Enforce compliance policy for Microsoft Defender ATP with Conditional Access in Intune to Windows 10 devices within a Hybrid environment.

In this scenario we make an compliance policy for our Windows 10 devices, with a Conditional Access policy. The output should be if the Windows 10 Azure AD Hybrid Joined devices not are compliant to the level of risk the compliance policy allows – then the devices will automatically exceed the allowed risk level and then are indentified as an non-compliant Windows 10 devices. Then our Conditional Access policy will be enforced and block the access to cloud resources (Apps) for non-compliant Windows 10 devices.

It’s a condition that only our Hybrid Azure Active Directory joined Windows 10 devices can be granted access to the Office 365 Exchange Online apps – cloud only (Azure Active Directory joined) Windows 10 devices will not be in compliance, this will be defined in our Conditional Access policy.

But again if the level of risk at the ATP compliance policy is exeeded then the hybrid joined devices also will be denied access to Office 365 Exchange online apps. These settings will be defined in our compliance and Conditional Access policies.

Prerequisites that needs to be inplace before starting configure Microsoft defender with conditional Access:

• Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5).

• Windows 10 devices are enrolled and managed from Microsoft Intune. They could be Hybrid joined devices or Azure AD joined. See Microsoft documentation for setting up Windows enrollment -> https://docs.microsoft.com/en-us/intune/windows-enroll

• Microsoft Defender ATP and access to the Microsoft Defender Security Center (ATP portal) -> https://securitycenter.windows.com

So lets start setting up our policies.

• First we need to login to Intune -> https://devicemanagement.microsoft.com
• Click on Device compliance – Configure policy settings – Select Not compliant to enabled. Meaning devices that doesn’t have an compliant policy they are marked NOT compliant as default.

• Now click on Windows defender ATP and then click Open the Micrsoft Defender ATP admin console:

• In the ATP admin portal click on Setting and Advance features then Enabled Microsoft Intune connection:

Note: This will establish a connections to Microsoft Intune for data and risk score collection so we can make a Conditional Access policy that enforces for exsample block devices that exceeds the allowed risk level for within our compliance policy.

When you established the connection to Microsoft Defender ATP, Intune received a Microsoft Defender ATP onboarding configuration package from Microsoft Defender ATP. This package is deployed automatically to Windows 10 devices with the device configuration profile added – we will make the device configuration profile later in this blog. The configuration package configures devices to communicate with Microsoft Defender ATP services to scan files, detect threats, and report the risk to Microsoft Defender ATP.

Now back to the Intune portal and Activate the “Connect Windows devices version 10.0.15063 and above to Microsoft Defender ATP” set it to ON and click Save:

Note: Intune will kindy tall us that we don’t have any Device compliance policy enabled yet. Thats all fine for now.

Lets configure our Microsoft Defender ATP compliance risk policy.

• Click on Device compliance and click Policies and then click Create.
• Now give the compliance policy a Name, Description, Platform and configure settings (Micrsoft Defender ATP) click OK and then Create Policy:

Note: In this test lab we choosing Low. This setting almost sets a zero tolerance for unsecured sources or data, files etc. detected as potential or malware, virus etc. Threat level classifications are determined by Microsoft Defender ATP:

• Clear: This level is the most secure. The device can’t have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender ATP users the value Secure.)
• Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren’t compliant.
• Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
• High: This level is the least secure and allows all threat levels. So devices that with high, medium, or low threat levels are considered compliant.

• Now the compliance policy need to be assigned to All users or a group of user and click Save:

Note: Assign to all users will effect All end users that logs on a Windows 10 devices and no one is left behind. This test lab security for out end users are highly prioritized.

Create a Conditional Access policy to enforce our demands.

• Click on Conditional Access – Create Policy.
• Give it a Name – Sign it to All users or a group of users.
• Select an cloud app or apps that is desired for use (We selected Office 365 Exhange Online):

• Select conditions – Configure Client apps (Preview) click Done:

Note: The selected client apps that this policy will apply to is almost everything that app could be presented on.

• Now click on Grant under Access controls and select Grant acess and fill out the desired controls to be enforced:

Note: In this Hybrid environment only hybrid clients thats installed from our on prem environment can and will be compliant and get acccess to Office 365 Exhange online services. Devices must also be marked as compliant and the users most have to read our Terms of use before proceeding. Three control rules that must be fulfilled to proceed.

• Enable the policy and click then Create:

Now lets try to make a What if on a random user in your directory.

• Click on Conditional Access – Policies and then Click What if:

• Now we can see witch policies that hits the user – in out case the newly created compliance policy:

The onboarding procedure that will let your Windows 10 Intune managed devices onboard the ATP so the data about their risk level can be collected and used.

• The last thing we need to do is configure a device configuration profile for onboarding the Windows 10 devices to ATP.
• Click on Device Configuration – Profiles – Create profile:

• Select Enabled to Sample sharing for all files and Expite telemetry reporting frequency:

Note: Selecting Enabled to both settings under configure is a thing is highly recommendable because it will provide cool features such as Sample sharing for all files and it help Microsoft develop and preserve a high security level though important telemetry data.

• Sample sharing for all files: Enable allows samples to be collected, and shared with Microsoft Defender ATP. For example, if you see a suspicious file, you can submit it to Microsoft Defender ATP for deep analysis. Not configured doesn’t share any samples to Microsoft Defender ATP.
• Expedite telemetry reporting frequency: For devices that are at high risk, Enable this setting so it reports telemetry to the Microsoft Defender ATP service more frequently.

• Now assign the Device configureation profile (Microsoft Defender ATP Windows 10) to All devices or a group of devices:

Note: The name of the profile could also have been something like –> “Microsoft Defender ATP Windows 10 onboarding”

• When the Device Configuration Onboard Policy is applied to the Windows 10 device – its should be visible when you browse the device and choose Device configuration:

• Logon to Microsoft Defender Security Center (ATP portal) -> https://securitycenter.windows.com
• Click on Machine list to see the Windows 10 devices that has been automatically onborded:

Note: Under domain you can see if the devices are ADD joined or hybrid joined.

• Try to log onto a Windows 10 device that dosen’t meet the compliance policy:

Note: This Windows 10 devices is a cloud only device, meaning its only Azure Active directory joined and do not meet the Hybrid join criteria for beeing compliant. So we cannot access this cloud app from this device. If the Device later on do a hybrid join then we will be able to access to app Microsoft 365 Exhange online (that includes teams and Onedrive)

• Check Device compliance regarding Windows 10 devices for non or compliant status:

Note: So remember our compliance policy tell us that if the Windows defender ATP Windows 10 device detects some abnormal behavior or any kind of security breach the device will not be compliant and the Conditional Access policy will not let the users access the cloud resource / app.

Happy deployment