📚🪟💻Compliance - Device Health - Code Integrity
What this policy is about 🔍
Code Integrity ensures that only trusted, signed code runs on your devices.
This compliance policy checks whether Hypervisor-Protected Code Integrity (HVCI) is enabled. HVCI uses virtualization-based security to protect the kernel from running unsigned or malicious drivers.
Without it, malware can load malicious drivers that operate at kernel level—bypassing most security tools.
How it works 🛠️
This policy uses Windows Device Health Attestation to verify Code Integrity status.
- TPM chip reports status — Confirms HVCI/Code Integrity is enabled
- Windows Health Attestation Service — Microsoft verifies the report
- Intune receives the result — Compliant or non-compliant
This is hardware-backed attestation. The device cryptographically proves its security state.
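To troubleshoot a device that this policy marks non-compliant, an admin can read the HVCI state locally before looking at the attestation report. This is an added PowerShell example, not part of the original policy documentation; it uses the built-in Win32_DeviceGuard WMI class and the Microsoft-documented HVCI registry value, while the function name Get-HvciStatus, the output fields and the LikelyCause hints are this example's own.

```powershell
# Added example: local view of the HVCI / Code Integrity state that the
# Device Health Attestation report carries. Get-HvciStatus is this
# example's own helper; Win32_DeviceGuard is the built-in WMI class.
function Get-HvciStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of
    # service codes: 1 = Credential Guard, 2 = HVCI.
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not
    # running, 2 = running. HVCI cannot run without VBS.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }

    # Registry value Microsoft documents for turning HVCI on via policy.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Example's own triage hints for the common non-compliant states.
    $likelyCause = if ($hvciRunning) { 'None' }
        elseif ($hvciConfigured) { 'Configured but not running: reboot pending or an incompatible driver blocked HVCI (see Microsoft-Windows-CodeIntegrity/Operational log)' }
        elseif ($vbsState -eq 'Off') { 'VBS is off: check UEFI virtualization support and Secure Boot' }
        else { 'HVCI not configured on this device' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VbsStatus           = $vbsState
        HvciConfigured      = $hvciConfigured
        HvciRunning         = $hvciRunning
        HvciRegistryEnabled = ($regEnabled -eq 1)
        LikelyCause         = $likelyCause
    }
}

# Usage: run from an elevated PowerShell session on the device itself.
Get-HvciStatus | Format-List
```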
🛠️ Compliance Settings
Platform
- Windows 10 and later
Profile Type
- Windows 10/11 compliance policy
Device Health
| Setting | Value |
|---|---|
| Require Code Integrity | Required |
⚙️ Actions for Non-Compliance
| Action | Schedule | Message Template | Additional Recipients |
|---|---|---|---|
| Mark device non-compliant | Immediately | (none) | None selected |
👥 Group Assignments
✅ Included groups:
All Devices