Microsoft has released an integration between Windows Defender Advanced Threat Protection (WDATP) and Intune. This is great news: we can now use WDATP in combination with Conditional Access, and block access to company resources from a Windows 10 device that is at a certain threat level.

Building on the existing security defenses in Windows 10, Windows Defender ATP provides a new post-breach layer of protection to the Windows 10 security stack. With a combination of client technology built into Windows 10 and a robust cloud service, it can help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations. Windows Defender ATP also sets a threat level on each device, and that threat level can be used in Intune compliance policies and Conditional Access.

Prerequisites
To use device compliance policies, the following are required:

Use the following subscriptions:

  • Intune
  • Azure Active Directory (AD) Premium
  • Windows Defender Advanced Threat Protection (WDATP)

Use a supported platform:

  • Windows 10

How to integrate Windows Defender Advanced Threat Protection with Intune:

Start the Intune Management portal.

  1. Click Device Compliance
  2. Click Windows Defender ATP

WDATP - Intune integration - 01

In the Configuring Windows Defender ATP blade, click on the link.

WDATP - Intune integration - 02

Click Sign in.

WDATP - Intune integration - 03

Click on the Settings tab and move the “Microsoft Intune Connection” slider to On.

WDATP - Intune integration - 04

Go back to the Intune management portal and refresh; the connection is now up and running.

WDATP - Intune integration - 05

In the Windows 10 compliance policy you can now set up the evaluation rule for WDATP:

Require the device to be at or under the Device Threat Level

WDATP - Intune integration - 06

The options are:

  • Secured: This option is the most secure, as the device can’t have any threats. If the device is detected as having any level of threat, it is evaluated as noncompliant.
  • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
  • Medium: The device is evaluated as compliant if the existing threats on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
  • High: This option is the least secure, and allows all threat levels. It may be useful if you’re using this solution only for reporting purposes.

In Intune, under Devices, you can see the Device Threat Level:

  1. Click all Devices
  2. Click Columns
  3. Click Device Threat Level

WDATP - Intune integration - 07

Now you can see the Device Threat Level in the device overview.

WDATP - Intune integration - 08

Read more at:

Add a device compliance policy for Windows devices in Intune
https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows

Windows Defender Advanced Threat Protection
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection