ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Create and Deploy Custom Compliance Policies in Microsoft Intune

How to Create and Deploy Custom Compliance Policies in Microsoft Intune

Build advanced compliance policies using PowerShell discovery scripts and JSON validation files to check custom conditions like registry keys, files, and third-party services beyond Intune's default capabilities.

March 21, 2026 18 min 7
hardintune 8 steps 18 min

Why Use Custom Compliance Policies in Microsoft Intune?

Microsoft Intune's built-in compliance policies cover standard security requirements like device encryption, OS versions, and basic security settings. However, enterprise environments often need to validate custom conditions that go beyond these defaults — third-party security software versions, specific registry configurations, custom application installations, or proprietary security agent status.

Custom compliance policies bridge this gap by allowing you to create PowerShell discovery scripts that check any condition on Windows devices, paired with JSON validation files that define compliant states and user remediation messages. This approach enables granular control over device compliance while maintaining centralized management through Intune.

What Makes Custom Compliance Policies Powerful?

Unlike traditional compliance policies that rely on predefined settings, custom policies execute your PowerShell scripts during device check-ins and evaluate the results against your defined criteria. This means you can check registry keys for security software configurations, validate file versions of critical applications, verify custom certificates, or even query external APIs to confirm licensing status.

The JSON validation component provides structured compliance rules with user-friendly remediation messages. When devices fail compliance checks, users receive specific guidance on how to resolve issues, reducing helpdesk burden and improving security posture across your organization.

Related: Configure Program Pinning to Taskbar Using Microsoft Intune

Related: How to Disable Windows News and Interests Using Microsoft

Implementation Guide

Full Procedure

01

Create the PowerShell Discovery Script

Start by building a PowerShell script that checks your custom compliance requirements. This script must output JSON key-value pairs that Intune can evaluate against your compliance rules.

Create a new PowerShell file (e.g., CustomRegistryCheck.ps1) with the following structure:

# Custom compliance script for registry check
try {
    $RegPath = "HKLM:\SOFTWARE\MyCompany\SecurityAgent"
    $VersionValue = Get-ItemProperty -Path $RegPath -Name "Version" -ErrorAction SilentlyContinue
    $LastUpdateValue = Get-ItemProperty -Path $RegPath -Name "LastUpdate" -ErrorAction SilentlyContinue
    
    # Check if antivirus service is running
    $ServiceStatus = Get-Service -Name "MySecurityService" -ErrorAction SilentlyContinue
    
    # Build result object
    $result = @{
        "SecurityAgentVersion" = if ($VersionValue) { $VersionValue.Version } else { "NotInstalled" }
        "LastUpdateDays" = if ($LastUpdateValue) { 
            (Get-Date).Subtract([DateTime]$LastUpdateValue.LastUpdate).Days 
        } else { 999 }
        "ServiceRunning" = if ($ServiceStatus -and $ServiceStatus.Status -eq "Running") { "True" } else { "False" }
    }
    
    # Output as compressed JSON
    $result | ConvertTo-Json -Compress
}
catch {
    # Return error state
    @{"Error" = $_.Exception.Message} | ConvertTo-Json -Compress
}

Verification: Test your script locally by running PowerShell.exe -ExecutionPolicy Bypass -File CustomRegistryCheck.ps1 to ensure it outputs valid JSON.

Pro tip: Always include error handling in your discovery scripts. If the script fails, Intune marks the device as "Error" status, which has the highest severity and overrides other compliance states.
02

Upload the Discovery Script to Intune

Before creating the compliance policy, you must upload your PowerShell script to Intune's script repository. This is a mandatory prerequisite step.

Navigate to the Microsoft Intune admin center and follow these steps:

  1. Sign in to Microsoft Intune admin center at https://intune.microsoft.com
  2. Go to Devices > Scripts and remediations > Platform scripts
  3. Click Add > Windows 10 and later
  4. In the Basics tab:
    • Name: Custom Security Agent Compliance Check
    • Description: Checks security agent version, update status, and service state
  5. In the Script settings tab:
    • Upload your CustomRegistryCheck.ps1 file
    • Run this script using the logged on credentials: No
    • Enforce script signature check: No (unless you have signed scripts)
    • Run script in 64 bit PowerShell Host: Yes
  6. In the Assignments tab: Assign to a test group initially
  7. Click Review + Add then Add

Verification: Check that your script appears in the Platform scripts list with status "Assigned" after a few minutes.

Warning: The script name in Intune cannot be changed after upload. If you need to modify the name, you must delete and re-upload the script, then update any compliance policies that reference it.
03

Create the JSON Validation File

The JSON validation file defines the compliance rules that Intune applies to your script's output. Each setting must match the keys returned by your PowerShell script exactly.

Create a file named SecurityAgentCompliance.json with the following structure:

{
  "Settings": [
    {
      "Name": "SecurityAgentVersion",
      "Type": "String",
      "Operator": "IsEquals",
      "CompliantValue": "3.2.1",
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Agent Update Required",
        "Message": "Your security agent version is outdated. Please update to version 3.2.1 or later from the company portal or contact IT support."
      }
    },
    {
      "Name": "LastUpdateDays",
      "Type": "Integer",
      "Operator": "LessThan",
      "CompliantValue": 30,
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Agent Definitions Outdated",
        "Message": "Security definitions are more than 30 days old. Connect to the corporate network or VPN to update automatically."
      }
    },
    {
      "Name": "ServiceRunning",
      "Type": "String",
      "Operator": "IsEquals",
      "CompliantValue": "True",
      "RemediationStrings": {
        "Language": "en_US",
        "Title": "Security Service Not Running",
        "Message": "The security service is not running. Restart your computer or contact IT support if the issue persists."
      }
    }
  ]
}

Available operators include: IsEquals, NotEquals, GreaterThan, LessThan, GreaterThanOrEqual, LessThanOrEqual.

Verification: Validate your JSON syntax using an online JSON validator or PowerShell: Get-Content SecurityAgentCompliance.json | ConvertFrom-Json

Pro tip: Use descriptive remediation messages that guide users to specific actions. Include links to internal portals or contact information where appropriate.
04

Create the Custom Compliance Policy

Now create the compliance policy that uses your uploaded script and JSON validation file to evaluate device compliance.

In the Microsoft Intune admin center:

  1. Navigate to Devices > Compliance policies > Policies
  2. Click Create policy
  3. Select Platform: Windows 10 and later
  4. In the Basics tab:
    • Name: Custom Security Agent Compliance
    • Description: Validates security agent installation, version, and service status using custom PowerShell checks
  5. In the Compliance settings tab:
    • Expand Custom Compliance
    • Set Custom Compliance to Require
    • Click Select your discovery script
    • Choose Custom Security Agent Compliance Check from the dropdown
    • Upload your SecurityAgentCompliance.json file
  6. Configure other compliance settings as needed (Device Health, System Security, etc.)
  7. Click Next

Verification: Ensure the JSON file uploads successfully and shows "Uploaded successfully" message. The policy preview should display your custom compliance requirements.

05

Configure Actions for Non-Compliance

Define what happens when devices fail your custom compliance checks. Set up grace periods and escalation actions to give users time to remediate issues.

In the Actions for noncompliance tab:

  1. The default action "Mark device noncompliant" is set to Immediately (0 days)
  2. Add additional actions by clicking Add:
    • Send email to end user - Schedule: 1 day after noncompliance
    • Send push notification to end user - Schedule: 1 day
    • Remotely lock the noncompliant device - Schedule: 7 days (optional, for high-security environments)
  3. Configure email templates with specific remediation guidance
  4. Set up additional notification schedules (e.g., 3 days, 5 days) for persistent non-compliance

Example escalation timeline:

Day 0: Mark noncompliant (immediate)
Day 1: Email + push notification to user
Day 3: Second email reminder
Day 7: Final warning email
Day 14: Device lock (optional)

Verification: Review the actions timeline to ensure appropriate grace periods for your organization's remediation processes.

Warning: Device lock actions are irreversible through the compliance policy. Ensure you have proper helpdesk procedures to unlock devices when users remediate compliance issues.
06

Assign the Policy to Device Groups

Target your custom compliance policy to specific device groups. Start with a pilot group before rolling out organization-wide.

In the Assignments tab:

  1. Under Included groups, click Add groups
  2. Select your target groups:
    • Start with a pilot group: IT-Pilot-Devices
    • For production: All Windows Devices or specific department groups
  3. Under Excluded groups, add:
    • Compliance-Exempt-Devices (for kiosks, shared devices)
    • VIP-Executive-Devices (if different policies apply)
  4. Use dynamic groups for automatic assignment based on device properties

Example dynamic group query for Windows 10/11 devices:

(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0")

Verification: Check group membership by navigating to Groups and reviewing the selected groups' device count and membership rules.

Pro tip: Use Azure AD dynamic groups with device attributes to automatically assign policies based on department, location, or device type. This reduces administrative overhead as your environment grows.
07

Deploy and Monitor the Policy

Complete the policy creation and monitor its deployment across your targeted devices.

  1. In the Review + create tab:
    • Review all settings, assignments, and actions
    • Verify the JSON validation file is correctly uploaded
    • Confirm the discovery script is properly selected
  2. Click Create to deploy the policy
  3. Monitor deployment progress:
    • Go to Devices > Compliance policies > Policies
    • Click on your policy name to view details
    • Check the Device status tab for compliance results

Policy evaluation occurs during device check-ins (typically every 8 hours for Windows devices). Force immediate evaluation by:

# On target devices, run as administrator:
Get-ScheduledTask | Where-Object {$_.TaskName -like "*Intune*"} | Start-ScheduledTask

# Or trigger sync from Company Portal app
# Settings > Sync

Verification: Within 24 hours, check the compliance dashboard at Reports > Device compliance to see policy evaluation results.

08

Troubleshoot Common Issues and Optimize Performance

Address common deployment issues and optimize your custom compliance policy for reliable operation.

Common Issues and Solutions:

Script Not Found Error:

# Check script upload status
# In Intune admin center: Devices > Scripts and remediations > Platform scripts
# Verify script shows "Assigned" status
# If missing, re-upload script before policy deployment

JSON Schema Validation Errors:

// Ensure exact key matching between script output and JSON
// Script outputs: "SecurityAgentVersion"
// JSON must use: "Name": "SecurityAgentVersion"
// Case-sensitive matching required

Script Execution Failures:

# Test script locally with same permissions
PowerShell.exe -ExecutionPolicy Bypass -File CustomRegistryCheck.ps1

# Check Windows Event Logs on target devices
# Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Performance Optimization:

  • Keep scripts under 200KB for faster execution
  • Use -ErrorAction SilentlyContinue for non-critical checks
  • Implement timeout handling for external service checks
  • Cache results locally to avoid repeated expensive operations

Verification: Monitor the Device compliance report for error patterns and use Intune diagnostic logs to identify script execution issues.

Pro tip: Create a test compliance policy with verbose logging enabled during development. Use Write-Host statements in your script for debugging, then remove them for production deployment.

Frequently Asked Questions

What platforms support Microsoft Intune custom compliance policies?+
Custom compliance policies are supported on Windows 10 and later versions, as well as Linux Ubuntu Desktop 20.04 LTS and 22.04 LTS. For Windows devices, you use PowerShell discovery scripts, while Linux devices use equivalent shell scripts. The feature is not available for iOS, Android, or macOS platforms as of 2026.
How often do custom compliance policies evaluate on enrolled devices?+
Custom compliance policies evaluate during regular Intune device check-ins, which occur approximately every 8 hours for Windows devices by default. You can force immediate evaluation by triggering a manual sync through the Company Portal app or by running scheduled tasks on the device. The evaluation frequency cannot be customized and follows Intune's standard check-in schedule.
What happens if my PowerShell discovery script fails to execute?+
If the PowerShell script fails to execute or returns an error, Intune marks the device with an "Error" compliance status. This status has the highest severity level and overrides other compliance states like "NonCompliant" or "InGracePeriod". The device will be considered non-compliant until the script executes successfully. Always include proper error handling in your scripts to avoid unexpected compliance failures.
Can I use custom compliance policies to check third-party antivirus software status?+
Yes, custom compliance policies are ideal for checking third-party security software. You can create PowerShell scripts that query registry keys for antivirus version information, check if security services are running, verify definition update dates, or even query WMI classes for security product status. The JSON validation file then defines compliant versions and provides remediation messages to users when updates are needed.
What are the size and complexity limits for custom compliance scripts?+
Microsoft recommends keeping PowerShell discovery scripts under 200KB for optimal performance and faster execution during device check-ins. Scripts should complete execution within a reasonable timeframe to avoid timeout issues. There's no hard limit on JSON validation file size, but keep remediation messages concise and actionable. Complex scripts with multiple external dependencies or long-running operations may cause compliance evaluation delays.
Tags
#intune#compliance#powershell

Further Intelligence

Deepen your knowledge with related resources

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge
tutorial
Web Development

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge

Deep Dive
How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune
tutorial
Cloud Computing

How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune

Deep Dive
How to Automate Disk Cleanup for Windows 11 Upgrades Using Intune Remediation
tutorial
DevOps

How to Automate Disk Cleanup for Windows 11 Upgrades Using Intune Remediation

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account