@James Chan_110, Thanks for posting in Q&A. For your questions, here are my answers:
Question 1: How to set up this policy: "Automated alerts / reports to be sent to operations team for devices that have not reported back for a defined period of time"
Answer 1: I have answered it in the following link. You can refer to it:
https://learn.microsoft.com/en-us/answers/questions/1474284/intune-functions
Question 2: How to set up this policy: "Crowdstrike deployment has to be on the latest production version to grant access to corporate resources"
Answer 2: You can check if any registry key or other method can detect whether CrowdStrike is on the latest version. If yes, you can configure a custom compliance policy to mark devices without the latest version as not compliant and then set a conditional access policy to block cloud resource access for non-compliant devices.
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-use-custom-settings
Question 3: How to set up this policy: "Windows version and patch deployment status have to be up to date to grant access to corporate resources"
Answer 3: Compliance policy has settings for Minimum OS version and Maximum OS version to define the OS version range you want to consider as a compliant device. For patches, you can check if any PowerShell script or registry key can detect the patch and then consider a custom compliance policy to detect it.
After that, create the conditional access policy like the above.
Question 4: How to set up this policy: "Only up to date OS versions (list to be defined) are allowed to access corporate resources"
Answer 4: Compliance policy has a setting "Minimum OS version" to set the Minimum OS version on the device you want. After that, create the conditional access policy like the above.
Question 4A: Can the above policy "Only up to date OS versions (list to be defined) are allowed to access corporate resources" be assigned to BYOD devices?
Answer 4A: Yes, you can try the similar setting which we mentioned in Questions 3 and 4 to set the OS version you want, create a dynamic group with all the BYOD devices with a rule like device.deviceOwnership -eq "Personal", and after that create the conditional access policy like the above.
https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
Question 5: How to set up this policy: "Disable all local administrator accounts (except default Administrator)"
Answer 5: We can create a "Local user group membership (preview)" profile and configure the local administrators group with the Add (Replace) action to only add the built-in Administrator as the member of the administrators group.
As I know, roles like Global Administrator will be added into the local administrators group by default for devices that are Microsoft Entra joined. Please be sure it will not cause any issue before you remove these users.
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
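As an added example, not part of the answer above and not Microsoft's or CrowdStrike's own code, here is the shape of the discovery script that Answers 2 and 3 rely on for a custom compliance policy. Intune runs the script on the device and expects a single line of compressed JSON whose keys match the setting names in the rules file; the rules file then decides compliance. The script reports the CrowdStrike sensor version and the Windows build including the update revision (UBR), so one policy can cover both the "latest sensor" and "patched OS" checks. It assumes the Falcon sensor is listed under the standard Windows Uninstall registry keys with a DisplayName starting with "CrowdStrike"; the version strings in the rules comment are placeholders to replace with your current production values.

```powershell
# Added example: Intune custom compliance discovery script (not from the original answer).
# Assumption: the CrowdStrike Falcon sensor registers under the standard Uninstall keys
# with DisplayName like "CrowdStrike*". Adjust the filter if your sensor differs.

function Get-CrowdStrikeVersion {
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CrowdStrike*' } |
        Select-Object -First 1

    if ($null -eq $entry -or [string]::IsNullOrWhiteSpace($entry.DisplayVersion)) {
        # A missing sensor must fail the rule, so report a version that can never pass.
        return '0.0.0.0'
    }
    return [string]$entry.DisplayVersion
}

function Get-OsBuildWithUbr {
    # CurrentBuild is the OS build (e.g. 22631); UBR is the revision set by the
    # latest cumulative update, which is what a "patched" check actually needs.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return "10.0.$($nt.CurrentBuild).$($nt.UBR)"
}

$result = @{
    CrowdStrikeVersion = Get-CrowdStrikeVersion
    OsBuild            = Get-OsBuildWithUbr
}

# This must be the only output of the script: Intune parses stdout as JSON.
return $result | ConvertTo-Json -Compress

<#
Matching rules JSON uploaded with the compliance policy. Operands are placeholders;
update them each time a new sensor build or cumulative update becomes the baseline.
{
  "Rules": [
    {
      "SettingName": "CrowdStrikeVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "REPLACE_WITH_CURRENT_SENSOR_VERSION",
      "MoreInfoUrl": "https://intranet.example/endpoint-security",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "CrowdStrike sensor is out of date",
          "Description": "Update the Falcon sensor to the current production version." }
      ]
    },
    {
      "SettingName": "OsBuild",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "REPLACE_WITH_MINIMUM_PATCHED_BUILD",
      "MoreInfoUrl": "https://intranet.example/windows-updates",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Windows is missing the latest cumulative update",
          "Description": "Install pending Windows updates and restart." }
      ]
    }
  ]
}
#>
```

Run the script locally under an elevated prompt first and confirm that it prints exactly one JSON line; any extra output (a warning, a stray Write-Host) breaks parsing and the device will report an error rather than a compliance state. Keep the "Version" data type for both settings so that "7.10" compares numerically against "7.9" instead of as a string.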