Mobile-First Cloud-First

New compliance settings for Windows 10 when using Conditional Access

Microsoft is constantly improving the features in the Intune service, and this also applies to the Conditional Access part. With the March 2018 update for Intune we got some new compliance settings that we can check for. These settings apply both to Azure AD joined devices that are MDM managed with Intune and to Windows 10 devices that are hybrid Azure AD joined with SCCM co-management.

If you have not already planned, tested or deployed co-management, now is the time. One of the first workloads I’m moving away from SCCM is Compliance Policy, to benefit from the easy way of making Conditional Access in Azure, like the new policy covered in this blog post. The only two things you need to get this working with co-management are to enable co-management and move the Compliance Policies workload to Intune.

The new settings are in the Windows 10 compliance policy, with two new sections under System Security: Device Security and Defender.

The new device compliance policy settings allow us to check more security-related settings on Windows 10 devices.

Device Security

Defender

Note: When using “Windows Defender Antimalware signature up-to-date”, remember that the signature is updated multiple times a day!


Another new setting in Intune is the compliance state a device without a compliance policy has.

Under Device Compliance – Compliance policy settings

There is a new setting for compliance status!

These settings configure the way the compliance service treats devices.


What is the user experience with a non-compliant device?

In the Company Portal on Windows 10 the end user can “Check Access” to see if the device is allowed to access company resources that are protected by Conditional Access.

With the new firewall setting in the compliance policy that I showed earlier in the blog post, if the end user disables the firewall

and runs a new compliance check in Company Portal, the device is now marked as non-compliant.

So when trying to access a company resource like Office 365, the end user will get a message.

The IT admin can always see the compliance state in Intune.
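When a pilot device shows up as non-compliant, it helps to be able to look at the same signals locally before opening the Intune portal. The script below is an added example written for this post, not code from Microsoft, Intune or the Company Portal: it checks the two settings walked through above, the firewall state from Device Security and the Defender signature age from the Defender section, using the built-in Get-NetFirewallProfile and Get-MpComputerStatus cmdlets. Intune’s exact evaluation rules are not described on this page, so the 24-hour signature-age threshold and the function name are assumptions for illustration.

```powershell
# Added example: local pre-check for two of the new Windows 10 compliance settings
# (firewall enabled on all profiles, Defender signatures up to date). This is not
# Intune's own evaluation logic; the signature-age threshold is an assumption.
#Requires -RunAsAdministrator

function Test-LocalCompliancePrecheck {
    [CmdletBinding()]
    param(
        # Assumed threshold: signatures older than this are treated as out of date.
        # Signatures ship multiple times a day, so a short window is realistic.
        [int]$MaxSignatureAgeHours = 24
    )

    # Device Security: the firewall must be enabled on every profile
    # (Domain, Private, Public). Enabled is a GpoBoolean, so compare to 'True'.
    $disabledProfiles = @(Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name)

    # Defender: read engine state and the last signature update time.
    $mp = Get-MpComputerStatus
    $signatureAgeHours = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalHours
    $signatureUpToDate = $signatureAgeHours -le $MaxSignatureAgeHours

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        FirewallEnabledAll   = ($disabledProfiles.Count -eq 0)
        FirewallDisabledOn   = ($disabledProfiles -join ', ')
        DefenderEnabled      = $mp.AntivirusEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        SignatureAgeHours    = [math]::Round($signatureAgeHours, 1)
        SignatureUpToDate    = $signatureUpToDate
        # Only these two checks are covered here; Intune evaluates more settings.
        WouldPassTheseChecks = (($disabledProfiles.Count -eq 0) -and
                                $mp.AntivirusEnabled -and $signatureUpToDate)
    }
}

# Usage: run in an elevated PowerShell session on the pilot device.
Test-LocalCompliancePrecheck | Format-List
```

If FirewallDisabledOn lists a profile, that matches the scenario shown above where the end user disabled the firewall and the device was marked non-compliant. Run the check again after the Company Portal “Check Access” to confirm the local state and the Intune compliance state agree.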

When you start testing the new compliance policy for Windows 10, try it on a pilot group before going company wide with these new features; if you mark end users’ devices as non-compliant by mistake, they will not be able to access company data!