Intune Compliance Re-evaluations

Technical Watchlist: Compliance Re-evaluations

As you probably know already, Microsoft Intune helps you protect the devices you manage, and the data stored on them, through configuration policies. Device compliance policies let you evaluate (and in some cases remediate) devices that do not meet the rules you specify. This covers everything from jailbroken iOS devices, to which devices are encrypted and which are not, to the overall health of your Windows 10 devices.

Great. All the devices have been on-boarded into deployed compliance policies. Now that you have established a baseline, you may need to improve the policy, or be asked to amend it. How the amended policy applies to any new users or devices you add in the future is obvious enough, but…

WHAT ABOUT EXISTING USERS?

Here’s the issue: having worked on a number of customer Intune tenants recently, I have discovered that if you change an existing, deployed compliance policy, it doesn’t then re-evaluate existing users against the new settings.

Why is it a problem? We’d all assume that, having made the changes, Intune would automatically evaluate the new settings against existing users and flag potential issues. Think about the number of users and devices that could be sitting outside the new policy settings, and the impact this could have on your desktop estate.

I looked at resolving the issue in a number of different ways. Unfortunately, even removing the assignment for the existing policy and then assigning it back to the previous or a different target group does not force Intune to re-evaluate users against the changes made.

The fix: in the short term, I have had to create a new compliance policy with the required settings (with the amendments requested by the customer) and redeploy it to the target user group. The new policy is then evaluated against devices.
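The workaround above, as an added example that is not the author's own script: it recreates an amended Windows 10 compliance policy through Microsoft Graph, assigns the new policy to the same group, and then compares what each device reports against the old and new policies, so the devices the stale policy was misreporting stand out. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest), an account that can consent to DeviceManagementConfiguration.ReadWrite.All, and placeholder policy and group ids; the compliance settings shown are illustrative values, and the scheduledActionsForRule block is included because Graph requires at least one scheduled action when a compliance policy is created.

```powershell
# Added example, not the author's script. Placeholders below must be replaced
# with real ids from your tenant.
$OldPolicyId   = '<existing-policy-id>'        # placeholder: the policy you would have edited
$TargetGroupId = '<target-group-object-id>'    # placeholder: the Azure AD group the old policy targets

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

# 1. Build the replacement policy. The settings are illustrative values; the property
#    names are those of the Graph windows10CompliancePolicy resource.
$newPolicy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Win10 Baseline v2 (amended)'
    description             = 'Replacement for the edited policy, created so devices re-evaluate'
    passwordRequired        = $true
    passwordMinimumLength   = 8
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    activeFirewallRequired  = $true
    # Graph rejects a compliance policy with no scheduled action, so mark
    # non-compliant devices immediately (gracePeriodHours = 0).
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$created     = Invoke-MgGraphRequest -Method POST -Uri $base -Body $newPolicy -ContentType 'application/json'
$NewPolicyId = $created.id

# 2. Assign the new policy to the same group the old one targeted.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$NewPolicyId/assign" -Body $assignBody -ContentType 'application/json' | Out-Null

# 3. Once devices have checked in, pull per-device status for both policies and
#    list devices whose reported state differs between the two.
function Get-PolicyDeviceStatus {
    param([string]$PolicyId)
    $result = @{}
    $uri = "$base/$PolicyId/deviceStatuses"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($s in $page.value) { $result[$s.deviceDisplayName] = $s.status }
        $uri = $page.'@odata.nextLink'   # follow paging in larger tenants
    }
    return $result
}

$old = Get-PolicyDeviceStatus -PolicyId $OldPolicyId
$new = Get-PolicyDeviceStatus -PolicyId $NewPolicyId

foreach ($device in ($new.Keys | Sort-Object)) {
    $before = if ($old.ContainsKey($device)) { $old[$device] } else { 'notAssigned' }
    if ($before -ne $new[$device]) {
        '{0,-30} old policy: {1,-13} new policy: {2}' -f $device, $before, $new[$device]
    }
}
```

Run step 3 only after devices have had time to check in, otherwise the new policy reports nothing. While both policies are assigned, a device is evaluated against both, so once the new policy is reporting as expected the old one should be unassigned; otherwise its stale settings stay in force.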

SO WHAT?

Have you checked your compliance policies for the same issue? The problem with compliance rules that don’t get applied to existing users is that it undermines trust in the whole process.

The fact that new compliance settings will not be checked, while removed compliance settings continue to be enforced, has a serious effect on the quality of your reporting. Imagine the scenario of devices inaccurately reporting as ‘in compliance’ or ‘not compliant’: what impact would this have on your business?

You’ll also start to see an increase in workload as more and more device problems and security concerns emerge: compliance policies may block devices as ‘non-compliant’ and, more worryingly, allow devices as ‘compliant’ when they are not.

Watch this space for a long-term solution, as this issue has been raised and confirmed by Microsoft support, who are raising this with the product group.


About Us

Marathon Professional Services is your trusted IT solutions partner. We offer a range of services including Desktop Infrastructure Solutions and Virtualisation, and we act on a white-labelled basis as an extension of your business.