Postponed: Upcoming Security Enhancements in the Intune Service – your action is required!


Updated 2/9/18 - We've made changes to this feature to incorporate your feedback, and we've reposted about it here: Updated: Upcoming Security Enhancements in the Intune Service. We're keeping this page so we don't lose any comments you may have shared. We'll keep you updated about any changes in the new blog post and through the Message Center.

Updated 11/28/17 - Based on your feedback, we're going to postpone this change while we develop a friendlier end user experience. We will continue to keep this blog post updated on this topic and will also post a targeted communication with updated screenshots in the Office Message Center if action or changes are required.

Comments (27)

  1. Mahesh says:

    What if I only care about enrollment and don’t need compliance?

    To allow access for enrolled devices without any additional security checks, create a blank compliance policy with no settings configured and assign it to your users.

    Do I need to create an empty policy for all the platforms?

    1. Hi Mahesh. Yes, you do need to create one blank/empty policy for each platform.

  2. Steven says:

    I have 2 questions –
    1- We have Conditional Access setup for both Exchange and SharePoint. For Windows platforms we have "Windows must meet the following requirements" set to device must be domain joined or compliant. Will this change affect the domain joined computers who are device registered into Azure but are managed by SCCM and are not compliant, as the compliance policy is not applied to them? They are also not appearing in the output list from the query.

    2. I have a list of a number of devices that the query has produced. I have checked the devices in Azure and all the devices are shown as compliant. I cannot see why these devices are in the output from the query. I believe that these users are targeted by the compliance policy and therefore should not be in the output from the query. How can I find out why they have been included in the output?

    1. Hi, Steven – since it sounds like you are hybrid, we went and talked with Tyler and here are his comments back! With the setup described above, the Windows devices will still be able to access resources under conditional access. Now, for the second part, we did test the query but if it’s not providing the correct information, we’ll likely need to figure out what’s going on in the environment. Please contact support with the device details so we can investigate the issue. Thank you!!!

  3. Lisa Pratt says:

    We are using Intune App Protection Policies only (MAM only). Does this affect us in any way? Will our users continue to be able to access email via Outlook if we do nothing?

    1. Lisa, MAM will be unaffected by this change, so you will not need to take any action. Only MDM enrolled devices are impacted.

  4. M says:

    Does this affect MAM policies or just device compliance policies?

    1. This impacts device compliance policies for MDM enrolled devices only, so MAM policies will not be affected.

  5. Joe says:

    Any further update on when this new report might be released?
    Just a little concerned that it’s the start of November and we don’t seem to have it yet?

    1. Hi, Joe – the October service release is not fully out yet. While typically the release is completed by the end of the month, from time to time there are delays. If we run into any incidents, or have any unhealthy runners, we’ll hold all updates to ensure everything’s working great (and there’s no customer impact) before updating. Last we heard the change was set to start rolling out the very last week in November, but we’ll update this blog post if anything changes to that timeline. Hope this helps!

      1. Joe says:

        Thanks, that’s fair enough.
        Was just getting concerned that we would not have time to properly test and complete any changes we needed to make as a result.

  6. Owen says:

    I gather from this, if I have no Conditional Access policies, no action is needed?

    If I did want to create a blank compliance policy (per platform) and assign it to “All Users”, and I have pre-existing assigned compliance policies – would the most restrictive apply?

    1. Yes you’re right, Owen, no action is needed if you have no Conditional Access policies set up. For your second question, the most restrictive policies would indeed apply.

  7. Mahesh says:

    We have device compliance policies through the Classic Intune Portal. Will this change affect us? Do we need to consider moving the device compliance policies from the Classic portal to the Azure portal for this change?

    1. Brad says:

      This is critical for our environment too. In the new Azure portal we are showing as 0 for devices without compliance policy, just like the screenshot in this article. However, all of our devices in the new Azure portal do show no compliance policy. I have confirmed the CP is still working via Silverlight, however. To the original requestor's point, are we still required to create a new CP in the new Azure portal? Or will we be ok with the existing one that is applied in Silverlight?

    2. Hi Mahesh, this change does affect compliance policies in the classic portal. Any users who are not assigned a compliance policy will be considered not compliant. An admin can use the Intune on Azure portal to determine which devices will become non-compliant when the enforcement rolls out. However, this only affects you if you have an Azure AD Conditional Access (CA) policy defined that requires devices to be compliant. If there are no CA policies that require device compliance, there will be no other change other than device status seen in the admin console. Hope this helps!

      1. Brad says:

        If I understand you correctly, if we never brought over our CA policy into the new Azure portal, the old CA policy in the Silverlight portal coupled with the Compliance policy will remain intact and not impact our users. If we were ever to bring the CA Policy for Exch/Sharepoint to the new Azure portal, then you are saying we would have a problem.

        So the only change we will see is all devices will be marked as non-compliant, however nothing will be impacted because our CA policy and Compliance policy are still in the old Silverlight Portal?

        Are you recommending we migrate the existing CA policy and Compliance to the new Azure Portal though?

        1. Existing CA policies in Intune Silverlight Portal or ‘classic policies’ should be migrated to the Azure AD Conditional Access portal as discussed in the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-migration
          You are not required to migrate compliance policies, but you can choose to.

      2. Mahesh says:

        We have Conditional Access on the Azure Portal, marked as device must be compliant. Compliance policies are being picked up from the Classic Intune Portal. The report “Devices without compliance policy” is null; will this change affect us?

        1. This change affects Conditional Access that’s configured to require devices to be compliant. If all your devices have at least one compliance policy assigned to them, the report will show as null. No further action is required on your part for this change.

  8. PhilippeD says:

    I have big concern over this incoming change as we use CA with all our iOS and Android devices. Compliance policies are deployed in Intune, but the "devices without compliance policy" report shows ALL our devices being without policies, even though they are compliant when drilling down into the devices, users and report.

    What part of the compliance is required, the Azure AD compliance or the device compliance?
    Can we get in touch with the product group? I would have more details to provide.

    While trying to export the devices affected, the report fails to generate, with thousands of errors:

    { "error": { "code": "", "message": "The query specified in the URI is not valid. Query option 'SkipToken' is not allowed. To allow it, set the 'AllowedQueryOptions' property on EnableQueryAttribute or QueryValidationSettings.",

    1. ABQ_Dev says:

      PhilippeD,

      Make sure that the compliance policies are assigned to dynamic user groups, not to dynamic device groups.

      The confusing thing is that you can assign a compliance policy to device groups and the policy will still be evaluated on each device, with the results displayed under each device’s ‘Device compliance’ pane in the Azure Intune portal as usual. However, if you log in to the Company Portal app on any of the targeted devices, you’ll see the message displayed in the blog post stating that no compliance policies have been assigned. Also, if a device is only targeted for a compliance policy through a device group, you will see that the overall compliance status in the ‘Devices’->’All Devices’ pane and the ‘Device compliance’->’Device compliance’ pane does not include the results of said policies when calculating overall compliance status of a device. These policies also do not apply for conditional access, which is why your devices are showing up in the ‘Devices without compliance policy’ report. Basically, Intune is happy to evaluate those policies for you, but they have no effect on actual overall device compliance. Fun, right?

      That said, I would very much like to see this change, as I have scenarios where device group based targeting would make more sense. For instance, let’s take a user that has two Windows 10 machines – an old desktop without a TPM that’s in a secure office and locked to a desk and a Surface Pro that travels with the user outside of the office. I want to use conditional access with policy to enforce hardware-backed BitLocker encryption on the Surface Pro, which is not available on the old desktop PC, but any compliance policy applied to that user that requires encryption on Windows 10 devices will mark the old desktop PC as non-compliant and deny access to company resources. Therefore, I must remove the encryption requirement for all of that user’s devices, putting the data on the Surface Pro at risk. Not ideal. I also imagine this being a real headache for organizations that use a couple of device enrollment managers to enroll all of their devices with device-based licensing.

  9. RichardP says:

    Where is the setting “all existing users who have a policy targeted” to be found?

    1. There is no setting currently in the O365 portal for all users who have a policy targeted. You can follow these steps to find out which users have a policy targeted:
      1. Look at each policy to see if the policy is set as “Allow access even if the device does not meet the requirements of the policy” and which group(s) the policy is targeted to.
      2. Look at membership of each of the groups identified in the step above to identify which users are impacted. You can mitigate impact for these users by following the guidance in the blog post.
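Added example, not from the blog post or from Microsoft: a read-only Microsoft Graph audit that covers step 1 of the reply above (which groups each compliance policy is targeted to) and ABQ_Dev's point earlier in the thread that policies reaching a device only through a device group do not count for conditional access. It assumes the Microsoft.Graph PowerShell module, the beta `deviceCompliancePolicies` endpoint with `$expand=assignments`, and that a dynamic group whose membership rule references `device.*` properties is a device group; an assigned (non-dynamic) group is treated as user-scoped, so check its members by hand if it may contain devices.

```powershell
# Audit Intune compliance policy assignments and flag policies that are unassigned
# or targeted only at device groups (example script, not Microsoft's own tooling).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'Group.Read.All' -NoWelcome

# Follow @odata.nextLink so large tenants are enumerated completely
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType HashTable
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$policies = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies?$expand=assignments'

foreach ($p in $policies) {
    $userScoped = $false      # true once at least one user-scoped target is found
    $targetLines = @()
    foreach ($a in $p.assignments) {
        $t = $a.target
        switch ($t.'@odata.type') {
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { $userScoped = $true; $targetLines += 'All users' }
            '#microsoft.graph.allDevicesAssignmentTarget'       { $targetLines += 'All devices (device scope)' }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { $targetLines += "Excluded group $($t.groupId)" }
            '#microsoft.graph.groupAssignmentTarget' {
                $g = Invoke-MgGraphRequest -Method GET -OutputType HashTable `
                    -Uri "https://graph.microsoft.com/v1.0/groups/$($t.groupId)?`$select=displayName,groupTypes,membershipRule"
                # Assumption: a dynamic rule written against device.* properties means a device group
                $isDeviceGroup = [bool]$g.membershipRule -and ($g.membershipRule -match '(?i)\bdevice\.')
                if (-not $isDeviceGroup) { $userScoped = $true }
                $kind = if ($g.groupTypes -contains 'DynamicMembership') { 'dynamic' } else { 'assigned' }
                $note = if ($isDeviceGroup) { ', device rule' } else { '' }
                $targetLines += "$($g.displayName) [$kind$note]"
            }
        }
    }
    $flag = if (-not $p.assignments) { 'UNASSIGNED' } elseif (-not $userScoped) { 'DEVICE-ONLY' } else { 'ok' }
    Write-Output ('{0,-12} {1} ({2})' -f $flag, $p.displayName, $p.'@odata.type')
    $targetLines | ForEach-Object { Write-Output "             -> $_" }
}
```

Policies flagged DEVICE-ONLY are the ones the thread describes as evaluated on the device but ignored for overall compliance and conditional access; UNASSIGNED policies reach nobody, which is the situation the blank "All Users" policy suggested above is meant to avoid.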

  10. NARESH DOSHI says:

    HELLO, THIS IS NARESH. I AM A CLOUD PARTNER AND I HAVE PROBLEMS THAT I CANNOT SEE ANY OF MY CLIENTS WHO HAVE
    INTUNE IN THEIR AZURE PORTAL,
    BUT I CAN SEE THEM IN THE CLASSIC PORTAL BUT NOT IN THE AZURE PORTAL. WHAT SHOULD I DO AND HOW TO DO IT? PLEASE ADVISE, OR IF ANYONE CAN CALL ME AND WALK ME THROUGH ONE CLIENT THEN I CAN DO ALL THE OTHERS. I WOULD APPRECIATE IT.

  11. Betsy Getreu says:

    As suggested, I created a blank compliance policy and assigned it to All Users. I do not have any CA policies. However, although I am a member of All Users, none of my devices (all compliant) have received the compliance policy. I have a license to EMS Intune and AD Premium. I can’t figure out what I am doing wrong. Any help you can provide would be appreciated.

    1. Betsy, we suggest contacting support for this. That would help to diagnose and resolve the issue.
