MD-101 Managing Modern Desktops – Implement conditional access and compliance policies for devices Part 2

  1. Understanding device compliance policies

What exactly are compliance policies? So compliance policies in Intune: this is going to allow you to define some rules that are essentially going to check certain settings on a person’s device to make sure that they meet certain criteria, okay? And of course, if they don’t meet those criteria, then a couple of things can happen. You can have reports being generated, auditing can occur. Or if you’re working with conditional access, you can actually have the device blocked, you can force it to meet certain rules, all of that. So a couple of nice things here, a couple of great features. It’s sort of like, I always use the analogy that it’s like when you go to a store here in the United States, we have this no shirt, no shoes, no service rule, right? And so imagine that you get into the store with clothes on, all right?

Then all of a sudden, for whatever weird reason, somebody decides to take their shirt off while they’re in the store. And I’m not just talking about like a changing room, I’m talking about they take their shirt off, at that point, they are no longer compliant inside that store, okay? Now one of two things can happen. They can get kicked out or they can get picked up on video surveillance and maybe nothing happens to them, I don’t know. But this is sort of how conditional access policies and compliance policies are going to work together to do this. All right? If you have conditional access policies in place with compliance policies, okay, so the two are working together, the compliance policy can detect whether or not the device is compliant.

And if it’s not compliant, then at that point we can make it where the user has no access to their organization resources. So we’re talking things like OneDrive, SharePoint, Exchange, their files that they want to use. They don’t get any access. Of course, if you don’t have any conditional access policies in place, then at that point the device is not going to get restricted. However, it will do reporting. It will allow an administrator to audit their users and audit the devices and to determine maybe who are our troublemaking users here, who are our troublemaking devices. Okay? So again, with conditional access policies, the device can be blocked. The device can be restricted. Without conditional access policies, well, the device does not get restricted, but it does generate reports and allows me to audit exactly which devices are causing problems.

Okay? So another thing we got is I want to talk about what exactly are devices that aren’t compliant? So here is the main criteria that you can look at in regards to whether or not a device is compliant. We have PIN/password, so we can require the device has a certain size of password, or if it’s a PIN, it’s got to be a certain number of characters, okay? Size, all that. So we’ve talked about password policies in the past. It’s along those lines. And of course, if their password isn’t strong enough, then they are not compliant. We have device encryption. Now most devices nowadays do require device encryption, especially if you’ve got Apple devices and all that. But Windows devices and Android devices, device encryption is something that’s got to be turned on, although on a lot of those devices, it’s turned on by default.

Of course, somebody could turn it off if they wanted to. For example, you buy a Surface Pro tablet, it’s going to have BitLocker, but you could turn that off. You get an Android device, it’s going to be encrypting the device through full disk encryption. However, you could turn that off. Another thing is jailbroken or rooted devices. In the Apple world they call it jailbreaking, and in the Android world they call it rooted. But that’s basically somebody has taken over and gotten admin rights over the operating system. The downside to that, the reason why that’s considered a security risk, is because the device is no longer being protected by the operating system’s digital signing and all of that. So they could get malware on the device. Another thing would be email profile.

You could require that email be set up a certain way, that a certain email application is being used. Maybe I want to require that they have to use the official Outlook app to get access to email. I could put that in place. Minimum operating system and maximum operating system version. That’s pretty straightforward. Whatever the operating system is, iOS, Android, or Windows, you could require it to be a certain version. Then you got health attestation. This is going to involve making sure that the device is healthy and not reporting malware, not reporting a virus on the device right now. What is the outcome of noncompliance? First off, it’s going to happen one of two ways. The device can be remediated, so the device operating system can enforce compliance. So for example, maybe you have a user who doesn’t have a PIN that’s long enough.

They could force them to reset their password or PIN and make it longer. Or maybe they’re missing an operating system update; it can force them to get that update. Secondly, the device can be quarantined. So if it doesn’t, this is what would happen. For example, if you’re not enforcing compliance, okay, maybe you’re not using conditional access policies with it. Then at that point it’s not going to enforce anything. The user will get a message. They’ll get notified using the portal app that’s being used there and it will let them know, hey, you’re not compliant. You need to get compliant, but it’s not going to enforce it. So that’s the difference between remediated and quarantined, okay? Hopefully that gives you guys a good understanding of dealing with the concepts of compliance policies and why they’re important. And in this next little section, we’ll also be looking at actually implementing compliance policies.

  2. Implementing and managing compliance policies

Now that we’ve got a good understanding of what compliance policies are, I want to now go and talk about how we can actually create and implement compliance policies. Okay, so here we are in Endpoint Manager. This is the endpoint.microsoft.com portal. We’re going to go to the Devices blade over here, okay? And then from there we’re going to go and click on compliance policies. Now, I’d also like to point out you could also create conditional access policies here as well. So you can actually do it a couple of different ways. You can do conditional access policies in Azure AD like I’ve showed you, or you can do it here, and then you’ve got compliance policies here as well.

Okay? So we’re going to go and click on compliance policies. And currently I don’t have any compliance policies, so we’re going to click to create a compliance policy, then we’re going to select our platform. So here’s all our options for platforms. You’ve seen a list like this in the past and I’m going to go with Windows 10 just because, again, this course is definitely more heavily focused on Windows 10. So we’re going to select on that. The exam is also heavily focused on Windows 10, by the way, but I’m going to click to create that policy and then we’re going to give this a name. I’m just going to call it Windows 10 compliance.

All right, we could give a description. We could specify everything we’re going to configure in this policy, everything we’re doing, to give it a nice description for our fellow admins. But I’m going to go ahead and click next. And this is where the magic happens. So this is where we are going to specify exactly what policies we want, what our settings are going to be. So I’ve got Device Health and as you can see, I can specify a bunch of things here. Maybe I’m going to require BitLocker to be on somebody’s machine. Maybe I’m going to require secure boot to be enabled on the person’s machine. That’s the UEFI setting that we’ve got.

I can require code integrity. That’s going to verify the TPM settings of the machine. Again, that’s going to involve secure boot. We’ve got device settings. All right. I can do a minimum operating system. Maximum operating system? Same thing for mobile devices, the mobile version of Windows 10. You can have it validate certain builds of the operating system. Down here you’ve got Configuration Manager compliance. I can require that this machine is also managed through Windows 10. Windows 10 supports co-management with Configuration Manager. From there I can do system security settings. Drop that down. I could require you to have a certain type of password. Maybe you’re not allowed to use simple passwords, so I could block that if I wanted to.

OK, specify the type of password, alphanumeric or numeric password. If I was going to do maybe a PIN, I could specify how many characters I want this to be. Maybe I want this to be at least a minimum of seven characters. Okay. Maximum minutes of inactivity before password required. So you can do that if you wanted. Set the inactivity setting. Password expires after a certain amount of days. Number of previous passwords to prevent reuse. Require password when device returns from idle state. Okay? So if it goes idle, they’ll have to put their password in, and it will auto lock on them. You could enable the encryption of data storage on the device. So this requires them to have some form of data encryption, whether it be BitLocker or third party.

So firewall settings, I can require that to be on. I can require that they have a TPM chip. That’s a special type of chip that’s on the motherboard that allows you to use things like BitLocker, okay. Antivirus, you can require that. Require antispyware. You could require that they’re using Windows Defender and not something else. So if I wanted, I could force that, or I could just allow them to use whatever virus protection they’ve got. Down here you’ve got Windows Defender ATP. That’s Advanced Threat Protection. Some of these Windows Defender features we’re going to be talking about here towards the tail end of all this. But I could require that to be turned on.

And this is kind of cool. I’ve got, under this ATP setting, I’ve got require the device to be at or under the machine risk score. So we’ve talked about how in the Azure AD/Microsoft 365 environment, we’ve got a machine learning system that Microsoft supports, where based on the way you’re using your machines, the times of day you’re using machines, it’s actually learning the way your users use their devices. What are the normal hours that they work? Where are they normally logging on from? Do they have lots of bad password attempts, things like that? If they do things like that, they are entering bad passwords constantly and having some issues and logging on at weird hours and things like that, then the machine gets rated as a possible risk. So you could require that the machine at least stays at a low risk level if you wanted. All right? Or you could say it’s clear, so there’s none, or not configured, which means you’re just not going to turn this on. So these are all these little settings that I can configure, quite a few little settings there that we’ve got, very cool different features that can be turned on. And Microsoft is adding additional settings to this all the time. So I’m going to go ahead now, I’m going to click next. And these are the actions for noncompliance. So what’s going to happen if you’re not compliant? So it says Mark the device not compliant, and it says immediately.

And as you can see, that is the default. And it says scheduled days after compliance. So you’ve got that set to zero. Okay, I could change this. We’ll say send an email to the end user. All right. Also if I’m going to do that, it’s making me select a template for that. So I’m going to specify a name. So selected notification methods. We haven’t created a notification message, so I don’t have a name that I can select for notification here. All right, but I won’t get into creating the notification messages here. But you can do that. You can specify the recipient, whoever you want to receive the notifications if you want. So I could put in an admin or something like that if I wanted a recipient.

Or I could simply say remotely lock the noncompliant device. So it locks it. All right, so here’s the thing. Let’s say somebody is sitting at this device that shouldn’t be sitting there, and then all of a sudden they do some things that make the device not compliant. It can auto lock the device and at that point they’d have to enter in credentials. It could force MFA, multi-factor authentication, all that. Okay? I could also say retire the noncompliant device. That’s going to basically make it where the device can’t access any information, open anything in our corporate environment, like OneDrive, SharePoint, Exchange. Nothing will open if the device is then marked not compliant. Okay, so I have all these different options that I can go with if I want.

Okay? So right now I’m just going to say Mark it not compliant. Here’s the thing. If we pair this with a conditional access policy, as I said earlier, then what will happen is it’ll actually force compliance or it’ll just block the device altogether. So you saw when we went over conditional access a little earlier that we could implement that. And so these two complement each other. Conditional access policies and compliance policies work together. Okay, so I’m going to go ahead now. I’m going to click next, and then I could specify scope tags. I’ve mentioned scope tags before. Scope tags are for admins to specify what certain administrators can manage. So I might have a Windows 10 scope tag and I might allow an admin to manage that scope tag.

So I’m just going to go with the default scope tag because I don’t have a bunch of scope tags created at the moment. So we’ll just select the default. Okay, so we’ll go here, select default, and we’re going to go ahead now and click next. And then we get to assignment. So assignment is who we’re going to actually assign this to. So if we wanted to assign this, we could say add it to an exclusion group. Maybe we’ll add this to our Windows 10 people and our marketing people, and then we will exclude our IT people. All right, remember that exclusion always overrides inclusion. So maybe I don’t want to include my IT people in this. Actually, in the real world, you probably would want to include your IT people.

Or maybe what I might do is I might have some specific compliance settings just for my IT people. Okay? So the reason maybe that I’m excluding IT right now is because I don’t want it to affect them, but I might also have something more restrictive for them. So at that point, I can click next, and I’m going to click create, and I have officially created my compliance policy. All right? So at that point, it would get applied to the people that are in that group, the devices in that group, and the setting will take a few minutes to take effect. This does not instantly take effect. It can take a few minutes. The machines will check in to Intune, and at that point, it will actually get assigned and take effect on their device.
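
As an added example (not part of the course or of the portal walkthrough), here is the same Windows 10 compliance policy, its "mark noncompliant immediately" action and its include/exclude assignment created through Microsoft Graph with the Graph PowerShell SDK. The three group IDs and the minimum OS build are placeholders and assumptions; everything else mirrors the settings clicked through above.

```powershell
# Added example: the walkthrough's Windows 10 compliance policy via Microsoft Graph (Graph PowerShell SDK).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows 10 compliance'
    description   = 'BitLocker, Secure Boot, 7-character PIN, Defender, low machine risk score'
    # Device Health
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Device Properties (assumed minimum build; set it to what your fleet actually runs)
    osMinimumVersion = '10.0.19041'
    # System Security
    passwordRequired                 = $true
    passwordBlockSimple              = $true
    passwordRequiredType             = 'alphanumeric'
    passwordMinimumLength            = 7
    passwordRequiredToUnlockFromIdle = $true
    storageRequireEncryption         = $true
    activeFirewallRequired           = $true
    tpmRequired                      = $true
    antivirusRequired                = $true
    antiSpywareRequired              = $true
    defenderEnabled                  = $true   # Windows Defender specifically, not a third-party AV
    # Windows Defender ATP (now Microsoft Defender for Endpoint): device must stay at or under "low" risk
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'low'
    # Actions for noncompliance: mark the device noncompliant immediately (0 hours grace)
    scheduledActionsForRule = @(@{
        '@odata.type' = '#microsoft.graph.deviceComplianceScheduledActionForRule'
        ruleName      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            '@odata.type'    = '#microsoft.graph.deviceComplianceActionItem'
            actionType       = 'block'
            gracePeriodHours = 0
        })
    })
}
$created = Invoke-MgGraphRequest -Method POST -Body $policy `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
# Assignment: include the Windows 10 and Marketing groups, exclude IT (exclusion overrides inclusion)
$assign = @{ assignments = @(
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget';          groupId = '<WINDOWS10-GROUP-ID>' } }
    @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget';          groupId = '<MARKETING-GROUP-ID>' } }
    @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = '<IT-GROUP-ID>' } }
) }
Invoke-MgGraphRequest -Method POST -Body $assign `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign"
```

Devices still have to check in before the policy evaluates, so expect the same delay the video describes before the compliance state shows up in reports or is consumed by a conditional access policy.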
