Did you know that you can leverage custom PowerShell scripts in Intune to determine whether a device should be considered compliant or not? You can use custom compliance scripts to check for a lot of cool things, like whether your company VPN software is actually installed and running, or to block access for devices that have deny-listed applications installed.
Custom compliance in Intune consists of two components: a PowerShell script that runs on the client to verify the individual settings, and a JSON definition file that describes the desired state of each setting and the user-facing messages explaining what was checked and why a device is not compliant. Check out the official docs for more info: https://learn.microsoft.com/mem/intune/protect/compliance-use-custom-settings?WT.mc_id=MVP_317638
JSON Definition File
Let’s start with the creation of our definition file, where we configure our desired settings. I have created a sample definition file which checks if WireGuard VPN is installed and if a non-approved application is found on the device. You obviously can configure whatever you need. You can find my sample file on GitHub: Scripts/Compliance/JSON.json at main · mmeierm/Scripts
PowerShell script
Now that we have our definition file created, we can focus on the actual PowerShell script. For the WireGuard VPN, I decided to check for the main executable and the Uninstall key in the registry:
For the unapproved app, I just check the Uninstall hive in the registry for the current user and in system context. You can find this sample script on GitHub: Scripts/Compliance/PowerShell.ps1 at main · mmeierm/Scripts
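Here is an added example of what such a detection script looks like, written for this post and not the script from the author's GitHub repository. The WireGuard executable path and Uninstall key name, the deny-listed display name "Unapproved App", and the two setting names are assumptions; the setting names must match the SettingName values in your JSON definition file.

```powershell
# Added example (not the author's script): Intune custom compliance detection script.
# Paths, key names and the deny-listed app name below are assumptions for illustration.

# Check 1: WireGuard VPN is installed (main executable present AND Uninstall key exists).
$wgExe = Join-Path $env:ProgramFiles 'WireGuard\wireguard.exe'   # assumed install path
$wgUninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WireGuard'  # assumed key name
$wireguardInstalled = (Test-Path -Path $wgExe) -and (Test-Path -Path $wgUninstallKey)

# Check 2: a deny-listed application appears in any Uninstall hive
# (per-user HKCU plus the 64-bit and 32-bit HKLM views).
$deniedDisplayName = 'Unapproved App'   # constructed placeholder, replace with the real name
$uninstallHives = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$unapprovedAppFound = $false
foreach ($hive in $uninstallHives) {
    # SilentlyContinue: a missing hive (e.g. WOW6432Node on a 32-bit OS) is not an error
    $match = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$deniedDisplayName*" }
    if ($match) { $unapprovedAppFound = $true; break }
}

# Intune expects exactly one line of JSON; property names must equal the
# "SettingName" values in the definition file, e.g.
#   { "SettingName": "WireguardInstalled", "Operator": "IsEquals",
#     "DataType": "Boolean", "Operand": true, ... }
#   { "SettingName": "UnapprovedAppFound", "Operator": "IsEquals",
#     "DataType": "Boolean", "Operand": false, ... }
$result = [ordered]@{
    WireguardInstalled = $wireguardInstalled
    UnapprovedAppFound = $unapprovedAppFound
}
return $result | ConvertTo-Json -Compress
```

Keep the output to that single compressed JSON line; any extra Write-Output in the script will break the parsing on the Intune side.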
Intune
PowerShell Script
Finally, we can upload our script to Intune to create our custom compliance policy. To do that, we go to the compliance policies page, open the Scripts tab and create a new script for Windows 10 and later:
Give it a name:
And upload the PowerShell script. I chose to let it run in user context, since we want to query HKLM keys:
Review the settings and create the script:
Compliance policy
Last but not least, we can create the actual compliance policy:
Again, give it a name:
And select the custom compliance script that we created before:
And finally upload our JSON definition file:
Review and create the policy:
User experience
If the device does not match the requirements, the user can see the pre-defined messages from our JSON file in the Company Portal:
We can also see the result in Intune: