Enforce compliance for Microsoft Defender for Endpoint with Conditional Access for Windows 365 Cloud PC in MEM


I recently published a blog post on enforcing MFA with a Conditional Access policy for Windows 365 Cloud PCs. To further improve the security of Cloud PCs, this post covers enforcing compliance for Microsoft Defender for Endpoint (MDE) with Conditional Access, based on the device risk level reported for Windows 365 Cloud PCs.

Why enforce compliance for MDE in the first place?

The short answer is: why not? The longer answer is that if you are licensed for MDE, have your endpoints onboarded to MDE, and manage your MDE policies with Intune, you can use device compliance policies together with Conditional Access to act on detected threats. Once in place, these policies identify non-compliant devices, which in turn lets you restrict access to corporate resources from them. The restrictions stay in place until the device risk level falls back to the level allowed by the compliance policy. Let's look at the steps for putting the configuration together.

Establish a service connection between Intune and Microsoft Defender for Endpoint 

This connection lets Microsoft Defender for Endpoint collect machine risk data from supported devices you manage with Intune. Following are the steps:

1. On Microsoft 365 Defender Portal navigate to Settings > Endpoints > General > Advanced features > Microsoft Intune connection.
2. Toggle the Microsoft Intune setting to On.
3. Click Save preferences.



5. Select Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint and toggle on compliance policy for Windows.


Onboard devices with Microsoft Defender for Endpoint 

Onboarded devices can communicate with Microsoft Defender for Endpoint and provide data for risk assessment. To onboard using MEM, you can use either a device configuration profile or an EDR policy. I personally use EDR because it eliminates the overhead of configuring the other settings found in device configuration profiles. When you configure an EDR policy after connecting Intune and Microsoft Defender for Endpoint, Intune automatically gets the onboarding package (blob) from the Defender for Endpoint deployment, so you don't need to configure an onboarding package manually. Following are the steps:

2. Select Endpoint security > Endpoint detection and response > Create Policy.
3. Select Platform as Windows 10 and later.
4. Select Profile as Endpoint detection and response.
5. Provide a Name and Description.
6. Use the following settings.


7. Assign to your Cloud PCs. Refer to this blog post on how to create AAD groups.

Set a device compliance policy to set the level of risk you want to allow

Risk levels are reported by Microsoft Defender for Endpoint, and devices that exceed the allowed risk level are identified as non-compliant. Because of how Cloud PCs are set up, not all of the usual compliance policy settings apply to them. For example, BitLocker is not supported on Windows 365 Cloud PCs because their disks are already encrypted at rest using Azure Storage server-side encryption.

2. Select Devices > Windows > Compliance policies > Create Policy
3. Select Platform as Windows 10 and later.
4. Provide a Name and Description.
6. Use the following settings.


Threat level classifications determined by Microsoft Defender for Endpoint are as follows:

Clear: This level is the most secure. The device can't have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender for Endpoint uses the value Secure.)

Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren't compliant.

Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.

High: This level is the least secure and allows all threat levels. Devices with high, medium, or low threat levels are considered compliant.

7. Set the action for non-compliance to Mark device non-compliant - Immediately.
8. Assign to your Cloud PCs. Refer to this blog post on how to create AAD groups.

Use a Conditional Access policy to block users from accessing corporate resources from non-compliant devices

Conditional Access policies can use data from Microsoft Defender for Endpoint to block access to resources from devices that exceed the threat level you set. You can block access from the device to corporate resources such as SharePoint or Exchange Online.

2. Select Endpoint Security > Conditional Access > New Policy.
3. Provide a Name.
4. Under Users and groups, choose Specific users included and select the users or groups that you want to target.


5. Under Cloud apps select the apps against which corporate data is to be protected:


6. Under Conditions, select Windows as Device platform.


7. Under Client apps, select all the modern authentication apps. If you are still using legacy authentication apps, then select them as well. In this example, I am selecting all.


8. Configure the Filter for devices to ensure the CA policy only applies on Cloud PCs.


9. Under Grant, select Grant access as Require device to be marked as compliant.



10. Select Create to finish creating the policy. Note: It is recommended to test the policy in Report-only mode first before enabling it.
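The compliance policy from the previous section and the Conditional Access policy just described can also be created with Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that you supply your own AAD group ids, and that the allowed risk level ('medium') and the Cloud PC device filter rule are placeholders you adjust to your tenant.

```powershell
# Added example, not code from the original post: builds the MDE risk-level compliance policy
# and a report-only Conditional Access policy with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $CloudPcGroupId / $UserGroupId are your AAD
# group ids; 'medium' and the device filter rule are placeholders to adjust.
param(
    [Parameter(Mandatory)] [string]$CloudPcGroupId,   # group containing the Cloud PC devices
    [Parameter(Mandatory)] [string]$UserGroupId,      # users/groups targeted by the CA policy
    [ValidateSet('secured','low','medium','high')] [string]$MaxRiskLevel = 'medium'  # 'secured' = portal "Clear"
)
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Policy.ReadWrite.ConditionalAccess'
$graph = 'https://graph.microsoft.com/v1.0'

# Compliance policy: non-compliant when MDE reports a risk above $MaxRiskLevel,
# with the action "Mark device non-compliant - Immediately" (block, 0 h grace).
$compliance = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'W365 - MDE risk level'
    description                                 = 'Cloud PC must stay at or below the allowed MDE risk level'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = $MaxRiskLevel
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'   # Graph requires one rule; this is the name Intune itself uses
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}
$cp = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliance
$assign = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $CloudPcGroupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($cp.id)/assign" -Body $assign

# Conditional Access: all cloud apps, Windows only, all client app types, scoped to Cloud PCs by
# device filter, grant only to compliant devices. Created in report-only mode, as the note above advises.
$ca = @{
    displayName   = 'W365 - Require compliant Cloud PC'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only results
    conditions    = @{
        users          = @{ includeGroups = @($UserGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'include'; rule = 'device.model -startsWith "Cloud PC"' } }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
$caPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $ca
"Created compliance policy $($cp.id) and CA policy $($caPolicy.id) (report-only)"
```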

End user & admin experience

When the Cloud PC's MDE risk level is found to be higher than the level set in the compliance policy, the device falls out of compliance and starts reporting as non-compliant in Intune.


At this stage, the CA policy will kick in and access to cloud apps targeted in the CA policy will be blocked.

Access blocked against Office Online

Access blocked against Desktop Application Word

Access blocked against Teams

Access blocked against Outlook

Company Portal will show MDE as the reason for non-compliance

If you don't have Company Portal installed, the same status is displayed in the browser when you click Open.




You can head over to the MDE portal to check the details of the risk and alerts.




Sign-in logs can be used to verify that the CA policy is being enforced.




Once the alert has been remediated and the risk level is at or below the level permitted by the MEM compliance setting, the Cloud PC becomes compliant again and the user regains access to the corporate apps targeted by the CA policy.
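The admin-side checks above (non-compliant Cloud PCs in Intune, CA enforcement in the sign-in logs) can be pulled from Microsoft Graph instead of clicking through the portals. This is an added example, not from the original post; it assumes the Microsoft.Graph module, that your CA policy is named as in `$CaPolicyName`, and that Windows 365 devices report a model name starting with "Cloud PC".

```powershell
# Added example, not code from the original post: lists Cloud PCs currently non-compliant in Intune
# and sign-ins where the CA policy blocked (or would block, in report-only) access.
# Assumptions: Microsoft.Graph module installed; $CaPolicyName matches your CA policy's display name;
# Cloud PC model names start with "Cloud PC".
param([string]$CaPolicyName = 'W365 - Require compliant Cloud PC', [int]$Hours = 24)
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','AuditLog.Read.All','Directory.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Cloud PCs Intune reports as non-compliant (the MDE risk rule or any other rule)
$nc = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'"
$nc.value | Where-Object { $_.model -like 'Cloud PC*' } |
    Select-Object deviceName, userPrincipalName, complianceState, lastSyncDateTime | Format-Table

# 2. Sign-ins in the last $Hours hours where Conditional Access failed, narrowed to our policy.
#    'failure' = enforced block; 'reportOnlyFailure' = would have been blocked while in report-only mode.
$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$uri = "$graph/auditLogs/signIns?`$filter=conditionalAccessStatus eq 'failure' and createdDateTime ge $since"
$signIns = Invoke-MgGraphRequest -Method GET -Uri $uri
$signIns.value | ForEach-Object {
    $hit = $_.appliedConditionalAccessPolicies |
        Where-Object { $_.displayName -eq $CaPolicyName -and $_.result -in 'failure','reportOnlyFailure' }
    if ($hit) {
        [pscustomobject]@{ Time = $_.createdDateTime; User = $_.userPrincipalName
                           App = $_.appDisplayName; Result = $hit.result }
    }
} | Format-Table
```

A non-compliant Cloud PC in the first table with matching 'failure' rows in the second is the expected picture while the risk level is above the allowed one; once MDE remediation brings it back down, the device should drop out of the first table after its next sync.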


Conclusion

In addition to enforcing MDE compliance with CA using risk level as a compliance parameter, it is recommended to enforce MFA, configure a security baseline for Windows 365 Cloud PCs, and set up an update ring, all of which are part of the security guidelines for Windows 365 Cloud PCs. I have covered some if not all of this in my previous post, which you can refer to here.
