We're starting down our CMMC journey on behalf of a customer and working with a consultant. It sounds like there's some ambiguity around the endpoint being in-scope even if you're using something like PreVeil. Is it possible to have a few users in the organization using their standard, Entra Joined/Intune Managed endpoint with something like PreVeil and be compliant? Our auditor's recommendation was to use something like Azure Virtual Desktop in GCC in addition to an enclave, but being new to this, I wanted to gather thoughts from the community. Our goal is to be on the journey but not panic-move some portion of the organization to GCC or GCC High if it's not necessary.
I did ask their thoughts, and they alluded to not hearing anything definitive around it. They're not a fan of PreVeil either, I believe because it technically caches data on the endpoint, but I haven't confirmed that myself yet.