maciejrebisz.com


New compliance settings for Windows 10 when using Conditional Access – Mobile-First Cloud-First

maximios June 25, 2022

Microsoft is constantly improving the features in the Intune service, and this also applies to the Conditional Access part. With the March 2018 update for Intune we got some new compliance settings that we can check for. These settings apply both to Azure AD joined devices that are MDM managed with Intune and to Windows 10 devices that are hybrid Azure AD joined with SCCM co-management.

If you have not already planned, tested or deployed co-management, now is the time. One of the first workloads I’m moving away from SCCM is Compliance Policy, to benefit from the easy way of making Conditional Access in Azure, like the new policy covered in this blog post. The only two things you need to get this working with co-management are to enable co-management and to move the Compliance Policies workload to Intune.

The new settings are in the Windows 10 compliance policy, in two new sections under System Security: Device Security and Defender.

The new device compliance policy settings let us check more security-related settings on Windows 10 devices.

Device Security

  • Firewall: Require the firewall to be on and monitoring.
  • User Account Control (UAC): Require User Account Control to help prevent potentially harmful programs from making changes to the device.

Defender

  • Windows Defender Antimalware : Require the Windows Defender service to be enabled. (This compliance check is supported for devices with Windows 10 Desktop)
  • Windows Defender Antimalware minimum version: Minimum version of Windows Defender (e.g. 4.11.0.0)(This compliance check is supported for devices with Windows 10 Desktop)
  • Windows Defender Antimalware signature up-to date: Require Windows Defender Signature to be up-to-date. (This compliance check is supported for devices with Windows 10 Desktop)
  • Real-time protection: Require real-time protection prompts for known malware detection. (This compliance check is supported for devices with Windows 10 Desktop)

Note: When using “Windows Defender Antimalware signature up-to-date”, remember that the signatures are updated multiple times a day, so a device that has been offline for a while can drop out of compliance until it pulls the next signature update.
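To see what state the device will report before it checks in, the following PowerShell script (an added example, not code from the original post or from Intune) reads the same local state that the Firewall, UAC and Defender checks above look at. The Defender minimum version used as the threshold is the example value quoted in the Intune UI; the one-day signature age limit, the registry location for UAC and the result names are assumptions of this script, and the real compliance verdict is still made by the Intune client at its next evaluation.

```powershell
# Added example (not from the original post): a local pre-flight check that mirrors the
# Firewall, UAC and Defender checks in the new Windows 10 compliance policy. Run it in an
# elevated PowerShell window on the device before the next Intune check-in. The thresholds
# are assumptions of this script, not values Intune publishes.
param(
    [version]$MinimumDefenderVersion = '4.11.0.0',  # the version quoted as an example in the Intune UI
    [int]$MaxSignatureAgeDays = 1                    # assumed: signatures ship several times a day
)

$results = [ordered]@{}

# Device Security - Firewall: every profile (Domain, Private, Public) has to be on.
$offProfiles = @(Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -ne 'True' })
$results['Firewall'] = ($offProfiles.Count -eq 0)

# Device Security - UAC: EnableLUA = 0 means UAC is switched off entirely.
# A missing value is treated as the Windows default (on).
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$results['UAC'] = ($null -eq $enableLua -or $enableLua -eq 1)

# Defender: all four checks depend on the Defender service. If Get-MpComputerStatus fails,
# the service is not running (for example because a third-party antivirus took over),
# so every Defender check is recorded as failed.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $results['DefenderServiceEnabled'] = [bool]$mp.AMServiceEnabled
    $results['DefenderMinimumVersion'] = ([version]$mp.AMProductVersion -ge $MinimumDefenderVersion)
    $results['DefenderSignatureFresh'] = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    $results['RealTimeProtection']     = [bool]$mp.RealTimeProtectionEnabled
}
catch {
    foreach ($name in 'DefenderServiceEnabled', 'DefenderMinimumVersion', 'DefenderSignatureFresh', 'RealTimeProtection') {
        $results[$name] = $false
    }
}

# Print one line per check so the output can be pasted into a ticket.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-24} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'FAIL' })
}

if ($results.Values -contains $false) {
    Write-Warning 'At least one check failed; expect Intune to mark this device non-compliant at its next evaluation.'
    exit 1
}
```

Switching off the firewall on a test device and running the script is a quick way to reproduce the non-compliant result described later in the post without waiting for the Intune sync; the script exits with code 1 whenever any check fails, so it can also run from a scheduled task or a help-desk tool.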

Another new setting in Intune is what compliance state a device without a compliance policy has.

Under Device Compliance – Compliance policy settings

There is a new setting for compliance status!

These settings configure the way the compliance service treats devices:

  • Mark devices with no compliance policy assigned as: Compliant or Not compliant. Depending on the number of devices and users in your organization, this change may take some time to take effect.
  • Enhanced jailbreak detection: Enhanced detection uses the device’s Location Services to trigger device check-in and jailbreak evaluation with Intune more frequently. User location data is not stored by Intune. This may impact battery life.
  • Compliance status validity period (days): Specify the time period in which devices must report the status for all received compliance policies. Devices that do not return status within this time period are treated as noncompliant. The default value is 30 days.
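The same two tenant-wide settings can be read and changed from a script, which is useful for auditing several tenants or for documenting a change. The following is an added example (not from the original post) that uses the Microsoft Graph PowerShell SDK; it assumes the SDK is installed, that the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and that the Graph property names are secureByDefault for “Mark devices with no compliance policy assigned as” (true = Not compliant) and deviceComplianceCheckinThresholdDays for the validity period. The 14-day value is a chosen example, not a recommendation from the post; verify the property names against the Graph documentation before running the PATCH in production.

```powershell
# Added example (not from the original post): read and tighten the tenant-wide compliance
# policy settings through Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK and
# DeviceManagementConfiguration.ReadWrite.All. Property names are assumed Graph
# deviceManagementSettings properties; check them against the Graph docs before PATCHing.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Current values:
#   secureByDefault                      -> "Mark devices with no compliance policy assigned as" (true = Not compliant)
#   deviceComplianceCheckinThresholdDays -> "Compliance status validity period (days)"
$current = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement?$select=settings'
$current.settings

# Tighten both: unassigned devices count as non-compliant, and a device that has not
# reported for 14 days (assumed value) is treated as non-compliant instead of 30.
$body = @{
    settings = @{
        secureByDefault                      = $true
        deviceComplianceCheckinThresholdDays = 14
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/deviceManagement' -Body $body -ContentType 'application/json'
```

Remember the note from the portal: marking unassigned devices as non-compliant can take a while to propagate, and combined with a Conditional Access policy it will block every device that has no compliance policy assigned, so check the device list for devices without a policy before flipping it.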

What is the user experience with a non-compliant device?

In the Company Portal on Windows 10 the end user can “Check Access” to see if the device is allowed to access company resources that are protected by Conditional Access.

With the new firewall setting in the compliance policy that I showed earlier in the blog post: if the end user disables the firewall and then runs a new compliance check in Company Portal, the device is now marked as non-compliant.

So when trying to access a company resource like Office 365, the end user will get a message.

The IT admin can always see the compliance state in Intune.

When you start testing the new compliance policy for Windows 10, try it on a pilot group before going company-wide with these new features. If you by mistake mark end users’ devices as non-compliant, they will not be able to access company data!

© maciejrebisz.com 2026