AD3 — Managing Devices and Endpoints
Identity is secured. Email is protected. The third layer is the device.
Your conditional access policy CA003 from Module AD1 is sitting in report-only mode, waiting for this module. It requires a compliant device for access to Exchange Online, SharePoint, and Teams — but it can't enforce anything until you define what "compliant" means. A compliant device in Intune is one that meets every requirement in your compliance policy: encrypted, running a supported OS version, firewall enabled, antivirus active and up to date. Without compliance policies, every enrolled device is "compliant by default" — which means the conditional access policy has no teeth.
This module builds the compliance policies that give CA003 meaning. You'll define the Windows compliance baseline (BitLocker required, minimum OS version, Defender Antivirus active, firewall enabled), create matching policies for macOS and mobile devices, integrate compliance with conditional access for enforcement, handle the non-compliant devices that appear on day one, and build the exception workflow for devices that legitimately can't meet every requirement.
The result: when an attacker replays a stolen session token from an AiTM attack, the conditional access policy checks the device. The attacker's device isn't enrolled in Intune — it's not compliant — access is blocked. The stolen token is useless without a managed device. This is the defense-in-depth layer that catches what MFA alone cannot.
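The chain described above, from "compliant by default" through the baseline checks to the token-replay case, as an added example that is not part of the course or of Microsoft's own tooling: the policy body is shaped like a Graph v1.0 windows10CompliancePolicy, but the display name, the minimum build, the sample device reports and the evaluate() function are assumptions for illustration; evaluate() mirrors the rules so you can see the outcomes offline, it is not Intune's compliance engine.

```python
"""Windows compliance baseline as an Intune (Microsoft Graph) request body,
plus an illustrative evaluation of constructed device reports against it.

The policy name, the sample reports and evaluate() are assumptions for this
example; evaluate() mirrors the rules, it is not Intune's own engine."""
from typing import Any, Dict, Optional

# Graph v1.0 collection that compliance policies are POSTed to.
GRAPH_COMPLIANCE_URL = (
    "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
)


def build_windows_compliance_policy(
    min_os: str = "10.0.19045", grace_hours: int = 24
) -> Dict[str, Any]:
    """Graph-shaped windows10CompliancePolicy carrying the baseline checks:
    BitLocker, minimum OS version, firewall, antivirus/Defender with real-time
    protection. min_os is a constructed value; use your own supported build."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Windows Baseline (assumed name)",
        "bitLockerEnabled": True,
        "osMinimumVersion": min_os,
        "activeFirewallRequired": True,
        "antivirusRequired": True,
        "defenderEnabled": True,
        "rtpEnabled": True,
        # Action taken when a device fails: block after a grace period, so a
        # machine that drifts out of compliance gets time to remediate before
        # CA003 locks the user out.
        "scheduledActionsForRule": [
            {
                "ruleName": "PasswordRequired",  # fixed rule name used in Graph examples
                "scheduledActionConfigurations": [
                    {"actionType": "block", "gracePeriodHours": grace_hours}
                ],
            }
        ],
    }


def to_graph_request(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Shape the create call without sending it (no token needed, runs offline)."""
    return {"method": "POST", "url": GRAPH_COMPLIANCE_URL, "body": policy}


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def evaluate(policy: Optional[Dict[str, Any]], report: Dict[str, Any]) -> Dict[str, Any]:
    """Illustrative compliance evaluation of one device report.

    Returns {"state": compliant | inGracePeriod | notCompliant, "failed": [...]}.
    """
    if not report.get("enrolled"):
        # Unenrolled hardware (a replayed token from an unknown machine) has no
        # compliance record at all, so the compliant-device control fails.
        return {"state": "notCompliant", "failed": ["notEnrolled"]}
    if policy is None:
        # Intune's default for devices with no policy assigned is compliant,
        # which is exactly why CA003 has no teeth until a policy exists.
        return {"state": "compliant", "failed": []}

    failed = []
    if policy["bitLockerEnabled"] and not report["bitLocker"]:
        failed.append("bitLockerEnabled")
    if _version(report["osVersion"]) < _version(policy["osMinimumVersion"]):
        failed.append("osMinimumVersion")
    if policy["activeFirewallRequired"] and not report["firewall"]:
        failed.append("activeFirewallRequired")
    if policy["antivirusRequired"] and not report["antivirus"]:
        failed.append("antivirusRequired")
    if policy["rtpEnabled"] and not report["realTimeProtection"]:
        failed.append("rtpEnabled")
    if not failed:
        return {"state": "compliant", "failed": []}

    action = policy["scheduledActionsForRule"][0]["scheduledActionConfigurations"][0]
    grace = action["gracePeriodHours"]
    state = "inGracePeriod" if report.get("hoursNonCompliant", 0) < grace else "notCompliant"
    return {"state": state, "failed": failed}


def ca003_grants_access(result: Dict[str, Any]) -> bool:
    """CA003's 'require compliant device' grant control: devices still inside
    their grace period count as compliant; everything else is blocked."""
    return result["state"] in ("compliant", "inGracePeriod")


# Constructed device reports (not real telemetry).
SAMPLE_REPORTS = {
    "laptop-ok": {"enrolled": True, "bitLocker": True, "osVersion": "10.0.22631",
                  "firewall": True, "antivirus": True, "realTimeProtection": True},
    "laptop-no-bitlocker": {"enrolled": True, "bitLocker": False, "osVersion": "10.0.22631",
                            "firewall": True, "antivirus": True, "realTimeProtection": True,
                            "hoursNonCompliant": 48},
    "laptop-old-build": {"enrolled": True, "bitLocker": True, "osVersion": "10.0.18363",
                         "firewall": True, "antivirus": True, "realTimeProtection": True,
                         "hoursNonCompliant": 2},
    "attacker-box": {"enrolled": False},
}

if __name__ == "__main__":
    policy = build_windows_compliance_policy()
    print("no policy assigned:", evaluate(None, SAMPLE_REPORTS["laptop-no-bitlocker"]))
    for name, report in SAMPLE_REPORTS.items():
        result = evaluate(policy, report)
        print(f"{name:20s} {result['state']:14s} access={ca003_grants_access(result)}")
```

Run it and compare the first line with the rest: the same BitLocker-less laptop is "compliant" with no policy assigned and "notCompliant" once the baseline exists, while the out-of-date build sits in its grace period and still gets through CA003 until the 24 hours run out. To actually create the policy, send the request returned by to_graph_request() with a token holding DeviceManagementConfiguration.ReadWrite.All.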
What you will learn
- Why device compliance is the third security priority (after identity and email)
- Intune enrollment: what's already enrolled, what's missing, and how to close the gap
- Building Windows compliance policies with the five checks that matter most
- macOS, iOS, and Android compliance for multi-platform environments
- Integrating compliance with conditional access — moving CA003 from report-only to enforcement
- Security baselines vs custom configuration profiles — when to use each
- Handling non-compliant devices: grace periods, notifications, and remediation
- The exception workflow for devices that can't meet every requirement
- Device compliance monitoring with Intune reports and the compliance dashboard
- Reporting device security posture to management
Subsections
- AD3.1 Why Device Compliance Is the Third Priority
- AD3.2 Auditing Your Current Device Estate
- AD3.3 Building the Windows Compliance Policy
- AD3.4 macOS, iOS, and Android Compliance
- AD3.5 Integrating Compliance with Conditional Access
- AD3.6 Security Baselines vs Custom Profiles
- AD3.7 Handling Non-Compliant Devices
- AD3.8 The Exception Workflow
- AD3.9 Device Compliance Monitoring
- AD3.10 Reporting Device Security to Management
- AD3.11 Interactive Lab: Device Compliance Deployment
- AD3.12 Module Summary
- AD3.13 Check My Knowledge
You're reading the free modules of M365 Security: From Admin to Defender
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.