Forcing a device to become non-compliant based on one or more device configuration statuses
For example, if I configured a device configuration policy to block USB, and for some reason this setting couldn't execute on the device or returned with an error, the device becomes noncompliant and therefore will get blocked via the "Require device to be marked as compliant" conditional access rule.
The idea is to have a check box next to each device configuration policy, which lets the IT admin enable or disable this policy as a mandatory requirement for the device to be compliant.
Alternatively, it could be a good idea to let the IT admin configure a custom compliance condition, such as a specific certificate, file, or registry key which must exist on the device for it to be compliant.
Seems a good idea to me. Seems a bit harsh to make a whole device non-compliant based on just one setting.
Alex Fields commented
This is a fantastic idea
That's a good one, I will look into this. Thanks for sharing.