I have a question about the first part where you are talking about the device health attestation server. I have BitLocker required and Secure Boot required in a compliance policy and have done for 2/3 years now. We don't have a device attestation server in our environment and it successfully picks up if a device is encrypted or not through this compliance policy. Are you sure that's correct?
@topcatuk2000 1 year ago
I was also confused by this, as the compliance policy does also work in my environment and alerts the end user that the device needs to be encrypted.
@dbfsound8269 1 year ago
@topcatuk2000 I have a silent BitLocker encryption policy set up so all our devices get silently encrypted when they join Intune. I have the compliance policy in place so that if for whatever reason a device doesn't silently encrypt, it will catch it and make it non-compliant. The user then can't get to their 365 services and logs a ticket with us, and we will jump on and manually encrypt it for them.
@jonlyons3601 1 year ago
Works for me too, that's how I find non-encrypted devices.
@dbfsound8269 1 year ago
@jonlyons3601 I think they’ve made a mistake here by specifying a health attestation server is required for this to work. Seems a few people are using this policy with success without an attestation server.
@IntuneTraining 1 year ago
Looks like this is one for Steve. I was just following along 😂 -Adam
@drrich1755 1 year ago
Why oh why does it take so long to re-assess compliance? Meanwhile a user has lost half a day of productivity :(
@tacom611 months ago
Right? We need more competition in the Enterprise space, this behemoth is unlikely to change any time soon.
@Hans-gb4mv 1 year ago
Interesting, in my company we not only require your drive to be encrypted, but our CISO also wants us to unlock with a PIN. This way, we could check that the PIN has actually been set and if not mark it as non-compliant. I did notice in your policies that you have one with Jamf and it makes me wonder what you guys think about managing macOS. Is Intune mature enough to handle the platform, or do you still recommend integrating with third-party providers like Jamf? One of the smaller departments in our company has pushed for MacBooks and we are struggling to get those devices to play nice in an otherwise all-Microsoft software stack. And to prove I made it to the end, no MMS for me. I doubt my company would allow me to go, being on a different continent and all ;)
@IntuneTraining 1 year ago
Wow. A made-it-to-the-end viewer!! Congrats!! We have a video coming soon for Mac Update management in Intune but there’s not a whole lot in the space yet. I’m responsible for hardware standards and device management at my org and we have successfully pushed back against Mac for 20yrs. We have yet to find a legitimate business case that can’t be handled by a PC or a case that justifies the added cost of the support burden that another platform brings to the table. You now have to maintain an extra skill set and additional tools to support another platform, not to mention feature/app consistency for the users. I’m sure many people who have to support EDU or other creative orgs may need to manage Macs, but in general, business is done on Windows. This is all one person's perspective so take it how you want :-) Good luck! -Adam
@tacom611 months ago
As far as I know Posh logging doesn't dump cleartext credentials if you aren't trying to dump them in clear text yourself. Also you DO want verbose collection to the SIEM if possible, how else would you know what happened? lol
@tacom611 months ago
Regardless, good content and it appears I am not alone in the love and hate relationship with Microsoft, many things are such a PITA from the Administration perspective.
@alistairfreedom2456 1 year ago
This just looks annoying. Msft needs to make it more simple. This kind of config is just torture
@IntuneTraining 1 year ago
Agreed! Send them feedback on the console. Send a frown. -Adam
@danimalx23 1 year ago
This is terrible. The overall process seems completely unintuitive. Maybe if you could show an example of creating a script and JSON file from scratch, instead of using the example, it would make more sense.
@IntuneTraining 1 year ago
We totally agree and have given the same feedback to MS. The complexity creates a high bar and barrier to entry. Here’s a tool that should help: aka.ms/custom-compliance-JSON
@tacom611 months ago
For me the script and JSON made sense, complicated yes, but once you have seen the examples it's not too bad. The worst part is the complete lack of visibility and apparently no interest in getting this to run faster from MSFT. In my own testing I had to reboot the computer for the compliance script to be finally evaluated and report back green, like Steve mentioned that a reboot causes a full re-eval or something.