Last Update: Sep 04, 2024 | Published: Jun 12, 2020
The worldwide health crisis has led many organizations to expand remote access so that more employees can work from home. Remote access solutions are sometimes rushed out with limited opportunity to plan how to secure them properly.
In an ideal world, you’d make sure that clients comply with a set of minimum standards before they connect remotely to the corporate network, and that clients remain secure even when they are not directly connected to the intranet.
Windows 10 Always On VPN (virtual private network) can integrate with Azure Active Directory (AD) to check Windows for health compliance when a connection attempt is made. Azure AD-issued short-lived certificates are used to authenticate the VPN if the device meets compliance rules. When a certificate expires, the client checks Azure AD again for compliance before Azure issues a new certificate.
For more information on Windows 10 Always On VPN, check out Understanding Windows 10 Always On VPN on Petri.
Another approach, which can also be used with VPNs, is to check for compliance whenever devices are connected to the public Internet. To check Windows 10 compliance, you’ll need a Mobile Device Management (MDM) solution.
Intune is Microsoft’s MDM solution. Organizations can purchase Intune licenses to manage users and devices. Intune licenses are also included with some Microsoft 365 plans, like Microsoft 365 Business Premium.
There are several ways to enroll Windows 10 devices in Intune. If a Windows 10 device is joined to Azure Active Directory, it can optionally be enrolled in Intune automatically.
For more information on how to enroll devices and assign Intune licenses, see Microsoft Intune: Windows 10 Device Enrollment on Petri.
Once your devices are enrolled in Intune, create a compliance policy to make sure devices meet certain security standards. To create a policy, log in to the Microsoft Endpoint Manager (MEM) admin center and follow the instructions below.
The policy settings in the instructions below are given as an example. You can of course choose your own settings according to your organization’s security policy.
To get the Windows 10 version in the major.minor.build.revision format required by Intune, open a command prompt, type ver, and press ENTER.
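As an added example that is not part of the original article, the following PowerShell rebuilds the same major.minor.build.revision value that ver prints from the registry keys Windows maintains, then compares it with the minimum you plan to enter in the compliance policy. It assumes it runs on the Windows 10 device itself; the minimum 10.0.19041.1 is a placeholder, not a recommendation.

```powershell
# Added example: reproduce the major.minor.build.revision value that `ver` prints,
# and check it against the minimum OS version planned for the Intune compliance policy.
# Assumes it runs locally on the Windows 10 device (the keys below are readable by any user).

function Get-LocalWindowsVersion {
    # [System.Environment]::OSVersion.Version reports the revision as 0, so the fourth
    # part (the Update Build Revision, UBR) is read from the registry instead.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $props = Get-ItemProperty -Path $key

    $major    = [int]$props.CurrentMajorVersionNumber
    $minor    = [int]$props.CurrentMinorVersionNumber
    $build    = [int]$props.CurrentBuildNumber
    $revision = [int]$props.UBR

    return [version]::new($major, $minor, $build, $revision)
}

function Test-MinimumOsVersion {
    param(
        # The value in the format Intune expects, i.e. what you will type into the policy.
        [Parameter(Mandatory)] [version] $Minimum,
        [version] $Actual = (Get-LocalWindowsVersion)
    )

    # [version] compares each component numerically, unlike a string comparison,
    # so 10.0.19041.1234 is correctly treated as newer than 10.0.19041.99.
    return [pscustomobject]@{
        Actual    = $Actual.ToString()
        Minimum   = $Minimum.ToString()
        Compliant = ($Actual -ge $Minimum)
    }
}

# Example run: 10.0.19041.1 is a placeholder; substitute your organization's minimum.
Test-MinimumOsVersion -Minimum '10.0.19041.1' | Format-List
```

This is only a local preview of one setting; the authoritative result is the compliance state Intune reports after the device syncs.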
The Remotely lock the noncompliant device action isn’t supported for Windows 10 desktop devices. There’s an action to send an email to the user and to additional recipients. The Retire the noncompliant device action removes all company data and removes the device from Intune management.
Once the policy is created, any Windows 10 devices that fall out of compliance will be flagged as Not compliant. To check the status of devices:
Remember that when creating new policies, they are not applied immediately to devices. Each device must sync with Intune before new policies are applied.