Drift Detection
Monitor configuration drift across managed devices to identify when settings deviate from assigned policies. Drift detection alerts you to unauthorized changes and compliance gaps.
How Drift Detection Works
- Intune policies define the desired configuration state
- Devices report current settings during sync
- Drift engine compares actual vs. expected values
- Deviations are flagged and reported
Drift Categories
Security Drift
- BitLocker encryption disabled
- Firewall turned off
- Antivirus real-time protection disabled
- Password policy weakened
- Security baseline settings changed
Configuration Drift
- Wi-Fi profile settings modified
- VPN configuration changed
- Device restrictions altered
- Email profile settings changed
Compliance Drift
- OS version fell below minimum
- Required app uninstalled
- Encryption removed
- Jailbreak or root detected
Drift Reports
| Column | Description |
|---|---|
| Device Name | Affected device |
| Policy Name | Expected policy |
| Setting | The drifted setting |
| Expected Value | Value defined in policy |
| Actual Value | Current value on device |
| Detected | When drift was first detected |
| Severity | Critical, Warning, or Info |
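The comparison described under "How Drift Detection Works", producing one row per deviation with the report columns above, as an added illustration that is not the product's own drift engine: the policy, the device sync report, the per-setting severity mapping and the "integer settings are minimums" rule are all constructed assumptions.

```python
# Constructed sample policy: the desired state assigned to the device, with the
# severity a deviation of each setting should be reported at (assumed mapping).
POLICY = {
    "name": "Windows Security Baseline",
    "settings": {
        "bitlocker_enabled": (True, "Critical"),
        "firewall_enabled": (True, "Critical"),
        "realtime_protection": (True, "Critical"),
        "min_password_length": (12, "Warning"),
        "wifi_profile": ("Corp-WPA2-Enterprise", "Info"),
    },
}

# Constructed sample device report, as a device would send back during sync.
DEVICE_REPORT = {
    "device_name": "LAPTOP-0042",
    "reported_at": "2024-05-01T09:15:00Z",
    "settings": {
        "bitlocker_enabled": False,
        "firewall_enabled": True,
        "realtime_protection": True,
        "min_password_length": 8,
        "wifi_profile": "Corp-WPA2-Enterprise",
    },
}

SEVERITY_ORDER = {"Critical": 0, "Warning": 1, "Info": 2}

def satisfies(expected, actual) -> bool:
    """True when the reported value meets the policy. Booleans and strings must
    match exactly; an integer setting is treated as a minimum (assumed semantics)."""
    if actual is None:          # setting not reported at all counts as drift
        return False
    if isinstance(expected, (bool, str)):
        return actual == expected
    return actual >= expected

def detect_drift(policy, report) -> list[dict]:
    """Compare actual vs. expected values and return one report row per deviation,
    using the same columns as the drift report, highest severity first."""
    rows = []
    for setting, (expected, severity) in policy["settings"].items():
        actual = report["settings"].get(setting)
        if not satisfies(expected, actual):
            rows.append({"Device Name": report["device_name"], "Policy Name": policy["name"],
                         "Setting": setting, "Expected Value": expected, "Actual Value": actual,
                         "Detected": report["reported_at"], "Severity": severity})
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r["Severity"]])
```

Running `detect_drift(POLICY, DEVICE_REPORT)` on the constructed data yields two rows: the disabled BitLocker (Critical) and the shortened password minimum (Warning).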
Automated Remediation
- Re-apply policy — Force policy re-evaluation
- Sync device — Trigger immediate sync
- Notify admin — Send alert for review
- Mark non-compliant — Update compliance status
Alert Configuration
- Email notifications for critical drift
- Teams/Slack integration
- Severity-based thresholds
- Per-policy or per-device alert rules
Best Practices
- Enable for all security-critical policies
- Configure alerts for high-severity events
- Review reports weekly
- Investigate recurring drift patterns
- Use automated remediation for common scenarios
API Reference
- GET /api/devices/drift/report — Get drift report
- GET /api/devices/drift/alerts — Get drift alerts
- POST /api/devices/drift/remediate/:deviceId — Trigger remediation
- GET /api/devices/drift/settings — Get configuration