This blog post is about creating a custom compliance policy in Intune to check the ZScaler status. A customer of mine uses ZScaler for all their Windows endpoints. They want to ensure ZScaler is running because we want to protect those endpoints. I thought of the custom compliance feature in Microsoft Intune.

The customer already used a compliance policy. So, I copied the production policy and added the custom compliance configuration to check ZScaler.

The custom compliance configuration checks whether the ZScaler application/service is running. Furthermore, it checks whether your Internet connection runs through the ZScaler Internet Service.


Firstly, let’s explain how you can check whether your internet connection runs through ZScaler. A colleague of mine already had a script that you can use. This is the script:

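# Placeholder: set -Uri to the ZScaler connection test page
$url = Invoke-WebRequest -Uri '<ZSCALER_CHECK_PAGE_URL>'

# Read the text of the <div class="headline"> element (ParsedHtml requires Windows PowerShell 5.1)
$checkzscaler = ($url.ParsedHtml.getElementsByTagName('div') | Where-Object { $_.className -eq 'headline' }).innerText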

This is the result when your internet connection does not run through ZScaler:

And this is the result when your internet connection does run through ZScaler:

So, how do we make Intune check for ZScaler? Unfortunately, we can’t just add the script to Intune and have the compliance policy check for a 0 or 1 exit code (that would make this a bit easier).

We need to create a detection script (PowerShell) that outputs a JSON value. Intune then compares that output to a JSON file that holds the same setting names and the expected values.

This is the detection script that outputs the JSON value:

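# Placeholder: set -Uri to the ZScaler connection test page
$url = Invoke-WebRequest -Uri '<ZSCALER_CHECK_PAGE_URL>'

# Read the text of the <div class="headline"> element (ParsedHtml requires Windows PowerShell 5.1)
$checkzscaler = ($url.ParsedHtml.getElementsByTagName('div') | Where-Object { $_.className -eq 'headline' }).innerText

# Intune expects a single compressed JSON object; the key must match SettingName in the JSON file
$ZScalerStatus = @{"ZScalerStatus" = $checkzscaler}
return $ZScalerStatus | ConvertTo-Json -Compress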

Output: (This was run on a PC that doesn’t run ZScaler)

This is the JSON file for comparison:

           "Operand":"The request received from you didn't come from a Zscaler IP therefore you are not going through the Zscaler proxy service.",
                 "Title":"ZScaler Internet Access must be running.",
                 "Description": "Please make sure that the ZScaler Internet Access is running."

As you can see, I do a reverse check. When the ZScaler status is not equal to the “Operand” value, you are compliant.

This is the information that the JSON file must hold (Copied from Peter van der Woude):

  • SettingName – The name of the custom compliance setting, as returned by the PowerShell script
  • Operator – The operator (IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals) that specifies the action that is used for the compliance rule
  • DataType – The type of data (Boolean, Int64, Double, String, DateTime, Version) that specifies the data, as returned by the PowerShell script
  • Operand – The operand represents the values that the operator works on
  • MoreInfoURL – The URL that provides more information about the custom compliance setting
  • RemediationStrings – The information that provides information about the non-compliance
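
With a NotEquals rule on the headline text, every string other than the Operand passes, so the verdict depends on the check page's exact wording and on what the script returns when the request fails. The script below is an added example, not the script from this post: it returns a Boolean and reports a failed check as not verified. `$CheckUrl` is a placeholder, and the setting name `ZScalerActive` and the two function names are assumptions.

```powershell
# Added example, not the original script.
# Placeholder: URL of the ZScaler connection test page.
$CheckUrl = '<ZSCALER_CHECK_PAGE_URL>'

# Headline shown when traffic does NOT pass through ZScaler (the Operand text quoted in this post).
$NotViaZScaler = "The request received from you didn't come from a Zscaler IP therefore you are not going through the Zscaler proxy service."

function Get-ZScalerHeadline {
    param([string]$Uri)
    try {
        # ParsedHtml is only populated in Windows PowerShell 5.1 without -UseBasicParsing.
        $page = Invoke-WebRequest -Uri $Uri -TimeoutSec 15 -ErrorAction Stop
        $div  = $page.ParsedHtml.getElementsByTagName('div') |
                Where-Object { $_.className -eq 'headline' } |
                Select-Object -First 1
        return [string]$div.innerText
    }
    catch {
        # Network error, timeout or missing ParsedHtml: the check itself did not work.
        return ''
    }
}

function Get-ZScalerVerdict {
    param([string]$Headline)
    # Fail closed: no headline means the status could not be verified.
    if ([string]::IsNullOrWhiteSpace($Headline)) { return $false }
    # Only the negative headline is quoted in the post, so any other
    # non-empty headline is treated as "going through ZScaler".
    return ($Headline.Trim() -ne $NotViaZScaler)
}

$headline = Get-ZScalerHeadline -Uri $CheckUrl
$status   = @{ ZScalerActive = (Get-ZScalerVerdict -Headline $headline) }
return $status | ConvertTo-Json -Compress

# Matching rule in the JSON file: SettingName "ZScalerActive",
# Operator "IsEquals", DataType "Boolean", Operand true.
```

With the placeholder URL left in place, the request fails and the script outputs `{"ZScalerActive":false}`, which is the fail-closed path.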

Intune Custom Compliance Policy

Lastly, we add the configuration to the Intune compliance policy. Log in to Microsoft Intune, go to the compliance blade, and click on Scripts:

After that, add the detection script:

Name the policy and click on next:

Paste the detection script in the script area and leave the rest as-is:

Click on create in the review and create section.

Next, go to the compliance policy where you want to add the ZScaler check and edit the compliance settings. After that, edit the custom compliance area and fill in all the variables:

That makes your custom compliance policy check the ZScaler status in Intune! This is the result:


Custom Compliance by Peter van der Woude
