Device Compliance for your Virtual Machine(s)

Microsoft Intune

This article describes a simple but effective way to configure Device Compliance policies for Virtual Machines. Probably every admin recognizes the problem of testing Intune devices when it comes to Device Compliance. Not every admin has a physical (spare) device to test with and or wants to carry this with them.

Virtual Machines are a great solution for this. Looking at myself, i have always a few virtual machines on my notebook in Hyper-V. Most are virtual workplaces for customers where I’m actively working for. I’ll pretend these virtual machines to be exactly the same as a physical device. They get the same applications, settings and policies as the physical devices these customers are using.

This works perfectly fine, except for the Compliance Policy. It totally depends on the requirements you have within the policy. If you are blocking access to (for example: Office 365) from devices which are not compliant this could be an issue. A separate Compliance Policy is what you need! 

Normally i require at least the following compliance settings:

Physical device Compliance Policy setting

  • Device Health -> Bitlocker: Require
  • Device Health -> Secure Boot: Require
  • Device Health -> Code integrity: Require
  • System Security -> Require encryption of data storage on device: Require
  • System Security -> Firewall: Require
  • System Security -> Trusted Platform Module (TPM): Require
  • System Security -> Antivirus: Require
  • System Security -> Antispyware: Require
  • System Security -> Microsoft Defender Antimalware: Require
  • System Security -> Microsoft Defender Antimalware security intelligence up-to-date: Require
  • System Security -> Real-time protection: Require
  • Microsoft Defender for Endpoint -> Require the device to be at or under the machine risk score: Medium

For virtual machines (for example: Hyper-V VM’s), not all of these requirements can be met. Therefor I split my compliance policies into two separate policies.

Virtual device Compliance Policy setting

  • Device Health -> Code integrity: Require
  • Device Health -> Secure Boot: Require
  • System Security -> Firewall: Require
  • System Security -> Trusted Platform Module (TPM): Require
  • System Security -> Antivirus: Require
  • System Security -> Antispyware: Require
  • System Security -> Microsoft Defender Antimalware: Require
  • System Security -> Microsoft Defender Antimalware security intelligence up-to-date: Require
  • System Security -> Real-time protection: Require
  • Microsoft Defender for Endpoint -> Require the device to be at or under the machine risk score: Medium

Splitting by using Filters

Splitting these policies between the device groups (physical/virtual) can be done using Intune Filters. Let’s create two new filters!

Physical device Filter

  1. Sign into Intune (https://intune.microsoft.com)
  2. Go to Devices -> Other (section) -> Filters
  3. Click Create -> Managed devices
  4. Give it a name. For example: Windows – Physical device
  5. Platform: Select Windows 10 and later
  6. Click Rule syntax (Edit) and copy the following syntax: (device.model -ne “Virtual Machine”) and (device.osVersion -startsWith “10.0”)

Virtual device Filter

  1. Navigate to https://intune.microsoft.com
  2. Go to Devices -> Other (section) -> Filters
  3. Click Create -> Managed devices
  4. Give it a name. For example: Windows – Virtual device
  5. Platform: Select Windows 10 and later
  6. Click Rule syntax (Edit) and copy the following syntax: (device.model -eq “Virtual Machine”) and (device.osVersion -startsWith “10.0”)

This creates a filter which holds all the devices who are NOT virtual machines and are running Windows 10 or Windows 11. There’s no need to modify the device.osVersion value. 10.0.1 is used for Windows 10 and 10.0.2 is used for Windows 11. Using 10.0 as the value would include both operating systems.

Assign the filters

Physical device policy

Click on Devices -> Compliance policies -> Open: Windows – Compliance Policy. In my case this is the physical device policy. Click Properties -> Assignments -> Edit.

Find the Assignment (Group) you want to modify. Click Edit filter.

Select Exclude filtered devices in assignment and click on the filter Windows – Virtual Machine and Save the policy.

Virtual device policy

Click on Devices -> Compliance policies -> Open: Windows – Compliance Policy – Virtual Machine. In my case this is the physical device policy. Click Properties -> Assignments 

Find the Assignment (Group) you want to modify. Click Edit filter.

Select Exclude filtered devices in assignment and click on the filter Windows – Physical device and Save the policy.

The filters will apply a.s.a.p. to the devices within the filter. They will then start to report as compliant depending on the policy the device belongs to. Not applicable is perfectly fine in this case.

Author

  • Joey Verlinden is a Microsoft MVP in the security category from the Netherlands. He is the first guest contributor in this community. Make sure to follow him as he guides us in the world of security!

    View all posts

Leave a Reply

Your email address will not be published. Required fields are marked *