Tip of the Day: Device Compliance for Remote Windows 10 Clients

Today’s Tip…

With the removal of NAP in Windows 10, there was no longer a viable device compliance mechanism for remote access. The Conditional Access Framework provides services to fill this gap and is well suited to assuring the health of VPN remote clients, as well as of clients accessing online services such as O365.

Let’s take a brief look at some of the solution components…

The Conditional Access Framework

Conditional Access

Conditional Access is a powerful policy evaluation engine built into Azure AD. It gives IT admins an easy way to create access policies that evaluate the context of a user's login to make real-time decisions about which applications they should be allowed to access, including access to VPN.

Azure AD Connect Health

Azure AD Connect Health is a cloud-based service and a key part of our effort to help you monitor and secure your cloud and on-premises identity infrastructure. In this first preview, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.

For more information on device compliance and the Windows Health Attestation Service, see Controlling the health of Windows 10-based devices.

Windows Health Attestation Service

The role of the Windows Health Attestation Service is essentially to evaluate a set of health data (the TCG log and PCR values), make a series of detections based on the available health data, and generate an encrypted health blob or produce a report for MDM servers.

Health Attestation CSP

The HealthAttestation configuration service provider enables enterprise IT managers to assess the health of managed devices and take enterprise policy actions.

The following is a list of functions performed by the HealthAttestation CSP:

  • Collects data that is used in verifying a device's health state
  • Forwards the data to the Health Attestation Service (HAS)
  • Provisions the Health Attestation Certificate that it receives from HAS
  • Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM Server for verification
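The two verification steps described above (the service checking the TCG log against PCR values, and the MDM server validating the forwarded runtime information against policy) can be illustrated with a small server-side check. This is an added example, not code from the original post or from Microsoft; the log entries, nonce, report values and policy are constructed, and the report field names only follow the DHA report layout as an assumption.

```python
import hashlib

# Constructed TCG-style measurement log: (pcr_index, event_data). Real logs
# carry event types and pre-computed digests; here digests are recomputed.
SAMPLE_LOG = [
    (7, b"EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot=1"),
    (7, b"EV_EFI_VARIABLE_AUTHORITY:db:WindowsProductionPCA2011"),
    (4, b"EV_EFI_BOOT_SERVICES_APPLICATION:bootmgfw.efi"),
]
NONCE = "constructed-nonce-0001"

# Boot-state values the compliance policy demands (constructed policy; the
# field names follow the DHA report layout as an assumption, not a quotation).
POLICY = {
    "SecureBootEnabled": True,
    "BitLockerStatus": True,
    "CodeIntegrityEnabled": True,
    "BootDebuggingEnabled": False,
    "TestSigningEnabled": False,
}
# A constructed report from a healthy device: fresh nonce plus compliant state.
GOOD_REPORT = {"Nonce": NONCE, **POLICY}


def replay_pcr(log, index):
    """Recompute one PCR from the log: start at 32 zero bytes and, for each
    event on that PCR, set PCR = SHA-256(PCR || SHA-256(event))."""
    pcr = bytes(32)
    for pcr_index, event in log:
        if pcr_index == index:
            pcr = hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()
    return pcr.hex()


def evaluate_report(report, quoted_pcr7, log, expected_nonce):
    """MDM-side verification: nonce freshness, log/PCR agreement, then the
    policy comparison. Returns (compliant, failure_reasons)."""
    failures = []
    if report.get("Nonce") != expected_nonce:
        failures.append("nonce mismatch: stale or replayed report")
    if replay_pcr(log, 7) != quoted_pcr7:
        failures.append("PCR7 does not match the measurement log replay")
    for key, want in POLICY.items():
        if report.get(key) != want:
            failures.append(f"{key}={report.get(key)!r}, policy requires {want!r}")
    return (not failures, failures)


if __name__ == "__main__":
    pcr7 = replay_pcr(SAMPLE_LOG, 7)  # the value an honest TPM would quote
    print(evaluate_report(GOOD_REPORT, pcr7, SAMPLE_LOG, NONCE))
    print(evaluate_report(dict(GOOD_REPORT, TestSigningEnabled=True), pcr7, SAMPLE_LOG, NONCE))
```

A report whose PCR7 does not reproduce from its own log, or whose nonce is not the one the server issued, fails before any policy field is consulted, which is the order a verifier should use.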

For more information on the HealthAttestation CSP, including examples for integrating Health Attestation into your environment, see the following link: Health Attestation CSP.

Intune Compliance Policies

The Conditional Access Framework builds on the compliance policy already available in Intune. MDM can query device state and define compliance rules for the following:

  • Firewall status
  • Antivirus status
  • Auto-update status and update compliance
  • Password policy compliance
  • Encryption compliance
  • Device health attestation state (validated against attestation service after query)

At the time of this writing, Intune supports only a subset of these; more are to be added soon.