How to Create and Deploy Custom Compliance Policies in Microsoft Intune

Start by building a PowerShell script that checks your custom compliance requirements. This script must output JSON key-value pairs that Intune can evaluate against your compliance rules.

Create a new PowerShell file (e.g., CustomRegistryCheck.ps1) with the following structure:

# Custom compliance script for registry check
try {
    $RegPath = "HKLM:\SOFTWARE\MyCompany\SecurityAgent"
    $VersionValue = Get-ItemProperty -Path $RegPath -Name "Version" -ErrorAction SilentlyContinue
    $LastUpdateValue = Get-ItemProperty -Path $RegPath -Name "LastUpdate" -ErrorAction SilentlyContinue
    
    # Check if antivirus service is running
    $ServiceStatus = Get-Service -Name "MySecurityService" -ErrorAction SilentlyContinue
    
    # Build result object
    $result = @{
        "SecurityAgentVersion" = if ($VersionValue) { $VersionValue.Version } else { "NotInstalled" }
        "LastUpdateDays" = if ($LastUpdateValue) { 
            (Get-Date).Subtract([DateTime]$LastUpdateValue.LastUpdate).Days 
        } else { 999 }
        "ServiceRunning" = if ($ServiceStatus -and $ServiceStatus.Status -eq "Running") { "True" } else { "False" }
    }
    
    # Output as compressed JSON
    $result | ConvertTo-Json -Compress
}
catch {
    # Return error state
    @{"Error" = $_.Exception.Message} | ConvertTo-Json -Compress
}

Before creating the compliance policy, you must upload your PowerShell script to Intune's script repository. This is a mandatory prerequisite step.

Navigate to the Microsoft Intune admin center and follow these steps:

1. Sign in to Microsoft Intune admin center at https://intune.microsoft.com
2. Go to Devices > Scripts and remediations > Platform scripts
3. Click Add > Windows 10 and later
4. In the Basics tab:
   • Name: Custom Security Agent Compliance Check
   • Description: Checks security agent version, update status, and service state
5. In the Script settings tab:
   • Upload your CustomRegistryCheck.ps1 file
   • Run this script using the logged on credentials: No
   • Enforce script signature check: No (unless you have signed scripts)
   • Run script in 64 bit PowerShell Host: Yes
6. In the Assignments tab: Assign to a test group initially
7. Click Review + Add then Add

The JSON validation file defines the compliance rules that Intune applies to your script's output. Each setting must match the keys returned by your PowerShell script exactly.

Create a file named SecurityAgentCompliance.json with the following structure:

{
  "Settings": [
    {
      "Name": "SecurityAgentVersion",
      "Type": "String",
      "Operator": "IsEquals",
      "CompliantValue": "3.2.1",
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Agent Update Required",
        "Message": "Your security agent version is outdated. Please update to version 3.2.1 or later from the company portal or contact IT support."
      }
    },
    {
      "Name": "LastUpdateDays",
      "Type": "Integer",
      "Operator": "LessThan",
      "CompliantValue": 30,
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Agent Definitions Outdated",
        "Message": "Security definitions are more than 30 days old. Connect to the corporate network or VPN to update automatically."
      }
    },
    {
      "Name": "ServiceRunning",
      "Type": "String",
      "Operator": "IsEquals",
      "CompliantValue": "True",
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Service Not Running",
        "Message": "The security service is not running. Restart your computer or contact IT support if the issue persists."
      }
    }
  ]
}

Available operators include: IsEquals, NotEquals, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual.

Now create the compliance policy that uses your uploaded script and JSON validation file to evaluate device compliance.

In the Microsoft Intune admin center:

1. Navigate to Devices > Compliance policies > Policies
2. Click Create policy
3. Select Platform: Windows 10 and later
4. In the Basics tab:
   • Name: Custom Security Agent Compliance
   • Description: Validates security agent installation, version, and service status using custom PowerShell checks
5. In the Compliance settings tab:
   • Expand Custom Compliance
   • Set Custom Compliance to Require
   • Click Select your discovery script
   • Choose Custom Security Agent Compliance Check from the dropdown
   • Upload your SecurityAgentCompliance.json file
6. Configure other compliance settings as needed (Device Health, System Security, etc.)
7. Click Next

Define what happens when devices fail your custom compliance checks. Set up grace periods and escalation actions to give users time to remediate issues.

In the Actions for noncompliance tab:

1. The default action "Mark device noncompliant" is set to Immediately (0 days)
2. Add additional actions by clicking Add:
   • Send email to end user - Schedule: 1 day after noncompliance
   • Send push notification to end user - Schedule: 1 day
   • Remotely lock the noncompliant device - Schedule: 7 days (optional, for high-security environments)
3. Configure email templates with specific remediation guidance
4. Set up additional notification schedules (e.g., 3 days, 5 days) for persistent non-compliance

Example escalation timeline:

Day 0: Mark noncompliant (immediate)
Day 1: Email + push notification to user
Day 3: Second email reminder
Day 7: Final warning email
Day 14: Device lock (optional)

Target your custom compliance policy to specific device groups. Start with a pilot group before rolling out organization-wide.

In the Assignments tab:

1. Under Included groups, click Add groups
2. Select your target groups:
   • Start with a pilot group: IT-Pilot-Devices
   • For production: All Windows Devices or specific department groups
3. Under Excluded groups, add:
   • Compliance-Exempt-Devices (for kiosks, shared devices)
   • VIP-Executive-Devices (if different policies apply)
4. Use dynamic groups for automatic assignment based on device properties

Example dynamic group query for Windows 10/11 devices:

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0")

Complete the policy creation and monitor its deployment across your targeted devices.

1. In the Review + create tab:
   • Review all settings, assignments, and actions
   • Verify the JSON validation file is correctly uploaded
   • Confirm the discovery script is properly selected
2. Click Create to deploy the policy
3. Monitor deployment progress:
   • Go to Devices > Compliance policies > Policies
   • Click on your policy name to view details
   • Check the Device status tab for compliance results

Policy evaluation occurs during device check-ins (typically every 8 hours for Windows devices). Force immediate evaluation by:

# On target devices, run as administrator:
Get-ScheduledTask | Where-Object {$_.TaskName -like "*Intune*"} | Start-ScheduledTask

# Or trigger sync from Company Portal app
# Settings > Sync

Address common deployment issues and optimize your custom compliance policy for reliable operation.

Common Issues and Solutions:

Script Not Found Error:

# Check script upload status
# In Intune admin center: Devices > Scripts and remediations > Platform scripts
# Verify script shows "Assigned" status
# If missing, re-upload script before policy deployment

JSON Schema Validation Errors:

// Ensure exact key matching between script output and JSON
// Script outputs: "SecurityAgentVersion"
// JSON must use: "Name": "SecurityAgentVersion"
// Case-sensitive matching required

Script Execution Failures:

# Test script locally with same permissions
PowerShell.exe -ExecutionPolicy Bypass -File CustomRegistryCheck.ps1

# Check Windows Event Logs on target devices
# Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Performance Optimization:

• Keep scripts under 200KB for faster execution
• Use -ErrorAction SilentlyContinue for non-critical checks
• Implement timeout handling for external service checks
• Cache results locally to avoid repeated expensive operations