Configuration and Compliance with Best Practices

To have your Intune enrollment up and running is a nice thing. Now we start the next chapter – Configuration and Compliance within Microsoft Intune. There are almost endless possibilities of configuring devices enrolled with Intune and Windows Autopilot. In this post I explain every category and show you some of my best practices.




Administrative templates


Delivery optimization

Device firmware configuration interface

Device restrictions

Domain join

Edition upgrade and mode switch 


Endpoint protection

Identity protection 

Imported Administrative templates (Preview)


Microsoft Defender for Endpoint

Network boundary


Secure assessment (Education)

Shared multi-user device



Windows health monitoring

Wired network


Settings Catalog



You can set whatever you want, but it’s necessary to check the devices if they really applied all the settings. Intune uses Compliance-Reports for that. Every device will get checked if it applied all the things you set in your compliance policy. If that’s not the case, devices will fall into a grace period. It’s possible to set a specific time for grace period (default is 30 days). Event messages to the user to fix the problem could be sent. After this period device will be non-compliant. With a default Intune-setup nothing happens so far.
But why is it necessary then you might ask? For basic Intune environments it’s a good tool to see device health and update behavior. The interesting part starts with Conditional Access. You can block Non-Compliant devices for specific ressources or the whole company network / data.

More about that in a future post. Stay tuned!


Default Template

Custom Scripts


That’s it

Now you know everything about every type of configuration profile and about compliance policies. Your devices are configured and checked now. But wait, do you need to deploy applications as well? No worries, in the next post of the “Get started Series” you’ll find a detailled guide about packaging.