Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)

Today’s Tip…

Yesterday’s tip discussed the Conditional Access Framework and how it can be used to ensure device compliance for Windows 10 remote devices.  In today’s tip, we take a look at some of the components and cloud services involved.

Conditional Access Framework Components

The following components work together to provide an end-to-end device compliance solution.

Conditional Access

Conditional Access is a powerful policy evaluation engine built into Azure AD.  It gives IT admins an easy way to create access policies that evaluate the context of a user's login to make real-time decisions about which applications they should be allowed to access, including access to VPN.

Azure AD Connect Health

Azure AD Connect Health is a cloud based service and plays a key role in helping customers monitor and secure their cloud and on-premises identity infrastructure.   In its first preview, Azure AD Connect Health provides customers who use ADFS with detailed monitoring, reporting and alerts for their ADFS servers.

Windows Health Attestation Service

The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.  The role of Windows Health Attestation Service is essentially to evaluate a set of health data (using TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers.

Windows 10 Health Attestation CSP

Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature.  A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on.

The following is a list of functions performed by the Windows 10 Health Attestation CSP:

  • Collects data that is used to verify a device’s health status
  • Forwards the data to the Health Attestation Service
  • Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
  • Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification

During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service.

When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it.

For more information on the HealthAttestation CSP, including examples for integrating Health Attestation into your environment, see the following link: Health Attestation CSP

Who decides device compliance?

The device management server decides if device is compliant based on its configured set of compliance rules.  Intune, 3rd party MDM servers or an SCCM hybrid can be used.  The individual behaviors can vary depending upon the platform used, but most are based on state queries from MDM to the HealthAttestation CSP on the Windows 10 device.

Intune Compliance Policies

The Conditional Access Framework leverages the existing compliance policies configurable in Intune.  Mobile Device Management systems such as Intune are capable of querying device state and define compliance rules for the following:

  • Firewall status
  • Antivirus status
  • Auto-update status & Update compliance
  • Password policy compliance
  • Encryption compliance
  • Device health attestation state (validated against attestation service after query)

At the time of this writing Intune only supports a subset of these, but more are to be added in the future.

Next Time

Stay tuned for tomorrows tip, when we will examine a sample connection flow illustrating how all these components and services work together.