Device managementIntermediate47 min read

What Does Device compliance Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Device compliance means checking that a computer, phone, or tablet follows the rules set by your company's IT department. If a device is not compliant, it might be blocked from accessing company data or the network. Compliance checks happen automatically when a device tries to connect, and often include requirements like having antivirus software or a strong password.

Common Commands & Configuration

Get-MgDeviceManagementCompliancePolicy -Filter "platforms eq 'windows10AndLater'"

Retrieves all device compliance policies from Microsoft Graph that target Windows 10 and later devices, using the Microsoft Graph PowerShell SDK.

Appears in MD-102 and MS-102 to test administering Intune policies via PowerShell. Often a distractor is using Get-IntuneCompliancePolicy (older module).

dsregcmd /status

Displays the Azure AD join, enterprise registration, and device compliance status for a Windows device, including the device ID, tenant ID, and the compliance status retrieved from the cloud.

Commonly tested in AZ-104 and MD-102 as a troubleshooting command for hybrid Azure AD joined devices. Look for output fields like 'AzureAdJoined' and 'Compliant'.

Invoke-MgDeviceManagementDeviceComplianceScheduledActionForRule –ManagedDeviceId $deviceId –DeviceComplianceScheduledActionForRuleId $ruleId

Triggers a specific scheduled action (like noncompliance notification or quarantine) on a managed device from Microsoft Graph PowerShell.

This command tests the ability to remediate noncompliance programmatically, relevant for CySA+ automation scenarios and MD-102 policy management.

Get-MpComputerStatus | Select-Object AMRunning, AMProductEnabled, NISEnabled, AntivirusEnabled

Retrieves the current Windows Defender state on a local Windows device, checking if antivirus and real-time protection are active.

Used in Security+ and CySA+ to verify compliance conditions. A noncompliant status often results from AMProductEnabled=False, a common exam trap.

intune_device_compliance_policy update –id <policyID> –grace_period 0

Updates an existing Intune compliance policy to set the grace period to zero days, forcing immediate blocking of noncompliant devices.

Exam question scenario: 'Immediately block a noncompliant device.' The correct answer is to set the grace period to 0, not to delete the policy.

Get-BitLockerVolume –MountPoint C:

Check if the C: drive is encrypted with BitLocker, showing the protection status and encryption method.

Tests device compliance BitLocker condition for Windows devices. In MD-102 and CISSP, the command is used to verify the 'Require BitLocker' policy.

sudo fdesetup status

On macOS, checks whether FileVault full disk encryption is enabled on the current boot volume.

Relevant for macOS compliance policies in Microsoft Intune. Exam expects knowledge that macOS uses FileVault, not BitLocker.

iotop -P -o -u root | grep compliance

Fictional representative command (Linux) to check resources related to a compliance agent. Real Linux compliance often uses 'md5deep' or 'aide' for integrity.

Used in CySA+ to illustrate that Linux compliance is often custom. Exams test that Linux may require third-party tools, not native Intune support.

Device compliance appears directly in 68exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Device compliance is a recurring concept across many IT certification exams, each approaching it from its own angle. For the Security+ exam (SY0-601 or SY0-701), device compliance falls under the domain of 'Technologies and Tools' and 'Architecture and Design'. The exam expects you to understand how compliance policies are used in conjunction with security appliances like firewalls and NAC systems. You might be given a scenario where a company wants to enforce that all devices must have a host-based firewall enabled before accessing the internal network. You need to identify the right technology (e.g., NAC) and explain how compliance policies work. The exam also covers the difference between agent-based and agentless compliance checks.

For the CySA+ exam (CS0-002 or CS0-003), device compliance is part of the 'Response and Recovery' domain but also shows up in security operations. CySA+ expects you to know how compliance monitoring can detect anomalies, such as a device that suddenly becomes non-compliant after a policy change, which might indicate a possible compromise. The exam also ties compliance to vulnerability management, as non-compliant devices are often more vulnerable. You may be asked to analyze a compliance report and recommend remediation actions.

The CISSP exam (ISC2) covers device compliance under the 'Asset Security' domain and 'Security Architecture and Engineering'. CISSP treats compliance as a key control in the overall security governance framework. You need to understand how compliance aligns with RMF (Risk Management Framework) and how it supports confidentiality, integrity, and availability. Questions may ask about the role of compliance in protecting data at rest and in transit, or how to enforce compliance in a cloud environment using CASB and DLP integration.

For Azure exams like AZ-104 (Azure Administrator) and SC-900 (Security, Compliance, and Identity Fundamentals), device compliance is central to Microsoft Entra ID (formerly Azure AD) and Intune. AZ-104 expects you to know how to configure conditional access policies that require a compliant device, how to integrate Intune with Azure AD, and how to troubleshoot device compliance issues. SC-900 covers the basics of device compliance as part of the 'Capabilities of Microsoft Security Solutions' module, including how Intune and Compliance Manager work together.

For the MD-102 (Endpoint Administrator) and MS-102 (Enterprise Administrator Expert), device compliance is a core concept. MD-102 is entirely about managing devices, and you must know how to create compliance policies, configure actions for non-compliance, and use compliance reports. MS-102 integrates compliance across Microsoft 365, so you need to understand how device compliance interacts with information protection, DLP, and insider risk management. Questions in these exams often present a scenario and ask what policy setting or action will achieve compliance enforcement.

In the AWS-SAA (Solutions Architect Associate) exam, device compliance is less direct, but it appears when architecting secure workloads using AWS Workspaces, AWS Device Farm, or securing access with AWS IAM and SCPs. You might need to decide how to enforce compliance for virtual desktops or mobile devices accessing AWS resources. Understanding device compliance principles helps you design better security solutions in the cloud.

Simple Meaning

Imagine you are trying to enter a secure building where you need to show your ID card at the entrance. The guard looks at your card to make sure it is valid and not expired. If everything checks out, you are allowed inside. If not, you are sent to a waiting area to get your card updated. Device compliance works in a very similar way, but for digital devices like laptops, smartphones, and tablets. When a device tries to connect to a company network, a system called a policy server or compliance checker inspects the device to see if it meets all the requirements. For example, the device must have the latest security updates, a working firewall, and a legitimate operating system. If the device passes all these checks, it is considered compliant and gets access to the network. If it fails any check, it might be completely blocked, given limited access, or asked to fix the problem first. In many modern workplaces, this process happens automatically without anyone having to do anything special. The device compliance system continuously monitors devices even after they are connected, so if a device later becomes infected or violates a policy, it can be disconnected right away.

To make this even clearer, think of a school that requires all students to wear a uniform. The compliance system is like a teacher at the school gate who checks that every student is wearing the correct shirt, trousers, and shoes before letting them enter. If a student is missing a tie, they are not allowed in until they put one on. Similarly, device compliance ensures that every device connecting to the corporate network is properly configured and secure. This prevents security problems like viruses spreading from an unpatched device or sensitive data being stolen from a device without encryption. Device compliance is a key part of modern IT security because it helps organizations enforce security policies across all devices, whether they are company-owned or personal (BYOD). It also supports remote work by ensuring that devices connecting from home or a coffee shop are just as secure as those inside the office. Without device compliance, an organization would have no way to know if a device is safe to connect, which would be like letting anyone into that secure building without checking their ID.

Full Technical Definition

Device compliance is a security and management concept used primarily in enterprise environments to enforce that endpoints meet a predefined set of policies before they are granted access to network resources, applications, or data. The core mechanism involves a policy decision point (PDP) that evaluates the device's current state against a baseline configuration. This baseline is defined by the organization's security team, often documented in a security policy or compliance framework such as the Center for Internet Security (CIS) benchmarks, NIST guidelines, or internal standards. Common compliance requirements include the presence and active status of antivirus/antimalware software, the version of the operating system and its patch level, the state of the firewall (whether it is enabled and configured correctly), disk encryption (like BitLocker or FileVault), device encryption status, password policy compliance (complexity, length, and screen lock time), and the absence of unauthorized applications or rootkits.

Device compliance is implemented through various technologies, with the most prominent being Microsoft Intune (part of Microsoft Endpoint Manager), Microsoft Configuration Manager (formerly SCCM), and third-party mobile device management (MDM) or unified endpoint management (UEM) solutions like VMware Workspace ONE, JAMF Pro, or ManageEngine. In cloud environments, services like Microsoft Entra ID (Azure AD) Conditional Access evaluate device compliance as part of the authentication and authorization flow. When a user attempts to connect to a resource, the application or service triggers a conditional access policy that requires the device to be marked as compliant. The device compliance status is determined by the MDM service, which periodically checks the device health and reports compliance state to the identity provider (IdP) such as Azure AD or Active Directory. The evaluation can be initiated by a network access control (NAC) system like Cisco ISE, which uses 802.1X authentication and posture assessment to enforce compliance before granting network access.

The technical flow typically begins when a device attempts to connect to the corporate network or access a cloud application. The authentication process authenticates the user and then checks the device's identity. The device compliance engine queries the device for its configuration status using a client agent (e.g., the Intune Company Portal app or the Endpoint Manager client). This agent gathers information about hardware, software, installed updates, security settings, and any third-party extensions. The data is sent to the compliance service, which compares it against the compliance policies assigned to the device or user. If the device meets all requirements, the compliance service marks it as compliant and issues a health certificate or token that is used for subsequent access decisions. If the device is non-compliant, the system can enforce remediation actions: it may prompt the user to update the device, block access entirely, grant restricted access, or allow access for a limited time while the user fixes the issue. In many implementations, the device is placed in a quarantine network with limited connectivity, often only to update servers or the company portal so that it can self-remediate.

Protocols involved in device compliance include OMA-DM (Open Mobile Alliance Device Management) for mobile devices, which is used by MDM solutions to manage configuration and compliance. For Windows devices, the Client Experience (CX) and the Windows Management Instrumentation (WMI) are used by Configuration Manager to collect inventory and compliance data. For network access control, protocols like RADIUS (with EAP methods such as EAP-TLS) and NPS (Network Policy Server) are used to enforce compliance at the network level. In the cloud, Conditional Access policies in Azure AD use the device compliance status signal to enforce MFA, block access from non-compliant devices, or require a compliant device for sensitive data access. The compliance state is stored as a property of the device object in Azure AD and is updated every time a device checks in with the MDM service, which by default is every 8 hours for Intune.

Real-world IT implementation of device compliance is a multi-layered process. Administrators use policy management consoles to create compliance policies. For example, in Intune, they can create a policy requiring Windows 10 or later, minimum OS build number, BitLocker enabled, antivirus running, and the device password length at least 8 characters. This policy is assigned to a group of users or devices. The Intune service then checks each device against that policy. Devices that fail are marked non-compliant, and administrators can configure actions like sending a notification email, marking the device for remote wipe, or blocking access to Exchange Online, SharePoint, or corporate Wi-Fi. The compliance status is visible in the Microsoft 365 admin center and can be reported on for auditing purposes. The granularity of policies allows different levels of compliance for different user roles; for instance, executives may require stricter compliance than contractors. Standards like ISO 27001 and PCI-DSS often mandate device compliance as a control, making it a requirement for regulatory compliance in many industries.

Real-Life Example

Think of device compliance like the safety inspection your car has to pass every year to be allowed on the road. The government sets rules: your car must have working brakes, lights, seat belts, tires with enough tread, and no major fluid leaks. You take your car to a certified inspection station. A mechanic checks each of these items. If everything meets the standard, you get a sticker that says your car is compliant, and you can drive legally for another year. If your car fails, you have to fix the problem and then come back for a re-inspection. You cannot legally drive a non-compliant car on public roads until it passes. That mechanic's inspection is exactly what device compliance does for digital devices.

Now, imagine you have a car that is fine for most of the year, but one month your brake lights burn out. If you get pulled over, the police might give you a ticket and tell you to get them fixed. In the same way, a device compliance system continuously monitors your computer. If your antivirus expires or your firewall turns off, the system flags your device as non-compliant, sends you a warning, and might block access to company email until you fix it. The automatic check is like having a dashboard light that tells you something is wrong before you get into trouble.

In a company, the IT department sets the rules, like the government sets inspection standards. The device compliance system acts like that certified mechanic, checking every device that wants to connect to the company network. If your device passes, it gets a virtual 'sticker' that says it is safe. If it fails, you are told what to fix. This way, the company ensures that all devices on their network are safe and up to standard, just like a city ensures that all cars on the road are safe. Without device compliance, it would be like letting any car onto the road without an inspection, including cars with no brakes or broken headlights. That would be chaotic and dangerous. In the digital world, a non-compliant device can spread malware, leak data, or be used to attack other systems, which is why device compliance is so important.

Why This Term Matters

Device compliance matters because it is the frontline defense against a huge range of security threats. In modern organizations, devices are the primary entry point for attackers. A device that is missing critical security patches, has outdated antivirus definitions, or is infected with malware can be used to breach the entire network. Device compliance ensures that every device accessing sensitive data or critical systems meets a minimum security baseline, drastically reducing the attack surface. Without compliance checks, an employee's personal laptop with an unpatched vulnerability could easily be exploited by a ransomware attack that then spreads to servers and other endpoints.

Beyond security, compliance is essential for regulatory and legal reasons. Standards like HIPAA, GDPR, PCI-DSS, and SOX often require organizations to demonstrate that they control which devices access protected data. Device compliance provides the evidence that policies are being enforced, which is crucial for audits and avoiding fines. It also helps with operational efficiency, because compliant devices tend to be more stable and require less support. When all devices are up-to-date and properly configured, IT has fewer incidents to deal with, and users experience fewer problems. For IT administrators, device compliance simplifies management by giving a single dashboard that shows the health of all endpoints. It also automates many manual checks that would otherwise be impossible to enforce at scale. In a world where remote work and BYOD are common, device compliance is the only way to maintain a consistent security posture across diverse devices and locations.

How It Appears in Exam Questions

Device compliance appears in exam questions primarily in three forms: scenario-based policy enforcement, troubleshooting non-compliance, and configuration of compliance policies. In scenario-based questions, you are given a business requirement: 'A company wants to ensure that all devices accessing corporate email must have encryption enabled and passcode length of at least 6 characters. Which technology should they use?' The answer is usually MDM or Intune with conditional access. Another scenario: 'Users complain they cannot access SharePoint from their personal phones. IT wants to block access only if devices are rooted or jailbroken. What compliance policy setting is needed?' You need to know that you can enforce device health rules.

Troubleshooting questions present a situation where devices that used to be compliant are now being blocked. You need to identify the cause: perhaps a certificate has expired, the Intune policy was updated but devices haven't checked in, or the user's device was jailbroken. For instance: 'After updating a compliance policy to require OS version 10.15 or higher, many macOS users lost access to company email. What is the most likely reason?' The answer could be that some devices are still running 10.14, and you need to either create a grace period or notify users to update.

Configuration questions ask directly about settings. 'In Intune, where do you configure the action to send an email to non-compliant devices?' The answer is 'Compliance policies - Actions for non-compliance.' Or 'Which setting in conditional access requires a device to be marked as compliant?' The answer is 'Grant access - Require device to be marked as compliant.' These questions require precise knowledge of exam objectives. For Security+, you might see: 'Which of the following is the best method to enforce that only devices with latest antivirus can connect to the network?' Options include NAC, firewall rules, IDS, or VLAN segmentation. The correct answer is NAC (Network Access Control).

Some questions combine device compliance with other concepts like identity, authentication, and data protection. For example: 'A user with a compliant device is still denied access to a sensitive file. What should the admin check?' The answer might be that the file has sensitivity labels requiring additional permissions, not just device compliance. So device compliance is often one piece of a larger access control puzzle. In advanced exams like CISSP, you might be asked about the trade-offs between agent-based and agentless compliance scanning, or how to handle compliance for ephemeral devices in a cloud environment.

Practise Device compliance Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company called BlueTech Solutions has 500 employees who use a mix of company-issued laptops and personal smartphones. The IT director wants to ensure that only devices meeting security standards can access the company's cloud-based email and file storage. The company uses Microsoft 365 and Intune for device management. The IT admin, Priya, creates a compliance policy that requires all devices to have a password of at least 8 characters, device encryption enabled (BitLocker on Windows, FileVault on Mac), and the operating system updated within the last 60 days. She assigns this policy to all users. For personal smartphones, she adds a requirement that the device must not be jailbroken or rooted.

After the policy is deployed, many users find they cannot access their email on their phones. Priya investigates and sees in the Intune console that several devices are marked 'non-compliant' because they are missing a passcode. She sends a notification via the Company Portal app asking those users to set a passcode. Within a day, most users comply and regain access. However, one user's laptop continues to show non-compliant because the OS build is outdated. Priya sees that the laptop has not been updated in over three months. She contacts the user, who explains they were on vacation. Priya provides instructions to install the latest updates, after which the device checks in and becomes compliant. Meanwhile, a security report shows that a device has been flagged as jailbroken. Following company policy, the admin remotely wipes that device and sends a replacement. This scenario demonstrates how device compliance works: policies are enforced, users are given a chance to remediate, and non-compliant devices lose access until they fix the issue.

Common Mistakes

Thinking device compliance is the same as device health

Device health usually refers to the functional status of hardware or software, like battery health or disk errors. Device compliance specifically checks against security policies set by the organization. A device can be perfectly healthy but non-compliant if it misses a security update.

Always remember that compliance is about meeting policy requirements, not about whether the device is working correctly.

Believing device compliance applies only to company-owned devices

Device compliance policies can and should apply to personal BYOD devices as well. Many organizations require personal devices to meet the same security standards before accessing corporate data. The misconception limits security coverage.

Understand that device compliance is about the device's security state, not its ownership. It can be enforced on any device that accesses corporate resources.

Assuming compliance is a one-time check at connection

Compliance is continuous. Devices re-check periodically and can become non-compliant after they are already connected if they violate a policy (e.g., antivirus stops running). Many exams test this continuous enforcement aspect.

Think of compliance as an ongoing process, not a one-time admission ticket. Devices are re-evaluated on a schedule or when certain events occur.

Confusing compliance enforcement with authentication

Authentication verifies who you are (user identity). Device compliance verifies what your device is (security state). They are separate steps. A user can be authenticated but still denied access because their device is non-compliant. This is a key distinction in conditional access.

Remember: Authentication = identity. Compliance = device security. Both are required for access in a zero trust model.

Thinking that a compliant device is completely secure

Compliance only checks that the device meets the current policy baseline. It does not guarantee that the device is free from advanced threats, zero-day exploits, or user error. Compliance is a minimum bar, not a guarantee of absolute security.

View compliance as a necessary layer, but not a silver bullet. Additional controls like endpoint detection and response (EDR), data loss prevention (DLP), and user education are still needed.

Exam Trap — Don't Get Fooled

{"trap":"The exam might describe a scenario where a device is compliant but still blocked from accessing a resource. Learners often assume the device compliance system is broken.","why_learners_choose_it":"Because they think compliance is the only condition for access.

They forget about other policies like location, risk level, user group, or application sensitivity that can also block access.","how_to_avoid_it":"Always consider multiple conditional access policies. A device can be compliant but still blocked if the user is not in the correct group, or if the access request comes from an untrusted location, or if the resource requires additional authorization.

In Azure AD Conditional Access, you can require both device compliance and MFA. If MFA is not satisfied, access is denied regardless of compliance."

Commonly Confused With

Device compliancevsDevice health attestation

Device health attestation is a specific feature (like Windows Health Attestation) that verifies the boot integrity and hardware security of a device, often used to detect if the device has been tampered with. Compliance is broader and includes many more settings like antivirus, encryption, and OS version. Health attestation is one component that can feed into a compliance policy.

A device might pass health attestation (boot is clean) but fail compliance because its antivirus is off.

Device compliancevsConditional access

Conditional access is the policy engine that uses signals (including device compliance) to decide whether to grant access to a resource. Device compliance is one of those signals, not the same as conditional access itself. Conditional access can also consider user location, risk, application, and others.

A conditional access policy might say: 'If device is compliant AND user is in the office, allow access.' The compliance part is just one condition.

Device compliancevsNetwork access control (NAC)

NAC focuses on controlling which devices can connect to the network based on posture and often uses 802.1X. Device compliance is a broader concept that can be enforced at the network level (NAC), at the application level (via MDM), or at the identity level (via conditional access). NAC is one method of enforcing compliance, not the definition of compliance.

A NAC system can block a non-compliant device from getting an IP address. That is one way to enforce compliance at the network layer.

Device compliancevsConfiguration baseline

A configuration baseline is the set of desired settings and versions that devices should meet. Device compliance is the process of comparing a device's actual state to that baseline and taking action if they don't match. The baseline is the checklist; compliance is the inspection and enforcement.

If the baseline requires Windows 10 22H2, then a device running 21H2 is non-compliant. The baseline is the 'what', compliance is the 'check and enforce'.

Device compliancevsMobile device management (MDM)

MDM is the technology used to manage and monitor devices, including deploying compliance policies. Device compliance is a function or capability of MDM. MDM does more than just compliance (e.g., app deployment, remote wipe, inventory). Compliance is one of the core use cases for MDM.

Intune is an MDM tool. One of its features is device compliance. But you can also use Intune to push apps and configure Wi-Fi.

Device compliancevsZero trust

Zero trust is a security model that assumes no device or user is inherently trusted. Device compliance is a key component of zero trust because it continuously verifies device health before granting access. Zero trust is the philosophy; device compliance is one of the mechanisms to implement it.

In a zero trust environment, every access request requires checking device compliance, among other signals, before allowing access.

Step-by-Step Breakdown

1

Define the compliance baseline

The organization decides which security requirements devices must meet. This is documented in a policy. For example, it might require Windows 10 version 22H2, BitLocker enabled, and firewall active. This baseline is the standard against which devices will be measured.

2

Create a compliance policy in the management tool

The IT admin uses a tool like Intune or Configuration Manager to create a compliance policy that contains the baseline requirements. This policy is assigned to specific users or device groups. The tool provides options for each requirement (e.g., 'require device encryption', 'minimum OS version').

3

Deploy the policy to devices

The policy is pushed to managed devices through the MDM channel. Devices that have the management client installed (e.g., Company Portal app) receive the policy and store it locally. This is often done at device enrollment or when the policy is created or updated.

4

Device evaluates its own compliance

The client agent on the device reads the policy and checks the device's actual configuration. For example, it checks if BitLocker is on, what OS version is installed, and if the firewall is running. The evaluation happens locally and then the results are reported to the management service.

5

Report compliance state to management service

The device sends a compliance status report back to the MDM server. This report includes pass/fail for each requirement. The management service updates the device's compliance state in its database and in the identity provider (e.g., Azure AD). This state is stored as a boolean: compliant or non-compliant.

6

Enforce access decisions based on compliance

When the user tries to access a resource (email, SharePoint, VPN), the authentication system checks the device compliance state. If the device is compliant, access is granted according to other policies. If non-compliant, the system can block access, allow limited access, or prompt the user to fix the issue.

7

Continuous monitoring and remediation

Compliance is not a one-time check. Devices check in regularly (e.g., every 8 hours in Intune) and re-evaluate. If a device becomes non-compliant later (e.g., the user disables encryption), the system can revoke access. Users are often notified and given options to remediate, like updating the OS or enabling encryption. Administrators can set actions for non-compliance, such as sending email, marking device for remote wipe, or blocking further access.

8

Reporting and auditing

The management console provides reports on overall compliance rates, which devices are non-compliant, and which policies are failing most often. This data is used for security audits, identifying trends, and updating policies. For example, if many devices fail the 'require latest OS' policy, the admin might extend the grace period or update the baseline to a more realistic version.

Practical Mini-Lesson

Understanding device compliance in practice is essential for any IT professional managing endpoints. Let's walk through a typical scenario using Microsoft Intune as the MDM, because it's widely tested and used. The first step is to access the Microsoft Intune admin center at endpoint.microsoft.com. Under 'Devices', you find 'Compliance policies'. Here, you can create a new policy. You choose the platform: Windows 10/11, macOS, iOS/iPadOS, Android, or Linux. Each platform has different available settings. For Windows, you can set the minimum OS version required, the maximum OS version allowed (to avoid premature upgrades), require BitLocker encryption, require a secure boot to be enabled, require that antivirus (Windows Defender or third-party) is enabled and up-to-date, and require that the device password meets certain complexity. For mobile devices, you can also check if the device is rooted or jailbroken, and require that encryption is enabled.

Once the policy is created, you assign it to a group. This group could be 'All Users' or a specific security group like 'Finance Team' if they need stricter compliance. After assignment, the policy is applied to all devices of those users. The policy evaluation is not instant; it depends on the device check-in interval, which is usually every 8 hours for active devices, but you can trigger a manual sync from the console or the device side. When a device checks in, it sends its compliance status. You can see this status in the Intune console under the device's properties.

Now, what can go wrong? A common issue is that devices show 'Not evaluated' or 'Pending'. This often means the device has not yet communicated with Intune, or the policy hasn't been pushed. Another issue: devices show as compliant but you still want to block them. That might be because the conditional access policy is not configured to use the compliance state. You must create a conditional access policy in Azure AD that targets the application you want to protect (e.g., Exchange Online) and uses the condition 'Require device to be marked as compliant.' Without that, compliance alone does nothing. Another common issue is that users on older OS versions may be blocked. Administrators should set a grace period: allow non-compliant devices to access for a few days while users update. This is configured in 'Actions for non-compliance' within the compliance policy. You can set a schedule: after 0 days block, after 1 day send email, etc.

For troubleshooting, you can use the Intune Device Diagnostics tool or check the client logs on the device. On Windows, the Event Viewer under 'Applications and Services Logs / Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider' shows compliance evaluation events. For mobile devices, you can use the Company Portal app to see the compliance status and trigger a sync. In a real enterprise, you might also integrate with a NAC like Cisco ISE. In that case, the NAC uses the device compliance status from Intune to enforce network access. This is a more complex setup, but the principle is the same: compliance is the key to access.

How Device Compliance Defines Security Posture in Cloud and Hybrid Environments

Device compliance is a core mechanism within endpoint management and identity-driven security frameworks that ensures devices accessing corporate resources meet predefined security baselines. In modern cloud and hybrid architectures, device compliance is not a static checklist but an evolving state governed by policy engines such as Microsoft Intune, Azure Active Directory (now Microsoft Entra ID), and third-party mobile device management solutions. The fundamental premise is that a device-whether a Windows 10/11 workstation, macOS laptop, iOS tablet, or Android smartphone-must satisfy a set of conditions before being granted access to applications, data, and network resources. These conditions typically include having operating system patches up to date, antivirus software active and reporting, disk encryption enabled (such as BitLocker or FileVault), a non-jailbroken or non-rooted status, and a compliant password policy.

From an exam perspective, device compliance is central to the Security+ (SY0-601) and CySA+ (CS0-002) domains because it directly enforces the principle of least privilege and continuous monitoring. For the AWS Certified Solutions Architect (SAA-C03), device compliance appears indirectly through AWS Device Farm for testing but more prominently through integration with third-party identity providers that enforce conditional access based on device state. In the CISSP framework, device compliance ties to the asset security domain and the concept of information lifecycle protection-ensuring that endpoints are not the weakest link in the chain. For Microsoft exams (MD-102, MS-102, AZ-104, SC-900), device compliance is a first-class concept: it is the gatekeeper for Conditional Access policies in Entra ID, and the primary mechanism for achieving zero-trust architectures.

The lifecycle of device compliance begins with enrollment. When a device joins a management system-either through Azure AD join, hybrid join, or mobile device management enrollment-it receives a compliance policy. This policy contains rules that the device must evaluate on a recurring schedule. For example, a Windows device might need to report that Windows Defender is running and real-time protection is enabled. The device sends this compliance status to the compliance service, which then returns an overall compliance state: Compliant, Noncompliant, or Conflict. This state is then exposed to the Conditional Access engine, which can block access, grant limited access, or require reauthentication. In high-security scenarios, devices that lose compliance mid-session can have their tokens revoked, forcing immediate re-evaluation. This real-time enforcement is what differentiates modern device compliance from older methods like VPN posturing, which only checked at connection time.

Exam questions frequently test the distinction between device compliance and configuration profiles. While configuration profiles push settings (such as Wi-Fi credentials or VPN configurations), compliance policies audit and enforce security requirements. A common trap question presents a scenario where a user is blocked from accessing Office 365 even though they have an active license-the root cause is often a device compliance failure. Another recurring theme is the difference between device-based conditional access and user-based conditional access. Device compliance enables conditional access that is independent of the user’s identity context; a compromised user on a compliant device may still be allowed limited access, while an administrator on a noncompliant device may be blocked entirely. This concept is heavily tested in the SC-900 and MS-102 exams under the zero-trust principle of “verify explicitly.”

Cloud-native device compliance solutions, such as Microsoft Intune, use the concept of compliance policies assigned to groups of devices. These policies can be device-level (applying to the operating system) or user-level (applying to the user context). The compliance evaluation runs at least every eight hours by default, but administrators can trigger a manual sync. In AWS, device compliance is often achieved through integration with third-party MDM vendors and using AWS IAM Identity Center to evaluate device trust. For CISSP, the key takeaway is that device compliance increases the security assurance level of the asset portfolio, directly supporting the risk management process. For CySA+, the analyst must understand that noncompliant devices are a leading indicator of potential breaches and should be investigated immediately. Throughout all exams, the emphasis is on continuous, automated, policy-driven enforcement rather than manual audits.

How Device Compliance Integrates with Conditional Access to Enforce Zero Trust

Device compliance and Conditional Access are two sides of the same zero-trust coin. Conditional Access policies in Microsoft Entra ID evaluate signals from a variety of sources-user identity, location, application, risk score, and device state-to decide whether to allow, block, or require additional authentication steps. Among these signals, device compliance is arguably the most powerful because it provides a hardware and software trust anchor that is harder to spoof than user credentials. When a device is compliant, it is considered a trusted managed device. When noncompliant, it is treated as an unmanaged or potentially compromised device. Conditional Access policies can use this classification to enforce session policies like requiring browser-only access (no native apps), limiting download capabilities, or blocking entirely.

For example, an organization might create a Conditional Access policy called “Block legacy authentication for noncompliant devices.” This policy would target all cloud apps and require device compliance. If an iPad occurs as noncompliant (perhaps it is jailbroken), the Conditional Access engine intercepts the authentication request and denies access. Because the policy applies to legacy authentication protocols (POP3, IMAP, or basic auth), the device cannot bypass the block by using an older email client. This integration is why device compliance is a must-know for the MD-102 exam (Managing Modern Desktops) and the MS-102 (Microsoft 365 Administrator). In the AZ-104 (Azure Administrator) exam, device compliance appears in the context of implementing Azure AD Conditional Access to secure hybrid workloads. The administrator must understand how to create compliance policies in Intune and then reference them in Conditional Access policies in Entra ID.

The relationship between the two services is sometimes confusing to learners. Intune is the engine that evaluates device compliance; Entra ID holds the Conditional Access policies. The chain works like this: the device enrolls in Intune, receives compliance policies, evaluates them, and sends the status to Intune. Intune reports the status to Entra ID via the Microsoft Graph. When a user authenticates, Entra ID reads the device compliance attribute (compliant, noncompliant, or unknown) and applies the relevant Conditional Access policies. If the device has never enrolled in Intune, the compliance status is unknown, and many organizations configure Conditional Access to block or require reauthentication for unknown devices. This is a frequent exam question: “What happens when a device is not enrolled in MDM?” The answer is that it cannot be evaluated for compliance, so access may be blocked or limited.

For CISSP and Security+ candidates, the integration illustrates the principle of defense in depth. Device compliance provides a device-level control, while Conditional Access adds a session-level control. Together, they reduce the risk of lateral movement by ensuring that even if credentials are compromised, the attacker must also use a compliant device. In the CySA+ exam, this integration is relevant to incident response workflows. If a user reports being unable to access a cloud app, the analyst should first check the device compliance status in the MDM console. A common symptom is a device that shows “Not compliant” due to a missing security patch, which triggers a Conditional Access block. The analyst then coordinates with the endpoint administrator to remediate the device. This cross-team collaboration is a typical exam scenario in the CySA+ performance-based questions.

Another critical integration point is the use of Windows Hello for Business and compliance. A device that is compliant and has Windows Hello enabled can be allowed access without a password (passwordless authentication). This aligns with the zero-trust goal of removing passwords. For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam, the question often asks which signals are used in Conditional Access. Device compliance is one of the five core signals, alongside user and group membership, location, application type, and real-time risk. The exam expects the candidate to know that device compliance is not evaluated if the device is not managed-this is a common distractor. The correct answer emphasizes that Conditional Access requires a managed, compliant device to fully enforce zero-trust session controls.

How Device Compliance Remediation and Grace Periods Affect User Experience and Security

Device compliance is not binary in its enforcement; it supports nuance through grace periods and automatic remediation. Grace periods allow users a specific window (for example, 24 hours) to resolve noncompliance issues before access is fully blocked. This design is critical for user productivity, especially in organizations with mobile workforces or shift workers who may not immediately see a notification to update their operating system or restart the device for a pending patch. The grace period is defined within the compliance policy in Intune. For Windows devices, the policy can specify a ‘Days until compliance status becomes noncompliant’ setting. During the grace period, the device appears as “In grace period” in the Intune console, and Conditional Access policies can be configured to allow limited access (e.g., web-only access to email) rather than full blocking.

Remediation actions can be automated or manual. For example, if a device is noncompliant because the operating system build is below a minimum version, Intune can trigger an automatic update if the device is configured for updates via Windows Update for Business. In other cases, remediation may require user interaction-such as a user tapping “Sync” on their mobile device or restarting to apply a patch. Exam questions on the MD-102 often test the administrator’s ability to configure compliance policies with grace periods and distinguish between “Noncompliant” and “In grace period” states. For the MS-102 exam, understanding how grace periods affect Conditional Access policies is crucial. A common exam scenario presents a user who can still access SharePoint Online but cannot download files-the correct interpretation is that the device is in grace period and the Conditional Access policy is applying a specific session control.

Another remediation pathway involves configuring notifications to the user. Intune can send emails or push notifications warning the user that their device will lose compliance unless they act. For iOS and Android devices, the Company Portal app displays a list of noncompliance issues with remediation steps. For Windows, the Settings app or the Microsoft Intune app can show the same information. In high-security environments, administrators may choose to skip grace periods entirely, immediately blocking noncompliant devices. This is typical in industries like defense or finance, where a single noncompliant device is considered a critical risk. The exam question often asks: “You need to enforce that a noncompliant device is immediately blocked. How do you configure the policy?” The answer is to set the grace period to 0.

From the CySA+ and CISSP perspectives, remediation is a key incident response action. When a device repeatedly fails to become compliant, it may indicate a more serious underlying issue-such as a malware infection that disables the security agent or a user who has intentionally modified security settings. The analyst must understand the difference between a policy misconfiguration and a true security violation. For example, if the device reports that BitLocker is not enabled, but the IT department believes it was pushed, the analyst might check the BitLocker status via PowerShell or the Security Compliance Toolkit. The clue that this appears in exams is when a device shows a status of “Conflict” meaning the device received contradictory policies from different sources-a trick to remember is that “Conflict” often arises from multiple policy assignments with overlapping settings.

Grace periods also have implications for reporting and compliance auditing. Administrators must monitor devices stuck in grace period for extended durations, as these devices represent a security gap. In the SC-900 foundational exam, a typical question might ask: “What is the purpose of a grace period in a device compliance policy?” The correct answer is to give users time to remediate noncompliance without losing productivity, but the key distractor is: “To give the administrator time to review the compliance report.” That is incorrect because the grace period applies to the device, not the admin. Understanding these operational nuances helps candidates not only pass exams but also design effective, user-friendly compliance programs.

How Device Compliance Across Platforms Creates Unique Challenges for Administrators and Exams

Device compliance in a heterogeneous environment-Windows, macOS, iOS, Android, and even Linux-introduces complexity that directly influences exam questions in the Security+, CySA+, CISSP, and Microsoft certification tracks. Each operating system has its own security architecture, available controls, and reporting capabilities. For example, Windows devices managed through Intune can report a wide range of telemetry: Windows Defender status, BitLocker encryption, secure boot, code integrity, and device health attestation (via TPM 2.0). In contrast, macOS compliance relies on Kernel Extension (kext) and system extensions, FileVault for encryption, and the XProtect malware detection system. Mobile operating systems like iOS and Android use app-based attestation, with iOS devices providing a more closed environment that prevents tampering, while Android devices require SafetyNet (now Play Integrity) attestation to verify the device has not been rooted.

A common exam scenario in the MD-102 (Managing Modern Desktops) and MS-102 (Microsoft 365 Administrator) tests the candidate’s knowledge of which compliance settings are platform-specific. For instance, Windows devices have a “Require BitLocker” setting, but macOS devices have “Require FileVault.” iOS devices have a “Require passcode” and “Allow device to be backed up to iCloud” settings that do not exist on Android. Android devices have “Require Google Play Integrity Check” which does not exist on iOS. The candidate must map each compliance policy rule to the correct operating system. A question might present a list of settings and ask which one applies only to Android, or ask the candidate to identify why a compliance policy for iOS is being applied to Windows devices-this would result in a “Not applicable” status rather than noncompliance because the policy detects the OS type and does not evaluate unsupported properties.

Another cross-platform challenge is device attestation. Windows has “Device Health Attestation” (DHA) that uses the TPM to report boot integrity, which is a critical security control for highly secure environments. macOS does not have a TPM equivalent in the same way; it relies on the Apple T2 chip or Apple Silicon’s Secure Enclave for attestation, but integration with Intune is less granular. For exam purposes, the CYSA+ analyst might be asked to triage a noncompliant macOS device that shows “Unable to verify disk encryption.” The cause could be that FileVault was initiated but not fully completed (a known issue when the device is required to log out users). Similarly, for Android devices, a common exam issue is that the device shows as compliant in the Company Portal but not in the compliance report-this usually happens because the device is using a personal profile and the corporate profile evaluation did not run.

For the CISSP exam, the cross-platform aspect ties to the asset security domain’s requirement to implement consistent security controls across different operating environments. The security manager must understand that not all platforms can enforce the same policies. For example, Linux devices commonly used in development environments may have limited support for compliance policies; often they are enrolled in management only through open-source tools like Munki or through custom scripts. The exam may present a scenario where a Linux device is exempt from compliance policies, and the candidate must identify the risk-such as the device lacking antivirus or timely patching. The correct answer would involve incremental security controls like network segmentation until the Linux device can be brought into compliance.

Finally, exam questions often focus on the “Not applicable” status. A frequent trick is to ask: “A user reports their macOS device status as ‘Not applicable’ for a compliance policy. What does this mean?” The answer is that the compliance policy contains rules that are only evaluated on Windows devices, so the macOS device is not being assessed for those rules. This is different from “Noncompliant” or “Compliant.” Administrators must be careful to assign policies only to the appropriate platform groups to avoid confusion. For the SC-900 foundational exam, a typical question tests the candidate’s knowledge that compliance policies are platform-specific and that some settings, like a minimum OS version, exist across all platforms, while others, like requiring a specific antivirus product, are Windows-specific. Understanding these nuances equips test-takers to answer platform-specific questions confidently and apply this knowledge in real-world hybrid endpoint management.

Troubleshooting Clues

Device reports 'Not applicable' status for a compliance policy

Symptom: The device is compliant and functional, but the compliance overview shows 'Not applicable' instead of 'Compliant'.

The compliance policy contains rules that are only evaluated on another platform (e.g., a BitLocker rule on macOS device), so the device does not receive a compliance verdict for that policy.

Exam clue: Exams like SC-900 and MD-102 test this as a distractor: candidates think the device is noncompliant, but the correct answer is 'No evaluating because policy is platform-specific.'

Device shows 'Conflict' status after multiple policy assignments

Symptom: Intune shows a yellow warning icon with 'Conflict' for the device compliance status.

Two or more compliance policies with conflicting rules (e.g., one requires a 8-digit passcode, another requires 6-digit) were assigned to the same device or user group. Intune cannot resolve the conflict and flags it.

Exam clue: In MD-102, the troubleshooting step is to check the Effective Policies view and remove overlapping assignments. The exam may ask what the cause of 'Conflict' is.

Device cannot access Office 365 despite showing 'Compliant' status

Symptom: User is blocked from accessing Exchange Online or SharePoint Online, but the device compliance dashboard shows 'Compliant'.

The Conditional Access policy may be targeting a different compliance attribute (e.g., 'Require managed device' instead of 'Require device compliance') or the user is excluded from the policy. Alternatively, the device may be compliant for one policy but noncompliant for another policy referenced by Conditional Access.

Exam clue: CySA+ and AZ-104 exams present this scenario. The solution is to review the Conditional Access policy 'Grant' settings, not the compliance dashboard.

macOS device is noncompliant due to 'FileVault not enabled' even though user says it is

Symptom: The device reports as noncompliant, and the Intune console shows the FileVault rule failed, but the user sees the FileVault icon in System Preferences as active.

FileVault encryption may be in progress (pre-boot authentication not yet completed) or the user has not fully signed out/rebooted. The Intune agent reads the state from the system, but the user interface may show the toggle as on while the process is pending.

Exam clue: Security+ and MS-102 test that FileVault requires a full restart or logoff to complete. The correct action is to reboot the device manually.

Android device is noncompliant due to 'SafetyNet attestation failed'

Symptom: Device is noncompliant with the policy requiring Google SafetyNet Check, and the device cannot access corporate resources.

The device may have a modified bootloader, custom ROM, or root access. SafetyNet uses hardware-backed attestation to verify the device hasn't been tampered with.

Exam clue: In CISSP and CySA+, this is a key indicator of a compromised device. The exam question may ask which control (SafetyNet) is being triggered for a rooted Android device.

Windows device shows 'Not compliant' due to missing security update, but update is installed

Symptom: The device is noncompliant for 'Minimum OS version' rule even though Windows Updates show the latest patch installed.

Compliance policy checks the OS build number, not the installed update KB. The device might have a cumulative update installed that fixes the vulnerability but may not change the build number if the rule requires a feature update (e.g., 22H2 vs 21H2).

Exam clue: MD-102 exam tests the difference between 'Minimum OS version' and 'Required update criteria'. The fix is to update to a supported feature release.

Device compliance status stuck on 'Evaluating' for long period

Symptom: The device enrollment succeeded, but the compliance status remains 'Evaluating' for over 24 hours.

The device has not contacted the Intune service to send its compliance status. This may be due to network issues, the Intune Management Extension not running, or the device being offline for an extended period.

Exam clue: In AZ-104 and MS-102, the solution is to manually sync the device via the Company Portal app or use the command 'Get-MgDeviceManagementComplianceSetting' to force a check. The exam asks for the first step: verify device connectivity.

Device is compliant but still blocked by Conditional Access

Symptom: Compliance dashboard shows 'Compliant', but users still get an 'Access Denied' message.

Conditional Access may be evaluating other signals, such as location risk (unknown IP) or sign-in risk. Device compliance is just one of multiple conditions. Alternatively, the policy may contain a 'Session' control that applies even when device compliant.

Exam clue: SC-900 and CISSP exam questions often ask to check all Conditional Access conditions, not only device compliance. The answer is to review the full policy set in Azure AD.

Memory Tip

Compliance is like a digital bouncer: it checks the device's ID (policy) before letting it into the corporate club.

Learn This Topic Fully

This glossary page explains what Device compliance means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the primary purpose of a grace period in a Microsoft Intune device compliance policy?

2.An organization uses a Conditional Access policy that requires a compliant device. A user on a Windows 10 device that is enrolled in Intune is blocked from accessing SharePoint Online. The device compliance dashboard shows the device as 'Noncompliant' because BitLocker is not enabled. Which action should the administrator take?

3.A macOS device is enrolled in Intune and assigned a compliance policy that includes 'Require FileVault encryption.' The device shows as 'Not applicable' in the compliance status. What does this mean?

4.A company requires all devices accessing its cloud applications to be managed and comply with minimum OS version policies. Which two components must be integrated to enforce this requirement? (Choose two.)

5.An Android device is noncompliant because the compliance policy requires Google SafetyNet attestation. What is the most likely cause of this noncompliance?

6.In a hybrid Azure AD joined environment, a user reports that their Windows device was working yesterday but today is blocked from accessing corporate email. The Intune dashboard shows the device as 'Noncompliant' due to 'Windows Defender real-time protection disabled.' What is the first step the administrator should take?

Frequently Asked Questions

What happens if my device is marked non-compliant?

You will lose access to certain corporate resources like email, SharePoint, or the corporate network. You will usually receive a notification with instructions on how to fix the issue, such as updating your OS or enabling encryption. Once you fix the issue, your device will re-check and become compliant again.

Can a compliant device still be infected with malware?

Yes, because compliance only checks for baseline security settings like antivirus being on and patches applied. It doesn't guarantee the device is free of zero-day malware or sophisticated threats that evaded detection. Additional measures like endpoint detection and response (EDR) are needed for deeper protection.

Is device compliance the same as device quarantine?

Not exactly. Device compliance is the state of meeting policy requirements. Quarantine is a possible action taken for non-compliant devices, such as placing them on a restricted network segment. Compliance is the evaluation; quarantine is a remediation action that may be triggered by non-compliance.

Can I bypass device compliance on a personal device?

Generally no, if the organization has enforced it. However, some organizations offer a web-only access option that bypasses the device check but may limit functionality (e.g., view-only mode). In a strict environment, bypassing compliance will result in no access to corporate data.

How often does my device get checked for compliance?

By default, devices check in with the MDM service every 8 hours in Intune, but this can vary. Some systems also trigger a check on specific events like a user trying to access a resource or after a restart. The check-in interval is configurable by administrators.

What is the difference between device compliance and device configuration profiles?

Device compliance checks the device's current state against a baseline to decide if it can access resources. Configuration profiles actively set device settings (like Wi-Fi, VPN, email accounts). Compliance is about enforcement; configuration is about provisioning. They often work together: a configuration profile ensures the device has the right settings, and compliance checks that those settings are actually active.

Can device compliance be enforced on Linux or macOS devices?

Yes, modern MDM solutions like Intune support macOS compliance policies and some Linux distributions. macOS compliance can check FileVault encryption, firewall status, and OS version. Linux support is more limited but growing, often focusing on OS version and basic security settings.

Summary

Device compliance is a foundational concept in modern IT security and endpoint management. It refers to the process of automatically checking whether a device meets a set of predefined security policies before it is allowed to access corporate resources. These policies typically include requirements like having an up-to-date operating system, enabled encryption, active antivirus, a secure password, and being free from root or jailbreak modifications.

Compliance is not a one-time event but an ongoing process, with devices re-evaluated regularly. Enforcement is achieved through a combination of MDM (like Intune), conditional access (like Azure AD), and network access control (like Cisco ISE). Understanding device compliance is critical for several IT certification exams, including Security+, CySA+, CISSP, AZ-104, SC-900, MD-102, and MS-102.

On these exams, you need to know how to configure compliance policies, how they integrate with identity and access management, and how to troubleshoot when devices fail compliance. The most common exam traps are confusing compliance with device health, assuming it's only for company-owned devices, and forgetting that compliance is just one condition in a larger access control system. In practice, device compliance reduces the attack surface, helps meet regulatory requirements, and is an essential building block of a zero-trust security model.

The key takeaway for your exam: device compliance is the 'what' of device security policy enforcement, it checks the box, but it is not the whole story.