TL;DR
Introduction
Device compliance should be at the top of any organisation’s cybersecurity priorities. It defines whether a device is trusted and, more importantly, whether it should be allowed to access corporate data.
What is device compliance and why does it matter?
Device compliance ensures that endpoints meet defined security standards before accessing company resources. Without it, an organisation has:
- No clear visibility into insecure devices
- No way to enforce access control
- Increased exposure to cyber threats
What is device risk in Defender for Endpoint?
Device risk is determined by Microsoft Defender for Endpoint based on:
- Active alerts
- Detected vulnerabilities
- Suspicious or malicious activity
What is not new is that Defender for Endpoint also prevents these threats on the device and keeps it safe by quarantining malware or, if configured, running the Automated Investigation and Resolution tasks.
The risks identified on a device can range from a user opening a malicious file to suspicious activity spotted by Defender for Endpoint behavioural monitoring and reported as an alert.
The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
The figures below show how Defender for Endpoint reports the device risk.
Risk levels
The risk levels explained below are determined by Defender for Endpoint. It combines the vulnerabilities and risks found on the device with the behavioural analysis performed by the machine learning capabilities in Defender XDR. Note that you are required to set up the security policies in Defender and apply them to your devices.
- Clear/ Secure – No active threats
- Low – Minor risks detected
- Medium – Moderate threats present
- High – Significant security risk
A real-life example
Before enforcing policies, it’s important to understand how risk evolves in real environments.
- End-user devices used for browsing, email, Teams, and SaaS apps—where vulnerabilities are constantly being patched
- Phishing attacks, where users click malicious links that compromise the device
Defender for Endpoint provides real-time telemetry about your device fleet. If any of your devices is vulnerable to a threat, or a device reports as infected, its risk level is updated automatically.
This change in risk level signals Microsoft Intune to change the compliance state of the device, which in turn signals Entra ID to trigger the necessary Conditional Access policies.
How Intune, Defender and Conditional Access work together
This is where unified endpoint security becomes powerful.
- Defender for Endpoint detects a threat → increases device risk
- Microsoft Intune evaluates the device compliance
- Device is marked as non-compliant if risk exceeds threshold
- Microsoft Entra Conditional Access blocks access
- User regains access only after remediation
The result:
- Risk signals are acted on instantly
- Access decisions are automated
- Security is enforced consistently
The powerful role of Microsoft Intune
This is where Microsoft Intune comes into play.
- Define compliance policies
- Continuously evaluate device health
- Trigger actions based on compliance status
When combined with Conditional Access:
- Non-compliant devices are blocked from corporate resources
- Access is only granted when risk levels are acceptable
Device compliance policy rules in Defender for Endpoint
Microsoft Intune device compliance policies now include rules for Defender for Endpoint risk levels.
You can configure devices to:
- Become non-compliant immediately if risk exceeds thresholds
- Regain compliance only when risk is reduced
Combine this with Conditional Access policies. Access to corporate applications and data is stopped immediately, because the device now poses a risk due to threats detected by Defender for Endpoint. Users can access the resources again as soon as the device risk level is secure/clear.
The device must be at or under the configured machine risk score for the controls to permit access; devices that exceed the configured score are marked as non-compliant.
Compliance behaviour based on risk:
| Risk Level | Compliance Outcome |
|---|---|
| Secure | Fully compliant |
| Low | Compliant |
| Medium | Conditionally compliant |
| High | Typically non-compliant |
You define the acceptable risk level – anything beyond that triggers enforcement.
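The table above maps each Defender risk level to a compliance outcome for one chosen threshold. The following Python script is an added example, not code from the original post or from Microsoft: it models the risk-to-compliance step locally for a whole fleet so you can see which devices would fall out of compliance before changing the threshold in Intune, and it builds the Microsoft Graph request body for a Windows compliance policy that carries the Defender risk rule. Assumptions: the ordering Secure < Low < Medium < High follows the post; the Graph property names (deviceThreatProtectionEnabled, deviceThreatProtectionRequiredSecurityLevel, scheduledActionsForRule) are those of the windows10CompliancePolicy resource; the devices in SAMPLE_DEVICES are constructed, not real telemetry; and treating a device with no risk score as non-compliant is a fail-closed choice made in this example, not a statement about Intune internals.

```python
"""Added example: model Defender for Endpoint risk -> Intune compliance.

Assumptions (also stated in the lead-in):
- Risk levels are ordered Secure < Low < Medium < High, as the post lists them.
- Graph property names in compliance_policy_payload() are those of
  microsoft.graph.windows10CompliancePolicy.
- SAMPLE_DEVICES is constructed data, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Defender for Endpoint risk levels, lowest to highest. "secured" is the
# level the post calls Clear/Secure; the others match the post's names and
# the Graph deviceThreatProtectionLevel values.
RISK_ORDER = ("secured", "low", "medium", "high")


@dataclass(frozen=True)
class Device:
    name: str
    risk: Optional[str]  # None = Defender reports no score (e.g. not onboarded)


def risk_exceeds_threshold(device_risk: str, max_allowed: str) -> bool:
    """True when the device's risk is strictly above the admin-chosen maximum."""
    if device_risk not in RISK_ORDER or max_allowed not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {device_risk!r} / {max_allowed!r}")
    return RISK_ORDER.index(device_risk) > RISK_ORDER.index(max_allowed)


def evaluate_compliance(device: Device, max_allowed: str) -> str:
    """Return 'compliant' or 'noncompliant' for one device.

    Design choice in this example (not Intune's documented behaviour): a
    device with no risk score fails closed and is treated as noncompliant,
    because the post requires devices to be onboarded before the rule works.
    """
    if device.risk is None:
        return "noncompliant"
    if risk_exceeds_threshold(device.risk, max_allowed):
        return "noncompliant"
    return "compliant"


def evaluate_fleet(devices: Iterable[Device], max_allowed: str) -> Dict[str, str]:
    """Compliance state per device name for the given maximum allowed risk."""
    return {d.name: evaluate_compliance(d, max_allowed) for d in devices}


def compliance_policy_payload(display_name: str, max_allowed: str) -> dict:
    """Request body for a Windows compliance policy that uses the Defender risk rule.

    Assumed property names follow microsoft.graph.windows10CompliancePolicy.
    gracePeriodHours = 0 makes the device noncompliant immediately, matching
    the post's "become non-compliant immediately if risk exceeds thresholds".
    Assignments to device groups are tenant-specific and left out here.
    """
    if max_allowed not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {max_allowed!r}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": max_allowed,
        "scheduledActionsForRule": [
            {
                "scheduledActionConfigurations": [
                    {"actionType": "block", "gracePeriodHours": 0}
                ]
            }
        ],
    }


# Constructed sample fleet (not real data).
SAMPLE_DEVICES = (
    Device("LAPTOP-01", "secured"),
    Device("LAPTOP-02", "low"),
    Device("LAPTOP-03", "medium"),
    Device("LAPTOP-04", "high"),  # e.g. an active malware alert
    Device("LAPTOP-05", None),    # enrolled in Intune, not onboarded to Defender
)

if __name__ == "__main__":
    for name, state in evaluate_fleet(SAMPLE_DEVICES, "medium").items():
        print(f"{name}: {state}")
```

Running the script with the threshold set to "medium" keeps the first three constructed devices compliant and marks LAPTOP-04 (high risk) and LAPTOP-05 (no score) as non-compliant; lowering the threshold to "secured" also pushes LAPTOP-02 and LAPTOP-03 out of compliance, which is the kind of blast-radius check worth doing before tightening the policy in production.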
Configure Components
To enable this integration:
- Devices must be enrolled in Microsoft Intune
- Devices must be onboarded to Defender for Endpoint
- Service connection between Intune and Defender must be configured
- Supported platforms:
  - Windows
  - iOS / iPadOS
  - Android
Microsoft Intune app protection policies
Beyond device compliance, App Protection Policies provide another layer of control.
- Block access to apps based on device risk
- Protect corporate data even on unmanaged devices
- Supported platforms:
  - Android
  - iOS / iPadOS
  - Windows
Further, Microsoft Intune App Protection Policies can be configured in order to block access to the apps in the policy scope.
This policy can be configured in ‘App | Protection’.
Configure the conditional access policy
Conditional Access (CA) is the final enforcement layer.
Key capabilities:
- Block access from non-compliant devices
- Use device filters to target specific scenarios
- Require devices to meet compliance before accessing apps
End-user experience:
- Access is blocked when device risk is high
- Users must remediate issues before regaining access
Setting it up:
Create the CA policy in order to block access to corporate resources based on device compliance.
At a glance, the Entra ID devices page shows you the compliance signal.
Use device filters in conditions
When creating the Conditional Access policy, you can use the above compliance signal to make sure you are addressing the correct set of devices by setting a Device Filter in your policy.
Set the grant action
This ensures that access to resources is blocked until the device risk is remediated and the device is marked as compliant. In other words, the device risk must be clear, or at the configured acceptable level.
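The two steps above (a device filter in the conditions, then a block grant) together decide who gets in. The following Python script is an added example, not code from the original post or from Microsoft: it builds the Microsoft Graph request body for such a Conditional Access policy and evaluates the device filter rule locally against constructed device attributes, so you can see which devices a rule would select before enabling the policy. Assumptions: the payload shape follows the Graph conditionalAccessPolicy resource (conditions.devices.deviceFilter with mode and rule, grantControls.builtInControls); the evaluator supports only a subset of the filter grammar (device.property -eq/-ne value, joined with -and); the device attribute records in SAMPLE_DEVICES are constructed; and the handling of a device without a compliance attribute (it does not equal True, so a -ne True rule selects it) is this evaluator's fail-closed behaviour.

```python
"""Added example: Conditional Access policy body plus a local device-filter
rule evaluator. Not Microsoft's code; see the assumptions in the lead-in.
"""
import re
from typing import Any, Dict, List, Tuple

# Rule from the post's scenario: target devices that are NOT compliant.
NONCOMPLIANT_RULE = "device.isCompliant -ne True"

# Supported subset of the filter grammar: device.<property> -eq|-ne <value>
_CLAUSE = re.compile(r"^device\.(\w+)\s+-(eq|ne)\s+(.+)$")


def _parse_value(text: str) -> Any:
    """Turn a rule literal into a Python value (True/False or a bare string)."""
    text = text.strip()
    if text in ("True", "False"):
        return text == "True"
    return text.strip('"')


def parse_rule(rule: str) -> List[Tuple[str, str, Any]]:
    """Split 'device.a -eq x -and device.b -ne y' into (property, op, value) triples."""
    clauses = []
    for part in rule.split(" -and "):
        match = _CLAUSE.match(part.strip())
        if not match:
            raise ValueError(f"unsupported clause: {part!r}")
        prop, op, raw = match.groups()
        clauses.append((prop, op, _parse_value(raw)))
    return clauses


def device_matches_filter(device: Dict[str, Any], rule: str) -> bool:
    """True when every clause holds. A missing attribute reads as None, so a
    device with no compliance signal does NOT equal True and is therefore
    selected by a '-ne True' rule (fail closed: unknown state is untrusted)."""
    for prop, op, value in parse_rule(rule):
        equal = device.get(prop) == value
        if (op == "eq" and not equal) or (op == "ne" and equal):
            return False
    return True


def conditional_access_policy_payload(display_name: str, rule: str = NONCOMPLIANT_RULE) -> dict:
    """Request body: include devices matching the filter, grant = block.

    Shape assumed from microsoft.graph.conditionalAccessPolicy. Start with
    state 'enabledForReportingButNotEnforced' in production if you want to
    observe matches before enforcing.
    """
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "devices": {"deviceFilter": {"mode": "include", "rule": rule}},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def access_decision(device: Dict[str, Any], policy: dict) -> str:
    """'block' if the policy's device filter puts the device in scope and the
    grant control is block; otherwise 'allow' (no other policies modelled)."""
    device_filter = policy["conditions"]["devices"]["deviceFilter"]
    matched = device_matches_filter(device, device_filter["rule"])
    in_scope = matched if device_filter["mode"] == "include" else not matched
    if in_scope and "block" in policy["grantControls"]["builtInControls"]:
        return "block"
    return "allow"


def decide_fleet(devices: Dict[str, Dict[str, Any]], policy: dict) -> Dict[str, str]:
    """Access decision per device name."""
    return {name: access_decision(attrs, policy) for name, attrs in devices.items()}


# Constructed device attribute records (not real directory data).
SAMPLE_DEVICES = {
    "LAPTOP-01": {"isCompliant": True, "trustType": "AzureAD"},
    "LAPTOP-04": {"isCompliant": False, "trustType": "AzureAD"},  # Defender raised risk to High
    "BYOD-01": {"trustType": "Workplace"},                        # no compliance signal at all
}

if __name__ == "__main__":
    policy = conditional_access_policy_payload("Block non-compliant devices")
    for name, decision in decide_fleet(SAMPLE_DEVICES, policy).items():
        print(f"{name}: {decision}")
```

With the post's rule, LAPTOP-01 is allowed, LAPTOP-04 is blocked until Defender lowers its risk and Intune marks it compliant again, and BYOD-01 is blocked too because it never presented a compliance state; if that last outcome is not what you want, add a second clause such as device.trustType -eq "AzureAD" and test it with device_matches_filter() before rolling the policy out.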
End-user experience with the conditional access policy enforcement
Notifications and visibility
IT Admins can configure notifications to:
- Alert users when devices become non-compliant
- Notify IT or helpdesk teams
- Email notifications to end users
- Additional recipients (e.g. IT admins)
Setting it up:
Create notifications in ‘Compliance Policies’ and you’ll be notified when devices are not compliant.
Set the option ‘Send email’ to ‘end user’ and select an additional recipient as well; this can be your IT admin or helpdesk email address.
Remediation
To restore compliance and access:
- Remediate vulnerabilities (manually or automatically)
- Resolve active alerts on the device
- Reduce device risk level
Wrapping up
The ability to link real-time risk signals with automated access control is one of the biggest strengths of Microsoft’s security ecosystem.
- Detect threats instantly
- Enforce compliance automatically
- Block risky devices in real time