Intune Policy Coverage Gaps: Device Configuration & Compliance Blind Spots

Why this risk matters

Intune policies only protect the devices and users they are assigned to. When users or devices fall outside the scope of compliance policies, configuration baselines, or protection profiles, those gaps are often invisible — until a device is lost, compromised, or audited.

Overe flags users and devices that are enrolled in Intune but not covered by expected policy assignments, as well as gaps in coverage across compliance, endpoint security, and configuration profiles. A device can be enrolled and still be unprotected if the policies that should apply to it are not assigned correctly.

Coverage gaps are most commonly caused by new users added to the tenant without being included in the right groups, policy assignments targeting outdated group structures, or devices enrolled through a method that does not automatically inherit the expected policy scope.

What happens if this is abused

  • Device enrolled in Intune but not covered by a compliance policy returns no compliance state — which Conditional Access may treat as compliant by default
  • Missing endpoint security profile means no Defender configuration, BitLocker enforcement, or firewall baseline applied
  • Configuration gaps leave devices without expected security settings — screensaver timeout, diagnostic restrictions, update ring, or certificate deployment
  • User excluded from a protection policy receives email without attachment scanning, link detonation, or anti-phishing controls
  • Audit or regulatory assessment fails because expected controls cannot be demonstrated across all users and devices
  • Coverage gap exploited by an attacker who identifies that a specific user's device is outside policy scope

When this is expected or acceptable

Some devices or user types have intentionally different policy assignments — kiosk devices, shared devices, or external contractor devices enrolled under a specific profile. These are acceptable when the alternate policy is documented and appropriate for the use case.

Gaps are more concerning for regular employee devices and admin devices than for managed edge cases. A gap affecting a standard knowledge worker's laptop is different from a gap affecting a conference room device with no user sign-in.

Checks to perform before taking action

Before remediating a policy coverage gap:

  • Identify which specific policies are missing — compliance, configuration profiles, or endpoint security
  • Check whether the device is in the expected Entra group that should trigger policy assignment
  • Confirm whether the gap is recent (new device, new user) or has existed for a longer period
  • For compliance gaps specifically, check how Conditional Access handles devices with no compliance state in your environment
  • Review whether the policy gap is affecting a single user or a broader population
  • Confirm with the Intune administrator whether the gap is known and intentional

Safe remediation steps

  1. Use Overe to review devices and users with policy coverage gaps, sorted by policy type and affected population size
  2. For devices missing compliance policy assignment, add them to the appropriate Entra group or assign the policy directly
  3. For configuration profile gaps, apply the relevant baseline profile and review the device after the next Intune check-in
  4. For endpoint security gaps, apply the Defender or BitLocker profile and confirm enforcement on the next sync
  5. Review whether Conditional Access marks devices with no compliance state as compliant — if so, adjust the grant control to require compliance explicitly
  6. For gaps caused by group membership issues, review the group structure and update dynamic membership rules if needed
  7. Set up a regular review of policy assignment coverage to catch new enrolments that fall outside expected scope

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.
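The coverage check behind steps 2, 5 and 6, as an added example that is not Overe's or Microsoft's code: a small Python model of how Intune assignment targets (include group, exclude group, "all devices") resolve per device, which devices end up outside every compliance policy, and what state Conditional Access then sees depending on the tenant setting "Mark devices with no compliance policy assigned as". The group IDs, device names and policies are constructed sample data.

```python
# Added example (not Overe's or Microsoft's code): find enrolled devices that no
# compliance policy reaches, using a simplified, constructed model of Intune
# assignment targets (include group, exclude group, "all devices").
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    groups: frozenset  # Entra group IDs the device belongs to (constructed IDs)

@dataclass
class Policy:
    name: str
    includes: frozenset = frozenset()   # groupAssignmentTarget groups
    excludes: frozenset = frozenset()   # exclusionGroupAssignmentTarget groups
    all_devices: bool = False           # allDevicesAssignmentTarget

def policy_applies(policy: Policy, device: Device) -> bool:
    """Exclusion wins over inclusion, as in Intune assignment evaluation."""
    if device.groups & policy.excludes:
        return False
    return policy.all_devices or bool(device.groups & policy.includes)

def coverage_gaps(devices, policies, no_policy_is_compliant: bool) -> dict:
    """Map each uncovered device to the state Conditional Access would see.

    no_policy_is_compliant models the tenant setting 'Mark devices with no
    compliance policy assigned as': Compliant (True) or Not compliant (False)."""
    state = "compliant" if no_policy_is_compliant else "noncompliant"
    return {d.name: state for d in devices
            if not any(policy_applies(p, d) for p in policies)}

# Constructed sample tenant: a standard policy targets staff but excludes kiosks,
# a kiosk policy covers kiosks, and nothing targets the (stale) admin group.
G_STAFF, G_ADMINS, G_KIOSK, G_CONTRACT = "g-staff", "g-admins", "g-kiosk", "g-contract"
POLICIES = [
    Policy("Standard Windows compliance", includes=frozenset({G_STAFF}),
           excludes=frozenset({G_KIOSK})),
    Policy("Kiosk compliance", includes=frozenset({G_KIOSK})),
]
DEVICES = [
    Device("laptop-01", frozenset({G_STAFF})),
    Device("admin-pc", frozenset({G_ADMINS})),             # assignment targets an old group
    Device("kiosk-lobby", frozenset({G_STAFF, G_KIOSK})),  # excluded, but kiosk policy applies
    Device("contractor-01", frozenset({G_CONTRACT})),
    Device("new-device-02", frozenset()),                  # enrolled before being grouped
]

if __name__ == "__main__":
    for name, seen_as in coverage_gaps(DEVICES, POLICIES, True).items():
        print(f"{name}: no compliance policy; Conditional Access sees '{seen_as}'")
```

In a real tenant the same evaluation is done over managed devices, their group memberships and each policy's assignment targets pulled from Microsoft Graph; the sample shows the gap classes the page lists (stale group targeting, an ungrouped new enrolment, an untargeted population).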

Supporting documentation

Microsoft: Monitor device compliance policies in Intune - https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor

Microsoft: Device configuration profiles in Intune - https://learn.microsoft.com/en-us/mem/intune/configuration/device-profiles

Microsoft: Endpoint security policies in Intune - https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy

Related risks and follow-on checks

  • Devices overview
  • Conditional Access exclusions creating risk
  • Conditional Access MFA bypass paths