A CMMC gap often starts as a small mismatch. The policy says one thing, the endpoint does another, and the reporting still looks fine until someone checks the real device state.
That is Intune policy drift, and I see it hurt CMMC Level 2 readiness more than almost any flashy security issue. If I can’t prove that my Windows endpoints stay aligned with the baseline, I can’t claim the control is operating the way my documentation says it is.
Why Intune drift matters in a CMMC Level 2 assessment
CMMC Level 2 tracks the security expectations in NIST SP 800-171, so assessors care about implemented controls, not policy intent. In Microsoft 365, Intune is one of the main places I enforce endpoint configuration, device compliance, and security settings. Still, Intune is only part of the picture.
I don’t treat Intune as a magic compliance button. It can help me apply settings for BitLocker, firewall, antivirus, account protection, and device restrictions. However, CMMC also depends on identity controls, audit logging, incident response, access reviews, documented processes, and evidence retention outside the MDM plane.
Microsoft makes a similar point in its CMMC Level 2 control guidance. The guidance ties Microsoft Entra and Intune configuration to control outcomes, but it still assumes I will build a larger compliance program around those technical controls.
CMMC Level 2 gives credit for enforced state and objective evidence, not for a policy PDF that looked right six months ago.
When drift appears, endpoint configuration enforcement starts to weaken in ways that are easy to miss. A device may keep checking in, yet the assigned settings are conflicted, stale, or bypassed by a second policy. A local admin account might get added during support work and never removed. A re-enrolled laptop may land in the wrong group and miss the hardened baseline.
That is why evidence collection matters so much. For each control area, I want to show the baseline, the assignment, the resulting device state, the remediation path, and the exception process. Screenshots help, but they rarely stand on their own. Assessors usually want exports, reports, logs, tickets, and sample-device validation that all line up.
The drift patterns I fix first on CMMC-scoped endpoints
I start with a short list because the same drift patterns show up again and again. In Small Business IT, the team that owns Intune often also owns Cloud Infrastructure, Office 365 Migration, and old Data Center Technology. In some firms, that same team also supports Restaurant POS Support and Kitchen Technology Solutions. When people are juggling all of that, baseline hygiene slips.
This quick reference is where I usually begin.
| Drift area | What I usually find | What I need to prove |
|---|---|---|
| BitLocker drift | Encryption required in policy, but recovery keys are missing, encryption method changed, or silent enablement failed | Device encryption state, escrow status, assignment, remediation history |
| Firewall drift | Domain firewall profile disabled, rule merge allowed, or local changes override baseline | Effective firewall state on sampled endpoints and policy status |
| Defender AV drift | Real-time protection off, exclusions expanded, cloud-delivered protection changed, tamper controls inconsistent | AV health, policy source, alerts, and corrected state |
| Local admin drift | Extra admins added outside approved workflow, or old support accounts remain | Current group membership, LAPS settings, removal evidence, approvals |
| Device compliance drift | Device marked noncompliant too late, or compliance policy no longer matches access intent | Compliance report, conditional access relationship, exception handling |
BitLocker drift is a common problem because the policy object can exist while the endpoint never fully encrypts. Firewall drift is quieter. A conflicting setting or a local exception can leave a laptop exposed while the tenant still looks tidy at first glance.
Defender AV drift often appears after troubleshooting. Someone adds a broad exclusion to fix a business app, and months later that exception is still there. Local admin drift is even more direct. If I can’t show who has admin rights, why they have them, and when I remove them, I have an evidence gap and a security gap at the same time.
How I detect and remediate Intune policy drift
When I deliver Cybersecurity Services, I treat Endpoint Security and Device Hardening as ongoing operations. That work sits beside Cloud Management, Technology Consulting, and the daily tasks a Business Technology Partner handles for clients. So I need a remediation method that is simple enough to run every week.
My process usually follows five steps:
- I define one owned baseline for each setting family, such as BitLocker, firewall, Defender AV, local admin, and compliance.
- I check for drift through Intune reports, endpoint status, conflict reports, stale device objects, and recent change activity.
- I remediate with the right tool, such as Endpoint security policies, Settings Catalog profiles, Remediations scripts, or Windows LAPS.
- I validate the fix on live endpoints, not only in the admin portal.
- I document exceptions, approvals, and follow-up dates.
The first step matters more than most teams expect. If two policies try to own the same setting, conflict is not a rare corner case. It is a design problem. I keep one source of truth per control area whenever I can, and I retire superseded profiles instead of leaving them assigned “for safety.”
For BitLocker, I verify encryption status on the device, confirm key escrow, and re-run enablement where needed. For firewall drift, I prefer one clear profile path through Endpoint security and then test the effective state with local commands during validation. For Defender AV drift, I check both policy assignment and actual protection status because those do not always match. For local admin drift, Windows LAPS helps, but I still review membership changes and remove standing admin access that no longer has a business need.
Device compliance drift needs extra care because it affects Conditional Access and can create false confidence. A laptop can appear managed while missing a compliance prerequisite, or it can stay in a grace period longer than expected. I treat compliance policies as gates, not as proof of full security posture.
Even a practitioner discussion on Intune control coverage lands on the same core point I see in real assessments: Intune helps enforce a large share of endpoint settings, but it does not close the full CMMC story by itself. Good IT Strategy for SMBs and Infrastructure Optimization depend on knowing where Intune ends and where other controls begin.
What good CMMC evidence looks like after remediation
Once I fix the drift, I build evidence that can survive scrutiny. The Cyber AB and DoD guidance both push toward objective evidence, so I want records that show repeatable control operation, not a one-day cleanup.
My strongest evidence package usually includes the policy export, group assignments, device status reports, a sample of validated endpoints, tickets for exceptions, and proof of corrective action. If I used a script or Remediations package, I keep the output and the change record. If I removed local admins, I keep the approval and the before-and-after membership view.
I also watch for operational caveats that can distort the story. Co-managed devices can take settings from more than one place. Re-enrolled devices can create duplicate objects. Assignment filters can exclude machines I thought were protected. Offline endpoints can lag long enough to make the dashboard look healthier than the fleet. Because of that, I always pair portal reporting with live endpoint checks.
This is where Secure Cloud Architecture, strong Cloud Management, and sound Business Continuity & Security practices meet the real world. If I only collect evidence during assessment season, I usually find old exceptions, stale devices, and half-retired policies. If I collect evidence every month, I spot drift before it grows into a finding.
Conclusion
The hard part of CMMC Level 2 is rarely writing the policy. The hard part is keeping the enforced endpoint state aligned with that policy month after month, then proving it with evidence that matches production.
I get better results when I treat Intune drift as an operating issue, not a portal issue. That mindset fits Managed IT for Small Business, supports Digital Transformation without weakening controls, and turns Innovative IT Solutions into Tailored Technology Services that hold up under assessment.
When my baselines stay clean, my remediation loop stays short, and my reports match the device in front of me, CMMC conversations get much simpler.
Discover more from Guide to Technology
Subscribe to get the latest posts sent to your email.