Endpoint and appsIntermediate23 min read

What Does Device configuration Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Device configuration means adjusting the settings on a computer, phone, or tablet so that it works correctly and securely within a company network. This includes things like installing updates, setting up security rules, and connecting to email or other work applications. Proper configuration helps keep devices safe from hackers and ensures they follow company policies.

Commonly Confused With

Device configurationvsDevice enrollment

Device enrollment is the initial step of registering a device with a management system like Intune. It establishes the management relationship and allows the device to receive policies. Device configuration happens after enrollment and involves applying settings. Without enrollment, configuration cannot occur.

Enrolling your phone in Intune is like checking into a hotel and giving your ID at the front desk. Configuration is like getting the room key and setting the room temperature to your liking.

Device configurationvsCompliance policy

A compliance policy defines rules that a device must meet to be considered secure and acceptable, such as having a minimum OS version or not being rooted. Device configuration profiles apply specific settings to a device. The compliance policy evaluates the state after configuration, but it does not apply the settings itself.

A configuration profile is like setting the thermostat to 72 degrees. A compliance policy is like a thermostat sensor that checks if the temperature is actually at 72 degrees and triggers an alarm if it is not.

Device configurationvsConditional Access

Conditional Access is a policy that controls access to resources based on conditions like user identity, location, or device compliance. It uses the output of compliance policies to decide whether to allow or block access. Device configuration is about setting up the device itself, while Conditional Access is about controlling access from that device.

Device configuration is like giving your car a working engine and good tires. Compliance policy is the inspection that checks those parts. Conditional Access is the toll booth that only lets cars with a valid inspection sticker pass through.

Must Know for Exams

In the MS-102 exam, device configuration is a core topic that appears across multiple objective domains. Specifically, the exam measures your ability to manage and secure endpoints using Microsoft Intune and Microsoft 365 Defender. You will need to understand how to create and deploy device configuration profiles, which control settings like device restrictions, feature settings, and endpoint protection.

Compliance policies are also heavily tested: you must know how to define conditions (e.g., minimum OS version, required antivirus status, jailbreak detection) and what actions to take when a device is non-compliant (block access, send notification, or wipe).

Questions often link device configuration to Conditional Access, where access to resources is granted only if the device is marked as compliant. You may be asked to interpret a scenario in which a user cannot access email on their phone, and you must determine whether the issue is a missing compliance policy, a misconfigured profile, or an incorrect Conditional Access rule. Another common question type involves planning device configuration for different device platforms (Windows, iOS, Android, macOS) and understanding which settings apply to each.

The exam also tests your knowledge of enrollment methods (e.g., Windows Autopilot, Apple DEP, Android Enterprise) and how they integrate with configuration profiles. For the MS-102 exam, you should be comfortable comparing configurations at the user level versus the device level, and knowing when to use a configuration profile versus a compliance policy.

You may also see questions about using scripts or custom OMA-URI settings for advanced configuration. The exam may present a scenario where a device is reporting as compliant but still denied access, requiring you to check the Conditional Access policy or the device's threat status from Defender for Endpoint. Understanding the end-to-end flow-from enrollment to configuration to compliance evaluation to access control-is critical.

Device configuration is not isolated; it interacts with identity management, threat protection, and app management, so exam questions often require you to integrate these concepts. Preparing for MS-102 means you must not only memorize steps but also understand the logic behind why certain configurations are applied and how they affect user experience and security.

Simple Meaning

Think of a brand new smartphone you just bought. Out of the box, it has basic functions, you can make calls, take photos, and browse the internet. But if you want to use that phone for work at a company, you cannot just start using it right away.

You need to configure it. That means setting up your work email account, installing the security software the company requires, turning on a lock screen with a password, and maybe connecting to the company's Wi-Fi network. Device configuration is that entire process of making the device ready for a specific environment.

In IT, device configuration is similar but much bigger. IT administrators manage hundreds or thousands of devices, like laptops, desktops, tablets, and phones, all at once. Instead of setting up each one by hand, they use tools like Microsoft Intune or Group Policy to apply a standard set of rules and settings automatically.

For example, they configure all company laptops to require a strong password, to update their software every night, and to block certain dangerous websites. This is like a school giving every new student a uniform and a set of classroom rules, everyone starts with the same foundation, which makes the whole system run smoothly and safely. Without proper configuration, devices could be vulnerable to viruses, data leaks, or unauthorized access.

So device configuration is not just about initial setup-it is an ongoing process of making sure every device stays compliant, secure, and functional throughout its use in the organization.

Full Technical Definition

Device configuration refers to the systematic application of settings, policies, software, and security controls to endpoints such as workstations, servers, mobile phones, and tablets, typically within an enterprise managed environment using centralized management tools. In the context of Microsoft 365, device configuration is commonly associated with Microsoft Intune, which is a cloud-based mobile device management (MDM) and mobile application management (MAM) service, and with Group Policy Management for on-premises Active Directory environments. The configuration process involves defining and enforcing compliance policies, device restrictions, configuration profiles, and security baselines.

A configuration profile in Intune, for instance, is a collection of settings that control features on a device, such as allowing or blocking the use of the camera, enforcing encryption, requiring a PIN length of at least six characters, or disabling Bluetooth tethering. Compliance policies define the conditions a device must meet to be considered compliant, such as having a minimum operating system version, being jailbreak- or root-detection-free, or having threat protection enabled. If a device falls out of compliance, Intune can take actions like blocking access to corporate email or data, sending notifications to the user, or even remote wiping the device.

For Windows devices, configuration can also be handled through Group Policy Objects (GPOs) in an Active Directory domain, applying registry-based settings, security templates, and scripted configurations. Modern device configuration increasingly uses cloud-based tools to support a remote and hybrid workforce. Protocols such as OMA-DM (Open Mobile Alliance Device Management) are used by Intune to communicate with devices over the internet, sending commands and receiving status reports.

This allows IT administrators to push configurations to devices anywhere in the world without needing direct network access. Windows Autopilot streamlines the initial configuration experience for new devices by pre-configuring settings before the user even logs in, using a hardware hash to identify the device and assign it to the appropriate configuration profiles. Device configuration also includes software deployment, such as installing required applications (e.

g., Microsoft 365 Apps, antivirus, VPN clients), applying Windows updates, and managing certificates for authentication. Effective device configuration is foundational to zero-trust security models, where every device must be verified and meet specific configuration standards before accessing resources.

In exam contexts like MS-102 (Microsoft 365 Administrator), candidates are expected to understand how to create and assign device configuration profiles, configure compliance policies, use Conditional Access policies based on device compliance, and integrate with tools like Microsoft Defender for Endpoint for advanced threat protection. Misconfiguration can lead to security vulnerabilities, user productivity loss, or compliance violations, making device configuration a critical skill for IT administrators.

Real-Life Example

Imagine you are moving into a new apartment building that has a very strict homeowners' association. Before you can even get the keys, the association gives you a list of rules: you must paint your front door a specific shade of blue, install a specific brand of smoke detector, set the thermostat no lower than 68 degrees in winter, and use only approved window blinds. They also require you to register your car with the security gate and get a parking permit.

Once you follow all those rules, you are allowed to move in. If you later install a satellite dish without permission, the association can fine you or even restrict your access to the building's fitness center. This is exactly how device configuration works in IT.

The company (the homeowners' association) decides on a set of security and compliance rules. Your device (your apartment) must be configured to follow those rules before it is allowed to connect to the corporate network or access company data. The IT department (the association manager) uses tools to remotely check if your device meets the rules, for example, is encryption turned on?

Is the operating system updated? Are unauthorized apps blocked? If your device breaks a rule, it gets flagged as non-compliant, and you might lose access to your email or company files until you fix it.

Just like the homeowners' association wants every apartment to be safe and uniform, IT wants every device to be secure and standardized. Without this configuration, some devices could be vulnerable, just like an apartment with a weak lock and no smoke alarm would be a risk to the whole building.

Why This Term Matters

Device configuration matters because it is the first line of defense for protecting an organization's data and networks. Every device that connects to corporate resources is a potential entry point for cyberattacks, data leaks, or non-compliance with regulations like GDPR, HIPAA, or PCI DSS. A poorly configured device might have outdated software, weak passwords, or unnecessary services running, which an attacker can exploit.

For example, if a laptop used for remote work does not have disk encryption enabled, and that laptop is stolen, the company's confidential client data could be exposed. Device configuration policies help prevent such incidents by enforcing encryption, requiring strong authentication, and keeping software patched. In addition to security, device configuration ensures consistency across the organization.

When every device is configured with the same baseline, IT support becomes simpler. Help desk staff know exactly what settings are on each machine, making troubleshooting faster. Updates can be rolled out uniformly, reducing compatibility issues.

Also, for organizations that undergo audits, having a documented device configuration policy proves that they are taking reasonable steps to protect data. On the user side, proper configuration can improve productivity. For instance, configuring devices with the correct VPN settings, email profiles, and common apps saves employees time and reduces frustration.

Without configuration, users might inadvertently enable settings that weaken security, like allowing personal accounts on a company device or disabling automatic updates. Device configuration is therefore not just an IT task-it is a strategic business practice that balances usability, security, and compliance.

How It Appears in Exam Questions

In the MS-102 and similar exams, device configuration questions appear in several distinct patterns. The most common is the scenario-based multiple-choice question, where you are given a company description and a set of requirements. For example: 'Contoso has 500 Windows 10 devices and 200 iOS devices.

They need to ensure that all devices have a screen lock password of at least 6 characters, and if a device is jailbroken, it should be blocked from accessing company email. Which two policies should you configure in Microsoft Intune?' The correct answer involves creating a device configuration profile for the password policy and a compliance policy for jailbreak detection.

Another pattern is the 'troubleshooting' question, where a device is not receiving the intended settings. You might see: 'A user reports that their Windows 10 device does not show the company logo on the lock screen, even though you assigned a configuration profile. What is the most likely cause?'

Here you need to know about conflict resolution between profiles, assignment to user groups vs device groups, or that the profile was not targeted to the correct group. There are also 'best practice' questions that ask you to order steps or choose the correct sequence for deploying a configuration. For instance: 'You need to deploy a new device restriction policy to all company laptops.

What is the correct order of actions?' Options might include creating the profile, assigning to a group, choosing settings, and monitoring deployment. You must know that you choose settings first, then create the profile, then assign, then monitor.

Another question type is 'comparison', asking you to differentiate between configuration profiles and compliance policies, or between user-based and device-based targeting. Some questions incorporate Conditional Access, such as: 'A user's device is marked as compliant, but they are still blocked from accessing SharePoint Online. What should you check first?'

The answer often involves reviewing the Conditional Access policy to ensure it is using the correct grant control (e.g., 'Require device to be marked as compliant'). You may also encounter 'drag and drop' or 'matching' questions that require you to associate settings with the correct platform (e.

g., 'App Lock' setting for iOS, 'Allow Microsoft Store' setting for Windows). Finally, be prepared for 'exam tip' style questions that test your knowledge of default behaviors, like what happens when a device is not assigned any configuration policy (it still functions but with no enforced settings).

The key is to understand the practical, administrative steps and the underlying logic behind each configuration choice.

Practise Device configuration Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as an IT administrator for a mid-sized company called 'Northwind Traders'. The company has just purchased 50 new Windows 11 laptops for a new sales team. The sales team will be working remotely and will need access to company email, SharePoint, and a CRM application.

Your task is to configure these devices before they are shipped to the employees. First, you decide to use Windows Autopilot enrollment. You upload the hardware hashes of the 50 devices to Microsoft Intune.

Then, you create a device configuration profile that enforces the following settings: the device must have BitLocker encryption turned on, Windows Update must be set to install updates automatically, the lock screen password must be at least 8 characters, and the device must not allow installation of apps from outside the Microsoft Store. You assign this profile to a group called 'Sales Devices'. Next, you create a compliance policy that requires the device to have a minimum OS version of Windows 11 22H2, have real-time virus protection enabled, and must not be jailbroken or rooted (which for Windows means no unauthorized kernel modifications).

You then set an action for non-compliant devices: if the device does not meet these rules, the user will be notified to fix it, and after 30 days of non-compliance, access to company email will be blocked. Finally, you configure a Conditional Access policy in Azure AD that says: for the Sales app group (which includes email, SharePoint, and the CRM), require that the device is marked as compliant. When the laptops arrive at the employees' homes, they unbox them and turn them on.

Windows Autopilot automatically enrolls the device in Intune. The device downloads and applies the configuration profile, enabling encryption and setting the password policy. The compliance policy checks the device's state.

If everything is okay, the user signs in with their Azure AD account and can immediately access their work apps. If a device fails the compliance check, the user receives a notification on the screen telling them what to fix, such as enabling virus protection or running Windows Update. This entire process happens without any IT person touching the devices.

Common Mistakes

Thinking that a configuration profile and a compliance policy are the same thing.

A configuration profile sets device settings (like password length or turning off the camera), but does not evaluate whether the device meets a standard. A compliance policy checks if the device adheres to rules and can trigger automatic actions like blocking access. They serve different purposes and are used together.

Use a configuration profile to enforce settings, and a compliance policy to monitor and react when those settings (or other conditions) are not met. They are complementary, not interchangeable.

Assigning a configuration profile to a user group when the setting is device-specific.

Some settings, like screen lock policies, affect the device itself. If assigned to a user group, the profile may not apply when the device is used by someone else, or may be applied inconsistently. Device-specific settings should be assigned to device groups.

Know which settings are user-based (e.g., app configuration) and which are device-based (e.g., encryption). Use the appropriate group type: user groups for user-scoped settings, device groups for device-scoped settings.

Forgetting that compliance policies can have multiple rules and the default action is to mark a device as non-compliant if any rule fails.

If you create a compliance policy with multiple conditions (e.g., password required AND encryption required), and a device meets all but one, it is still non-compliant. Learners sometimes assume only the failed rule triggers an action, but the entire device is flagged.

Always test compliance policies on a small set of devices first. Understand that each rule is additive-failure in any single rule results in non-compliance.

Believing that device configuration policies apply immediately to all existing devices as soon as they are created.

Policies need time to sync with devices. Intune checks for new policies every few hours by default, though you can initiate a manual sync. Also, the device must be enrolled and reachable.

Plan for delays. After creating or updating a policy, you can go to the device in Intune and click 'Sync' to force an immediate check, but in reality, full deployment can take up to 8 hours.

Confusing device configuration with device enrollment.

Enrollment is the process of registering the device with Intune so it can be managed. Configuration happens after enrollment, applying the settings. You cannot configure a device that has not been enrolled first.

Remember the sequence: first enroll the device (via Autopilot, Apple DEP, or manual method), then assign configuration profiles and compliance policies.

Exam Trap — Don't Get Fooled

{"trap":"In an exam scenario, you are asked to block access to corporate resources for a device that is not compliant. You see an option to configure a device configuration profile with a 'block' setting.","why_learners_choose_it":"Learners think that setting a 'block' configuration in a device restriction profile will prevent access to resources.

They confuse the enforcement of settings (like blocking the camera) with the Conditional Access mechanism that evaluates compliance.","how_to_avoid_it":"Remember that blocking access to corporate data is not done by device configuration profiles. It is achieved by creating a compliance policy that defines non-compliance conditions and then linking that policy to a Conditional Access rule.

The conditional access policy checks the device's compliance state before granting access. A configuration profile only sets device behavior, it does not grant or deny access to cloud resources."

Step-by-Step Breakdown

1

Define desired settings and policies

Before configuring any devices, you need to decide what settings are required for security, compliance, and user experience. This includes password policies, encryption, firewall rules, allowed apps, and update settings. These decisions are typically based on company security standards and industry regulations.

2

Enroll the device into management

The device must be enrolled in a management system like Microsoft Intune. Enrollment establishes a trust relationship where the device will accept commands and policies from the management server. This can happen automatically via Windows Autopilot, Apple Device Enrollment Program, or manually by the user installing the Company Portal app.

3

Create a device configuration profile

In Intune, you create a configuration profile for the specific platform (Windows, iOS, Android, macOS) and choose the settings you defined. This profile acts as a template of settings that will be applied to devices. It can include device restrictions (like disabling the camera) and feature settings (like setting the lock screen message).

4

Assign the profile to the appropriate group

You assign the configuration profile to a group of users or devices. For device-specific settings (like encryption), assign to a device group. For user-specific settings (like Outlook configuration), assign to a user group. The profile will apply to all members of that group.

5

Create a compliance policy (if needed)

To ensure devices remain secure, create a compliance policy that defines conditions such as minimum OS version, antivirus activation, and encryption status. If a device does not meet these conditions, it is marked non-compliant. This is separate from the configuration profile but works alongside it.

6

Set up Conditional Access to block non-compliant devices

Integrate the compliance policy with Conditional Access in Azure AD. This ensures that only compliant devices can access corporate resources like email and SharePoint. You create a policy that says 'Require device to be marked as compliant' for specific applications.

7

Monitor and troubleshoot deployment

After deployment, check the Intune console to see the status of each device. If some devices fail to apply the profile, review error messages, check if the device is enrolled correctly, or see if there is a conflict with other policies. You can manually trigger a sync to speed up the process.

Practical Mini-Lesson

Device configuration in a practical IT environment is a continuous cycle of planning, deploying, monitoring, and updating. As an IT administrator, your first task is to inventory all the endpoints in your organization-laptops, desktops, tablets, phones-and determine which management tools you will use. For Microsoft 365 shops, Intune is the primary tool for cloud-managed devices, while on-premises Active Directory environments still rely on Group Policy for Windows machines.

In practice, you will often have a mix: some devices are fully cloud-managed, others are hybrid. When configuring a device, you must consider the user's role. A salesperson might need different settings than a developer.

You can create different configuration profiles for different groups. For example, one profile might allow access to the Microsoft Store for line-of-business apps only, while another might block it entirely. A common real-world challenge is managing configuration conflicts.

If a device receives two different profiles with contradictory settings (e.g., one says password length 4, another says 6), Intune uses a priority system or the most restrictive setting applies, depending on the setting type.

You need to be aware of this to avoid unintended outcomes. Another practical aspect is that not all settings are available on all platforms. For instance, iOS has settings for app store ratings and managed open-in, which have no equivalent on Android.

You must create separate profiles per platform. Configuration also involves deploying certificates, Wi-Fi profiles, and VPN settings so that users can connect securely without manual intervention. For high-security environments, you might also use Windows Information Protection (WIP) or Microsoft Defender for Endpoint policies as part of configuration.

A key professional skill is understanding the difference between 'user intent' and 'device state'. A configuration profile represents your intent-what you want the device to do. But the actual state may differ due to user interaction, connectivity issues, or conflicting apps.

You need to monitor compliance reports and address drift. For example, a user might disable BitLocker themselves if they have admin rights-your compliance policy should catch that and either auto-remediate or block access. Device configuration is not a one-time event.

You need to manage updates to policies, handle device retirement, and ensure new devices are consistently configured from day one. Automation is your friend-use dynamic groups based on device attributes (e.g.

, all Windows 11 devices) to automatically assign profiles. This reduces manual work and configuration errors.

Memory Tip

Remember: 'Config sets the rules, Compliance checks the rules, Conditional Access enforces the rules.'

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between a device configuration profile and a compliance policy?

A device configuration profile applies specific settings to a device, like turning on encryption or setting a password length. A compliance policy evaluates whether the device meets certain rules, like having that encryption enabled, and can trigger actions like blocking access if the device is not compliant.

Can I configure a device without enrolling it in Intune?

No, enrollment is required to manage a device with Intune. Once enrolled, the device receives a certificate and communicates with the service to apply configuration profiles. Without enrollment, the device cannot be centrally configured or monitored.

How long does it take for a device configuration profile to apply?

Typically, when you assign a profile, it can take up to 8 hours for the device to check in and apply it. However, you can force a sync from the Intune console or on the device itself to apply changes more quickly.

What happens if a device receives two conflicting configuration profiles?

Intune has a conflict resolution process. For most settings, the most restrictive setting is applied. For some settings, the setting from the profile with the highest priority (as defined in your environment) wins. You should review the Intune documentation for each setting's behavior.

Do I need separate configuration profiles for different operating systems?

Yes, each platform (Windows, iOS, Android, macOS) has its own set of configurable settings. You create separate profiles for each platform. Intune allows you to create platform-specific profiles and assign them to the appropriate groups of devices.

Can device configuration be used to install software?

While configuration profiles can install some built-in features (e.g., Windows languages), they are not primarily for installing software. For app deployment, you use 'Intune App Deployment' or manage software updates. Device configuration focuses on settings and restrictions.

Is device configuration the same as Group Policy?

Not exactly. Group Policy is an on-premises tool for Windows devices in Active Directory, while Intune is cloud-based and supports multiple platforms. Intune configuration profiles can be seen as the cloud equivalent of some Group Policy settings, but they are not exactly the same and have different capabilities.

Summary

Device configuration is a fundamental IT process that involves defining and applying a set of settings and policies to endpoints to ensure they are secure, compliant, and properly functioning within an organization. It goes beyond mere initial setup, as it encompasses ongoing management through tools like Microsoft Intune, which allow administrators to enforce password policies, encryption, software updates, and restrictions across hundreds or thousands of devices from a central console. The key distinction between configuration profiles (which apply settings) and compliance policies (which evaluate adherence to rules) is critical for both real-world administration and exam success.

Understanding how these components interact with Conditional Access to control resource access based on device compliance is a core skill for the MS-102 exam and for managing a secure enterprise environment. Common mistakes, such as confusing enrollment with configuration or misassigning policies to user groups versus device groups, can lead to security gaps or ineffective management. By following a structured approach-from defining requirements to enrolling devices, creating and assigning profiles, and monitoring compliance-IT professionals can maintain a consistent security baseline across their organization.

For learners preparing for the MS-102 exam, practicing with real scenarios and understanding the end-to-end flow from enrollment to access control is essential. Device configuration is not a static task; it evolves with new threats, OS updates, and business needs, making it a continuous discipline that directly impacts organizational security and user productivity.