maciejrebisz.com


Valid Windows operating system builds in compliance policy – Mobile-First Cloud-First

maximios October 17, 2021

In the new world we don't trust; we always verify before granting access to corporate data. Conditional Access is the gate we use with Microsoft 365. When it comes to verifying device compliance, it is not enough to know that our company owns the device. We also need to look at the state of the device, for example whether BitLocker and Secure Boot are enabled. There are also other parameters to check with a compliance policy in Intune.
Valid operating system builds is a parameter you can use in your compliance policy for Windows. There is also a way to check only a minimum and a maximum version, but that requires all your Windows devices to be on the same build version all the time.
In the real world, there can be different reasons for your organisation to run different Windows versions: some users may rely on an application that does not work on a specific Windows build, or you may be in the middle of a ring deployment that is updating your Windows build to the latest version.

In this blog post I will walk you through creating a compliance policy that checks for different Windows build versions. Looking at the OS build version is a way to ensure that Windows is updated to a patch level that your company trusts.

Create Windows Compliance policy:

Start the Microsoft Endpoint Manager admin center: https://endpoint.microsoft.com

  1. Click Devices
  2. Click Windows
  3. Click Compliance policies
  4. Click Create Policy
  5. Select Windows 10 and later

  6. Enter Name: Windows Compliance – Valid operating system builds

  7. Enter Valid operating system builds

| Operating system version | Minimum OS version | Maximum OS version |
|---|---|---|
| Windows 10 1909 | 10.0.18363.815 | 10.0.18363.815 |
| Windows 10 1903 | 10.0.18362.815 | 10.0.18362.815 |
| Windows 10 1809 | 10.0.17763.1192 | 10.0.17763.1192 |
| Windows 10 1803 | 10.0.17134.1456 | 10.0.17134.1456 |
| Windows 10 1709 | 10.0.16299.1806 | 10.0.16299.1806 |

You can also configure

  • Action for noncompliance (Default = Mark device noncompliant : Immediately)
  • Scope tags
  • Assignments (A user group you want to test it on)

Compliance policies are only used for reporting inside Microsoft Intune until you create a Conditional Access policy with a control that looks for “Require device to be marked as compliant”.
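The range check from the table above, as an added example that is not part of the original post: a PowerShell sketch you can run against a device inventory before assigning the policy, to see which devices would fall outside the listed builds and why. It assumes a build is valid when it lies between the minimum and maximum of any one listed range; the function name `Test-ValidOsBuild` and the device inventory are hypothetical and constructed for illustration.

```powershell
# Added example. Ranges copied from the table in this post; minimum and maximum are identical there.
$ranges = @(
    @{ Name = 'Windows 10 1909'; Min = '10.0.18363.815';  Max = '10.0.18363.815'  }
    @{ Name = 'Windows 10 1903'; Min = '10.0.18362.815';  Max = '10.0.18362.815'  }
    @{ Name = 'Windows 10 1809'; Min = '10.0.17763.1192'; Max = '10.0.17763.1192' }
    @{ Name = 'Windows 10 1803'; Min = '10.0.17134.1456'; Max = '10.0.17134.1456' }
    @{ Name = 'Windows 10 1709'; Min = '10.0.16299.1806'; Max = '10.0.16299.1806' }
) | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Min = [version]$_.Min; Max = [version]$_.Max }
}

function Test-ValidOsBuild {   # hypothetical helper, not an Intune cmdlet
    param([Parameter(Mandatory)][string]$OsVersion, [Parameter(Mandatory)][object[]]$Ranges)

    $v = $null
    if (-not [version]::TryParse($OsVersion, [ref]$v)) {
        return [pscustomobject]@{ OsVersion = $OsVersion; Compliant = $false; Detail = 'not a parseable version' }
    }
    # [version] compares each part numerically; compared as strings, '...1192' would sort before '...815'.
    $hit = $Ranges | Where-Object { $v -ge $_.Min -and $v -le $_.Max } | Select-Object -First 1
    if ($hit) {
        return [pscustomobject]@{ OsVersion = $OsVersion; Compliant = $true; Detail = $hit.Name }
    }
    # Outside every range: look up the range for the same major.minor.build to explain why.
    $same = $Ranges | Where-Object {
        $_.Min.Major -eq $v.Major -and $_.Min.Minor -eq $v.Minor -and $_.Min.Build -eq $v.Build
    } | Select-Object -First 1
    if (-not $same)           { $detail = 'no range listed for this build' }
    elseif ($v -lt $same.Min) { $detail = "below minimum for $($same.Name)" }
    else                      { $detail = "above maximum for $($same.Name)" }
    [pscustomobject]@{ OsVersion = $OsVersion; Compliant = $false; Detail = $detail }
}

# Constructed sample inventory: device names and the non-matching builds are made up for this example.
$devices = @(
    @{ Device = 'PC-001'; OsVersion = '10.0.18363.815'  }   # exact match for 1909
    @{ Device = 'PC-002'; OsVersion = '10.0.18363.778'  }   # older revision than the range allows
    @{ Device = 'PC-003'; OsVersion = '10.0.18363.900'  }   # newer revision than the range allows
    @{ Device = 'PC-004'; OsVersion = '10.0.17763.1192' }   # exact match for 1809
    @{ Device = 'PC-005'; OsVersion = '10.0.19041.264'  }   # feature release not in the table
)
$devices | ForEach-Object {
    $r = Test-ValidOsBuild -OsVersion $_.OsVersion -Ranges $ranges
    [pscustomobject]@{ Device = $_.Device; OsVersion = $r.OsVersion; Compliant = $r.Compliant; Detail = $r.Detail }
} | Format-Table -AutoSize
```

With identical minimum and maximum values, as in the table, a device that installs a later update is reported as above maximum until the range in the policy is updated.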

End user experience:

The end user can go into Company Portal and see the compliance status of the device.

In this case the end user gets a message that the device is not compliant, and which build version the device needs to be on, with a minimum and a maximum build version.
In this case it is just one build version: we are looking for the latest build number as of the day the compliance policy was created.

The end user needs to go into the Settings app / Update & Security – Windows Update, then install the missing updates.

Happy testing.

Read more:

Windows 10 and later settings to mark devices as compliant or not compliant using Intune
Windows 10 release information
