---
name: Intune Device Compliance and Baseline Gap
description: Audit Intune devices for missing compliance policies, security baselines and encryption against Essential Eight patching and hardening.
---

# Intune Device Compliance and Baseline Gap

> **TL;DR:** This skill inspects your Microsoft Intune fleet for devices missing compliance policies, security baselines and disk encryption, then produces a risk-scored gap report so you can close hardening and patching holes before they are exploited.

## What Microsoft Intune compliance and security baselines cover

Microsoft Intune device compliance policies define the rules a device must meet, such as minimum operating system version, BitLocker or FileVault encryption and required patch levels, and these compliance states feed Microsoft Entra Conditional Access decisions. Security baselines in Intune are pre-configured groups of recommended hardening settings curated by Microsoft Security engineers. When a device falls outside compliance or drifts from an assigned baseline, the gap weakens both your Conditional Access posture and your Essential Eight hardening and patching maturity.

## When should you run this skill?

- "Which Intune devices have no compliance policy assigned at all?"
- "Show me devices that are not encrypted with BitLocker or FileVault."
- "Are any of our Windows devices missing the Microsoft security baseline?"
- "Find devices that are non-compliant for operating system patch level."
- "I need an Essential Eight hardening gap report for our managed fleet."
- "Which platforms have the weakest baseline coverage before our audit?"
- "Show me devices reporting an error or grace-period compliance state."

## How this skill works, step by step

1. Connect read-only to Microsoft Intune through the Microsoft Graph beta and v1.0 device management endpoints using delegated, least-privilege scopes.
2. Enumerate all managed devices and record platform, ownership, operating system version and last check-in time.
3. Retrieve every device compliance policy and its assignments, then map which devices have no policy in scope.
4. Read each device compliance state, capturing compliant, non-compliant, in-grace-period, error and unknown results.
5. Inspect encryption reporting to confirm BitLocker or FileVault status for each applicable device.
6. Retrieve assigned security baselines and identify devices with no baseline or with settings drifting from the baseline.
7. Cross-reference patch-related compliance settings to flag devices behind on operating system updates.
8. Derive a per-device risk score by weighting missing policy, missing encryption, missing baseline and patch lag against Essential Eight patching and hardening expectations.
9. Aggregate findings into a prioritised report ordered by highest risk first.
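As an added illustration of steps 2 through 9 (example code written for this page, not part of the skill file or of any Microsoft tooling), the following Python scores constructed records shaped like the Graph `managedDevices` and `deviceCompliancePolicies?$expand=assignments` responses. The Entra group memberships, the resolved baseline names, the minimum OS builds and the scoring weights are all assumptions; a real run would obtain memberships from Entra and baseline assignments from the Intune endpoints the steps above describe.

```python
# Added example (not part of the original SKILL.md): gap scoring over
# Microsoft Graph-shaped Intune records. Every record below is constructed.
from collections import Counter

# Constructed sample resembling GET /deviceManagement/managedDevices
# (field names follow the microsoft.graph.managedDevice resource).
DEVICES = [
    {"deviceName": "LAPTOP-FIN-014", "operatingSystem": "Windows",
     "osVersion": "10.0.19045.3448", "complianceState": "unknown",
     "isEncrypted": True, "azureADDeviceId": "dev-1"},
    {"deviceName": "MAC-DEV-007", "operatingSystem": "macOS",
     "osVersion": "14.4", "complianceState": "noncompliant",
     "isEncrypted": False, "azureADDeviceId": "dev-2"},
    {"deviceName": "SURFACE-HR-022", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.3447", "complianceState": "inGracePeriod",
     "isEncrypted": True, "azureADDeviceId": "dev-3"},
    {"deviceName": "DESKTOP-OPS-003", "operatingSystem": "Windows",
     "osVersion": "10.0.22631.3447", "complianceState": "compliant",
     "isEncrypted": True, "azureADDeviceId": "dev-4"},
]

# Constructed sample resembling
# GET /deviceManagement/deviceCompliancePolicies?$expand=assignments
POLICIES = [
    {"displayName": "Corp Windows compliance",
     "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "assignments": [{"target": {
         "@odata.type": "#microsoft.graph.groupAssignmentTarget",
         "groupId": "grp-win-corp"}}]},
    {"displayName": "All macOS compliance",
     "@odata.type": "#microsoft.graph.macOSCompliancePolicy",
     "assignments": [{"target": {
         "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}}]},
]

# Assumptions (not Graph responses): Entra group membership per device,
# baseline names already resolved per device, and the minimum OS build the
# organisation treats as "patched". Microsoft baselines exist for Windows.
DEVICE_GROUPS = {"dev-3": {"grp-win-corp"}, "dev-4": {"grp-win-corp"}}
BASELINES = {"LAPTOP-FIN-014": ["MDM Security Baseline"],
             "DESKTOP-OPS-003": ["MDM Security Baseline"]}
MIN_OS = {"Windows": "10.0.22631.0", "macOS": "14.4"}
BASELINE_PLATFORMS = {"Windows"}

# Assumed weights for the risk score; tune them to your own risk appetite.
WEIGHTS = {"missing_policy": 3, "missing_encryption": 4,
           "missing_baseline": 2, "patch_lag": 3,
           "noncompliant": 2, "error": 1, "unknown": 1, "inGracePeriod": 1}
POLICY_PLATFORM = {"#microsoft.graph.windows10CompliancePolicy": "Windows",
                   "#microsoft.graph.macOSCompliancePolicy": "macOS"}


def parse_version(text):
    """Turn '10.0.22631.3447' into a tuple of ints that compares correctly."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def policy_in_scope(device, policy):
    """True when the policy targets this platform and the device falls inside
    an included target (all devices or a member group) and no exclusion."""
    if POLICY_PLATFORM.get(policy["@odata.type"]) != device["operatingSystem"]:
        return False
    groups = DEVICE_GROUPS.get(device["azureADDeviceId"], set())
    included = excluded = False
    for assignment in policy.get("assignments", []):
        target = assignment["target"]
        kind = target["@odata.type"]
        if kind == "#microsoft.graph.allDevicesAssignmentTarget":
            included = True
        elif kind == "#microsoft.graph.groupAssignmentTarget" and target["groupId"] in groups:
            included = True
        elif kind == "#microsoft.graph.exclusionGroupAssignmentTarget" and target["groupId"] in groups:
            excluded = True
    return included and not excluded


def risk_band(score):
    return "High" if score >= 5 else "Medium" if score >= 3 else "Low" if score else "None"


def assess_device(device, policies=POLICIES):
    """Collect the device's gaps, then weight them plus its compliance state."""
    gaps, plat = [], device["operatingSystem"]
    if not any(policy_in_scope(device, p) for p in policies):
        gaps.append("missing_policy")
    if not device.get("isEncrypted"):
        gaps.append("missing_encryption")
    if plat in BASELINE_PLATFORMS and not BASELINES.get(device["deviceName"]):
        gaps.append("missing_baseline")
    if plat in MIN_OS and parse_version(device["osVersion"]) < parse_version(MIN_OS[plat]):
        gaps.append("patch_lag")
    score = sum(WEIGHTS[g] for g in gaps) + WEIGHTS.get(device["complianceState"], 0)
    return {"deviceName": device["deviceName"], "platform": plat, "gaps": gaps,
            "complianceState": device["complianceState"], "score": score,
            "risk": risk_band(score)}


def build_report(devices=DEVICES):
    """Rows for every device carrying risk, highest score first (step 9)."""
    rows = [assess_device(d) for d in devices]
    return sorted((r for r in rows if r["score"]), key=lambda r: -r["score"])


def summarise(devices=DEVICES):
    """The summary block: totals, gaps by category, states, platform risk."""
    rows = [assess_device(d) for d in devices]
    platform_risk = Counter()
    for r in rows:
        platform_risk[r["platform"]] += r["score"]
    return {"inspected": len(rows),
            "with_gap": sum(1 for r in rows if r["gaps"]),
            "by_category": dict(Counter(g for r in rows for g in r["gaps"])),
            "by_state": dict(Counter(r["complianceState"] for r in rows)),
            "platform_risk": dict(platform_risk)}


if __name__ == "__main__":
    for r in build_report():
        print(f'{r["deviceName"]:16}{r["platform"]:9}{", ".join(r["gaps"]):36}'
              f'{r["complianceState"]:15}{r["risk"]}')
    print(summarise())
```

The scoring deliberately treats a device with no policy in scope as a gap even when Graph reports it as `unknown`, because Conditional Access cannot act on a state that was never evaluated; the exclusion-target branch matters in practice, since a device excluded from every policy looks "targeted" if you only count include assignments.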

## Output format

The skill returns a ranked table of device gaps followed by a short summary.

| Device name | Platform | Gap detected | Compliance state | Risk score |
| --- | --- | --- | --- | --- |
| LAPTOP-FIN-014 | Windows | No compliance policy assigned | Unknown | High |
| MAC-DEV-007 | macOS | FileVault encryption not reported | Non-compliant | High |
| SURFACE-HR-022 | Windows | No security baseline assigned | In grace period | Medium |

Summary of findings:

- Total managed devices inspected and the count with at least one gap.
- Breakdown of gaps by category: missing policy, missing encryption, missing baseline, patch lag.
- Count of devices by compliance state across the fleet.
- Top platforms ranked by aggregate risk score.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, devices or policies. It only reads device, compliance and baseline metadata to assess gaps.

This skill does NOT:

- Create, edit, assign or delete any compliance policy or security baseline.
- Trigger remediation, remote actions, wipe, retire or sync on any device.
- Modify Conditional Access, encryption keys or device enrolment settings.
- Read user files, application content or personal data from managed devices.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Intune device management, compliance policies and security baselines | Microsoft Intune Plan 1 |
| Conditional Access posture that consumes compliance state | Microsoft Entra ID P1 |

### Least-privilege roles

- Intune Administrator with read access, or the built-in Intune Read Only Operator role.
- Global Reader for tenant-wide read visibility where broader context is required.

### Microsoft Graph permissions (read-only)

- `DeviceManagementManagedDevices.Read.All` reads managed device inventory, ownership, operating system version and compliance state.
- `DeviceManagementConfiguration.Read.All` reads compliance policies, security baselines and their assignments.

## Sources and compliance

- [Get started with device compliance in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started)
- [Use security baselines to configure devices in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines)
- Maps to Essential Eight Patch operating systems and Application hardening controls, supporting device patching and configuration assurance.
- Aligns with ISM guidance on hardening end-user devices and applying operating system updates.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
## How to use this skill

1. Get the file. Download or copy the SKILL.md from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host: paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0 by Educ4te.