rules/findings/m365/microsoft_intune/ms-intune-devices-without-compliance-policy-not-compliance.json

{
    "args": [
         
    ],
    "provider": "Microsoft365",
    "serviceType": "Intune",
    "serviceName": "Microsoft 365",
    "displayName": "Ensure devices without a compliance policy are marked \u0027not compliant\u0027",
    "description": "Compliance policies are sets of rules and conditions that are used to evaluate the configuration of managed devices. These policies can help secure organizational data and resources from devices that don\u0027t meet those configuration requirements. Managed devices must satisfy the conditions you set in your policies to be considered compliant by Intune. When combined with conditional access, this allows more control over how non-compliant devices are treated.\n\nThe recommended state is `Mark devices with no compliance policy assigned as as Not compliant`.",
    "rationale": "Implementing this setting is a first step in adopting compliance policies for devices. When used in together with Conditional Access policies the attack surface can be reduced by forcing an action to be taken for non-compliant devices.\n\n**Note** This section does not focus on which compliance policies to use, only that an organization should adopt and enforce them to their needs.",
    "impact": "Any devices without a compliance policy will be marked not compliant. Care should be taken to first deploy any new compliance policies with a Conditional Access (CA) policy that is in the Report-only state. After the environment\u0027s device compliance is better understood it is then appropriate to finally align with `Mark devices with no compliance policy assigned as` and enable any CA policies that enforce actions based on device compliance.\n\nIf a mature environment already has an existing device compliance CA policy and a large number of devices without an assigned compliance policy, this could cause disruption as those devices would then be suddenly considered not compliant.",
    "remediation": {
        "text": "\r\n\t\t\t###### To remediate using the UI: \r\n\t\t\t1. Navigate to Microsoft Intune admin center https://intune.microsoft.com/ \r\n\t\t\t2. Select Devices and then under Manage devices click Compliance \r\n\t\t\t3. Click Compliance settings. \r\n\t\t\t4. Set Mark devices with no compliance policy assigned as to Not compliant. \r\n\t",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-get-started"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft 365 Foundations Benchmark",
            "version": "6.1.0",
            "reference": "4.1",
            "profile": [
                "E3 Level 2",
                "E5 Level 2"
            ]
        }
    ],
    "level": "high",
    "tags": [
         
    ],
    "rule": {
        "path": "intune_device_management_settings",
        "subPath": null,
        "selectCondition":[],
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "secureByDefault",
                                "eq",
                                "False"
                            ]
                        ]
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "@odata.context": "Type",
                    "deviceComplianceCheckinThresholdDays": "Device Compliance Threshold Days",
                    "secureByDefault": "Secure By Default"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                         
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "@odata.context": "Type",
                    "deviceComplianceCheckinThresholdDays": "Device Compliance Threshold Days",
                    "secureByDefault": "Secure By Default"
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                ],
                "message": "Ensure devices without a compliance policy are marked \u0027not compliant\u0027",
                "defaultMessage": "Ensure devices without a compliance policy are marked \u0027not compliant\u0027"
            },
            "properties": {
                "resourceName": "deviceManagementSetting",
                "resourceId": null,
                "resourceType": "IntuneDeviceManagementSetting"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "intune_devices_lacks_non_compliance_policy",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
        "@odata.context"
    ],
    "id": "microsoft365_2158"
}