Practice Lab: Configuring and validating device compliance
Summary
In this lab, you validate device compliance by configuring a compliance policy and associated conditional access rule used to determine the status of a managed device.
Prerequisites
To following lab(s) must be completed before this lab:
-
0101-Managing Identities in Azure AD
-
0102-Synchronizing Identities by using Azure AD Connect
-
0203-Manage Device Enrollment into Intune
-
0204-Enrolling devices into Intune
-
0301-Creating and Deploying Configuration Profiles
Note: You will also need a mobile phone that can receive text messages used to secure Windows Hello sign in authentication to Azure AD.
Exercise 1: Configuring compliance policies
Scenario
Contoso would like to ensure that Windows devices that are enrolled in Intune meet a minimum configuration specification. The following are specifications are required:
- Minimum Windows operating system version: 10.0.19041.329
- Microsoft Defender Antimalware required
If a device meets these requirements, it will be marked as compliant. If the device does not meet these requirements, the device should be marked as non-compliant.
Task 1: Create and assign a compliance policy
-
Sign in to SEA-SVR1 as Contoso\Administrator with the password Pa55w.rd and close Server Manager.
-
On the taskbar, select Microsoft Edge.
-
In Microsoft Edge, type https://intune.microsoft.com in the address bar, and then press Enter.
-
Sign in as as
[email protected]
with the default tenant password. -
From the navigation pane select Devices, then select Compliance policies.
-
On the Compliance policies | Policies blade, in the details pane select Create policy.
-
On the Create a policy blade, provide the following value and select Create:
- Platform: Windows 10 and later
-
On the Basics tab, provide the following value and select Next:
- Name: Compliance1
-
On the Compliance settings tab, expand Device Health and review the available settings.
-
On the Compliance settings tab, expand Device Properties. In the Minimum OS version field, type 10.0.19041.329.
-
On the Compliance settings tab, expand System Security. Set the Microsoft Defender Antimalware setting to Require.
-
Select Next. On the Actions for noncompliance tab, note the action to Mark device noncompliant default setting is immediately.
Review how you can configure the number of days after which the device is marked as noncompliant, and configuration additional actions.
-
Select Next. On the Assignments tab, under Included groups select Add groups. Select Windows Devices, choose Select, and then select Next.
Note: The Windows Devices group was created in the Module 0301 lab.
-
On the Review + create tab, review the settings and then select Create.
-
In the navigation menu, select Devices and then in the Devices navigation pane, select Compliance policies.
-
On the Compliance policies page, select Compliance policy settings.
-
On the Compliance policy settings page, next to Mark devices with no compliance policy assigned as, select Not Compliant and then select Save.
This setting will ensure that any device that does not have a compliance policy assigned will be set to Not compliant.
Results: After completing this exercise, you will have successfully configured a compliance policy.
Exercise 2: Creating a conditional access policy to enforce compliance
Scenario
When a user uses a device that is marked as non-compliant, they should not be able to access their e-mail. You've been asked to configure a conditional access policy that enforces this rule, and verify it functions as expected. In some cases, the user may experience a loop where they are prompted to sign in repeatedly.
Task 1: Create a conditional access policy
-
On SEA-SVR1, in the Intune admin center select Devices, then select Conditional access.
-
On the Conditional Access | Overview blade, select Policies.
-
On the Conditional Access | Policies blade, select New policy.
-
On the New blade, in the Name text box, type Conditional1 and then select 0 users and groups selected.
-
Under Include, select the All users radio button.
-
On the New blade, in the Target resources section, select No target resources selected.
-
Under Include choose the Select apps radio button, under the Select option select None, select Office 365 Exchange Online, and then click Select.
-
On the New blade, in the Conditions section, select 0 conditions selected.
-
In the list of conditions, under Device platforms, select Not configured. In the Configure section select Yes, select the Select device platforms radio button, select the Windows check box, and then select Done.
-
On the New blade under Access controls, in the Grant section, select 0 controls selected. Select the Require device to be marked as compliant check box, and then select Select.
-
On the New blade, select On for the Enable policy option and then select Create.
-
Close Microsoft Edge.
Task 2: Verify that the conditional access policy is working
-
Switch to SEA-WS3 and sign in as Admin with the password of Pa55w.rd.
-
On SEA-WS3, on the taskbar, select Microsoft Edge.
-
In Microsoft Edge, type outlook.office.com and then press Enter.
-
On the pick an account dialog box, select
[email protected]
. -
On the Enter password page, enter Pa55w.rd1234! and select Sign in. If the Microsoft Edge Save password prompt appears, select Update.
-
You should receive a message that ask you to switch Edge profile. Select Switch Edge profile.
-
You will be prompted with a message stating, "Continue with your work or school account". Select Sign in to sync data.
-
You will be required to enter your password again. Enter Pa55w.rd1234! and select Sign in.
-
A message will appear stating, "Stay signed in to all your Microsoft apps". Select no, sign in to this app only.
Note: A prompt will appear stating, "Allow my organization to manage my device". This is because SEA-WS3 is not joined to Azure AD and not managed by Intune. As such, you are unable to access Aarons' mailbox from this device.
-
Close all windows and sign out of SEA-WS3.
-
Switch to SEA-WS1, and sign in as as Aaron Nicholls with the PIN 102938.
Note: SEA-WS1 is a managed Windows 11 device that is enrolled in Intune.
-
On the taskbar, select Microsoft Edge.
-
In Microsoft Edge, type outlook.office.com and then press Enter.
-
Verify that you can access Aaron's mailbox.
Note: This is because SEA-WS1 is a managed device and marked as compliant._
-
Close Microsoft Edge and sign out of SEA-WS1.
Task 3: Disable the conditional access policy
-
Switch to SEA-SVR1 and enter the password Pa55w.rd.
-
On the taskbar, select Microsoft Edge.
-
In Microsoft Edge, type https://intune.microsoft.com in the address bar, and then press Enter.
-
Sign in as as
[email protected]
with the default tenant password. -
From the navigation pane select Devices, then select All devices.
Notice that SEA-WS1 is compliant, which is why Aaron was allowed to access his mailbox.
-
From the navigation pane select Devices, then select Conditional access.
-
On the Conditional Access page, select Policies and then select Conditional1.
-
On the Conditional1 page, at the bottom of the page, select Off and then select Save.
-
Close Microsoft Edge.
Results: After completing this exercise, you will have successfully configured a conditional access policy to determine device compliance.
END OF LAB