
📚🪟💻 Compliance - Device Properties - Minimal OS Version

What this policy is about 🔍

Microsoft ships Windows updates constantly. Security patches, bug fixes, new features.

But here's the problem:

Users delay updates. Devices skip them. And suddenly your "managed fleet" is running 8 different Windows versions—some of them months out of date.

This is a Device Properties Compliance Policy that ensures devices run at least a minimum OS version.

If a device is too far behind?

It's non-compliant.


Why this matters 🤔

Running outdated Windows versions isn't just inconvenient—it's risky:

  • Security vulnerabilities — Old versions lack critical patches
  • Missing features — Newer security capabilities aren't available
  • Compatibility issues — Apps and policies expect newer builds
  • Support nightmares — Troubleshooting is harder when every device is on a different patch level

By enforcing a minimum OS version, you ensure:

  • Consistent security posture across all devices
  • Predictable behavior when deploying policies or apps
  • Easier support when everyone's on a known-good baseline

Think of it as version control for Windows itself.


How it works 🛠️

Intune checks the device's OS build number during every compliance check.

If the version is below the minimum you specified, the device fails the check and is marked non-compliant according to the schedule you configure under Actions for Non-Compliance.

Then you can:

  • Send a notification to the user
  • Block access via Conditional Access
  • Force the device to update before regaining access

Simple. Automated. Effective.


🛠️ Compliance Settings

Platform

  • Windows 10 and later

Profile Type

  • Windows 10/11 compliance policy

Device Properties

Setting              Value              What it means
Minimum OS version   10.0.26100.2161    Devices must run at least this build number to be compliant

What's this build number?

The format is: Major.Minor.Build.Revision

  • 10.0 = Windows 10/11 (both share this)
  • 26100 = The actual OS build (e.g., 24H2)
  • 2161 = The specific patch level

You can find the latest build numbers here: Windows release health

Pro tip:

You can use Supervision Tags or a centralized configuration tool to dynamically update this value across all your customer tenants from one place.

That way, when a new security baseline comes out, you update one value—and it rolls out to all your managed customers.


⚙️ Actions for Non-Compliance

Action                                Schedule       Message Template   Additional Recipients
Send push notification to end user    Immediately    (default)          None selected
Mark device non-compliant             After 7 days   (none)             None selected

What this means:

  • User gets immediate notification when their device doesn't meet the minimum OS version
  • Device is marked non-compliant after 7 days
  • This gives devices time to install updates via your update rings

Why 7 days?

Here's the critical insight:

If you have a Semi-Annual update ring (slow rollout) but simultaneously enforce a newer OS version via compliance, you create a conflict:

  • Your update ring says: "Wait, we're rolling this out carefully"
  • Your compliance policy says: "Update NOW or you're blocked"

That's a problem.

The 7-day grace period gives your update rings time to do their job before enforcement kicks in.

Critical: Align compliance with update rings

Your compliance policy should enforce what your update rings have already delivered.

Don't set the minimum OS version higher than what your slowest update ring can realistically deploy within the grace period.
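As an added illustration (not code from the original page or from Intune), the Python below shows how the Major.Minor.Build.Revision comparison described under "What's this build number?" and the 7-day schedule above combine into a per-device compliance state. Device names, OS versions and dates are constructed sample values.

```python
from datetime import date, timedelta

# Values taken from the policy settings and non-compliance schedule on this page
MINIMUM_OS_VERSION = "10.0.26100.2161"
GRACE_PERIOD_DAYS = 7

def parse_build(version: str) -> tuple:
    """Split Major.Minor.Build.Revision into integers. Comparing the tuple
    compares numerically, which a plain string comparison does not:
    "10.0.9600.0" > "10.0.26100.2161" as strings, but 9600 < 26100 as builds."""
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Major.Minor.Build.Revision string: {version!r}")
    return tuple(int(p) for p in parts)

def meets_minimum(device_version: str, minimum: str = MINIMUM_OS_VERSION) -> bool:
    """True if the device build is at or above the policy minimum."""
    return parse_build(device_version) >= parse_build(minimum)

def evaluate(device_version: str, first_failed: str, today: str) -> tuple:
    """Reproduce the schedule above: a device below the minimum is notified
    immediately but only marked non-compliant once the 7-day grace period,
    counted from its first failed check-in, has elapsed. Dates are ISO strings.
    Returns (state, deadline); state is "compliant", "in-grace" or "non-compliant"."""
    if meets_minimum(device_version):
        return "compliant", None
    deadline = date.fromisoformat(first_failed) + timedelta(days=GRACE_PERIOD_DAYS)
    state = "non-compliant" if date.fromisoformat(today) >= deadline else "in-grace"
    return state, deadline.isoformat()

# Constructed sample fleet: (device name, reported OS version, first check-in below minimum).
# The date is ignored for devices that already meet the minimum.
SAMPLE_FLEET = [
    ("LAPTOP-01",  "10.0.26100.2314", "2025-01-10"),  # newer revision than the minimum
    ("LAPTOP-02",  "10.0.26100.2161", "2025-01-10"),  # exactly the minimum
    ("DESKTOP-03", "10.0.22631.4460", "2025-01-08"),  # older build, failed 2 days ago
    ("DESKTOP-04", "10.0.19045.5131", "2025-01-01"),  # older build, failed 9 days ago
]

def report(fleet=SAMPLE_FLEET, today: str = "2025-01-10") -> dict:
    """Map each device name to its compliance state on the given check-in date."""
    return {name: evaluate(ver, failed, today)[0] for name, ver, failed in fleet}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:<12} {state}")
```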


👥 Group Assignments

✅ Included groups:

  • All Devices

❌ Excluded groups:

Why exclude these?

  • IoT devices (kiosks, digital signage) often run specialized images that are updated on a different cadence
  • W365 Boot devices are cloud PCs—Microsoft handles OS updates for those

Applying strict version requirements to those device types would cause unnecessary friction.


Final Thoughts 🧘

Security is a moving target.

What was "compliant" six months ago might be full of exploits today.

That's why minimum OS versions matter.

They ensure your devices don't just meet yesterday's baseline—they meet today's.

And when a new critical patch drops?

You can enforce it. Fast.

Deploy this policy. Monitor it. Keep your baseline current.

And the next time someone asks, "Are all our devices up to date?"

You'll know the answer. And you'll have Intune enforce it.


Standardize like a pro. Configure with intent. And remember: compliance isn't just about meeting the baseline—it's about staying there.