Manually configuring Microsoft Intune compliance policies across hundreds of devices is tedious and error-prone. By leveraging the Microsoft Graph API through PowerShell, you can define, deploy, and audit compliance policies programmatically — making your configuration consistent, repeatable, and version-controlled.
Prerequisites
Before getting started you will need the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules are enough for this article, but the meta-module below installs everything) and an account that can consent to the Graph permissions the scripts use. Compliance policies and their assignments are read and written through DeviceManagementConfiguration.ReadWrite.All; the device inventory queried in the auditing section is a separate endpoint and needs DeviceManagementManagedDevices.Read.All as well. If all you intend to do is audit, connect with the .Read.All variants instead and leave the write scope for change windows. For interactive use the signed-in administrator's delegated permissions are sufficient and you do not need your own app registration; reserve an app registration (with a certificate rather than a client secret) for unattended runs from a pipeline. PowerShell 7.2 or later is recommended; the SDK also runs on Windows PowerShell 5.1.
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"
Retrieving Existing Compliance Policies
Start by listing all existing policies to understand your baseline before making changes.
$policies = Get-MgDeviceManagementDeviceCompliancePolicy -All   # -All follows @odata.nextLink so you see every policy, not just the first page
foreach ($policy in $policies) {
    # The platform-specific type (windows10CompliancePolicy, iosCompliancePolicy, ...) is exposed in AdditionalProperties
    Write-Host "$($policy.DisplayName) - $($policy.Id) - $($policy.AdditionalProperties.'@odata.type')"
}
Creating a Windows 10 Compliance Policy
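Since the point of scripting this is to keep policies in version control, the listing is more useful if it also captures each policy's full definition. The following is an added example and not code from the original article: it exports every compliance policy, including its scheduled actions (which the list endpoint omits unless expanded), to one JSON file per policy, and strips the read-only and tenant-generated properties so a file can later be posted back unchanged. The output folder name and the helper function name are assumptions made for the example.

```powershell
# Added example: snapshot every compliance policy to JSON so the definitions can live in source control.
# Assumes Connect-MgGraph has been run with DeviceManagementConfiguration.Read.All (or ReadWrite.All).
$outDir = Join-Path (Get-Location) 'compliance-policies'   # output location is an assumption
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Properties Graph assigns itself; posting them back is rejected or meaningless, so strip them before saving.
$readOnly = @('id', 'createdDateTime', 'lastModifiedDateTime', 'version', 'assignments')
function Remove-GeneratedProperty([hashtable]$Object) {
    foreach ($key in @($Object.Keys)) {
        # Keep @odata.type (needed to re-create the right platform type); drop every other @odata annotation
        if ($key -in $readOnly -or ($key -like '*@odata.*' -and $key -ne '@odata.type')) { $Object.Remove($key) }
    }
}

# The list endpoint omits scheduledActionsForRule unless expanded; without it a re-imported policy cannot be created.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' +
       '?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)'

do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType Hashtable
    foreach ($policy in $page.value) {
        Remove-GeneratedProperty $policy
        # Nested rules and action configurations carry their own generated ids; drop them too
        foreach ($rule in $policy.scheduledActionsForRule) {
            Remove-GeneratedProperty $rule
            foreach ($cfg in $rule.scheduledActionConfigurations) { Remove-GeneratedProperty $cfg }
        }
        # Derive a filesystem-safe file name from displayName
        $safeName = ($policy.displayName -replace '[^\w\-. ]', '_').Trim()
        $path = Join-Path $outDir "$safeName.json"
        $policy | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding utf8
        Write-Host "Exported '$($policy.displayName)' ($($policy.'@odata.type')) -> $path"
    }
    $uri = $page.'@odata.nextLink'   # keep following pages until Graph stops returning a nextLink
} while ($uri)
```

Commit the resulting folder; a diff between two runs is then a readable change log of what was altered in the portal, and each file is a body you can hand straight back to New-MgDeviceManagementDeviceCompliancePolicy.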
The following example creates a new compliance policy that requires BitLocker, Secure Boot, an active firewall, antivirus and anti-spyware protection, and a minimum OS build. Two things the portal hides from you matter here. First, the API rejects a create request that omits scheduledActionsForRule, so the body must include at least one rule with a block action; the portal sends the same default rule on every policy, and a grace period of 0 hours marks a failing device non-compliant immediately. Second, a compliance policy only marks devices; nothing is actually blocked until a Conditional Access policy requires a compliant device.
$body = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName = "Windows 10 - Security Baseline"
    description = "Enforces BitLocker and AV requirements"
    bitLockerEnabled = $true
    secureBootEnabled = $true
    osMinimumVersion = "10.0.19041"
    activeFirewallRequired = $true
    antivirusRequired = $true
    antiSpywareRequired = $true
    # Required on create: the action taken when a device fails the policy (this is the portal's default rule)
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$newPolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
$newPolicy.Id   # keep this; the assignment step needs it
Assigning the Policy to a Group
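Run the create snippet twice and you have two policies with the same name. The following added example, which is not code from the original article, wraps creation in an idempotent apply step: it looks the policy up by displayName, creates it when absent, and otherwise PATCHes the settings onto the existing policy and re-sends the scheduled actions through the policy's scheduleActionsForRules action (they are a navigation property and are not part of the settings PATCH). The function name and the sample definition are this example's own; the definition repeats the settings of the $body above so the block runs on its own.

```powershell
# Added example: idempotent create-or-update of a compliance policy, keyed on displayName.
# Assumes Connect-MgGraph with DeviceManagementConfiguration.ReadWrite.All. Function and sample names are illustrative.
function Set-CompliancePolicy {
    param([Parameter(Mandatory)][hashtable]$Definition)   # same shape as $body above

    $name = $Definition.displayName
    # Match client-side on displayName; guard against ambiguity rather than silently updating the first hit
    $found = @(Get-MgDeviceManagementDeviceCompliancePolicy -All | Where-Object { $_.DisplayName -eq $name })
    if ($found.Count -gt 1) { throw "More than one policy is named '$name'; refusing to guess which one to update." }

    if ($found.Count -eq 0) {
        $created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $Definition
        Write-Host "Created '$name' ($($created.Id))"
        return $created.Id
    }

    $existing = $found[0]
    # A PATCH cannot change the platform type; refuse to apply a Windows body to, say, an iOS policy of the same name
    $existingType = $existing.AdditionalProperties.'@odata.type'
    if ($existingType -ne $Definition.'@odata.type') {
        throw "'$name' already exists as $existingType but the definition is $($Definition.'@odata.type')."
    }

    # Settings go in the PATCH body; the scheduled actions are sent through the scheduleActionsForRules action
    $settings = @{} + $Definition          # shallow copy so the caller's definition is left untouched
    $rules = $settings.scheduledActionsForRule
    $settings.Remove('scheduledActionsForRule')
    Update-MgDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $existing.Id -BodyParameter $settings

    if ($rules) {
        $uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($existing.Id)/scheduleActionsForRules"
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body @{ deviceComplianceScheduledActionForRules = $rules }
    }
    Write-Host "Updated '$name' ($($existing.Id))"
    return $existing.Id
}

# Constructed sample definition (same settings as the $body above)
$definition = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'Windows 10 - Security Baseline'
    description            = 'Enforces BitLocker and AV requirements'
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    osMinimumVersion       = '10.0.19041'
    activeFirewallRequired = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}
$policyId = Set-CompliancePolicy -Definition $definition   # safe to run on every pipeline execution
```

Because the function returns the policy Id in both branches, a pipeline can call it on every run and feed the result straight into the assignment step without caring whether the policy was new.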
Once created, assign the policy to an Entra ID security group to target specific devices or users.
$policyId = "your-policy-id"        # the Id returned by New-MgDeviceManagementDeviceCompliancePolicy
$groupId = "your-aad-group-id"      # object ID of the Entra ID security group
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId = $groupId
    }
}
New-MgDeviceManagementDeviceCompliancePolicyAssignment `
    -DeviceCompliancePolicyId $policyId `
    -BodyParameter $assignment
Auditing Non-Compliant Devices
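Pasting object IDs into scripts is where assignment mistakes come from. The following added example, not code from the original article, resolves the group by display name, refuses to continue unless exactly one group matches, skips the call when the policy already targets that group (a second POST would create a duplicate assignment), supports exclusion targets, and then lists the policy's assignments as a check. It needs Group.Read.All in the Connect-MgGraph scopes in addition to the Intune scope. The group names and the function name are illustrative.

```powershell
# Added example: assign a compliance policy to a group by name, idempotently, and verify the result.
# Assumes Connect-MgGraph with DeviceManagementConfiguration.ReadWrite.All and Group.Read.All.
function Add-CompliancePolicyGroupAssignment {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$Exclude   # exclusion targets use a different @odata.type
    )

    # Double single quotes so a group name containing one cannot break the OData filter
    $safeName = $GroupName -replace "'", "''"
    $groups = @(Get-MgGroup -Filter "displayName eq '$safeName'" -Property Id, DisplayName, SecurityEnabled)
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($groups.Count)." }
    $group = $groups[0]

    $targetType = if ($Exclude) { '#microsoft.graph.exclusionGroupAssignmentTarget' } else { '#microsoft.graph.groupAssignmentTarget' }

    # Read the current assignments first; Graph will happily store the same target twice
    $base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$PolicyId/assignments"
    $current = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType Hashtable).value
    $already = $current | Where-Object { $_.target.groupId -eq $group.Id -and $_.target.'@odata.type' -eq $targetType }
    if ($already) {
        Write-Host "Policy $PolicyId already targets '$GroupName' ($targetType); nothing to do."
    } else {
        $body = @{ target = @{ '@odata.type' = $targetType; groupId = $group.Id } }
        New-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $PolicyId -BodyParameter $body | Out-Null
        Write-Host "Assigned policy $PolicyId to '$GroupName' as $targetType"
    }

    # Verification: every assignment on the policy, with the target spelled out
    $final = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType Hashtable).value
    foreach ($a in $final) {
        $t = $a.target
        $desc = switch ($t.'@odata.type') {
            '#microsoft.graph.groupAssignmentTarget'            { "include group $($t.groupId)" }
            '#microsoft.graph.exclusionGroupAssignmentTarget'   { "exclude group $($t.groupId)" }
            '#microsoft.graph.allDevicesAssignmentTarget'       { 'all devices' }
            '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'all users' }
            default                                             { $t.'@odata.type' }
        }
        Write-Host "  $($a.id): $desc"
    }
}

# Illustrative group names; a pilot include plus a break-glass exclusion is a common first rollout
Add-CompliancePolicyGroupAssignment -PolicyId $policyId -GroupName 'SG-Intune-Windows-Pilot'
Add-CompliancePolicyGroupAssignment -PolicyId $policyId -GroupName 'SG-Intune-BreakGlass' -Exclude
```

Excluding a break-glass or emergency-access group is worth the extra line: once Conditional Access requires compliance, a policy that accidentally marks every admin workstation non-compliant locks the people who can fix it out as well.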
Use Graph to export a compliance report so you can identify devices that need remediation before you enable a Conditional Access policy that requires compliant devices. This query reads the device inventory, which needs the DeviceManagementManagedDevices.Read.All scope, and it only returns devices already marked non-compliant; devices still inside a grace period report inGracePeriod, so count those separately if your policy grants one. Put the pipe at the end of each line rather than the start: a leading pipe is only accepted by PowerShell 7 and later.
$nonCompliant = Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'"
$nonCompliant |
    Select-Object DeviceName, OperatingSystem, OSVersion, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Export-Csv -Path "NonCompliant-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Summary
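The CSV tells you which devices are non-compliant but not why. The following added example, not code from the original article, walks each non-compliant device's per-policy setting states and reports the individual settings that failed, which is what the person doing the remediation actually needs, counts devices sitting in a grace period separately, and summarises which setting fails most often. The function name, the device cap and the output file name are assumptions.

```powershell
# Added example: explain why devices are non-compliant by reading per-setting compliance states.
# Assumes Connect-MgGraph with DeviceManagementManagedDevices.Read.All (device inventory and its policy states).
function Get-NonComplianceDetail {
    param([int]$MaxDevices = 500)   # defensive cap for large tenants; raise it deliberately

    $devices = Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'" |
        Select-Object -First $MaxDevices

    foreach ($d in $devices) {
        # Each device carries one deviceCompliancePolicyState per assigned policy, each with a settingStates collection
        $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/deviceCompliancePolicyStates"
        $states = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType Hashtable).value
        foreach ($ps in $states) {
            if ($ps.state -ne 'nonCompliant') { continue }   # policy-level state; skip policies this device passes
            foreach ($ss in $ps.settingStates) {
                if ($ss.state -ne 'nonCompliant' -and $ss.state -ne 'error') { continue }
                [pscustomobject]@{
                    DeviceName       = $d.DeviceName
                    User             = $d.UserPrincipalName
                    OSVersion        = $d.OSVersion
                    LastSync         = $d.LastSyncDateTime
                    Policy           = $ps.displayName
                    Setting          = $ss.setting          # e.g. Windows10CompliancePolicy.BitLockerEnabled
                    SettingState     = $ss.state
                    ErrorDescription = $ss.errorDescription
                }
            }
        }
    }
}

# Devices inside a grace period are not 'noncompliant' yet; report them so nobody is surprised when the period ends
$graceCount = (Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'inGracePeriod'" | Measure-Object).Count
Write-Host "Devices in grace period: $graceCount"

$detail = Get-NonComplianceDetail
$detail | Export-Csv -Path "NonCompliant-Detail-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# The setting that fails most often is where remediation effort pays off first
$detail | Group-Object Setting | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

One row per failing setting (rather than per device) is deliberate: a device failing BitLocker and the OS minimum at once needs two different fixes, and the per-setting summary at the end shows whether you are looking at a fleet-wide gap or a handful of stragglers.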
Using PowerShell and the Microsoft Graph API you can fully automate the lifecycle of Intune compliance policies, from creation and assignment to auditing and reporting. This approach is ideal for large environments where manual portal clicks cannot scale. Store your policy definitions in source control and apply them from a CI/CD pipeline for infrastructure-as-code compliance management. For those unattended runs, authenticate with an app registration and a certificate (Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...) granted only the application permissions the pipeline needs, and keep interactive ReadWrite sign-ins for humans doing ad hoc changes.