Intune is active not compliant


  • Vmware Workspace One Compliance Partnership with Intune and Azure AD Conditional Access
  • Protect your data with Microsoft Intune – Part I
  • Deploy: Native Exchange ActiveSync with Conditional Access and Intune while blocking legacy auth?
  • Call4Cloud
  • A case of the unexplained: Intune password policy and forced local account password changes
  • Default device compliance status
    Default device compliance status

    This change will roll out in November and could impact any customer that has enrolled devices with no compliance policy assigned to them. The current behaviour of Intune towards enrolled devices that have no compliance policy assigned is to treat them as compliant.

    Devices should be considered non-compliant, or untrusted, until proven otherwise, and that is what the new default does. When Microsoft rolls out the change, customers who use conditional access policies based on device compliance may suddenly find that devices previously reported as compliant are unable to connect to Office 365 services.

    To prove compliance, the device must meet the standards of your device compliance policy. Therefore, if you are using conditional access rules based on device compliance, you must have at least one device compliance policy in place for the devices to be assessed against. In fact, you will need one device compliance policy per platform that your users enroll from, because device compliance policies are platform-specific.

    However, the change does have the potential to impact users who may suddenly be required to change a configuration on their device to remain compliant, such as by adding a PIN code for unlocking the device, or by enabling BitLocker to encrypt the local hard drive.

    For any compliance settings that you decide should be enforced, communicate the new requirements clearly to your end users, and be prepared to support them with anything they might need as the new compliance policies are rolled out in your organization. This change is scheduled to roll out to Intune customers around mid-November. To ease the transition, Microsoft is planning to add a report to Intune to help you identify the devices in your organization that have no device compliance policy assigned to them.

    This report is yet to appear in my own tenants almost a week after the announcement on Message Center.
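    Until that report appears, the same two questions can be answered from Microsoft Graph: what the tenant's "no policy assigned" default currently is, and which enrolled devices sit on a platform that has no compliance policy at all. The script below is an added example and is not from the post above; it assumes the Microsoft.Graph PowerShell SDK, an Intune administrator account, and the Graph v1.0 property names and operatingSystem strings as I know them (verify them against your tenant). It checks that a policy exists per platform, not that one is assigned to every device, so it is a first-pass estimate of exposure rather than the authoritative per-device view.

```powershell
# Added example (not from the post above). Assumes the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an Intune administrator account. Graph property
# names and OS strings are taken from the v1.0 schema as I know it; verify in your tenant.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All' | Out-Null

# 1. The tenant-wide default. secureByDefault = $true is the post-change behaviour:
#    a device with no compliance policy targeted at it is reported as not compliant.
$dm = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement?$select=settings'
$secureByDefault = [bool]$dm.settings.secureByDefault
'Devices with no compliance policy are treated as: ' +
    $(if ($secureByDefault) { 'NOT compliant' } else { 'compliant (legacy default)' })

# 2. Which platforms have at least one compliance policy? The policy type encodes the platform.
$platformOfPolicyType = @{
    '#microsoft.graph.windows10CompliancePolicy'          = 'Windows'
    '#microsoft.graph.iosCompliancePolicy'                = 'iOS'
    '#microsoft.graph.androidCompliancePolicy'            = 'Android'
    '#microsoft.graph.androidWorkProfileCompliancePolicy' = 'Android'
    '#microsoft.graph.macOSCompliancePolicy'              = 'macOS'
}
$covered = Get-MgDeviceManagementDeviceCompliancePolicy -All |
    ForEach-Object { $platformOfPolicyType[$_.AdditionalProperties['@odata.type']] } |
    Where-Object { $_ } | Sort-Object -Unique

# 3. Normalise each enrolled device's operatingSystem string to the same platform names
#    (assumed string prefixes) and list devices on platforms no policy covers. These are
#    the devices that flip from compliant to not compliant once secureByDefault is on.
function Get-Platform([string]$os) {
    switch -Wildcard ($os) {
        'Windows*' { 'Windows' }
        'iOS*'     { 'iOS' }
        'iPadOS*'  { 'iOS' }
        'Android*' { 'Android' }
        'macOS*'   { 'macOS' }
        default    { $os }
    }
}
$exposed = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { (Get-Platform $_.OperatingSystem) -notin $covered } |
    Select-Object DeviceName, OperatingSystem, ComplianceState, UserPrincipalName
"Platforms with at least one compliance policy: $($covered -join ', ')"
"Enrolled devices on a platform with no policy:  $(@($exposed).Count)"
$exposed | Format-Table -AutoSize

# 4. Only once every enrolled platform has an assigned policy: opt in to the secure
#    default (uncomment). This is the same switch as 'Mark devices with no compliance
#    policy assigned as: Not compliant' under Compliance policy settings in the portal.
# Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/deviceManagement' `
#     -Body @{ settings = @{ secureByDefault = $true } }
```

    Run step 4 only after the list from step 3 is empty and the per-platform policies are actually assigned to the groups your devices belong to; flipping the default first is exactly the lock-out the post warns about.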

    Protect your data with Microsoft Intune – Part I

    Figure 9: Configure the Intune Company Portal branding.

    To make applications available in the Company Portal, the Microsoft Store for Business needs to be configured and activated.

    Figure: Activate the Intune Company Portal. Figure: Adding client apps to the Intune Company Portal. Figure: Synchronize the Microsoft Store for Business apps. Figure: Overview of the available apps.

    Configuration and compliance settings

    Configure enrollment restrictions

    In the enrollment restrictions configuration, you indicate which platforms Intune will support by allowing or blocking them. It is also possible to specify the minimum OS version from which a device can be enrolled. For the fictional scenario, these settings were kept at their defaults.

    Figure: Configure the enrollment restrictions. Figure: Enrollment restrictions — select platforms. Figure: Enrollment restrictions — configure platforms.

    In the device limit restrictions settings, you configure the maximum number of devices an employee can enroll. In this fictional scenario the setting is kept at 5 devices.

    Figure: Device limit restrictions. Figure: Specify the maximum number of devices a user can enroll.

    Set up device compliance policy settings

    Before creating the device compliance policy, the tenant-wide compliance policy settings need to be set up. Configuring these settings creates a built-in Device Compliance Policy that monitors a device according to the settings shown in figure Device Compliance policy settings. This is also where the "Mark devices with no compliance policy assigned as" default lives (see the Default device compliance status section on this page).

    Configure device compliance policy — Windows 10

    Device compliance policies ensure that a device used to access company data complies with the company security policy. If the device does not comply, access to company data can be blocked through Conditional Access. On Windows devices the policy is configured so that access from a device without BitLocker is not allowed. Several other security settings can be required, such as Secure Boot, an active firewall, antivirus and antimalware. Keep in mind that not all security settings may be applicable to your employees' devices.

    Figure: Create Device Compliance Policy.

    In the Device Health configuration, configure the settings as shown in figure Device Compliance Policy — Device Health. That the remaining settings were not configured does not mean they cannot be valuable; they depend heavily on the company, and the settings that rely on Microsoft Defender ATP (the device risk score) require ATP licenses.

    Figure: Device Compliance Policy — System Security.

    Create notification template

    Next, the notifications that will be sent to the employee are set up; first the notification templates need to be created. The notification message can be customized with the company logo etc.

    Figure: Create notification template. Figure: Create notification message.

    Choose the message template and the recipients. This gives the employee the opportunity to make the device compliant.

    Figure: Attach notification template for noncompliance. Figure: Actions for sending notifications for noncompliance.

    Next, the device compliance policy needs to be assigned to the correct Azure AD group.

    Figure: Assign device compliance policy to Azure AD Group.

    Add conditional access policy

    Conditional access policies control whether devices and apps are granted access to company data such as email. In the fictional scenario a device must be marked compliant before access to company data is granted. The device compliance policy defines the settings the device must meet before access to company resources is allowed; one example is that the device must have BitLocker enabled. The conditional access policy then states that the device may access company data only if it meets that device compliance configuration.

    Figure: Create new conditional access policy.

    In this case no groups are excluded (figure Conditional access policy — select users and groups). In this scenario all cloud applications are included and no exclusions were configured.

    Figure: Conditional access policy — Select cloud apps.

    This conditional access policy applies to a specific platform, namely Windows. No Locations or Device state conditions are configured. Under Client apps, select the client apps to which the policy should apply, as shown in figure Conditional access policy — conditions — client apps. Under Grant, select Require device to be marked as compliant: this means that the device must be Intune compliant. If the device is non-compliant, the user will be prompted to make the device compliant. Save the configuration and do not forget to enable the policy!

    Figure: Conditional access policy — grant — grant access.

    Join Azure AD

    The configuration is done and now it is almost time to test the result.

    However, first the Windows 10 client needs to be joined to Azure AD. The preferred method is to reset the device and join it to Azure AD during the out-of-box setup. The alternative approach does not require a reset: join the device from Settings > Accounts > Access work or school. Note that simply adding the work account with the company email address only registers the device with Azure AD; to join it, use the Join this device to Azure Active Directory option. After either approach, the result shown in figure 34 will be obtained. Now the device is Azure AD joined and manageable from Intune.

    Figure 34: Join Windows 10 device to Azure AD.

    In addition, it is now possible to check whether the Company Portal appears in the Start menu. There it can be determined whether the device is correctly managed by the company; the available apps are displayed as shown in figure Company Portal and apps status overview.

    The result: accessing company data

    In short, a lot of different configuration has been done. First, Intune was set up in Azure. Subsequently, the correct licenses were added and the Company Portal was activated. Moreover, the following were configured: enrollment restrictions, device compliance settings, device compliance policies and conditional access policies for Windows 10, and a Windows 10 device was joined to Azure AD. All these configuration steps ultimately result in denying or granting access to company data when an employee tries to access it with, respectively, a non-compliant or compliant device.
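    The portal steps above (notification template, Windows 10 compliance policy with its actions for noncompliance, group assignment, and the Windows-only conditional access policy requiring a compliant device) can be reproduced as one scripted, repeatable deployment. The script below is an added example and is not from the tutorial above; it assumes the Microsoft.Graph PowerShell SDK, an account with Intune and Conditional Access admin rights, a placeholder group ID you replace with your own, and the Graph v1.0 request bodies as I know them. The display names are my own.

```powershell
# Added example (not from the tutorial above). Assumes Microsoft.Graph PowerShell SDK and
# an admin account; $GroupId is a placeholder for your Azure AD group. Request bodies follow
# the Graph v1.0 schema as I know it; display names and message text are my own.
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD group
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Application.Read.All' | Out-Null
$g = 'https://graph.microsoft.com/v1.0'

# 1. Notification template and the message shown to the user of a non-compliant device
$tpl = Invoke-MgGraphRequest -Method POST -Uri "$g/deviceManagement/notificationMessageTemplates" -Body @{
    displayName     = 'Device not compliant - action required'
    brandingOptions = 'includeCompanyLogo,includeCompanyName,includeContactInformation'
    defaultLocale   = 'en-us'
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$g/deviceManagement/notificationMessageTemplates/$($tpl.id)/localizedNotificationMessages" -Body @{
    locale          = 'en-us'
    isDefault       = $true
    subject         = 'Your device does not meet the company security policy'
    messageTemplate = 'Open the Company Portal app to see what must be fixed (for example, enable BitLocker).'
} | Out-Null

# 2. Windows 10 compliance policy: Device Health + System Security requirements from the
#    tutorial, plus the actions for noncompliance (notify and mark non-compliant immediately).
$policy = Invoke-MgGraphRequest -Method POST -Uri "$g/deviceManagement/deviceCompliancePolicies" -Body @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows 10 - baseline compliance'
    bitLockerEnabled        = $true     # Device Health
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    activeFirewallRequired  = $true     # System Security
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'   # the single rule name Graph accepts on create
        scheduledActionConfigurations = @(
            @{ actionType = 'block';        gracePeriodHours = 0 },
            @{ actionType = 'notification'; gracePeriodHours = 0; notificationTemplateId = $tpl.id }
        )
    })
}

# 3. Assign the policy to the Azure AD group
Invoke-MgGraphRequest -Method POST -Uri "$g/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } })
} | Out-Null

# 4. Conditional Access: all users, all cloud apps, Windows only, require a compliant device.
#    Created in report-only mode; set state = 'enabled' after reviewing the sign-in logs.
$ca = Invoke-MgGraphRequest -Method POST -Uri "$g/identity/conditionalAccess/policies" -Body @{
    displayName   = 'Windows - require Intune-compliant device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @() }  # put your break-glass account in excludeUsers
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
"Compliance policy $($policy.id) assigned to $GroupId; CA policy $($ca.id) created in report-only mode."
```

    Two deliberate deviations from the tutorial's "no exclusions, enable immediately" setup: the conditional access policy starts in report-only mode so you can see from the sign-in logs which users would have been blocked, and excludeUsers is left in place for an emergency access account, because a policy that covers all users and all cloud apps will also lock out the administrator whose own device is not yet compliant.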

    Figure 36 shows the message one receives when opening Outlook on a Windows 10 device that does not meet the conditional access policy. When opening the Company Portal, the employee will see that the device is not allowed to access company resources because BitLocker is not enabled on it.

    Figure 36: Message when accessing Outlook on a non-compliant Windows 10 device.

    After enabling BitLocker the employee will be able to access company data. Checking the Company Portal shows that the device is now compliant, and access to company resources such as Outlook is permitted. To see the difference between the message for a non-compliant and a compliant Windows 10 device, refer to figure Message when accessing data on a non-compliant Windows 10 device (left) and on a compliant Windows 10 device (right).

    As indicated at the beginning of this blog, in the next two blog posts I will describe the steps required for the configuration of Intune on Apple and Android devices, including conditional access.

    A case of the unexplained: Intune password policy and forced local account password changes

    Compliance policies created in the new portal in Azure override the policies in the old portal, but since no new compliance policy was created for Windows 10, the old policy was still in effect and was causing this issue. Later I came across this again when rolling out the Windows 10 security baseline in Intune, which by default has a password policy. I noticed that our password rotation solution was failing on recently deployed Azure AD-joined devices after we enabled the baseline.

    So why does this happen? Under the hood, this uses the Exchange ActiveSync (EAS) policy engine to set the password policies, which was created back in the Windows 8 era to enforce some security policies on devices that sync with Exchange. Reading through the documentation, you come across this little nugget:

    "When password length and complexity rules are applied, all local user and administrator accounts are marked to change the password at the next sign-in to ensure complexity requirements are met."

    All you have to do is enable a password policy and some default values will be set for password length and complexity, and these policies will require that a local administrator account change its password at next logon. The only way the policy engine can be sure an existing password complies is to force you to change it, and the new password must meet the policy requirements. In this way it can truthfully report whether the device is compliant with the policy.

    Removing the Intune password policy, deleting the EAS registry keys — for me, nothing worked. I still could not programmatically change the local admin password or remove the requirement to change the password at next logon. The only thing that worked is to satisfy the policy, i.e. actually log in as the local administrator and change the password when prompted, or log in as another administrator account and use Local Users and Groups to change the password. I should emphasise that this only affects local accounts, not domain accounts, and the issue was not seen consistently on all machines where the security baseline was applied; it seemed to affect new or recently deployed machines, even those where password rotation had previously occurred successfully.

    Since having to manually and interactively change a local admin password is not a feasible option at scale, I simply cannot recommend using Intune to set a password policy if you are using a password rotation solution.
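    Before enabling a password policy or the security baseline on a fleet that relies on local admin password rotation, it is worth knowing which devices already carry the "must change password at next logon" flag on a local administrator, since that is the state the post describes rotation tripping over. The script below is an added example and is not from the post above; it runs elevated on a Windows device and reads the flag through the WinNT ADSI provider (Get-LocalUser does not expose it). The registry path for the DeviceLock policy values is an assumption about where the policy CSP writes them on the builds I have seen; compare it with your own devices.

```powershell
# Added example (not from the post above). Run elevated on an Intune-managed Windows device.
# The DeviceLock registry path is an assumption about where the policy CSP writes its values.
function Get-LocalAdminPasswordFlags {
    # Local (non-domain, non-AzureAD) user members of the built-in Administrators group
    $local = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }
    foreach ($m in $local) {
        $name = $m.Name.Split('\')[-1]
        # The WinNT provider exposes 'user must change password at next logon' as PasswordExpired = 1
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
        $lu   = Get-LocalUser -Name $name
        [pscustomobject]@{
            Account               = $name
            Enabled               = $lu.Enabled
            PasswordLastSet       = $lu.PasswordLastSet
            MustChangeAtNextLogon = ([int]$adsi.PasswordExpired.Value) -eq 1
        }
    }
}

function Get-DeviceLockPolicy {
    # Values written by the DeviceLock CSP (assumed path). Note DevicePasswordEnabled uses
    # 0 = a device password is required, 1 = not required.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key |
        Select-Object DevicePasswordEnabled, MinDevicePasswordLength,
                      MinDevicePasswordComplexCharacters, AlphanumericDevicePasswordRequired,
                      DevicePasswordHistory
}

$policy = Get-DeviceLockPolicy
$flags  = Get-LocalAdminPasswordFlags
'--- DeviceLock policy values on this device ---'
if ($policy) { $policy | Format-List } else { '(no DeviceLock policy values present)' }
'--- Local administrator accounts ---'
$flags | Format-Table -AutoSize
if ($flags | Where-Object MustChangeAtNextLogon) {
    Write-Warning 'A local admin account is flagged to change its password at next logon; password rotation will keep failing until the password is changed interactively.'
}
```

    Run it as a detection script (Intune proactive remediation or your RMM) and collect the warning; the post's experience is that clearing the flag programmatically did not work, so the useful output here is the list of devices that need a hands-on password change before rotation can resume.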
