Forum Discussion
Restrict some devices
Are these devices enrolled in Defender for Endpoint? If yes, then you can configure the compliance policy in Intune to look at the MDE risk score and then leverage this in a conditional access policy using device compliance as a grant control. If you are using a non-Microsoft security solution, then you can still use the compliance policy, but it may require a bit of scripting to pull the desired status of the device in the form of a custom compliance policy. Alternatively, if you have a list of devices already identified, then you can block access to them using conditional access device filters.
- Bogdan_Guinea, Sep 05, 2025, Iron Contributor
Using Defender together with the Risk Score looks like a solid solution.
The Custom Compliance Policy you mentioned also seems useful — but do you know if it still works when combined with a Custom Extension Attribute that's based on a Conditional Access (CA) filter? From my understanding, the device would need to be marked as compliant at the time when the attribute is created, correct?
That said, it looks like Stuart's company is using an endpoint protection solution other than Defender, which might still fit into this scenario.
My question is: how would you approach this? Would you try to capture the required signals via a script (for example by checking logs or client version)? Normally, the AV solution itself should be capable of quarantining or blocking malware.
I think it would be helpful if StuartK73 could provide us with some additional input on this.
Good luck!
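As an added illustration of the scripted approach discussed above (this is example code, not something posted in the thread), the following is the shape an Intune custom compliance setting takes for a non-Microsoft AV client: a PowerShell discovery script that collects the signals (service state, client version, log freshness) and emits them as one line of compressed JSON, plus the rules file Intune evaluates against that output. The service name, executable path, log path, minimum version and URL are placeholders that must be replaced with the vendor's real values.

```powershell
# Added example (not from the thread): Intune custom compliance discovery script
# for a third-party AV client. All paths, names and thresholds are placeholders.
$AvServiceName = 'ThirdPartyAvService'                        # placeholder
$AvExePath     = 'C:\Program Files\ThirdPartyAV\avclient.exe' # placeholder
$AvLogPath     = 'C:\ProgramData\ThirdPartyAV\client.log'     # placeholder

# Defaults represent a non-compliant device so a missing agent fails closed.
$result = [ordered]@{
    AvServiceRunning = $false
    AvClientVersion  = '0.0.0.0'
    AvLogAgeHours    = 99999
}

# Signal 1: is the AV service running?
$svc = Get-Service -Name $AvServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { $result.AvServiceRunning = $true }

# Signal 2: client version, read from the binary's file version resource.
if (Test-Path -LiteralPath $AvExePath) {
    $ver = (Get-Item -LiteralPath $AvExePath).VersionInfo.FileVersion
    if ($ver) { $result.AvClientVersion = ($ver -split '\s')[0] }
}

# Signal 3: age of the client log; a stale log suggests the agent is not checking in.
if (Test-Path -LiteralPath $AvLogPath) {
    $age = (Get-Date) - (Get-Item -LiteralPath $AvLogPath).LastWriteTime
    $result.AvLogAgeHours = [int][math]::Floor($age.TotalHours)
}

# Intune expects exactly one line of compressed JSON and nothing else on stdout.
$result | ConvertTo-Json -Compress

# The rules file uploaded with the custom compliance setting, kept here as a
# here-string so it can be written out with Set-Content. Operand values are placeholders.
$RulesJson = @'
{
  "Rules": [
    {
      "SettingName": "AvServiceRunning",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example/av-compliance",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "AV service not running", "Description": "Start or reinstall the AV client." }
      ]
    },
    {
      "SettingName": "AvClientVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "7.2.0.0",
      "MoreInfoUrl": "https://intranet.example/av-compliance",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "AV client outdated", "Description": "Update the AV client to 7.2 or later." }
      ]
    },
    {
      "SettingName": "AvLogAgeHours",
      "Operator": "LessEquals",
      "DataType": "Int64",
      "Operand": 48,
      "MoreInfoUrl": "https://intranet.example/av-compliance",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "AV client not reporting", "Description": "The client has not written to its log in two days." }
      ]
    }
  ]
}
'@
# Set-Content -LiteralPath .\av-compliance-rules.json -Value $RulesJson
```

The discovery script runs as SYSTEM on the device, so it cannot ask the cloud console whether the client is healthy; everything it reports has to be observable locally, which is why the example leans on service state, binary version and log freshness. The compliance policy result then feeds the CA grant control exactly as with the MDE risk score route.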
- StuartK73, Sep 04, 2025, Iron Contributor
Hi Buddy
Unfortunately, these devices are not yet enrolled in Defender for Endpoint, I am and have been pressing for this for a while now.
Could you elaborate on "Alternatively, if you have list of devices already identified, then you can block access to them using conditional access device filters."
I'm struggling to get my head around the Include filtered devices in the policy / Exclude filtered devices from the policy.
Let's say we do
CA Policy - Filtered Devices
All users
All resources
Access = BLOCK
Include filtered devices in the policy
Property Operator Value
DeviceID Equals Device ID from Intune
Does that policy work out as any user accessing any cloud resource on a deviceID is blocked?
SK
- rahuljindal, Sep 05, 2025, Bronze Contributor
Hey. Yes, pretty much any user (provided you select all users in the CA) that tries to access the cloud resources you define in the CA, will be blocked when you select the grant control as blocked.
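As an added example (not from the thread), here is the policy StuartK73 sketched, created through the Microsoft Graph PowerShell SDK rather than the portal: all users, all resources, grant control Block, and "include filtered devices" with a rule on device.deviceId. The device IDs and the emergency-access account ID are placeholders. Two points the portal wording hides: the filter matches the Microsoft Entra device ID (the value Intune labels "Microsoft Entra Device ID", not the Intune device ID), and the policy is created in report-only state so the sign-in logs can confirm which devices it would catch before it is switched to enabled.

```powershell
# Added example (not from the thread): block a known list of devices with a CA device filter.
# Requires the Microsoft.Graph.Identity.SignIns module and an admin with the scope below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Entra device IDs of the devices to block (placeholders). The CA device filter
# evaluates device.deviceId, which is the Entra device ID, not the Intune device ID.
$blockedDeviceIds = @(
    '00000000-0000-0000-0000-000000000001',  # placeholder
    '00000000-0000-0000-0000-000000000002'   # placeholder
)

# Build the filter rule: a single device uses -eq, several devices use -in.
$quoted = @($blockedDeviceIds | ForEach-Object { '"{0}"' -f $_ })
$rule = if ($quoted.Count -eq 1) {
    "device.deviceId -eq $($quoted[0])"
} else {
    "device.deviceId -in [$($quoted -join ', ')]"
}

# Emergency-access (break-glass) account object ID, excluded so a block policy
# on "All users" can never lock every administrator out. Placeholder value.
$breakGlassUserId = '00000000-0000-0000-0000-0000000000ff'

$params = @{
    displayName = 'Block - filtered devices (incident)'
    # Report-only first; change to 'enabled' once the sign-in log review looks right.
    state       = 'enabledForReportingButNotEnabled'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'include'; rule = $rule } }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy.Id
$policy.Conditions.Devices.DeviceFilter.Rule
```

With mode set to include, the policy applies only to sign-ins from devices matching the rule, which is the behaviour rahuljindal confirms above; with mode set to exclude it would apply to every device except those listed, which is the other half of the Include/Exclude choice StuartK73 asked about. Note that a device filter can only match a device that presents a device identity at sign-in (registered, joined or hybrid-joined); a sign-in from an unregistered device has no deviceId to compare and is not caught by an include filter.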