Intune Policy Coverage Gaps: Device Configuration & Compliance Blind Spots

Why this risk matters

Intune policies only protect the devices and users they are assigned to. When users or devices fall outside the scope of compliance policies, configuration baselines, or protection profiles, those gaps are often invisible — until a device is lost, compromised, or audited.

Overe flags users and devices that are enrolled in Intune but not covered by expected policy assignments, as well as gaps in coverage across compliance, endpoint security, and configuration profiles. A device can be enrolled and still be unprotected if the policies that should apply to it are not assigned correctly.

Coverage gaps are most commonly caused by new users added to the tenant without being included in the right groups, policy assignments targeting outdated group structures, or devices enrolled through a method that does not automatically inherit the expected policy scope.

What happens if this is abused

  • Device enrolled in Intune but not covered by a compliance policy returns no compliance state — which Conditional Access may treat as compliant by default, allowing unrestricted access to corporate resources
  • Missing endpoint security profile means no Defender configuration, BitLocker enforcement, or firewall baseline applied — leaving the device effectively unprotected despite being enrolled
  • Configuration gaps leave devices without expected security settings — screensaver timeout, diagnostic restrictions, update ring, or certificate deployment
  • User excluded from a protection policy receives email without attachment scanning, link detonation, or anti-phishing controls, increasing phishing risk for their account
  • Audit or regulatory assessment fails because expected controls cannot be demonstrated across all users and devices, creating compliance exposure
  • Coverage gap exploited by an attacker who identifies that a specific user's device has no compliance policy by observing that Conditional Access does not require compliance for their sign-ins
  • A compliance gap on an admin device means that device may access the tenant admin portal without the security baseline required for privileged access
  • New user enrolled from a remote office or personal device whose account is never added to the relevant Intune group, remaining permanently outside policy coverage without anyone noticing

When this is expected or acceptable

Some devices or user types have intentionally different policy assignments — kiosk devices, shared devices, or external contractor devices enrolled under a specific profile. These are acceptable when the alternate policy is documented and appropriate for the use case.

Gaps are more concerning for regular employee devices and admin devices than for managed edge cases. A gap affecting a standard knowledge worker's laptop is different from a gap affecting a conference room device with no user sign-in.

Checks to perform before taking action

Before remediating a policy coverage gap:

  • Identify which specific policies are missing — compliance, configuration profiles, or endpoint security
  • Check whether the device is in the expected Entra group that should trigger policy assignment
  • Confirm whether the gap is recent (new device, new user) or has existed for a longer period
  • For compliance gaps specifically, check how Conditional Access handles devices with no compliance state in your environment
  • Review whether the policy gap is affecting a single user or a broader population
  • Confirm with the Intune administrator whether the gap is known and intentional

Safe remediation steps

  1. Use Overe to review devices and users with policy coverage gaps, sorted by policy type and affected population size
  2. For devices missing compliance policy assignment, add them to the appropriate Entra group or assign the policy directly
  3. For configuration profile gaps, apply the relevant baseline profile and review the device after the next Intune check-in
  4. For endpoint security gaps, apply the Defender or BitLocker profile and confirm enforcement on the next sync
  5. Review whether Conditional Access marks devices with no compliance state as compliant — if so, adjust the grant control to require compliance explicitly
  6. For gaps caused by group membership issues, review the group structure and update dynamic membership rules if needed
  7. Set up a regular review of policy assignment coverage to catch new enrolments that fall outside expected scope

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Windows Device Health — Ensures Windows devices boot securely and data is encrypted, protecting against physical theft and boot-level attacks.
  • Windows Device Security — Ensures Windows devices have hardware-backed security and active protection against network and malware threats.
  • MacOS Device Health — Protects Mac devices from OS-level tampering and rootkit attacks by ensuring the system kernel cannot be modified.
  • MacOS Device Security — Ensures Mac data is encrypted at rest, network access is restricted, and only trusted software can run on the device.
  • Windows Device Security Config Refresh — Prevents users from overriding managed security settings by automatically re-enforcing policies every 30 minutes.

Supporting documentation

Microsoft: Monitor device compliance policies in Intune - https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-monitor

Microsoft: Device configuration profiles in Intune - https://learn.microsoft.com/en-us/mem/intune/configuration/device-profiles

Microsoft: Endpoint security policies in Intune - https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy

Related risks and follow-on checks

After investigating Intune policy coverage gaps, review these related risk areas:

  • Devices Overview — devices without policy coverage often appear in the devices overview as unmanaged or non-compliant; review both reports together to identify the worst-exposed devices
  • Conditional Access MFA Bypass Paths — a compliance policy gap can translate directly into a CA bypass if your policy requires device compliance; a device outside coverage may receive a compliant signal it has not earned
  • Conditional Access Exclusions — some policy gaps are caused by deliberate CA exclusions that placed devices or users outside scope; review exclusions alongside coverage gaps for the same user population
  • Open Defender Incidents — devices without Defender security policies are more likely to generate security incidents because the protective baseline is absent; check for correlated incidents on affected devices
  • Admins with Risky MFA Settings — admin devices with policy coverage gaps represent a higher-risk scenario than standard user devices; prioritise any admin accounts that are also in the coverage gap population
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.