Ensure device enrollment for personally owned devices is blocked by default
Why This Matters
Allowing personally owned devices to enroll in Microsoft Intune widens your attack surface. Intune treats any device that is not pre-registered as corporate-owned (for example through corporate device identifiers or an automated enrollment program) as personal, so with a valid set of user credentials an attacker can enroll a device they control. Once Intune marks that device compliant, it satisfies Conditional Access grants such as "require compliant device" and "require hybrid Azure AD joined device" and gives the attacker a persistent, policy-approved foothold with access to organizational data. Blocking personally owned devices in the default enrollment restriction means only devices the organization has already identified as corporate assets can enroll, so credentials alone are no longer enough to add a device to the managed estate.
What Aether365 Checks
Aether365 verifies that the default (priority 0) device platform restriction policy in Microsoft Intune, formerly called the device type restriction policy, blocks personally owned devices from enrolling on every platform. This check appears in your Aether365 dashboard under microsoft-365 checks and flags noncompliance with CIS benchmark recommendation M365.2157.
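The following is an added example of how such a check can be evaluated; it is not Aether365's own code. It assumes the shape of the Microsoft Graph beta response from GET /deviceManagement/deviceEnrollmentConfigurations, in which the default policy is the deviceEnrollmentPlatformRestrictionsConfiguration with priority 0 and each platform object carries platformBlocked and personalDeviceEnrollmentBlocked flags. The tenant data below is constructed for the example, and the policy ids are placeholders.

```python
"""Evaluate whether an Intune tenant's default platform restrictions policy
blocks personally owned devices on every platform.

Example code, not part of Aether365. The Graph response below is constructed;
a live tenant returns the same shape from
GET https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
"""
import copy

RESTRICTIONS_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# Per-platform restriction objects carried by the configuration.
PLATFORM_KEYS = (
    "windowsRestriction",
    "iosRestriction",
    "macOSRestriction",
    "androidRestriction",
    "androidForWorkRestriction",
)


def find_default_restrictions(configs):
    """Return the tenant default platform restrictions policy.

    The default is the restrictions configuration with priority 0; assigned
    policies carry a higher priority and must not be mistaken for it.
    """
    for cfg in configs:
        if cfg.get("@odata.type") == RESTRICTIONS_TYPE and cfg.get("priority") == 0:
            return cfg
    return None


def evaluate_default_policy(configs):
    """Return (compliant, findings) for the personal-device check.

    A platform passes if personalDeviceEnrollmentBlocked is true, or if the
    platform is blocked outright (platformBlocked), since nothing can enroll
    there. A platform object that is absent from the policy is reported as a
    finding rather than assumed safe (fail closed).
    """
    default = find_default_restrictions(configs)
    if default is None:
        return False, ["no default platform restrictions policy (priority 0) found"]

    findings = []
    for key in PLATFORM_KEYS:
        restriction = default.get(key)
        if restriction is None:
            findings.append(f"{key}: absent from policy, treated as noncompliant")
        elif restriction.get("platformBlocked", False):
            continue
        elif not restriction.get("personalDeviceEnrollmentBlocked", False):
            findings.append(f"{key}: personally owned devices may enroll")
    return len(findings) == 0, findings


def _restriction(personal_blocked, platform_blocked=False):
    """Build a minimal deviceEnrollmentPlatformRestriction object."""
    return {
        "platformBlocked": platform_blocked,
        "personalDeviceEnrollmentBlocked": personal_blocked,
    }


# Constructed sample tenant: an assigned policy listed first (priority 1) and a
# default policy (priority 0) that still admits personal Windows and Android
# devices. Android Enterprise is blocked outright, which passes the check.
SAMPLE_NONCOMPLIANT = [
    {
        "@odata.type": RESTRICTIONS_TYPE,
        "id": "example-assigned-policy",  # constructed placeholder id
        "displayName": "Pilot group restrictions",
        "priority": 1,
        **{key: _restriction(personal_blocked=True) for key in PLATFORM_KEYS},
    },
    {
        "@odata.type": RESTRICTIONS_TYPE,
        "id": "example-default-policy",  # constructed placeholder id
        "displayName": "All users and all devices",
        "priority": 0,
        "windowsRestriction": _restriction(personal_blocked=False),
        "iosRestriction": _restriction(personal_blocked=True),
        "macOSRestriction": _restriction(personal_blocked=True),
        "androidRestriction": _restriction(personal_blocked=False),
        "androidForWorkRestriction": _restriction(personal_blocked=False, platform_blocked=True),
    },
]

# The same tenant after the default policy has been corrected.
SAMPLE_COMPLIANT = copy.deepcopy(SAMPLE_NONCOMPLIANT)
for _key in PLATFORM_KEYS:
    SAMPLE_COMPLIANT[1][_key]["personalDeviceEnrollmentBlocked"] = True


if __name__ == "__main__":
    for label, tenant in (("before", SAMPLE_NONCOMPLIANT), ("after", SAMPLE_COMPLIANT)):
        ok, findings = evaluate_default_policy(tenant)
        print(f"{label}: {'PASS' if ok else 'FAIL'}", *findings, sep="\n  ")
```

Two points worth keeping in mind when running this against a real tenant. First, the check deliberately selects the policy by priority 0 rather than by display name, because the default policy's name is fixed by Intune while assigned policies can be named anything. Second, passing this check is necessary but not sufficient: enrollment restriction policies assigned to groups take precedence over the default for their members, so an assigned policy that permits personal devices still needs to be reviewed separately.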