
A lot of it is compliance. To get some types of customers you need to pass some security compliance certification or checks, which often have requirements like only giving access to crucial infrastructure when devices are up-to-date, the possibility to remote-disable/erase a device when it is stolen, some kind of anti-virus installed (yeah, I know), etc.

I can understand the underlying reasons; you would be surprised how many employees have bad security hygiene, which becomes an issue when they have access to high-value information, tokens, etc. But since they are often somewhat draconian rules, they tend to have bad side-effects (similar to password reminders). E.g. Linux users will often set up ClamAV to fulfill the anti-virus requirement. However, ClamAV parses untrusted data in C code without any sandboxing, so it probably opens a new attack vector (as opposed to Windows Defender, which AFAIR uses sandboxing or a micro-VM to parse untrusted data).
