operations centers (SOCs) to correlate compliance events with other security signals.
For instance, if a device suddenly becomes non-compliant due to antivirus being disabled, that might indicate a potential compromise. Compliance state analysis also involves understanding the difference between local compliance (device-level checks) and service compliance (AAD/Entra ID state). A device might be locally compliant but still show as non-compliant in the cloud if it has not checked in within the required grace period.
This is a common troubleshooting point in exams and in practice. Admins can also generate compliance reports for specific users or departments, export data to CSV, and use Graph API to build custom dashboards. For AWS SAA candidates, compliance monitoring of devices connecting to AWS WorkSpaces can be managed through AWS SSO and device compliance policies, though the reporting is less granular than Intune.
For CISSP and Security+ exam takers, compliance monitoring ties into broader governance and risk management concepts, including continuous compliance auditing and reporting to meet regulatory requirements like HIPAA, GDPR, and PCI DSS. Compliance policy reporting also includes notifications and alerts. Admins can configure email notifications when devices become non-compliant or when compliance policy changes.
These notifications can be sent to IT admins or to end users to prompt remediation. Automated remediation scripts can be triggered based on compliance state, such as forcing a device to install updates or enable encryption. Understanding the lifecycle of a compliance policy is also essential: creating, assigning, reporting, remediating, and retiring.
For high-stakes exam questions, candidates should be familiar with compliance policy templates, built-in compliance settings, and how to create custom compliance policies for unique requirements like custom encryption standards or specific OS versions. Compliance policy reporting integrates with Microsoft Endpoint Manager admin center, where you can view the compliance status per policy per device. This hierarchical view helps in root cause analysis when a device does not show as compliant.
Also, compliance policies can be duplicated and edited for different platforms (iOS, Android, Windows, macOS) with platform-specific settings. The reporting module also shows the last check-in time, which is critical for troubleshooting connectivity issues. Mastering compliance policy reporting and monitoring is not just for exams but is a daily task for IT administrators.
For candidates pursuing MD-102, MS-102, SC-900, or CySA+, focus on the reporting interfaces, the data available, and how to interpret compliance states to troubleshoot and enforce security.
Grace Periods, Remediation Actions, and User Communication
Compliance policies often include grace periods and remediation actions to balance security enforcement with user productivity. A grace period is the time given to a user after a device is flagged as non-compliant before the system enforces a blocking action. For example, a policy might give users 24 hours to update their antivirus definitions before they lose access to corporate email.
Grace periods are configurable per compliance policy and per platform. In exams like MS-900 and MD-102, understanding how to set appropriate grace periods is tested to avoid overwhelming users while maintaining security. Grace periods can be set for actions such as marking the device as non-compliant, sending notifications, blocking access, or retiring data.
It is essential to configure grace periods so that users receive timely notifications about pending actions. These notifications can be customized with brand messages and instructions for remediation. Another key concept is the non-compliance action order.
Intune allows admins to define a sequence of actions: first, send a notification; after a few days, block access; after a longer period, retire corporate data. This graduated approach is critical for user experience and is a common exam topic. Remediation actions are automatic or manual steps taken to bring a device back into compliance.
For instance, if a device is non-compliant because it lacks a required update, Intune can trigger a device configuration policy to force the update installation. For devices that need user interaction, such as enabling encryption or changing a PIN, the policy can direct the user to the Company Portal app where they can see the specific issues and steps to resolve them. The Company Portal also provides compliance status information and links to IT support.
This user-facing mechanism is often covered in MS-102 exams. For devices enrolled in Microsoft Entra ID, compliance remediation can also be tied to Microsoft Authenticator app or self-service password reset (SSPR) scenarios. In advanced scenarios, compliance policies can be integrated with Microsoft Defender for Endpoint risk signals.
If a device is high-risk, the compliance policy can be set to block access immediately without a grace period. Candidates should be able to differentiate between risk-based compliance and standard compliance policies. For AWS SAA, compliance remediation in the context of AWS WorkSpaces might involve automated termination or re-provisioning of non-compliant workspaces.
Remediation also includes manual intervention when automated actions fail. Admins need to know how to reset compliance state, force a device check-in, or manually mark a device as compliant for testing. This is a frequent troubleshooting area in exams.
Finally, user communication is paramount. Best practices include clear, multilingual notifications and step-by-step guides. Compliance policy self-remediation instructions should be concise and accessible via mobile devices.
For CISSP and Security+ exam prep, understanding the balance between security and usability is a key theme. Grace periods and remediation actions are practical manifestations of that balance. Mastering grace periods, remediation actions, and user communication ensures that compliance enforcement is effective without crippling daily operations.
For exam success, memorize the default grace periods, the order of non-compliance actions, and the specific remediation options available per platform.
Troubleshooting Clues
Device shows as non-compliant despite meeting all policy requirements
Symptom: Device settings are correct (encryption on, password set, updates installed) but Intune still marks it as non-compliant.
The device may have missed its check-in deadline (typically every 8 hours). If the last check-in is older than the check-in grace period (default 30 days), Intune marks it as unknown or non-compliant. Also, the compliance policy may have a different evaluation frequency than the device sync cadence.
Exam clue: Exam questions often describe a device that meets all rules but is non-compliant; the solution is to force a device check-in or adjust the check-in frequency policy.
Compliance policy does not apply to a specific user or device
Symptom: User reports that their device is not being evaluated for compliance, and the compliance policy shows no results for that device.
The compliance policy may not be assigned to the user's device group, or the user's device is not enrolled in Intune / MDM. Also, the policy may target only specific platforms (e.g., Windows) but the device runs macOS. Check assignment groups and platform filters.
Exam clue: In MS-102 and MD-102, this is a classic scenario: verify enrollment, group membership, and platform scope before assuming a policy issue.
Conditional access policy blocks access even though device is compliant
Symptom: User's device shows 'Compliant' in Intune, but they cannot access corporate email or SharePoint, getting a 'device not compliant' error.
The conditional access policy may be using a different compliance condition, such as 'Device compliance state from Intune' combined with 'Require managed device'. Alternatively, the conditional access policy may be evaluating a different device (e.g., browser-based access vs. device enrollment). Also, the conditional access policy might have multiple conditions including location or risk, which could cause the block.
Exam clue: Common exam trap: the device is compliant but conditional access denies access due to additional conditions not related to compliance state. Always check the full conditional access policy.
Device is stuck in 'Pending' compliance state
Symptom: After a device check-in, the compliance status shows 'Pending' for an extended period (hours or days).
The compliance evaluation may be waiting for a service side operation like a risk score update from Microsoft Defender for Endpoint, or there may be a synchronization delay between the MDM and Azure AD. Also, the device might be enrolled as a userless device (e.g., kiosk mode) where compliance evaluation is different.
Exam clue: Exam questions about 'Pending' state often require you to check Microsoft Defender for Endpoint risk integration or verify that the device is in the proper enrollment mode (user vs. device).
Compliance policy not enforcing encryption requirement on macOS devices
Symptom: macOS devices show FileVault encryption disabled but the compliance policy requires full-disk encryption, yet the device remains compliant.
Compliance policies for macOS encryption may require additional configuration profiles (e.g., FileVault policy) to actually enable encryption. The compliance policy only evaluates the encryption state; if the device does not have a corresponding configuration profile to enforce encryption, it may report as compliant because the policy is not linked to enforcement.
Exam clue: MD-102 often tests that compliance policies and configuration profiles must be used together for features like encryption. A compliance policy alone cannot enable encryption.
Compliance policy fails to evaluate due to expired device certificate
Symptom: Device shows enrollment status as 'OK' but compliance evaluation fails with 'Certificate error' or 'Device not reached'.
MDM compliance evaluation relies on certificate-based authentication. If the device certificate used for MDM communication has expired or has been revoked, the compliance service cannot communicate with the device. This is common in environments with automated certificate renewal failures.
Exam clue: Troubleshooting certificate errors is a skill tested in MS-102 and AZ-104, where you might need to renew certificates via NDES or SCEP.
Compliance policy for mobile devices incorrectly flags jailbroken devices as compliant
Symptom: Jailbroken iOS devices are allowed access despite a compliance policy that should block them.
The compliance policy may not have the 'Device is not jailbroken' setting enabled, or the policy is not assigned to the device's group. Some jailbreaks can bypass MDM detection by modifying system files. The detection relies on MDM agent integrity.
Exam clue: Security+ and CySA+ exam questions often test that jailbreak detection must be explicitly enabled in compliance policies and that it may not be foolproof.
Compliance policy grace period does not trigger notifications
Symptom: Non-compliant devices are blocked immediately without any prior notification, even though a grace period is configured.
The grace period is set in the 'ScheduledActionsForRule' but the notification action must be configured as a separate action in the sequence. If the notification action is missing or set after the block action, the block will occur without warning. Also, the user may not have the Company Portal app installed to receive notifications.
Exam clue: MS-900 and MS-102 test the order of non-compliance actions: notification must come before block. Understanding action sequencing is critical.
Memory Tip
Compliance policy = The gatekeeper that checks if your device has the right armor (encryption, updates, passcode) before letting it into the castle (corporate network).
Learn This Topic Fully
This glossary page explains what Compliance policy means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →MS-900MS-900 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →SAA-C03SAA-C03 →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Quick Knowledge Check
1.An administrator configures a compliance policy that requires device encryption and password protection. The policy includes a 'Mark device non-compliant' action with a 24-hour grace period. A user's device is compliant with all rules but is showing as non-compliant. What is the most likely cause?
2.In Microsoft Intune, you create a compliance policy for Windows devices that includes a rule for antivirus status. Which action sequence ensures users receive a notification before access is blocked?
3.A compliance policy uses risk-based compliance integrated with Microsoft Defender for Endpoint. A device has a low-risk score but is still blocked by conditional access. What could cause this?
4.An iOS device is enrolled in Intune but does not show any compliance evaluation results. The admin confirms the device is in the correct group. What is the most likely reason?
5.An organization wants to enforce a compliance policy that blocks non-compliant Windows devices from accessing SharePoint Online. What must be configured besides the compliance policy?
Summary
A compliance policy is a critical security tool that enforces a baseline of health and security on every device that connects to an organization's resources. It works by defining rules, such as requiring encryption, updated OS, and active antivirus, and then automatically checking devices against those rules. If a device fails, the policy triggers actions like blocking access to corporate data until the issue is fixed. This concept is central to modern zero-trust security architectures and is tested heavily across certifications including Microsoft AZ-104, MS-102, MD-102, SC-900, CompTIA Security+, CySA+, and ISC2 CISSP.
The reason compliance policies matter is that they provide an automated, consistent, and auditable way to reduce the attack surface from endpoints. Without them, organizations must rely on user diligence alone, which is insufficient. In exams, you will need to distinguish compliance policies from configuration profiles, understand their integration with Conditional Access, and know the appropriate consequences for non-compliant devices.
Key takeaway: a compliance policy does not configure the device; it checks the device. It does not wipe the device automatically; it blocks access. It is not a one-time setup; it is a continuous evaluation. Understanding these nuances will help you answer exam questions correctly and design better security in real environments.