
📚🪟💻Compliance - Custom - Detect RMM

What this policy is about 🔍

Microsoft says a device is compliant when it meets their baseline security requirements.

But is that enough?

Not when you're an MSP relying on remote management tools to do your job.

This is a Custom Compliance Policy that ensures your RMM (Remote Monitoring & Management) agent is:

  1. Installed on the device
  2. Actually running (not just sitting there doing nothing)

Because what good is remote management if the agent isn't managing anything?


Why this matters 🤔

Users sometimes uninstall the RMM agent. Or the service crashes. Or a Windows update breaks it.

And when that happens:

  • You lose visibility — Can't see what's happening on that device
  • You lose control — Can't deploy patches, scripts, or fixes remotely
  • You lose compliance — If you can't manage it, is it really managed?

This policy makes sure that doesn't happen.

If the RMM agent isn't installed and running, the device is flagged as non-compliant in Intune.

Then you can:

  • Send the user a notification
  • Block access to corporate resources via Conditional Access
  • Actually know when your RMM coverage drops

Simple. Automated. Effective.


How it works 🛠️

This is a Custom Compliance Policy using a PowerShell detection script.

  1. Script runs on the device — See 📚🪟💻📜CCScript - Windows - Detect RMM for full details
  2. Script detects the RMM tool — Checks processes, services, registry, file paths
  3. Script outputs JSON — Simple boolean values: present and active
  4. Intune evaluates the rules — Both must be true for compliance
  5. Device marked compliant or non-compliant — Based on the results

The script auto-detects all major RMM platforms. No configuration needed. It just works.
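The following is an added illustration of the detection-script shape described above, not the linked "CCScript - Windows - Detect RMM" script itself. It assumes each approved RMM agent registers a Windows service; the service names in the list are placeholders, and the output property names must match the "SettingName" values in the rules JSON below.

```powershell
# Added example, not the linked "CCScript - Windows - Detect RMM" script.
# Assumption: each approved RMM agent registers a Windows service. The names
# below are placeholders, not real vendor service names.
$approvedRmmServices = @('ExampleRmmAgentA', 'ExampleRmmAgentB')

$present = $false
$active  = $false

foreach ($name in $approvedRmmServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }

    # "present": at least one approved agent service is registered,
    # regardless of whether it is currently running.
    $present = $true

    # "active": the service reports Running AND its host process is alive.
    # A service stuck in Stopped or StartPending counts as inactive, so the
    # device is flagged rather than silently passing.
    $svcInfo = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc.Status -eq 'Running' -and $svcInfo -and $svcInfo.ProcessId -gt 0 -and
        (Get-Process -Id $svcInfo.ProcessId -ErrorAction SilentlyContinue)) {
        $active = $true
        break
    }
}

# Intune custom compliance reads a single compact JSON object from the
# script output; property names map to the "SettingName" values and the
# booleans map to the "Boolean" DataType in the rules JSON.
$result = [ordered]@{ present = $present; active = $active }
return $result | ConvertTo-Json -Compress
```

On a device with no approved service the script emits {"present":false,"active":false}, which fails both rules; a registered but stopped service emits {"present":true,"active":false}, which fails only the "active" rule.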


🛠️ Compliance Settings

Platform

  • Windows 10 and later

Profile Type

  • Windows 10/11 compliance policy

Custom Compliance

Detection Script:

Custom Settings:

Setting name | Operator | Data Type | Value | Why
present      | isEquals | Boolean   | true  | RMM must be installed
active       | isEquals | Boolean   | true  | RMM must be running

Both checks must pass for the device to be compliant.


📜 Rules JSON

{
  "Rules": [
    {
      "SettingName": "present",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://contoso.example/rmm-compliance",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "At least one approved RMM must be installed.",
          "Description": "Install or repair your organization's remote management agent. Contact IT if unsure."
        },
        {
          "Language": "nl_NL",
          "Title": "Minstens één goedgekeurde RMM moet geïnstalleerd zijn.",
          "Description": "Installeer of repareer de remote management agent. Neem contact op met IT bij twijfel."
        }
      ]
    },
    {
      "SettingName": "active",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://contoso.example/rmm-compliance",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "The RMM agent must be running.",
          "Description": "Start the service or reboot the device. If the issue persists, contact IT."
        },
        {
          "Language": "nl_NL",
          "Title": "De RMM-agent moet actief zijn.",
          "Description": "Start de service of herstart het apparaat. Neem contact op met IT als het probleem blijft."
        }
      ]
    }
  ]
}

When non-compliant, users see these messages in the Company Portal app (in English or Dutch, depending on their language).


⚙️ Actions for Non-Compliance

Action                    | Schedule            | Message Template | Additional Recipients
Mark device non-compliant | 0.25 Days (6 hours) | (none)           | None selected

What this means:

  • Device flagged as non-compliant immediately when the check fails
  • After 6 hours, enforcement kicks in (e.g., Conditional Access blocks access)
  • No email or notifications configured

Want to notify users or IT proactively?

You can add additional actions:

  • Send email to end user — Warns the user their RMM agent is broken
  • Send email to additional recipients — Alerts your IT team or helpdesk

Best practice? That depends on your agreement with your customer.

Some MSPs prefer:

  • Silent enforcement — Let Conditional Access do the talking (users only notice when they lose access)
  • Proactive notifications — Email users immediately so they can fix it before lockdown
  • IT alerts only — Email your helpdesk, skip the end user (less noise, faster resolution)

There's no one-size-fits-all. Configure what works for your workflow and SLA.


👥 Group Assignments

✅ Included groups:

  • All Devices

❌ Excluded groups:

Why?

  • IoT devices (kiosks, digital signage) don't need RMM agents. They're managed differently.
  • W365 Boot devices are cloud-native endpoints managed directly through the cloud.

Applying this to those device types would just cause false positives.


💡 What Makes This "Custom" Compliance?

Microsoft's built-in compliance checks are great for standard baselines:

  • BitLocker enabled? ✅
  • Firewall on? ✅
  • Secure Boot active? ✅

But they don't check for your business-critical tools.

That's where Custom Compliance shines. With a PowerShell script, you can check anything:

  • Is antivirus running?
  • Is the VPN client installed?
  • Is the RMM agent alive and well?

It's like giving Intune X-ray vision. Suddenly it can see what Microsoft never thought to check.


🧠 Pro Tips

Pair with Conditional Access

Combine this with a Conditional Access policy:

"Only allow access to Microsoft 365 from compliant devices"

Now if the RMM agent breaks, the device is non-compliant — and the user loses access to email, SharePoint, Teams, everything.

Suddenly, fixing the RMM agent becomes a top priority.

Monitor the Dashboard

Check your Intune compliance reports regularly.

If you see a lot of devices failing:

  • Maybe there's a bug in the RMM agent
  • Maybe a Windows update broke something
  • Maybe it's time to update the detection script

Don't just set it and forget it. Monitor. Adjust. Optimize.

Test First

Before enforcing compliance, test the detection script on a few devices to make sure it detects your RMM correctly.

See the full script documentation: 📚🪟💻📜CCScript - Windows - Detect RMM


Final Thoughts 🧘

Microsoft's compliance checks are necessary, but not sufficient.

"Compliant" isn't just what Microsoft says it is.

It's what you say it is.

And if you say a device needs an RMM agent to be compliant?

Then it needs an RMM agent.

Deploy this policy. Monitor it. Enforce it.

And the next time someone's RMM agent goes missing?

You'll know about it before they do.


Standardize like a pro. Configure with intent. And remember: if you can't manage it remotely, is it really managed at all?