I the new world where we don’t trust, but always verify before getting access to corporate data. Conditional Access is the gate we are using with Microsoft 365, when we are talking about verifying device compliance, it is not enough that we know that our company is owning the device. We also needs to look at the state of the device. Examples is if Bitlocker and SecureBoot is enabled. There is also other parameter to look after with a compliance policy in Intune.
Valid operating system builds is a parameter you can use in your compliance policy for Windows. There is also a way just to look at a minimum and a maximum version, that require that all your Windows version are on the same build version all time.
When we are looking into the real world, there can be different reason for your organisation to have different Windows version, there can be some users are using application that is not working on a specific Windows build, or when you are in a middle of a ring deployment updating your Windows build to the latest version.

In this blog post I will walk you trough creating a compliance policy that looks after different Windows build version. Looking at the OS build version is a way to ensure that Windows is updated to a patch level that your company trust.

Windows Build version

Create Windows Compliance policy:

Start Microsoft Endpoint Manager admin center : https://endpoint.microsoft.com

  1. Click Devices
  2. Click Windows
  3. Click Compliance policies
  4. Click Create Policy
  5. Select Windows 10 and later

Windows Compliance - Valid operating system builds - 01

  1. Enter Name: Windows Compliance –  Valid operating system builds

Windows Compliance - Valid operating system builds - 02

  1. Enter Valid operation system builds
Operating systems versions Minimum OS version Maximum OS version
Windows 10 1909 10.0.18363.815 10.0.18363.815
Windows 10 1903 10.0.18362.815 10.0.18362.815
Windows 10 1809 10.0.17763.1192 10.0.17763.1192
Windows 10 1803 10.0.17134.1456 10.0.17134.1456
Windows 10 1709 10.0.16299.1806 10.0.16299.1806

Windows Compliance - Valid operating system builds - 03

You can also configure

  • Action for noncompliance (Default = Mark device noncompliant : Immediately)
  • Scope tags
  • Assignments (A user group you want to test it on)

Windows Compliance - Valid operating system builds - 04

Compliance policy are only used for reporting inside Microsoft Intune, until you create a conditional access policy where you have a control that looks for “Require device to be marked as compliant”

End user experience:

The end user can go into Company Portal and and see the device compliance status on the device.

In this case the end user get a message that the device is not complaint and on witch build version the device needs to be on with a minimum and a maximum build version.
In this case it it just on build version we are looking for the latest build number from the day where the compliance policy was created.

CP not compliant

The end user need to go into the settings apps / Update & Security – Windows Update
Then install the missing updates.

Compliance WU

Happy testing.

Read more:

Windows 10 and later settings to mark devices as compliant or not compliant using Intune
Windows 10 release information