Require device security compliance for Windows App with Microsoft Intune and Microsoft Entra Conditional Access

You can use a combination of Microsoft Intune and Microsoft Entra Conditional Access to require that users' devices meet your specific security requirements before they can connect to Azure Virtual Desktop, Windows 365, and Microsoft Dev Box. This approach enables you to enforce security requirements for Windows App in the following scenarios:

Device platform	Intune device management
iOS/iPadOS	Managed or unmanaged
Android¹	Managed or unmanaged
Web browser (only Microsoft Edge on Windows)	Unmanaged only

1. Doesn't include support for Chrome OS.

For information on using app protection policies with managed and unmanaged devices, see Target app protection policies based on device management state.

Some of the policy settings you can enforce include requiring a PIN, a specific operating system version, blocking third-party keyboards, and restricting cut, copy, and paste operations between other apps on local client devices. For the full list of available settings, see Conditional launch in iOS app protection policy settings and Conditional launch in Android app protection policy settings.

Once you set security requirements, you can also manage whether on iOS/iPadOS and Android devices their local resources such as cameras, microphones, storage, and the clipboard are redirected to a remote session. Requiring local device security compliance is a prerequisite to manage local device redirection settings. To learn more about managing local device redirection settings, see Manage local device redirection settings with Microsoft Intune.

At a high-level, there are two areas to configure:

• Intune app protection policy: used to specify security requirements that the application and the local client device must meet. You can use filters to target users based on specific criteria.

• Conditional Access policy: used to control access to Azure Virtual Desktop and Windows 365 only if the criteria set in app protection policies are met.

Prerequisites

Before you can require local client device security compliance using Intune and Conditional Access, you need:

• An existing host pool with session hosts, or Cloud PCs.

• At least one Microsoft Entra ID security group containing users to apply the policies to.

• For managed devices only, you need to add each of the following apps you want to use to Intune:

  • For Windows App on iOS/iPadOS, see Add iOS store apps to Microsoft Intune.
  • For Microsoft Edge on Windows, see Add Microsoft Edge for Windows 10/11 to Microsoft Intune.

• A local client device running one of the following versions of Windows App or using Windows App in Microsoft Edge:

  • Windows App:

    • iOS/iPadOS: 11.1.1 or later.
    • Android 1.0.0.161 or later.

  • Microsoft Edge on Windows: 134.0.3124.51 or later.

• Also on the local client device, you need the latest version of:

  • iOS/iPadOS: Microsoft Authenticator app
  • Android: Company Portal app, installed in the same profile as Windows App for personal devices. Both apps need to either be in a personal profile or in a work profile, not one in each profile.

• There are more Intune prerequisites for configuring app protection policies and Conditional Access policies. For more information, see:

  • How to create and assign app protection policies.
  • Use app-based Conditional Access policies with Intune.

Create a filter

By creating a filter you can apply policy settings only when the criteria set in the filter are matched, allowing you to narrow the assignment scope of a policy. With Windows App you can use the following filters:

• iOS/iPadOS:

  • Create a managed apps filter for unmanaged and managed devices.
  • Create a managed devices filter for managed devices.

• Android:

  • Create a managed apps filter for unmanaged and managed devices.

• Windows: Filters aren't applicable to Microsoft Edge on Windows.

Use filters to narrow the assignment scope of a policy. Creating a filter is optional; if you don't configure a filter, the same device security compliance and device redirection settings apply to a user, regardless of whether they are on a managed or unmanaged device. What you specify in a filter depends on your requirements.

To learn about filters and how to create them, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune and Managed app filter properties.

Create an app protection policy

App protection policies allow you to control how apps and devices access and share data. You need to create a separate app protection policy for iOS/iPadOS, Android, and Microsoft Edge on Windows. Don't configure both iOS/iPadOS and Android in the same app protection policy as you aren't able to configure policy targeting based on managed and unmanaged devices.

Select the relevant tab.

iOS/iPadOS

To create and apply an app protection policy, follow the steps in How to create and assign app protection policies and use the following settings:

• Create an app protection policy for iOS/iPadOS.

• On the Apps tab, select Select public apps, search for and select Windows App, then select Select.

• On the Data protection tab, only the following settings are relevant to Windows App. The other settings don't apply as Windows App interacts with the session host and not with data in the app. On mobile devices, unapproved keyboards are a source of keystroke logging and theft.

  You can configure the following settings:

  Parameter	Value/Description
  Data transfer
  Send org data to other apps	Set to None to enable screen capture protection. For more information on screen capture protection in Azure Virtual Desktop, see Enable screen capture protection in Azure Virtual Desktop.
  Restrict cut, copy, and paste between other apps	Set to Blocked to disable clipboard redirection between Windows App and the local device. Use with disabling clipboard redirection in an app configuration policy.
  Third-party keyboards	Set to Blocked to block third-party keyboards.

• On the Conditional launch tab, we recommend you add the following conditions:

  Condition	Condition type	Value	Action
  Min app version	App condition	Based on your requirements. Enter a version number for Windows App on iOS/iPadOS	Block access
  Min OS version	Device condition	Based on your requirements.	Block access
  Primary MTD service	Device condition	Based on your requirements. Your MTD connector must be set up. For Microsoft Defender for Endpoint, configure Microsoft Defender for Endpoint in Intune.	Block access
  Max allowed device threat level	Device condition	Secured	Block access

  For more information about the available settings, see Conditional launch in iOS app protection policy settings.

• On the Assignments tab, assign the policy to your security group containing the users you want to apply the policy to. You must apply the policy to a group of users to have the policy take effect. For each group, you can optionally select a filter to be more specific in the app configuration policy targeting.

Android

To create and apply an app protection policy, follow the steps in How to create and assign app protection policies and use the following settings:

• Create an app protection policy for Android.

• On the Apps tab, select Select public apps, search for and select Windows App, then select Select. If Windows App doesn't yet appear for you, enter Remote Desktop instead. This is due to Intune deployment timing. Both apps use the same package ID com.microsoft.rdc.androidx, so app protection policies apply to both apps regardless of the app name you see in the Intune console.

• On the Data protection tab, only the following settings are relevant to Windows App. The other settings don't apply as Windows App interacts with the session host and not with data in the app. On mobile devices, unapproved keyboards are a source of keystroke logging and theft.

  You can configure the following settings:

  Parameter	Value/Description
  Data transfer
  Restrict cut, copy, and paste between other apps	Set to Blocked to disable clipboard redirection between Windows App and the local device. Use with disabling clipboard redirection in an app configuration policy.
  Screen capture and Google Assistant	Set to Block to block screen capture protection and Google Assistant. For more information on screen capture protection in Azure Virtual Desktop, see Enable screen capture protection in Azure Virtual Desktop.
  Approved keyboards	Set keyboards to approve from the list or add custom entries.

• On the Conditional launch tab, we recommend you add the following conditions:

  Condition	Condition type	Value	Action
  Min app version	App condition	Based on your requirements. Enter a version number for Windows App on Android.	Block access
  Min OS version	Device condition	Based on your requirements.	Block access
  Primary MTD service	Device condition	Based on your requirements. Your MTD connector must be set up. For Microsoft Defender for Endpoint, configure Microsoft Defender for Endpoint in Intune.	Block access
  Max allowed device threat level	Device condition	Secured	Block access

  For more information about the available settings, see Conditional launch in Android app protection policy settings.

• On the Assignments tab, assign the policy to your security group containing the users you want to apply the policy to. You must apply the policy to a group of users to have the policy take effect. For each group, you can optionally select a filter to be more specific in the app configuration policy targeting.

Web browser

To create and apply an app protection policy for Microsoft Edge on Windows:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps, then under Manage apps, select Protection.

3. Select Create, then select Windows. The Create policy pane is displayed.

4. On the Basics tab, complete the following information:

   Parameter	Value/Description
   Name	Enter a name for this app protection policy.
   Description	Optionally enter a description.

   Once you complete this tab, select Next.

5. On the Apps tab, select Select apps. In the pane that opens, search for and select Microsoft Edge, then select Select. Once Microsoft Edge is listed in your list of selected apps, select Next.

6. On the Data protection tab, you can configure the following settings:

   Parameter	Value/Description
   Data transfer
   Receive data from	Set to No sources to disable drive redirection from Windows App. Must also configure Send org data to.
   Send org data to	Set to No destinations to disable drive redirection to Windows App. Must also configure Receive data from.
   Allow cut, copy, and paste for	Set to No destination or source to disable clipboard redirection between Windows App and the local device.
   Functionality
   Print org data	Set to Block to prevent printing from Windows App.

   Note

   This scenario targets Windows App in web browser with Microsoft Edge using an app protection policy, which is different from using the natively installed versions of Windows App.

   • You can't allow drive redirection and block printing. Printing from a web-based remote session relies on data transfer settings. You can use other methods to block printing, such as Azure Virtual Desktop host pool settings or configuring session hosts or Cloud PCs instead of the local device. Alternatively, use one of the natively installed versions of Windows App. For more information, see Configure printer redirection over the Remote Desktop Protocol.

   • You can block drive redirection and allow printing.

• On the Health Checks tab, we recommend you add the following conditions:

  Condition	Condition type	Value	Action
  Min app version	App condition	Based on your requirements. Enter a version number for Microsoft Edge, with 134.0.3124.51 as the earliest supported version.	Block access
  Min OS version	Device condition	Based on your requirements. Enter a build number for Windows in one of these formats: major.minor, major.minor.build, major.minor.build.revision, for example 10.0.26100.3476. You can find Windows build numbers at Windows release health and selecting the link for release information for each operating system.	Block access
  Max allowed device threat level	Device condition	Secured	Block access

  For more information about the available settings, see Health checks in app protection policy settings for Windows.

• On the Assignments tab, assign the policy to your security group containing the users you want to apply the policy to. You must apply the policy to a group of users to have the policy take effect. For each group, you can optionally select a filter to be more specific in the app configuration policy targeting.

Create a Conditional Access policy

A Conditional Access policy allows you to control access to Azure Virtual Desktop, Windows 365, and Microsoft Dev Box based on specific criteria of the user connecting and the device they're using. We recommend you create multiple Conditional Access policies to achieve granular scenarios based on your requirements. Some example policies are in the following sections.

Important

Carefully consider the range of cloud services, devices, and versions of Windows App you want your users to be able to use. These example Conditional Access policies don't cover all scenarios and you need to be careful not to inadvertently block access. You should create policies and adjust settings based on your requirements.

To create and apply a Conditional Access policy, follow the steps in Set up app-based Conditional Access policies with Intune and use the information and settings in the following examples.

Example 1: Allow access only when an app protection policy is applied with Windows App

This example allows access only when an app protection policy is applied with Windows App:

• For Assignments, include the security group containing the users to apply the policy to. You must apply the policy to a group of users to have the policy take effect.

• For Target resources, select to apply the policy to Resources, then for Include, select Select resources. Search for and select the following resources. You only have these resources if you registered the relevant service in your tenant.

  Resource Name	Application ID	Notes
  Azure Virtual Desktop	9cdead84-a844-4324-93f2-b2e6bb768d07	It might be called Windows Virtual Desktop instead. Verify with the application ID.
  Windows 365	0af06dc6-e4b5-4f28-818e-e78e62d137a5	Also applies to Microsoft Dev Box.
  Windows Cloud Login	270efc09-cd0d-444b-a71f-39af4910ec45	Available once one of the other services is registered.

• For Conditions:

  • Select Device platforms, then include iOS and Android.
  • Select Client apps, then include Mobile apps and desktop clients.

• For Access controls, select Grant access, then check the box for Require app protection policy and select the radio button for Require all the selected controls.

• For Enable policy, set it to On.

Example 2: Require an app protection policy for Windows devices

This example limits unmanaged personal Windows devices to use Microsoft Edge to access to a remote session using Windows App in a web browser only. For more detail on this scenario, see Require app protection policy for Windows devices.

• For Assignments, include the security group containing the users to apply the policy to. You must apply the policy to a group of users to have the policy take effect.

• For Target resources, select to apply the policy to Resources, then for Include, select Select resources. Search for and select the following resources. You only have these resources if you registered the relevant service in your tenant.

  Resource Name	Application ID	Notes
  Azure Virtual Desktop	9cdead84-a844-4324-93f2-b2e6bb768d07	It might be called Windows Virtual Desktop instead. Verify with the application ID.
  Windows 365	0af06dc6-e4b5-4f28-818e-e78e62d137a5	Also applies to Microsoft Dev Box.
  Windows Cloud Login	270efc09-cd0d-444b-a71f-39af4910ec45	Available once one of the other services is registered.

• For Conditions:

  • Select Device platforms, then include Windows.
  • Select Client apps, then include Browser.

• For Access controls, select Grant access, then check the box for Require app protection policy and select the radio button for Require one of the selected controls.

• For Enable policy, set it to On.

Verify the configuration

Now that you configure Intune and Conditional Access to require device security compliance on personal devices, you can verify your configuration by connecting to a remote session. What you should test depends on whether you configured policies to apply to enrolled or unenrolled devices, which platforms, and data protection settings you set. Verify that you can only perform the actions you can perform match what you expect.

Related content

• Manage local device redirection settings with Microsoft Intune