Forum Discussion

NS
Copper Contributor
Dec 23, 2024

Any Intune policies applicable to personal laptops that are not enrolled in Microsoft Intune?

Hi All,

I have a requirement where I will provide AVD machines to vendors. Using those AVD machines they will access my applications, but they will use their own Windows machines and home internet to connect to the AVD machines given by us.

We cannot enroll their Windows machines in the Microsoft Intune instance that belongs to our tenant (where the AVD services are hosted).

Is there a way to ensure that the Windows machines they use have a basic level of hygiene (latest OS, antivirus and latest browser versions) before they are granted access to connect to the AVD machines?

Also, if they register their Windows machines in Entra ID in our tenant without enrolling them in Microsoft Intune, what level of controls/checks can I do at their machine level before I allow them to connect to the AVD services?

Please share your thoughts.

kyazaferr
Iron Contributor

1. Conditional Access Policies: Even without Intune enrollment, you can implement device checks through Conditional Access when users register their devices in Entra ID:
   • Require compliant browsers
   • Check OS versions
   • Enforce MFA
   • Set location-based conditions

2. Azure AD Registration + Device Health Attestation:

   # You can configure Device Health Attestation settings via PowerShell
   # (MSOnline module; -AllowedToWorkplaceJoin All lets all users Entra-register their devices)
   Set-MsolDeviceRegistrationServicePolicy -AllowedToWorkplaceJoin All

3. Client Requirements via RDP Client Settings:

   # Example of setting minimum RDP client version requirement
   Set-RDSessionCollectionConfiguration -CollectionName "Collection" -MinimumRDPVersion "10.0"

4. Security Baseline through Group Policy: Although not enrolled in Intune, you can create and enforce security requirements for the RDP connection:
   • TLS requirements
   • Encryption levels
   • Client device health checks

Here are specific controls you can implement:

1. For Entra ID registered devices:
   • Device compliance state verification
   • Risk-based conditional access
   • Browser security requirements
   • Certificate-based authentication

2. For AVD connection security:
   • Enforce specific client versions
   • Require secure protocols
   • Implement network level authentication
   • Enable session monitoring

3. Additional Security Measures:
   • Web Application Proxy/Azure AD App Proxy
   • Just-in-Time access
   • Session time limits
   • IP-based restrictions
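As an added example (not code posted by NS or kyazaferr), here is what two of the controls discussed above look like in PowerShell: Conditional Access policies scoped to the vendor group and the AVD app, and host pool RDP properties that limit what the session host can hand to an unmanaged PC. The group object ID, AVD app ID, resource group and host pool name are placeholders you must replace; the Microsoft.Graph.Identity.SignIns and Az.DesktopVirtualization modules are assumed to be installed. One limit worth stating plainly: Conditional Access has no grant control that inspects OS patch level or antivirus state on a device that is not Intune-managed (or reported by a partner compliance provider), so what can actually be enforced for these machines is MFA, the client platform, re-authentication frequency and data-redirection limits.

```powershell
# Added example, not from the thread. Placeholders below must be replaced with
# your tenant's own values.
$VendorGroupId = "<vendor-group-object-id>"     # Entra group holding the vendor accounts
$AvdAppId      = "<avd-enterprise-app-id>"      # Azure Virtual Desktop enterprise app in your tenant
$HostPoolRg    = "<resource-group>"
$HostPoolName  = "<host-pool-name>"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1) Conditional Access: vendors reaching AVD must pass MFA, come from a Windows
#    client, and re-authenticate every 8 hours. The "compliantDevice" grant is
#    deliberately not used: only Intune-managed (or partner-compliance) devices
#    can satisfy it, and these machines are neither.
$caPolicy = @{
    displayName = "AVD vendors - MFA, Windows only, 8h sign-in frequency"
    # Start in report-only mode and review the sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($VendorGroupId) }
        applications   = @{ includeApplications = @($AvdAppId) }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 8 }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created CA policy $($created.Id) in report-only mode"

# Companion policy: block the same app from every platform other than Windows.
# Without this, a client whose platform cannot be identified would fall outside
# the "windows" condition above and the MFA policy would simply not apply to it.
$blockPolicy = @{
    displayName = "AVD vendors - block non-Windows platforms"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($VendorGroupId) }
        applications   = @{ includeApplications = @($AvdAppId) }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("all"); excludePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy

# 2) Host pool RDP properties: since the endpoint's patch and antivirus state
#    cannot be verified, restrict what flows between the session host and the
#    unmanaged PC. An empty ":s:" value redirects nothing; ":i:0" switches the
#    redirection off.
$rdpProps = @(
    "drivestoredirect:s:",
    "usbdevicestoredirect:s:",
    "camerastoredirect:s:",
    "redirectclipboard:i:0",
    "redirectprinters:i:0",
    "redirectcomports:i:0"
) -join ";"

Connect-AzAccount
Update-AzWvdHostPool -ResourceGroupName $HostPoolRg -Name $HostPoolName `
    -CustomRdpProperty $rdpProps
```

Both policies are created in report-only mode so the effect on real vendor sign-ins can be checked in the Entra sign-in logs before enforcement; the host pool change takes effect for new sessions only.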
