Sign In
In this module

AD3.2 Auditing Your Current Device Estate

5-6 hours · Module 3 · Free
Operational Objective
Before you build compliance policies, you need to know what will break. How many devices are enrolled? How many are corporate vs personal? How many would fail a BitLocker check right now? How many are running outdated operating systems? If you enforce compliance without this data, the morning after enforcement is a helpdesk disaster — 40 users locked out of email because their laptop needs a Windows update, 15 users locked out because BitLocker was never enabled, and 3 executives furious because their iPads are personal devices that aren't enrolled. This subsection runs the device audit that prevents every one of these surprises — giving you exact numbers for enrollment gaps, compliance failures by category, and the remediation work required before enforcement.
Deliverable: A complete device estate audit showing enrollment coverage, predicted compliance failures by check type, and a remediation plan — with specific actions and timelines for each gap category.
Estimated completion: 30 minutes
DEVICE ESTATE AUDIT — FOUR CATEGORIES ENROLLED + HEALTHY In Intune · Current OS BitLocker on · AV active Firewall on · Secure Boot Ready for compliance No action needed Target: 100% ENROLLED + UNHEALTHY In Intune · But failing checks: old OS, no BitLocker, AV disabled, FW off Remediate before enforcement Push updates, enable BitLocker Typically 10-25% of fleet NOT ENROLLED (CORP) Corporate device · Not in Intune Missed during deployment or enrolled and lapsed Enroll before enforcement Contact user, enroll device Typically 5-15% of fleet PERSONAL (BYOD) Employee personal device Checking email on phone/tablet Not enrolled, won't enroll App protection policies Browser-only or MAM container Typically 10-20% of users

Figure AD3.2 — The four device categories you'll discover during the audit. Enrolled + healthy devices are ready for compliance enforcement. Enrolled + unhealthy devices need remediation first. Unenrolled corporate devices need enrollment. Personal BYOD devices need app protection policies. Each category requires a different action before you can enforce CA003.

Running the enrollment audit

Navigate to intune.microsoft.com → Devices → All devices. Export the device list to CSV by clicking the "Export" button. This gives you every enrolled device with its OS, last check-in date, enrollment date, and management state.

In parallel, get your total device count from the M365 Admin Center → Devices → Active devices. This shows every device that has authenticated to M365, including devices not enrolled in Intune. The difference between the M365 device count and the Intune enrollment count is your enrollment gap.

For a more precise audit, use PowerShell to pull enrollment data programmatically:

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Get all Intune-managed devices
$devices = Get-MgDeviceManagementManagedDevice -All
$total = $devices.Count

# Group by OS
$devices | Group-Object OperatingSystem |
    Select-Object Name, Count |
    Sort-Object Count -Descending | Format-Table

# Find devices with outdated OS
$devices | Where-Object {
    $_.OperatingSystem -eq "Windows" -and
    $_.OsVersion -lt "10.0.22631"  # Windows 11 23H2
} | Select-Object DeviceName, OsVersion, UserPrincipalName |
    Format-Table -AutoSize

# Find devices that haven't checked in for 30+ days
$stale = (Get-Date).AddDays(-30)
$devices | Where-Object { $_.LastSyncDateTime -lt $stale } |
    Select-Object DeviceName, LastSyncDateTime, UserPrincipalName |
    Format-Table -AutoSize

The stale devices check is critical. A device that hasn't checked into Intune for 30+ days isn't receiving policy updates, configuration changes, or compliance evaluations. It's functionally unmanaged even though it shows as "enrolled." These devices need investigation: is the device still in use? Has the employee left the company? Is the device broken or decommissioned?

Predicting compliance failures

Before building the compliance policy, predict how many devices would fail each check. This tells you the remediation workload before enforcement.

BitLocker. Check how many enrolled Windows devices have BitLocker enabled:

$devices | Where-Object { $_.OperatingSystem -eq "Windows" } |
    Select-Object DeviceName, IsEncrypted, UserPrincipalName |
    Group-Object IsEncrypted |
    Select-Object Name, Count

If IsEncrypted = False shows 30 devices, you have 30 devices that need BitLocker enabled before compliance enforcement. BitLocker can be pushed via Intune configuration profile — but it requires TPM and may need the user to set a PIN or save the recovery key. Plan for 15-30 minutes per device.

Operating system version. The query above (filtering by OsVersion -lt) shows how many devices are running an outdated OS. Each one needs a Windows Update, which may require a restart and 30-60 minutes of downtime. For devices that are multiple versions behind, the update may take longer.

Firewall and antivirus. These are harder to check before compliance policy deployment because Intune evaluates them during compliance check-in, not as static properties. The practical approach: deploy the compliance policy in report-only mode (or with a long grace period) and let Intune evaluate each device. After 48 hours, the compliance dashboard shows exactly which devices fail which checks.

Building the remediation plan

For each category of predicted failure, create a remediation action with a timeline:

BitLocker not enabled (estimated: 15-20 devices). Create an Intune configuration profile to enable BitLocker silently. Navigate to intune.microsoft.com → Devices → Configuration profiles → Create profile → Windows 10 and later → Endpoint protection → Windows Encryption. Configure BitLocker to enable silently (requires TPM 2.0, which all modern devices have). Deploy to a pilot group first, then all devices. Allow 1 week for deployment to complete across all devices.

Outdated OS (estimated: 10-15 devices). Verify your Windows Update ring in Intune is configured to deploy security updates within 7 days of release and feature updates within 30 days. For devices that are significantly behind, create a one-time update deployment or contact users individually to initiate updates.

Stale devices (estimated: 5-10 devices). Contact the assigned user for each stale device. If the device is no longer in use, remove it from Intune. If it's still in use, the user needs to connect to the network and sync with Intune. If the user has left the company, wipe the device remotely (corporate-owned) or remove corporate data (BYOD).

Unenrolled corporate devices (estimated: 10 devices). Contact the assigned user and walk them through Intune enrollment. For Windows devices joined to Azure AD, enrollment is typically automatic via Windows Autopilot. For devices that were set up before Autopilot, manual enrollment takes 5-10 minutes.

Compliance Myth: "We'll just enforce compliance and let users figure it out"
If you enforce compliance without remediation, the morning after enforcement looks like this: 30 users can't access email, the helpdesk is overwhelmed, an executive escalates to the CTO, and you're asked to "turn off that security thing" within hours. The audit and remediation process takes 1-2 weeks. Skipping it to save time costs you far more in helpdesk load, user frustration, and credibility damage. Every user who gets locked out and calls the helpdesk is a user who now associates "security" with "the thing that stopped me working." Do the remediation first.
Decision point

Your audit reveals 180 enrolled devices: 145 are Windows, 25 are iOS, and 10 are macOS. Of the 145 Windows devices, 22 don't have BitLocker enabled, 8 are running Windows 10 21H2 (end of support), and 3 haven't checked into Intune in 60+ days. Your compliance enforcement date is in 3 weeks. Can you meet this timeline?

Option A: Yes — push BitLocker and Windows Updates now, investigate the stale devices, and enforce in 3 weeks.

Option B: Extend to 5 weeks — the BitLocker rollout alone takes 1-2 weeks to complete across 22 devices, the OS updates require user coordination, and the stale devices need investigation.

Option C: Enforce now and give users a 7-day grace period to remediate.

The correct answer is Option A, but with the caveat that you start remediation today. BitLocker can be pushed silently via Intune to all 22 devices this week — most will enable within 24-48 hours. The 8 devices on old OS need Windows Update forced this week — contact those 8 users directly. The 3 stale devices should be investigated immediately — they may be former employee devices that need wiping. If you start remediation now and run the compliance policy in report-only mode for 2 weeks to verify, enforcement in week 3 is achievable. Option B is the safer choice if you can't start remediation today.

Try it: Run your device estate audit

Run these four checks now and record the numbers:

1. Total enrolled: intune.microsoft.com → Devices → All devices → count (or export to CSV) 2. Total expected: admin.microsoft.com → Devices → Active devices → count 3. Enrollment gap: expected minus enrolled = devices needing enrollment 4. Stale devices: filter enrolled devices by "Last check-in" older than 30 days

Then check BitLocker status:

5. Encryption coverage: Devices → All devices → add "Encrypted" column → filter by "No"

Record these five numbers. They form the basis of your remediation plan and your deployment timeline for compliance enforcement. Share them with your manager: "We have X devices enrolled, Y need enrollment, Z need BitLocker enabled. I need [timeline] to remediate before enforcing device compliance."

Your device audit shows 12 Windows devices that haven't checked into Intune for 45+ days. All 12 show an assigned user who is still employed. What's the most likely cause and what should you do?
The devices were manually unenrolled by users — re-enroll them — Possible but uncommon. Most users don't know how to unenroll from Intune. More likely causes exist.
Intune has a bug — ignore it — No. Stale check-ins are almost always a real issue with the device, not an Intune reporting error.
The devices need a manual sync — push a sync from Intune — You can try, but a device that hasn't checked in for 45 days is unlikely to respond to a remote sync command. Remote commands require the device to have an active connection to Intune.
The devices are likely offline (broken, replaced, or sitting in a drawer), never connected to the network (remote workers who haven't connected to VPN), or have Intune enrollment issues — contact each assigned user to determine the device status and either re-enroll or decommission — Correct. A 45-day stale check-in means the device hasn't connected to Intune's management infrastructure. The device may be physically offline, replaced with a new device the user forgot to report, or experiencing an enrollment issue. Contact the user, determine the status, and either remediate (reconnect/re-enroll) or decommission (wipe and remove from Intune).

Cross-referencing Entra ID devices with Intune enrollment

Intune shows enrolled devices. Entra ID shows all devices that have authenticated. The gap between them reveals unenrolled devices accessing your data.

Connect-MgGraph -Scopes "Device.Read.All","DeviceManagementManagedDevices.Read.All"

# All devices registered in Entra ID
$entraDevices = Get-MgDevice -All |
    Where-Object { $_.OperatingSystem -ne $null }

# All devices managed in Intune
$intuneDevices = Get-MgDeviceManagementManagedDevice -All

Write-Host "Entra ID devices: $($entraDevices.Count)"
Write-Host "Intune managed:   $($intuneDevices.Count)"
Write-Host "Enrollment gap:   $($entraDevices.Count - $intuneDevices.Count) devices"

# Find Entra devices NOT in Intune
$intuneIds = $intuneDevices | Select-Object -ExpandProperty AzureAdDeviceId
$unmanaged = $entraDevices | Where-Object { $_.DeviceId -notin $intuneIds }
$unmanaged | Select-Object DisplayName, OperatingSystem,
    @{N="LastSignIn";E={$_.ApproximateLastSignInDateTime}} |
    Sort-Object LastSignIn -Descending | Format-Table -AutoSize

This gives you the exact list of devices that authenticate to M365 but aren't managed by Intune. Each one needs a plan before CA003 enforcement: enroll it (corporate device), apply app protection (BYOD), or accept it will be blocked.

For a visual overview, navigate to intune.microsoft.com → Devices → Enrollment → Overview. The enrollment dashboard shows enrollment trends, failure rates, and devices pending enrollment. If you see enrollment failures, investigate the cause (license assignment, MDM authority, or user/device limits) before building compliance policies.

Additionally, check whether Windows Autopilot is configured for your environment. Navigate to intune.microsoft.com → Devices → Enrollment → Windows → Windows Autopilot → Devices. If you have Autopilot profiles, new devices automatically enroll during setup — reducing the future enrollment gap. If Autopilot isn't configured, new devices need manual enrollment, which means the enrollment gap will grow with every hardware refresh unless you address it.

Estimating your BYOD population

The enrollment audit tells you about managed devices. But some employees access M365 from personal devices that aren't enrolled and won't appear in Intune. Estimate this population from the Entra ID sign-in log:

Connect-MgGraph -Scopes "AuditLog.Read.All"
$start = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-ins from unmanaged devices in the last 30 days
Get-MgAuditLogSignIn -Filter "createdDateTime ge $start" -Top 500 |
    Where-Object { $_.DeviceDetail.IsManaged -eq $false -and $_.Status.ErrorCode -eq 0 } |
    Group-Object UserPrincipalName |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

This shows every user who successfully signed in from an unmanaged device in the last 30 days. Each of these users needs a plan before CA003 enforcement: either enroll their device (if it's a corporate device that was missed) or configure app protection policies (if it's a personal BYOD device). Without this analysis, enforcement day blocks users you didn't know were accessing M365 from unmanaged devices.

Documenting and sharing the audit results

Compile your audit findings into a brief summary for your manager. The summary should include: total enrolled vs total expected (with enrollment percentage), the count and list of unenrolled corporate devices (with remediation plan), the BYOD population estimate (users accessing from personal devices), predicted compliance failures by check type (BitLocker, OS, firewall, AV), and the timeline to remediation before enforcement.

This summary serves two purposes: it secures management buy-in for the enforcement timeline (showing you've done the preparation work), and it sets expectations for the enforcement day impact ("we expect 2-3 users to need helpdesk support on day one, down from 30+ if we hadn't done the audit"). Keep the audit data alongside your configuration register — it's the baseline that demonstrates improvement when you run the same audit after enforcement.

Operational Artifact — Device Estate Audit Template
Record five numbers: total enrolled, total expected, enrollment gap, stale devices (30+ days no check-in), and unencrypted devices. For each gap category, document: the count, the assigned users, the remediation action, and the timeline. This audit is the prerequisite for compliance enforcement — don't skip it. Run this audit again monthly after enforcement to catch new gaps (new devices, devices falling out of compliance, enrollment lapses).
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.

View Pricing See Full Syllabus
← Previous Next →