Enforce compliance for Microsoft Defender for Endpoint with Conditional Access for Windows 365 Cloud PC in MEM


Recently, I had published a blog on enforcing MFA using Conditional Access policy for Windows 365 Cloud PCs. Now, in an effort to further improve the security of Cloud PCs, I am now covering the process of enforcing compliance for Microsoft Defender for Endpoint with Conditional Access, based on risk levels for Windows 365 Cloud PCs.

Why enforce compliance for MDE in the first place?

Short answer is - Why not? Not so short answer is that if you are licensed for MDE and have your endpoints onboarded in MDE and managed for MDE policies using Intune, then you can apply device compliance policies and use Conditional Access to identify threats. Once in place, these policies can help in identifying non-compliant devices which in turn can help in setting restrictions around access of corporate resources. Until the device risk level has fallen under the allowed level in the compliance policy, the restrictions will continue to stay in place. Let's look at the steps for putting the configuration together.

Establish a service connection between Intune and Microsoft Defender for Endpoint 

This connection lets Microsoft Defender for Endpoint to collect data about machine risk from supported devices you manage with Intune. Following are the steps:

1. On Microsoft 365 Defender Portal navigate to Settings > Endpoints > General > Advanced features > Microsoft Intune connection.
2. Toggle the Microsoft Intune setting to On.
3. Click Save preferences.



5. Select Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint and toggle on compliance policy for Windows.


Onboard devices with Microsoft Defender for Endpoint 

Onboarded devices can communicate with Microsoft Defender for Endpoint and provide data for risk assessment. To onboard using MEM, one can use device configuration profile or an EDR policy. I personally use EDR because it eliminates the overhead configuring other settings found in device configuration profiles. When you configure EDR policy after connecting Intune and Microsoft Defender for Endpoint, Intune automatically gets the onboarding package (blob) from the Defender for Endpoint deployment, replacing the need to manually configure an Onboard package. Following are the steps:

2. Select Endpoint security > Endpoint detection and response > Create Policy.
3. Select Platform Windows as Windows 10 and later.
4. Select Profile as Endpoint detection and response.
5. Provide a Name and Description.
6. Use the following settings.


7. Assign to your Cloud PCs. Refer to this blog post on how to create AAD groups.

Set a device compliance policy to set the level of risk you want to allow

Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as non-compliant. Because how the Cloud PCs are setup, not all usual compliance policy settings apply to them. For example, Bitlocker is not supported on Windows 365 Cloud PCs as disks are already encrypted at rest using Azure Storage server side encryption.

2. Select Devices > Windows > Compliance policies > Create Policy
3. Select Platform Windows as Windows 10 and later.
4. Provide a Name and Description.
6. Use the following settings.


Threat level classifications determined by Microsoft Defender for Endpoint are as follows -

Clear: This level is the most secure. The device can't have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender for Endpoint uses the value Secure.)

Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren't compliant.

Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.

High: This level is the least secure and allows all threat levels. Devices with high, medium, or low threat levels are considered compliant.

7. Set the action for non-compliance to Mark device non-compliant - Immediately.
8. Assign to your Cloud PCs. Refer to this blog post on how to create AAD groups.

Use a conditional access policy to block users from accessing corporate resources from devices that are non-compliant.

Conditional access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online.

2. Select Endpoint Security > Conditional Access > New Policy.
3. Provide a Name.
4. Under Users and groups, choose Specific users included and select the users or groups that you want to target.


5. Under Cloud apps select the apps against which corporate data is to be protected:


6. Under Conditions, select Windows as Device platform.


7. Under Client apps, select all the modern authentication apps. If you are still using legacy authentication apps, then select them as well. In this example, I am selecting all.


8. Configure the Filter for devices to ensure the CA policy only applies on Cloud PCs.


9. Under Grant, select Grant access as Require device to be marked as compliant.



10. Select Create to finish creating the policy. Note: It is recommended to test the policy in Report-only mode first before enabling it. 

End user & admin experience

When the Cloud PC is found to be higher than the MDE risk level set in Compliance setting, the device will fall out of the compliance and will start reporting as non-compliant in Intune.


At this stage, the CA policy will kick in and access to cloud apps targeted in the CA policy will be blocked.

Access blocked against Office Online

Access blocked against Desktop Application Word

Access blocked against Desktop Application Word

Access blocked against Teams

Access blocked against Outlook

Company Portal will show MDE as the reason for non-compliance

If you don't have company portal installed, then the same status will be displayed in the browser when you click on Open.




You can head over to MDE portal to check the details on risk and alerts.




Sign-in logs can be referred to verify for the enforcement of the CA policy.




Once the alert has been remediated and the risk level comes below or has become equal to the permitted level as per MEM compliance setting, then the Cloud PC will become compliant again and user will regain access to the corporate apps targeted by the CA policy.


Conclusion

In addition to enforcing compliance for MDE with CA using risk level as a compliance parameter, it is recommended to enforce MFA, configure a security baseline for Windows 365 Cloud PCs and setup an Update ring, all part of the security guidelines for Windows 365 Cloud PCs. I have covered some of it if not all in my previous post which you can refer to over here.

Comments

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users