Microsoft 365

Intune device compliance: compliant does not automatically mean secure

By Zarioh Digital Solutions · 7 April 2026

A device marked as compliant in Microsoft Intune gives peace of mind, but offers no guarantee. Compliance status reflects a snapshot in time, not what happens on the device in the minutes, hours or days that follow. In this article we explain what device compliance does and does not measure, which pitfalls organisations encounter, and how to combine Intune with Conditional Access for a genuinely strong security posture.

Imagine: you manage your employees' devices through Microsoft Intune. Your compliance policy is configured, the dashboard shows a green list and almost all devices are marked compliant. Yet someone is logging into your business environment from a device whose antivirus software has not been updated in weeks, and the employee simply has not noticed.

This scenario is not a theoretical edge case. It is one of the most common misconceptions around Intune device compliance: the assumption that compliant equals secure. It does not, and understanding the difference is essential for any organisation that takes Microsoft 365 security seriously.

What does device compliance actually measure?

Device compliance in Intune is a policy check. You define rules, for example that the disk must be encrypted, the operating system must be up to date, a PIN or password must be set, and the firewall must be active. Intune periodically checks whether a device meets those rules and then assigns a status of compliant or not compliant.

That periodic check is also the first pitfall. Intune does not check continuously. The default check interval is eight hours for Windows devices. That means a device that was compliant this morning may no longer be by midnight, but you will only see that at the next check. During those intervening hours the device simply has access to your business data.

The pitfall of default settings

Microsoft Intune has a default setting that creates a security risk in many organisations without administrators realising it: devices without an assigned compliance policy are considered compliant by default. This sounds harmless, but in practice it means that a newly enrolled device, or a device outside the scope of your policies, automatically has access to your environment without having passed a single check.

Microsoft's own recommendation is to explicitly change this setting to not compliant for devices without a policy. This ensures that every device must be targeted by an active compliance policy before it gets access. It is one of the first settings you should check in an Intune configuration review.
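As an added illustration of the two pitfalls above (the eight-hour snapshot and the no-policy default), and not code from the article or from Intune itself: a small Python evaluator over constructed device records that reports what a defender should actually trust rather than what the dashboard shows. It assumes a simplified record shape (name, compliance state, last sync time, whether any policy targets the device) instead of the real Intune export, and models the tenant setting for devices without a policy as the boolean `secure_by_default`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Default Windows compliance check interval named in the article.
CHECK_INTERVAL = timedelta(hours=8)


@dataclass
class Device:
    """Simplified device record (constructed shape, not the Intune export format)."""
    name: str
    compliance_state: str          # "compliant", "noncompliant" or "unknown"
    last_sync: Optional[datetime]  # when the device last reported to Intune
    has_policy: bool               # does any compliance policy target this device?


def effective_state(device: Device, now: datetime, secure_by_default: bool,
                    max_age: timedelta = CHECK_INTERVAL) -> str:
    """Trust decision a defender should act on, rather than the raw dashboard status.

    - No policy assigned: Intune's default treats the device as compliant; with the
      tenant setting switched to "not compliant" (secure_by_default=True) it is not.
    - A compliant status older than max_age is a stale snapshot and reported as such.
    """
    if not device.has_policy:
        return "noncompliant" if secure_by_default else "compliant"
    if device.compliance_state != "compliant":
        return "noncompliant"
    if device.last_sync is None or now - device.last_sync > max_age:
        return "stale"
    return "compliant"


def summarize(devices: list, now: datetime, secure_by_default: bool) -> dict:
    """Count devices per effective state: the compliance score an inventory should use."""
    counts = {"compliant": 0, "noncompliant": 0, "stale": 0}
    for device in devices:
        counts[effective_state(device, now, secure_by_default)] += 1
    return counts


# Constructed sample: with the default setting the dashboard shows three of four as green.
NOW = datetime(2026, 4, 7, 18, 0, tzinfo=timezone.utc)
SAMPLE = [
    Device("LAPTOP-01", "compliant", NOW - timedelta(hours=2), True),
    Device("LAPTOP-02", "compliant", NOW - timedelta(hours=14), True),   # compliant this morning, unseen since
    Device("LAPTOP-03", "noncompliant", NOW - timedelta(hours=1), True),
    Device("TABLET-04", "unknown", NOW - timedelta(minutes=30), False),  # newly enrolled, no policy yet
]

if __name__ == "__main__":
    for setting in (False, True):
        print(f"secure_by_default={setting}:", summarize(SAMPLE, NOW, setting))
```

Running it shows the same four devices counted two ways: with the default, the un-policied tablet and the laptop not seen for fourteen hours both look fine; with the setting changed and a staleness threshold applied, only one device is a current, verified compliant.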

Compliance without Conditional Access is incomplete

Device compliance by itself has limited value if it is not linked to Conditional Access in Microsoft Entra. Compliance is the measurement; Conditional Access is the enforcement. Without that link you can see that a device is not compliant, but nothing blocks its access.

Conditional Access lets you define rules such as: only allow access to Microsoft 365 if the device is compliant AND the user has completed multi-factor authentication. This is the combination that gives your compliance policy real teeth. A device that does not meet requirements simply cannot get in, regardless of whether the employee has the correct credentials.

When configuring Conditional Access for the first time, we recommend starting in report-only mode. In this mode the system evaluates all traffic against the policy rules and shows which users and devices would be blocked, without actually blocking anyone. This prevents accidentally locking out legitimate employees when tightening settings.
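The compliant-device-AND-MFA rule and report-only mode described above can be expressed as a Microsoft Graph conditionalAccessPolicy body. The Python below is an added example, not code from the article: it builds that body (the `state`, `builtInControls` and `Office365` values are the Graph schema's own; the excluded emergency-access account id is a placeholder) and runs a constructed set of sign-ins through a local simulation of the grant logic, so you can see what report-only would log versus what enforcement would block. The simulation is my simplification, not the Entra evaluation engine.

```python
import json
from copy import deepcopy

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only mode
ENFORCED = "enabled"

# Placeholder, not a real object id: always exclude an emergency-access account.
BREAK_GLASS_ID = "<break-glass-account-object-id>"


def build_policy(state: str = REPORT_ONLY) -> dict:
    """Graph conditionalAccessPolicy body: compliant device AND MFA for Office 365."""
    return {
        "displayName": "Require compliant device and MFA for Microsoft 365",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["Office365"]},  # built-in app group
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }


def enforce(policy: dict) -> dict:
    """Copy of the policy switched from report-only to enforcement."""
    enforced = deepcopy(policy)
    enforced["state"] = ENFORCED
    return enforced


def evaluate_signin(policy: dict, signin: dict) -> str:
    """Local simulation of the grant controls for one sign-in (my simplification,
    not the Entra evaluation engine). signin: {"user", "mfa", "device_compliant"}."""
    if signin["user"] in policy["conditions"]["users"]["excludeUsers"]:
        return "notApplied"
    satisfied = {"mfa": signin.get("mfa", False),
                 "compliantDevice": signin.get("device_compliant", False)}
    grant = policy["grantControls"]
    results = [satisfied[control] for control in grant["builtInControls"]]
    passed = all(results) if grant["operator"] == "AND" else any(results)
    if policy["state"] == REPORT_ONLY:
        return "reportOnlySuccess" if passed else "reportOnlyFailure"
    if policy["state"] == ENFORCED:
        return "allow" if passed else "block"
    return "notApplied"   # state "disabled"


def dry_run(policy: dict, signins: list) -> dict:
    """Outcome per user: what the sign-in log would show for this policy state."""
    return {s["user"]: evaluate_signin(policy, s) for s in signins}


# Constructed sign-ins: bob uses an unenrolled personal laptop, carol skipped MFA.
SIGNINS = [
    {"user": "alice", "mfa": True, "device_compliant": True},
    {"user": "bob", "mfa": True, "device_compliant": False},
    {"user": "carol", "mfa": False, "device_compliant": True},
    {"user": BREAK_GLASS_ID, "mfa": False, "device_compliant": False},
]

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print("report-only:", dry_run(build_policy(), SIGNINS))
    print("enforced:   ", dry_run(enforce(build_policy()), SIGNINS))
```

The report-only run is the list you review before switching the state: every `reportOnlyFailure` is a user who would be locked out the moment the policy is enforced, which is exactly what the evaluation period is for.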

What belongs in a good compliance policy?

A solid baseline policy for Windows devices includes at minimum: disk encryption via BitLocker, a minimum operating system version, an active firewall and antivirus protection, and password or PIN enforcement. For mobile devices, iOS and Android, similar requirements apply, supplemented by checks on whether the device is jailbroken or rooted. A jailbroken phone bypasses the security layers of the operating system and should never have access to business data.
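The baseline described above maps onto the Graph deviceCompliancePolicy resource types. As an added example (not the article's or Microsoft's code), the Python below writes the Windows, iOS and Android baselines as Graph-shaped policy bodies using the schema's property names (the minimum version values are constructed samples, not recommendations), and checks constructed device facts against them to list which rules fail. The facts dictionary keys (`disk_encrypted`, `firewall_on`, `jailbroken`, ...) are my own simplification; a real evaluation uses the device state Intune collects.

```python
# Graph-shaped baseline bodies. Property names follow the deviceCompliancePolicy
# resource types (windows10CompliancePolicy, iosCompliancePolicy,
# androidCompliancePolicy); the version numbers are constructed sample values.
WINDOWS_BASELINE = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows baseline",
    "passwordRequired": True,
    "osMinimumVersion": "10.0.19045",
    "bitLockerEnabled": True,
    "activeFirewallRequired": True,
    "antivirusRequired": True,
}
IOS_BASELINE = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS baseline",
    "passcodeRequired": True,
    "osMinimumVersion": "17.0",
    "securityBlockJailbrokenDevices": True,
}
ANDROID_BASELINE = {
    "@odata.type": "#microsoft.graph.androidCompliancePolicy",
    "displayName": "Android baseline",
    "passwordRequired": True,
    "osMinimumVersion": "13",
    "securityBlockJailbrokenDevices": True,   # rooted devices on Android
}

# How each boolean rule is satisfied by the (constructed) device facts.
CHECKS = {
    "bitLockerEnabled": lambda f: f.get("disk_encrypted", False),
    "activeFirewallRequired": lambda f: f.get("firewall_on", False),
    "antivirusRequired": lambda f: f.get("antivirus_on", False),
    "passwordRequired": lambda f: f.get("password_set", False),
    "passcodeRequired": lambda f: f.get("password_set", False),
    "securityBlockJailbrokenDevices": lambda f: not f.get("jailbroken", False),
}


def parse_version(version: str) -> tuple:
    """Dotted version string to a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def failed_rules(policy: dict, facts: dict) -> list:
    """Names of the policy rules the device facts do not satisfy."""
    failures = [rule for rule, required in policy.items()
                if required is True and rule in CHECKS and not CHECKS[rule](facts)]
    minimum = policy.get("osMinimumVersion")
    if minimum and parse_version(facts["os_version"]) < parse_version(minimum):
        failures.append("osMinimumVersion")
    return failures


def is_compliant(policy: dict, facts: dict) -> bool:
    return not failed_rules(policy, facts)


# Constructed device facts.
WIN_OK = {"disk_encrypted": True, "firewall_on": True, "antivirus_on": True,
          "password_set": True, "os_version": "10.0.22631"}
WIN_BAD = {"disk_encrypted": True, "firewall_on": False, "antivirus_on": True,
           "password_set": True, "os_version": "10.0.19041"}   # firewall off, old build
IPHONE_JAILBROKEN = {"password_set": True, "jailbroken": True, "os_version": "17.4"}

if __name__ == "__main__":
    for label, policy, facts in (("WIN_OK", WINDOWS_BASELINE, WIN_OK),
                                 ("WIN_BAD", WINDOWS_BASELINE, WIN_BAD),
                                 ("IPHONE", IOS_BASELINE, IPHONE_JAILBROKEN)):
        print(label, "compliant" if is_compliant(policy, facts) else failed_rules(policy, facts))
```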

Devices that fall outside your view

Another risk organisations regularly underestimate is shadow IT: devices that employees use for work but that have never been enrolled in Intune. A personal laptop, an old business device that was never handed over, a tablet from home. These devices are invisible to your compliance policy and are simply not included in the assessment.

The only way to address this structurally is to configure Conditional Access so that only managed and compliant devices have access. Unmanaged devices are then blocked by default, regardless of whether the user has the correct credentials.

How do you start with a healthy Intune setup?

A good approach starts with an inventory: which devices exist, which are already in Intune, which are not, and what are the current compliance scores? You then establish a baseline policy that matches your risk appetite and the nature of your data.

Next, you link the compliance policy to Conditional Access, start in report-only mode, evaluate the results and only then switch to enforcement. This is not a one-time project but an ongoing management process. Operating systems are updated, new devices are added and security requirements change. Compliance is a state you must actively maintain, not a configuration you set once.

Want to know how your current Intune setup stands and where the blind spots are? Zarioh conducts Intune configuration reviews for SME organisations and helps set up a compliance policy tailored to your specific situation. Get in touch for a no-obligation conversation.
