A team builds Proactive Remediations to enforce compliance. Script runs. Fixes the issue. Dashboard shows compliant. Everything looks good. Until security asks: what happens if a device is out of compliance right now?
Answer: you don't know.
Proactive Remediation = silent fix. Custom Compliance = enforcement signal.
Only Custom Compliance marks devices non-compliant, triggers Conditional Access, and blocks access when thresholds aren't met.
If Edge is outdated — Remediation quietly upgrades it. Compliance blocks access until it's fixed.
Most environments use one where they need the other. That's how you end up with 95% compliant dashboards and zero confidence in what that number means.
— Hal
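The Edge case above as a Custom Compliance discovery script, added here as an illustration and not taken from the original post. The setting name `EdgeVersion`, the install paths and the `<...>` placeholders are assumptions to adapt per environment.

```powershell
# Added example: Custom Compliance discovery script (not the author's code).
# Intune compares the JSON this script returns with a rules file uploaded
# alongside the policy. A matching rule for the setting below would be:
#   { "Rules": [ { "SettingName": "EdgeVersion", "Operator": "GreaterEquals",
#       "DataType": "Version", "Operand": "<MINIMUM_EDGE_VERSION>",
#       "MoreInfoUrl": "<HELP_URL>",
#       "RemediationStrings": [ { "Language": "en_US",
#           "Title": "Microsoft Edge is out of date",
#           "Description": "Update Edge to regain access." } ] } ] }
# "EdgeVersion" and the <...> placeholders are assumptions, not page values.

$ErrorActionPreference = 'Stop'

# Fail closed: if Edge is missing or unreadable, report 0.0.0.0 so the
# GreaterEquals rule marks the device non-compliant instead of passing.
$version = [version]'0.0.0.0'

# Assumed default install roots; the x86 variable is empty on 32-bit Windows.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }

foreach ($root in $roots) {
    try {
        $path = Join-Path $root 'Microsoft\Edge\Application\msedge.exe'
        if (Test-Path -LiteralPath $path) {
            $raw    = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            $parsed = [version]$raw
            # Keep the highest version found across install locations.
            if ($parsed -gt $version) { $version = $parsed }
        }
    } catch {
        # Unparsable or inaccessible version: keep the fail-closed default.
        continue
    }
}

# Custom Compliance expects one compressed JSON object as the script output.
$result = @{ EdgeVersion = $version.ToString() }
return $result | ConvertTo-Json -Compress
```

Unlike a remediation script, this one changes nothing on the device: it only reports state, and the rule decides whether the device is marked non-compliant.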