This is an Intune device compliance policy targeting Windows 10/11 devices, but all security-related compliance checks are effectively turned off. Only the minimum OS version setting is enforced.

This makes it appropriate for:

environments transitioning from “report‑only” to enforcement
staging / pilot Essential Eight compliance
device discovery before applying stricter controls
pairing with Conditional Access policies that require “Compliant device” as a condition

🔍 Key Enforcement Outcomes

✔ Enforced

Setting	Value	Outcome
Minimum OS version	`10.0.26300`	Devices must be running Windows 11 25H2 or later
Compliance action	`block`	Non‑compliant devices are blocked immediately (0‑hour grace period)
Assignment	1 group (`e1183c67-f343-4751-ae3a-6b0db7301c40`)	Assigned to a specific device/user group

This means:
➡ If a device is older than Windows 11 25H2, it will be marked non‑compliant and blocked by Conditional Access.

❌ NOT Enforced (All Disabled / False)

All of the following security controls are not enabled in this compliance policy:

🔐 Disk / Firmware / Hardware Security

BitLocker (bitLockerEnabled: false)
Secure Boot (secureBootEnabled: false)
TPM required (tpmRequired: false)
Early Launch Anti‑Malware (earlyLaunchAntiMalwareDriverEnabled: false)
Virtualization‑Based Security (virtualizationBasedSecurityEnabled: false)
Kernel DMA Protection (kernelDmaProtectionEnabled: false)
Memory Integrity / HVCI (memoryIntegrityEnabled: false)
Firmware protection (firmwareProtectionEnabled: false)

🛡 Defender / AV / Threat Protection

Defender enabled (defenderEnabled: false)
Realtime protection (rtpEnabled: false)
Antivirus required (antivirusRequired: false)
Anti‑spyware required (antiSpywareRequired: false)
Signature up-to-date (signatureOutOfDate: false)
Device Threat Protection (MDATP) required (deviceThreatProtectionEnabled: false)
Threat level requirement (deviceThreatProtectionRequiredSecurityLevel: unavailable)