Devices

Tier 1 Checks

#	Check	License
D01	Windows automatic device enrollment is enforced to eliminate risks from unmanaged endpoints	—
D02	Compliance policies protect Windows devices	—
D03	Compliance policies protect iOS/iPadOS devices	—
D04	Defender for Endpoint automatic enrollment is enforced to reduce risk from unmanaged Android threats	MDE P1
D05	Local administrator credentials on Windows are protected by Windows LAPS	—
D06	Data on Windows is protected by BitLocker encryption	—
D07	Attack Surface Reduction rules are applied to Windows devices to prevent exploitation of vulnerable system components	MDE P1
D08	Defender Antivirus policies protect Windows devices from malware	—
D09	Windows Firewall policies protect against unauthorized network access	—
D10	Windows Update policies are enforced to reduce risk from unpatched vulnerabilities	—
D11	Security baselines are applied to Windows devices to strengthen security posture	—
D12	Data on iOS/iPadOS is protected by app protection policies	—
D13	Conditional Access policies block access from noncompliant devices	P1
D14	Compliance policies protect macOS devices	—
D15	FileVault encryption protects data on macOS devices	—
D16	Defender Antivirus policies protect macOS devices from malware	MDE P1

Tier 2 / Tier 3 coverage

Tier 1 covers the highest-impact device-posture essentials. Tier 2 and Tier 3 add depth on macOS-specific hardening, Android Enterprise governance, Endpoint Privilege Management, application protection beyond mobile, and Endpoint Analytics-driven risk identification.