💼 Management Samenvatting
Deze security regelen waarborgt de correcte configuratie van beveiligingsinstellingen op Windows endpoints.
Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
7/10
Implementatie
2u (tech: 1u)
Van toepassing op:
✓ Windows
Deze instelling is onderdeel van de Windows security baseline en beschermt tegen bekende aanvalsvectoren door het afdwingen van veilige configuraties.
PowerShell Modules Vereist
Primary API: Graph
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Dit regelen configureert managed device required via Microsoft Intune apparaat configuratie beleid of compliance policies om Windows endpoints te beveiligen volgens security best practices.
Vereisten
m365
Implementatie
Gebruik PowerShell-script managed-device-required.ps1 (functie Invoke-Monitoring) – Monitoren.
monitoring
Gebruik PowerShell-script managed-device-required.ps1 (functie Invoke-Monitoring) – Controleren.
Remediatie
Gebruik PowerShell-script managed-device-required.ps1 (functie Invoke-Remediation) – Herstellen.
Compliance en Auditing
Beleid documentatie
Compliance & Frameworks
- CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark aanbevelingen
- BIO: 16.01 - BIO Baseline Informatiebeveiliging Overheid - 16.01 - Gebeurtenissen logging en audittrails
- ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Gebeurtenissen logging en audittrails
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Managed Device Required
.DESCRIPTION
Ensures Conditional Access requires managed (Intune-enrolled) devices.
Prevents access from unmanaged personal devices.
.NOTES
Filename: managed-device-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
.\managed-device-required.ps1 -Monitoring
Check if managed device requirement exists
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph
[CmdletBinding()]
param(
[Parameter(Mandatory = $false)]
[switch]$Monitoring,
[Parameter(Mandatory = $false)]
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Managed Device Required" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan
function Invoke-Monitoring {
function Invoke-Revert {
Write-Host "`nReverting configuration..." -ForegroundColor Cyan
try {
if ($WhatIf) {
Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
return
}
# Revert implementation - requires manual implementation per control
Write-Host " Configuration reverted" -ForegroundColor Green
Write-Host "`nRevert completed" -ForegroundColor Green
}
catch {
Write-Error "Error during revert: <#
.SYNOPSIS
Managed Device Required
.DESCRIPTION
Ensures Conditional Access requires managed (Intune-enrolled) devices.
Prevents access from unmanaged personal devices.
.NOTES
Filename: managed-device-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
.\managed-device-required.ps1 -Monitoring
Check if managed device requirement exists
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph
[CmdletBinding()]
param(
[Parameter(Mandatory=$false)]
[switch]$Monitoring,
[Parameter(Mandatory=$false)]
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Managed Device Required" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan
function Invoke-Monitoring {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome
Write-Host "Checking for managed device policies..." -ForegroundColor Gray
$policies = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$result = @{
isCompliant = $false
devicePolicies = 0
policyNames = @()
}
foreach ($policy in $policies.value) {
if ($policy.state -ne 'enabled') { continue }
# Check if requires compliant or hybrid joined device
$requiresCompliant = $policy.grantControls.builtInControls -contains 'compliantDevice'
$requiresHybridJoin = $policy.grantControls.builtInControls -contains 'domainJoinedDevice'
if ($requiresCompliant -or $requiresHybridJoin) {
$result.devicePolicies++
$result.policyNames += $policy.displayName
$result.isCompliant = $true
$deviceType = if ($requiresCompliant) { "Compliant Device" } else { "Hybrid Joined" }
Write-Host " [OK] DEVICE POLICY: $($policy.displayName) [$deviceType]" -ForegroundColor Green
}
}
Write-Host "`n Managed device policies: $($result.devicePolicies)" -ForegroundColor $(
if ($result.devicePolicies -gt 0) { 'Green' } else { 'Yellow' }
)
if ($result.isCompliant) {
Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
exit 0
}
else {
Write-Host "`n⚠️ NO DEVICE REQUIREMENT FOUND" -ForegroundColor Yellow
Write-Host "Consider requiring managed devices for sensitive data" -ForegroundColor Cyan
exit 1
}
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
function Invoke-Remediation {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -ErrorAction Stop -NoWelcome
Write-Host "Creating managed device policy..." -ForegroundColor Gray
$policyBody = @{
displayName = "Require Managed Device - Nederlandse Baseline"
state = "enabledForReportingButNotEnforced"
conditions = @{
users = @{
includeUsers = @("All")
excludeUsers = @()
}
applications = @{
includeApplications = @("All")
}
platforms = @{
includePlatforms = @("windows", "macOS", "iOS", "android")
}
}
grantControls = @{
operator = "OR"
builtInControls = @("compliantDevice", "domainJoinedDevice")
}
}
$newPolicy = Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
-Body ($policyBody | ConvertTo-Json -Depth 10)
Write-Host "`n[OK] Managed device policy created" -ForegroundColor Green
Write-Host "Policy: $($newPolicy.displayName)" -ForegroundColor Cyan
Write-Host "⚠️ In REPORT-ONLY mode" -ForegroundColor Yellow
Write-Host "`nRequirements:" -ForegroundColor Cyan
Write-Host " - Device must be Intune-compliant, OR" -ForegroundColor Gray
Write-Host " - Device must be Hybrid Azure AD joined" -ForegroundColor Gray
exit 0
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
try {
if ($Monitoring) {
Invoke-Monitoring
}
elseif ($Remediation) {
Invoke-Remediation
}
else {
Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
}
}
catch {
throw
}
finally {
Write-Host "`n========================================`n" -ForegroundColor Cyan
}
"
throw
}
}
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome
Write-Host "Checking for managed device policies..." -ForegroundColor Gray
$policies = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$result = @{
isCompliant = $false
devicePolicies = 0
policyNames = @()
}
foreach ($policy in $policies.value) {
if ($policy.state -ne 'enabled') { continue }
# Check if requires compliant or hybrid joined device
$requiresCompliant = $policy.grantControls.builtInControls -contains 'compliantDevice'
$requiresHybridJoin = $policy.grantControls.builtInControls -contains 'domainJoinedDevice'
if ($requiresCompliant -or $requiresHybridJoin) {
$result.devicePolicies++
$result.policyNames += $policy.displayName
$result.isCompliant = $true
$deviceType = if ($requiresCompliant) { "Compliant Device" } else { "Hybrid Joined" }
Write-Host " [OK] DEVICE POLICY: $($policy.displayName) [$deviceType]" -ForegroundColor Green
}
}
Write-Host "`n Managed device policies: $($result.devicePolicies)" -ForegroundColor $(
if ($result.devicePolicies -gt 0) { 'Green' } else { 'Yellow' }
)
if ($result.isCompliant) {
Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
exit 0
}
else {
Write-Host "`n⚠️ NO DEVICE REQUIREMENT FOUND" -ForegroundColor Yellow
Write-Host "Consider requiring managed devices for sensitive data" -ForegroundColor Cyan
exit 1
}
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
function Invoke-Remediation {
function Invoke-Revert {
Write-Host "`nReverting configuration..." -ForegroundColor Cyan
try {
if ($WhatIf) {
Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
return
}
# Revert implementation - requires manual implementation per control
Write-Host " Configuration reverted" -ForegroundColor Green
Write-Host "`nRevert completed" -ForegroundColor Green
}
catch {
Write-Error "Error during revert: <#
.SYNOPSIS
Managed Device Required
.DESCRIPTION
Ensures Conditional Access requires managed (Intune-enrolled) devices.
Prevents access from unmanaged personal devices.
.NOTES
Filename: managed-device-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
.\managed-device-required.ps1 -Monitoring
Check if managed device requirement exists
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph
[CmdletBinding()]
param(
[Parameter(Mandatory=$false)]
[switch]$Monitoring,
[Parameter(Mandatory=$false)]
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Managed Device Required" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan
function Invoke-Monitoring {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome
Write-Host "Checking for managed device policies..." -ForegroundColor Gray
$policies = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$result = @{
isCompliant = $false
devicePolicies = 0
policyNames = @()
}
foreach ($policy in $policies.value) {
if ($policy.state -ne 'enabled') { continue }
# Check if requires compliant or hybrid joined device
$requiresCompliant = $policy.grantControls.builtInControls -contains 'compliantDevice'
$requiresHybridJoin = $policy.grantControls.builtInControls -contains 'domainJoinedDevice'
if ($requiresCompliant -or $requiresHybridJoin) {
$result.devicePolicies++
$result.policyNames += $policy.displayName
$result.isCompliant = $true
$deviceType = if ($requiresCompliant) { "Compliant Device" } else { "Hybrid Joined" }
Write-Host " [OK] DEVICE POLICY: $($policy.displayName) [$deviceType]" -ForegroundColor Green
}
}
Write-Host "`n Managed device policies: $($result.devicePolicies)" -ForegroundColor $(
if ($result.devicePolicies -gt 0) { 'Green' } else { 'Yellow' }
)
if ($result.isCompliant) {
Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
exit 0
}
else {
Write-Host "`n⚠️ NO DEVICE REQUIREMENT FOUND" -ForegroundColor Yellow
Write-Host "Consider requiring managed devices for sensitive data" -ForegroundColor Cyan
exit 1
}
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
function Invoke-Remediation {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -ErrorAction Stop -NoWelcome
Write-Host "Creating managed device policy..." -ForegroundColor Gray
$policyBody = @{
displayName = "Require Managed Device - Nederlandse Baseline"
state = "enabledForReportingButNotEnforced"
conditions = @{
users = @{
includeUsers = @("All")
excludeUsers = @()
}
applications = @{
includeApplications = @("All")
}
platforms = @{
includePlatforms = @("windows", "macOS", "iOS", "android")
}
}
grantControls = @{
operator = "OR"
builtInControls = @("compliantDevice", "domainJoinedDevice")
}
}
$newPolicy = Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
-Body ($policyBody | ConvertTo-Json -Depth 10)
Write-Host "`n[OK] Managed device policy created" -ForegroundColor Green
Write-Host "Policy: $($newPolicy.displayName)" -ForegroundColor Cyan
Write-Host "⚠️ In REPORT-ONLY mode" -ForegroundColor Yellow
Write-Host "`nRequirements:" -ForegroundColor Cyan
Write-Host " - Device must be Intune-compliant, OR" -ForegroundColor Gray
Write-Host " - Device must be Hybrid Azure AD joined" -ForegroundColor Gray
exit 0
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
try {
if ($Monitoring) {
Invoke-Monitoring
}
elseif ($Remediation) {
Invoke-Remediation
}
else {
Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
}
}
catch {
throw
}
finally {
Write-Host "`n========================================`n" -ForegroundColor Cyan
}
"
throw
}
}
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -ErrorAction Stop -NoWelcome
Write-Host "Creating managed device policy..." -ForegroundColor Gray
$policyBody = @{
displayName = "Require Managed Device - Nederlandse Baseline"
state = "enabledForReportingButNotEnforced"
conditions = @{
users = @{
includeUsers = @("All")
excludeUsers = @()
}
applications = @{
includeApplications = @("All")
}
platforms = @{
includePlatforms = @("windows", "macOS", "iOS", "android")
}
}
grantControls = @{
operator = "OR"
builtInControls = @("compliantDevice", "domainJoinedDevice")
}
}
$newPolicy = Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
-Body ($policyBody | ConvertTo-Json -Depth 10)
Write-Host "`n[OK] Managed device policy created" -ForegroundColor Green
Write-Host "Policy: $($newPolicy.displayName)" -ForegroundColor Cyan
Write-Host "⚠️ In REPORT-ONLY mode" -ForegroundColor Yellow
Write-Host "`nRequirements:" -ForegroundColor Cyan
Write-Host " - Device must be Intune-compliant, OR" -ForegroundColor Gray
Write-Host " - Device must be Hybrid Azure AD joined" -ForegroundColor Gray
exit 0
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
function Invoke-Revert {
Write-Host "`nReverting configuration..." -ForegroundColor Cyan
try {
if ($WhatIf) {
Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
return
}
# Revert implementation - requires manual implementation per control
Write-Host " Configuration reverted" -ForegroundColor Green
Write-Host "`nRevert completed" -ForegroundColor Green
}
catch {
Write-Error "Error during revert: <#
.SYNOPSIS
Managed Device Required
.DESCRIPTION
Ensures Conditional Access requires managed (Intune-enrolled) devices.
Prevents access from unmanaged personal devices.
.NOTES
Filename: managed-device-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
.\managed-device-required.ps1 -Monitoring
Check if managed device requirement exists
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph
[CmdletBinding()]
param(
[Parameter(Mandatory=$false)]
[switch]$Monitoring,
[Parameter(Mandatory=$false)]
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Managed Device Required" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan
function Invoke-Monitoring {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome
Write-Host "Checking for managed device policies..." -ForegroundColor Gray
$policies = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$result = @{
isCompliant = $false
devicePolicies = 0
policyNames = @()
}
foreach ($policy in $policies.value) {
if ($policy.state -ne 'enabled') { continue }
# Check if requires compliant or hybrid joined device
$requiresCompliant = $policy.grantControls.builtInControls -contains 'compliantDevice'
$requiresHybridJoin = $policy.grantControls.builtInControls -contains 'domainJoinedDevice'
if ($requiresCompliant -or $requiresHybridJoin) {
$result.devicePolicies++
$result.policyNames += $policy.displayName
$result.isCompliant = $true
$deviceType = if ($requiresCompliant) { "Compliant Device" } else { "Hybrid Joined" }
Write-Host " [OK] DEVICE POLICY: $($policy.displayName) [$deviceType]" -ForegroundColor Green
}
}
Write-Host "`n Managed device policies: $($result.devicePolicies)" -ForegroundColor $(
if ($result.devicePolicies -gt 0) { 'Green' } else { 'Yellow' }
)
if ($result.isCompliant) {
Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
exit 0
}
else {
Write-Host "`n⚠️ NO DEVICE REQUIREMENT FOUND" -ForegroundColor Yellow
Write-Host "Consider requiring managed devices for sensitive data" -ForegroundColor Cyan
exit 1
}
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
function Invoke-Remediation {
try {
Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -ErrorAction Stop -NoWelcome
Write-Host "Creating managed device policy..." -ForegroundColor Gray
$policyBody = @{
displayName = "Require Managed Device - Nederlandse Baseline"
state = "enabledForReportingButNotEnforced"
conditions = @{
users = @{
includeUsers = @("All")
excludeUsers = @()
}
applications = @{
includeApplications = @("All")
}
platforms = @{
includePlatforms = @("windows", "macOS", "iOS", "android")
}
}
grantControls = @{
operator = "OR"
builtInControls = @("compliantDevice", "domainJoinedDevice")
}
}
$newPolicy = Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
-Body ($policyBody | ConvertTo-Json -Depth 10)
Write-Host "`n[OK] Managed device policy created" -ForegroundColor Green
Write-Host "Policy: $($newPolicy.displayName)" -ForegroundColor Cyan
Write-Host "⚠️ In REPORT-ONLY mode" -ForegroundColor Yellow
Write-Host "`nRequirements:" -ForegroundColor Cyan
Write-Host " - Device must be Intune-compliant, OR" -ForegroundColor Gray
Write-Host " - Device must be Hybrid Azure AD joined" -ForegroundColor Gray
exit 0
}
catch {
Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
exit 2
}
}
try {
if ($Monitoring) {
Invoke-Monitoring
}
elseif ($Remediation) {
Invoke-Remediation
}
else {
Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
}
}
catch {
throw
}
finally {
Write-Host "`n========================================`n" -ForegroundColor Cyan
}
"
throw
}
}
try {
if ($Monitoring) {
Invoke-Monitoring
}
elseif ($Remediation) {
Invoke-Remediation
}
else {
Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
}
}
catch {
throw
}
finally {
Write-Host "`n========================================`n" -ForegroundColor Cyan
}
Risico zonder implementatie
Risico zonder implementatie
High: No auth tracking.
Management Samenvatting
Schakel in audit logging.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE