A few blog posts ago, I wrote about the integration of Windows Defender ATP with Microsoft Intune. This integration is the solution to keep infected Windows devices out of your environment.
This time it is all about Conditional Access based on the compliance of the device. Because of the Windows Defender ATP compliance policy, we can detect whether the device is healthy or not. If not, block access. If healthy, grant access to the corporate resources. It is very simple but so powerful! How does this work? Please continue reading.
What does Conditional Access do?
If the computer is infected by malware, Windows Defender ATP gives the device a risk status based on the severity of the malware. A Conditional Access policy gives the user access based on conditions they must meet. If the conditions are not met, the user must take some action or will be blocked from accessing the resources. For this part, the compliance policy is the basis of the Conditional Access policy we will create later in this blog post. The compliance policy checks the device's risk level. This information is sent by Windows Defender ATP. So, if Windows Defender ATP reports that the device is infected, Intune changes the compliance state of that specific device to Not Compliant. Conditional Access only checks whether the device is compliant or not compliant, and based on that it grants or denies the user access.
I assume you have already integrated Windows Defender ATP with Microsoft Intune and have tested the integration. The computer gets a risk level from ATP, right? If not, you must fix this first. Read this blog post: Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection
Alrighty then, let's give this a try!
So, that is done. For testing Conditional Access it is best if you have an infected device. These steps are explained later in this blog post. First, we must create a Conditional Access policy.
Go to the Microsoft Intune portal -> Conditional Access
Click on the New policy button.
Give the policy a name. The policy is for all users; select a cloud app, for example Exchange Online. You cannot select all cloud apps: the combination of all users and all cloud apps is not allowed for a Conditional Access policy. So, with this Conditional Access policy I will test whether I get access to Exchange Online on an infected device.
Click on Conditions and then on Device platforms. Enable this by clicking Yes, then select Windows. Click on the Select button.
Click on Device state (preview). Click on the Yes button.
Then go to the Exclude tab to exclude compliant devices. Select Device marked as compliant. Click on the Done button (twice).
Go to Access controls -> Grant. Select Block access here. You do not want to give infected devices access to your environment! Click on the Select button.
Click on the On button to turn on the policy and click on Create to create the policy.
That's it! The Conditional Access policy has been set. It is time to test it.
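As an added example that is not part of the original post, here is the same policy created with the Microsoft Graph PowerShell SDK instead of clicking through the portal; it uses the device filter condition that replaced the Device state (preview) condition. It assumes the Microsoft.Graph module is installed, the signed-in account may write Conditional Access policies, and the application ID is the well-known one for Office 365 Exchange Online.

```powershell
# Added example (not from the original post): the Conditional Access policy
# from the portal steps above, created through the Microsoft Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns

# Permissions Graph requires to read and create Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Well-known application ID of Office 365 Exchange Online (the cloud app chosen in the portal).
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName   = 'Block non-compliant Windows devices - Exchange Online'
    # Start with 'enabledForReportingButNotEnforced' (report-only) to see which
    # sign-ins would be blocked, then switch to 'enabled' as the post does.
    state         = 'enabled'
    conditions    = @{
        # All users, but NOT all cloud apps: that combination is refused, as the post notes.
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($exchangeOnlineAppId) }
        # Device platforms -> Windows
        platforms    = @{ includePlatforms = @('windows') }
        # Device state -> Exclude "Device marked as compliant".
        # Exclude mode removes compliant devices from the policy's scope, so
        # non-compliant AND unregistered Windows devices are blocked, exactly
        # like the portal policy.
        devices      = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    # Access controls -> Grant -> Block access
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} ({1}), state: {2}' -f $created.DisplayName, $created.Id, $created.State
```

Devices that Intune has never evaluated have no compliance value and therefore fall inside the policy too, which is the same behaviour the portal's exclude-compliant setting gives.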
Go to the Windows Defender ATP portal (https://securitycenter.windows.com) -> ? (help) -> Simulations & tutorials.
Choose scenario 2. Click on the Copy simulation script button.
Then go to your test device (virtual machine) and open Notepad. Paste the script into Notepad. You can paste the text via Clipboard -> Type clipboard text.
Save this as a PS1 file.
Open PowerShell with admin privileges.
You have to change the execution policy in PowerShell. Run the command Set-ExecutionPolicy -ExecutionPolicy Bypass. After that, press Y or A to confirm.
Run the PowerShell script you just created to simulate the fileless attack. During the run, Notepad appears and disappears.
So, we now have an infected device. Check the Windows Defender ATP portal for the alerts.
Go back to your Windows Defender ATP portal.
Click on Machine list in the menu. Click on the device you just infected.
You can see that the computer is infected and because of that the Machine Risk status has changed to Medium (risk levels are based on the severity of the malware/virus). This is good! Go to the Microsoft Intune portal.
This is my Windows Defender ATP compliance policy.
The device is compliant only if it has no risk, but the infected device has a medium risk level. That is why the device is not compliant. Look at the compliance status of the device.
The device is marked as Not compliant. This means that Conditional Access does not allow the device or user to connect to Exchange Online. Let's try!
Go to https://outlook.office365.com. You should see this message. This is how Conditional Access works: the user cannot access OWA (webmail).
Or try the Outlook desktop application.
Here too, the user was blocked by Conditional Access.
Let's solve this problem and make the device healthy again. Go back to the Windows Defender ATP portal and go to Machine list. Click on the infected device.
Click on the alert for more details.
Click on Actions and choose Manage alerts.
Click on Resolved. Select True alert as the alert classification and Security Testing as the determination.
Repeat this for every alert on the infected device (you have 2 alerts).
You can see that the device risk level has changed to No known risk.
Also check in Intune whether the compliance status has changed. The device is healthy and compliant again. Try accessing OWA again.
Yes! I can access OWA again because the device is healthy and compliant.
This is how the integration between Windows Defender ATP and Microsoft Intune works. Together with Conditional Access you can block infected devices from your corporate resources. This integration is very simple to configure, but it makes Microsoft Intune more powerful and secure than ever. Both are great products to use!
If you have any questions, comments or maybe a tip, don’t hesitate to contact me by email or by posting a comment. I am also active on social media, like Twitter and LinkedIn.
Thanks for reading this blogpost. Take care now, bye bye then!