Intune (Windows) Connection

This article walks through the details of configuring Intune to connect to Drata.

Updated over a week ago

HERE'S WHY

Connecting to Intune will turn on the MDM option in Workstation Configuration Monitoring on your Company's Internal Security settings. If the Drata Agent is not present and active, it will then proceed to obtain workstation configuration information from the Intune instance for compliance purposes.

BEFORE DIVING IN

  1. Make sure that the devices you wish to monitor are enrolled through the Intune Company Portal website or app. Devices can be enrolled by any of these methods. If your employees are already enrolled, it is not necessary for them to install the Company Portal application.

  2. Make sure that your Entra (formerly Azure) account has already been populated with users.

  3. Make sure you have an existing Microsoft Endpoint Manager group containing all users that need to be monitored. Both types of "Microsoft 365" and "Security" are supported.

  4. Make sure that all devices that need to be synced have the user's email address entered into the device's User Principal Name field. Also ensure this value matches the Personnel email address in Drata.

  5. You will need a Global Administrator account in order to set everything up in Entra/Intune.

  6. At this time, Drata's Hard Disk Encryption check reads the device settings directly through the Intune connection. The rest of Drata's device compliance checks instead confirm the following:

    • Does the policy of the required name and/or type exist?

    • Is that policy mapped to the device?

    • Is that device compliant with that policy?

    If all three of the above criteria are met, Drata will show that device as passing for the other device compliance checks.
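The three criteria above, together with the prerequisite that a device's User Principal Name must match a personnel email address, can be expressed as a small evaluation routine. The following is an added example, not Drata's own code or the Intune API: it runs over constructed records modelled loosely on the Microsoft Graph managedDevice and deviceCompliancePolicyState shapes (the device names, emails and policy states are made up), and returns a per-device finding for each required policy in the order the criteria are checked.

```python
"""Added example (not Drata's code): apply the article's three compliance
criteria and the UPN-to-personnel-email match over constructed sample data."""

# Constructed sample records, loosely modelled on Microsoft Graph's
# managedDevice / deviceCompliancePolicyState shapes; not captured from a tenant.
POLICIES = [
    {"id": "pol-1", "displayName": "Drata - Device Security"},
    {"id": "pol-2", "displayName": "Drata - Firewall"},
]

DEVICES = [
    {
        "deviceName": "WIN-ALICE",
        "userPrincipalName": "alice@example.com",
        "deviceCompliancePolicyStates": [
            {"displayName": "Drata - Device Security", "state": "compliant"},
            {"displayName": "Drata - Firewall", "state": "compliant"},
        ],
    },
    {
        "deviceName": "WIN-BOB",
        "userPrincipalName": "bob@example.com",
        "deviceCompliancePolicyStates": [
            # Firewall policy deliberately not assigned to this device.
            {"displayName": "Drata - Device Security", "state": "noncompliant"},
        ],
    },
    {
        "deviceName": "WIN-CAROL",
        # UPN does not match the personnel record, so Drata cannot attribute it.
        "userPrincipalName": "carol.contractor@example.net",
        "deviceCompliancePolicyStates": [
            {"displayName": "Drata - Device Security", "state": "compliant"},
            {"displayName": "Drata - Firewall", "state": "compliant"},
        ],
    },
]

# Constructed personnel email list as it would appear in Drata.
PERSONNEL_EMAILS = {"alice@example.com", "bob@example.com", "carol@example.com"}

REQUIRED_POLICIES = ["Drata - Device Security", "Drata - Firewall"]


def check_policy(device, policy_name, policies):
    """Return (passed, reason), applying the three criteria in order:
    1. does the policy exist, 2. is it mapped to the device, 3. is the device compliant."""
    if not any(p["displayName"] == policy_name for p in policies):
        return False, f"policy '{policy_name}' does not exist"
    states = {s["displayName"]: s["state"]
              for s in device.get("deviceCompliancePolicyStates", [])}
    if policy_name not in states:
        return False, f"policy '{policy_name}' is not assigned to {device['deviceName']}"
    if states[policy_name] != "compliant":
        return False, (f"{device['deviceName']} reports '{states[policy_name]}' "
                       f"for '{policy_name}'")
    return True, "compliant"


def evaluate(devices, policies, required, personnel_emails):
    """Map device name -> findings. 'matched_personnel' records whether the
    device UPN matches a personnel email (case-insensitive); each required
    policy name maps to the (passed, reason) tuple from check_policy."""
    known = {e.lower() for e in personnel_emails}
    report = {}
    for d in devices:
        findings = {"matched_personnel": d["userPrincipalName"].lower() in known}
        for name in required:
            findings[name] = check_policy(d, name, policies)
        report[d["deviceName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in evaluate(DEVICES, POLICIES, REQUIRED_POLICIES,
                                   PERSONNEL_EMAILS).items():
        print(name, findings)
```

Running the block prints one line per device; WIN-BOB fails the Device Security check on the third criterion and the Firewall check on the second, while WIN-CAROL passes both policies but is flagged because its UPN has no matching personnel email.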

Current Limitations

  • The integration supports Microsoft Windows 10 and 11 Pro and Enterprise devices only. Windows 10 and 11 Home devices are not supported.

  • Drata's Autopilot (nightly automated testing) must run before the application list from Intune can be shown.

  • The application list for each device can take up to seven days to sync. This is because Intune updates the discovered apps list once every seven days after Intune was installed.

  • Drata supports both the Intune Discovered Apps list and Intune Managed Apps list natively.

  • The Intune API doesn't return the version of the Intune Agent used.

  • Only one configuration source per machine will be read, with the Drata agent taking precedence. To sync Intune data, ensure the Drata agent is uninstalled.

  • 1Password is only detected when it is installed via Intune.

  • Intune cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on either Intune's discovered apps list or Intune's Managed Apps list.

    • You may choose to upload manual evidence as an alternative.

  • Currently, policies and configuration profiles set up using Intune Settings Catalog are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.

  • Currently, Endpoint Security policies (required for Disk Encryption and Firewall settings) set up using Security Baselines are not supported. In order for compliance data to sync, you must use the policy and configuration profile types defined in this help article.

Overview of what we're going to set up

Create Intune App on Entra ID

Create new App Registration

  1. You can start from the Microsoft Intune admin center or portal.azure.com. Start from step 3 if you would like to start at portal.azure.com. Depending on your starting point, the instructions to do certain actions may differ.

  2. If you start from Microsoft Intune admin center,

    1. Select All services and then search for and select Microsoft Entra. The Microsoft Entra admin center opens in a new tab.

    2. On the Microsoft Entra admin center tab, expand Identity and then Applications. Then, select App registrations.

  3. If you start from portal.azure.com,

    • Search and select App registrations. Ensure it is under Services.

  4. On the App Registration page, select + New registration.

  5. On the Register an application page, enter or select the following values exactly as provided:

    • Name: Drata - Intune App

    • Supported account types: Accounts in this organizational directory only (<directory name> only - Single tenant)

  6. Select Register. You are taken back to the app's Overview page.

  7. Copy the Application (client) ID and Directory (tenant) ID. You will use the IDs to connect to your Intune instance in Drata.

    • You may have to select the newly registered app to view the IDs.

  8. Select Add a certificate or secret, or <#> certificate, <#> secret. If you do not see this option, you may have to select the newly registered app.

    • The following screenshot displays the number of values already created. If you have not created any values, the option reads Add a certificate or secret instead. Select that; it leads to the same page.

  9. Select + New client secret.

  10. Enter the details for the Description, select 24 months for Expires, and then select Add.

  11. Copy the Value (not the Secret ID) of the new secret to paste it into the Application Secret text field on the Drata slide-out panel.

    • Note: This will be the only time you can copy this secret key.

  12. Refresh the Azure Certificates and Secrets screen to make the secret Value usable. Microsoft holds it in a pending state until the screen is refreshed.

    • Note: Be sure to create and enter a new secret before the expiration date so the connection remains active.

API Permissions

Microsoft Graph has two types of permissions: Delegated and Application. The Drata OAuth app needs Application permissions.

  1. Select API permissions. Utilize the search bar if you cannot find this option.

    • Ensure you have selected the app. The following image showcases the app Creation App Test. From there, we are able to select API permissions.

  2. Select + Add a permission.

  3. Select Microsoft Graph.

  4. Select Application permissions.

  5. Search and select the following four permissions:

    • DeviceManagementManagedDevices.Read.All

    • DeviceManagementConfiguration.Read.All

    • User.Read.All

    • DeviceManagementApps.Read.All

  6. Select Add permissions.

  7. The status of the four new permissions displays as Not granted. Select Grant admin consent to grant the app these new permissions.

  8. Select Yes in the Grant admin consent confirmation popup.

  9. Confirm that the status displays Granted.
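Two things about this app registration are worth checking periodically: that exactly the four application permissions above are granted (no missing ones, and no extra ones beyond what the connection needs), and how long the client secret from the previous section has left before it expires. The following is an added example, not Drata's or Microsoft's code. It works offline over constructed data shaped like an appRoleAssignments listing and a passwordCredentials list; the appRoleId GUIDs are placeholders, not Microsoft's real role ids (in a real tenant the id-to-name mapping comes from the Microsoft Graph service principal's appRoles collection).

```python
"""Added example (not Drata's or Microsoft's code): offline readiness check for
the 'Drata - Intune App' registration: required permissions and secret expiry."""
from datetime import datetime, timezone

# The four application permissions the article requires.
REQUIRED_PERMISSIONS = {
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "User.Read.All",
    "DeviceManagementApps.Read.All",
}

# Constructed appRoleId -> permission value mapping. Placeholder GUIDs only;
# a real tenant reads these from the Microsoft Graph service principal's appRoles.
GRAPH_APP_ROLES = {
    "00000000-0000-0000-0000-000000000001": "DeviceManagementManagedDevices.Read.All",
    "00000000-0000-0000-0000-000000000002": "DeviceManagementConfiguration.Read.All",
    "00000000-0000-0000-0000-000000000003": "User.Read.All",
    "00000000-0000-0000-0000-000000000004": "DeviceManagementApps.Read.All",
    "00000000-0000-0000-0000-000000000005": "Directory.ReadWrite.All",
}

# Constructed sample: what is granted to the app's service principal (one
# required role missing, one unneeded write role present) and its secrets.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"appRoleId": "00000000-0000-0000-0000-000000000005"},
]
SAMPLE_SECRETS = [
    {"displayName": "Drata connection", "endDateTime": "2026-03-01T00:00:00Z"},
    {"displayName": "old secret", "endDateTime": "2024-01-15T00:00:00Z"},
]


def permission_findings(assignments, role_map=GRAPH_APP_ROLES,
                        required=REQUIRED_PERMISSIONS):
    """Resolve granted role ids to names and diff them against the required set.
    'missing' breaks the connection; 'excess' is a least-privilege finding."""
    granted = {role_map.get(a["appRoleId"], a["appRoleId"]) for a in assignments}
    return {"missing": sorted(required - granted), "excess": sorted(granted - required)}


def secret_findings(secrets, now, warn_days=30):
    """Classify each secret as expired / expiring / ok relative to `now` (UTC)."""
    out = []
    for s in secrets:
        # Graph returns ISO 8601 with a trailing Z; normalise for fromisoformat.
        end = datetime.fromisoformat(s["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        out.append({"displayName": s["displayName"],
                    "days_left": days_left, "status": status})
    return out


if __name__ == "__main__":
    print(permission_findings(SAMPLE_ASSIGNMENTS))
    print(secret_findings(SAMPLE_SECRETS, datetime.now(timezone.utc)))
```

With the sample data, the permission check reports DeviceManagementApps.Read.All as missing and Directory.ReadWrite.All as excess; the secret check flags the old secret as expired and, for a reference date of 15 February 2026, the active one as expiring within 30 days.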

Connect to your Intune instance in Drata

  1. Go to the Drata app to select Connections (located on the bottom sidebar).

  2. Search and select Connect for the Intune integration.

  3. In the extended drawer, enter the details you saved in the previous steps: Directory (tenant) ID, Application (client) ID, and Application Secret.

  4. Select Save & Test Connection.

Configure Intune in Drata for employee onboarding

  1. Go to Settings and then Internal Security.

    • To go to Settings, select your username and then select Settings.

  2. Toggle Automated via Intune on and toggle Automated via Drata Agent off to disable the Drata agent.

  3. Note: If both remain on, and the Drata agent is installed on an employee computer, the Drata agent will take precedence; meaning, employee compliance checks will come from the agent.

Lock Screen and Password Configuration Profile

Create a new Configuration Profile with a Device Restriction Policy to get the Lock Screen and Password information according to the following steps.

NOTE: If you already have an existing Lock Screen and Password Configuration Profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.

  1. Select Devices on the left side navigation menu.

  2. Then, search and select Configuration under Manage devices. Then, select Create and New Policy.

  3. Enter the following properties:

    • Platform: Choose Windows 10 and later

    • Profile: Choose Templates

      • Template name: Device restrictions

  4. Select Create.

  5. You will be redirected to a Device restrictions page where there are multiple steps or tabs to fill out.

  6. On the Basics tab, enter the following name exactly as provided: Drata - Screen Lock. The description is optional. Select Next.

  7. On the Configuration settings tab, expand each group of settings, and configure the settings you want to manage with this profile. The two settings below are required. After setting them, select Next.

    • Select Require for Password.

    • Select 15 Minutes for Maximum minutes of inactivity until screen locks (Optional: You can make this shorter).

  8. On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.

    • Note: The Security group is the only selectable option for the Screen Lock profile.

  9. Applicability Rules are optional. Select Next.

  10. On the Review + create page, ensure your settings are correct, and select Create.

You are taken back to the profile's Overview page.

Device Security Policy

Create a new compliance policy to sync the BitLocker, Secure Boot, and Antivirus settings with the following steps.

  1. Select Devices on the left side navigation menu. Then, search and select Compliance under Manage devices. Then, select Create policy.

  2. Enter the following property:

    • Platform: Windows 10 and later

  3. Select Create.

  4. You will be redirected to a Windows 10/11 compliance policy page where there are multiple steps or tabs to fill out.

  5. On the Basics tab, enter the following name (recommended, but Drata can read an existing policy with these settings): Drata - Device Security. The description is optional. Select Next.

  6. On the Compliance settings tab, expand each group of settings, and configure the settings you want to manage with this policy. The settings below must be set at a minimum.

    • Expand the Device Health option.

      • Select Require for BitLocker

      • Select Require for Secure Boot

    • Expand the System Security and then scroll down to the Device Security section.

      • Select Require for Antivirus.

    • Scroll down to the Defender section.

      • Select Require for Microsoft Defender Antimalware

      • Select Require for Microsoft Defender Antimalware security intelligence up-to-date.

      • Select Require for Real-time protection

  7. The Actions for noncompliance section is optional. Select Next.

  8. On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.

  9. On the Review + create page, ensure your settings are correct, and select Create.

You are taken back to the profile's Overview page.

Windows Updates Profile

Create a new policy to sync Windows Autoupdate settings with the following steps.

NOTE: If you already have an existing Windows Update Ring profile, you may submit that profile's name to our Support team and Drata will apply it after your connection is made.

  1. Select Devices on the left side navigation menu. Then, search and select Windows updates under Manage updates. Then, select Create profile.

  2. You will be redirected to a Create Update ring for Windows 10 and later page where there are multiple steps or tabs to fill out.

  3. On the Basics tab, enter the following name exactly as provided: Drata - Windows Updates. The description is optional. Select Next.

  4. On the Update ring settings tab, configure the settings you want to manage with this profile. For information about the available settings, refer to Windows update settings. Select Next.

  5. On the Assignments tab, under Included groups section, select Add groups to choose to assign the profile to one or more groups. Under Excluded groups section, select Add groups to fine-tune the assignment. Select Next.

    • Note: The Security group is the only selectable option for the Windows Update profile. While update rings can deploy to both device and user groups (i.e. a Security group can have both as members), consider using only device groups when you also use feature updates.

  6. On the Review + create page, ensure your settings are correct, and select Create. Your new update ring is displayed in the list of update rings.

Create Security Policies

Disk Encryption Security Policy

  1. Select Endpoint security.

  2. Search and select the Disk encryption policy type, and then select Create Policy.

  3. Enter the following properties and then select Create.

    • Platform: Choose Windows

    • Profile: Choose BitLocker

  4. On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings: Drata - Disk Encryption

  5. Description is optional. Select Next.

  6. On the Configuration settings page, configure the settings you want to manage with this policy. For the Drata connection, the following settings must be enabled. You may have to expand these sections if they are closed, and you can also use the search bar to find these settings more easily.

    • Under the BitLocker section,

      • Require Device Encryption: Enabled

      • Allow Warning For Other Disk Encryption: Enabled

    • Under the BitLocker Drive Encryption section:

      • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled

        • Once you enable the previous setting, configure the following settings:

        • Select the encryption method for fixed data drives: XTS-AES 128-bit

        • Select the encryption method for operating system drives: XTS-AES 128-bit

        • Select the encryption method for removable data drives: AES-CBC 128-bit

    • Under the Operating System Drives section:

      • Enforce drive encryption type on operating system drives: Enabled

        • Once you enable the previous setting, configure the following setting:

        • Select the encryption type: (Device): Use Space Only encryption

    • Under the Fixed Data Drives section:

      • Enforce drive encryption type on fixed data drives: Enabled

        • Once you enable the previous setting, configure the following setting:

        • Select the encryption type: (Device): Allow user to choose

    • Configure other settings as your business requires.

  7. When you're done configuring settings, select Next.

  8. Scope tags are optional. Select Next.

  9. Under Assignments, choose + Add groups under Included Groups and then assign the policy to one or more groups. Use + Add groups to Excluded Groups to fine-tune the assignment as necessary. For more information on assigning profiles, see Assign user and device profiles.

    • Note: The Security group is the only selectable option for the Disk Encryption policy.

  10. On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.

Firewall Security Policy

  1. Go to Endpoint security.

  2. Select the Firewall policy type, and then select Create Policy.

  3. Enter the following properties:

    • Platform: Choose Windows

    • Profile: Choose Windows Firewall

  4. Select Create.

  5. On the Basics page, the following name is recommended, but Drata can read an existing policy with these settings: Drata - Firewall

  6. Description is optional. Select Next.

  7. On the Configuration settings page, configure the settings you want to manage with this policy.

    • The three settings below must be set at a minimum. You can search for these configurations as well.

      • Select True for Enable Domain Network Firewall

      • Select True for Enable Private Network Firewall

      • Select True for Enable Public Network Firewall

      • Configure other settings as your business requires

  8. When you're done configuring settings, select Next.

  9. Scope tags are optional. Select Next.

  10. Under Assignments, choose + Select groups to include and then assign the policy to one or more groups. Use + Select groups to exclude to fine-tune the assignment. For more information on assigning profiles, see Assign user and device profiles.

    • The Security group is the only selectable option for the Firewall policy.

  11. On the Review + create page, ensure your settings are correct, and select Create. The new policy is displayed in the list when you select the type for the policy you created.

Note: There is a known Intune bug where Firewall compliance can return false-positive results.

Sync devices to get the latest policies and actions with Intune

The Sync device action forces the selected devices to immediately check in with Intune. When a device checks in, it receives any pending actions or policies that have been assigned to it. This feature can help you immediately validate and troubleshoot policies you've assigned, without waiting for the next scheduled check-in.

Sync bulk devices

  1. Select Devices > All devices > Bulk Device Actions.

  2. Enter the following configurations:

    • Select Windows for OS

    • Select Sync for Device action

  3. On the Devices page, select from 1 to 100 devices. Select Next.

  4. On the Review + create page, ensure your settings are correct, and select Create.

You are taken back to the Devices page.

Note: If the device has just enrolled, it checks in more often. Windows PCs check in every 3 minutes for 30 minutes, and then every 8 hours.
