Intune compliance policies check device health. Conditional Access enforces access decisions based on that health. Without Conditional Access, compliance is monitoring. Without compliance, Conditional Access is guessing. This article covers the full device pillar implementation: compliance policies for Windows, macOS, iOS, and Android, Defender for Endpoint risk score integration, Conditional Access grant controls that require compliant devices, app protection policies for BYOD (MAM-WE), the "Require approved client app" retirement (June 30, 2026) and the OR transition pattern to "Require app protection policy," and a phased rollout approach that avoids the day-one lockout mistake.
