Forum Discussion
Unmanaged Microsoft 365 Applications in Intune-Managed Windows 11 Devices
Hi Ibteea
On Intune-managed Windows devices, configuration profiles are still applied at the device or user level, regardless of how Microsoft 365 Apps were installed. This includes security baselines, Settings Catalog, and ADMX-based profiles.
For Microsoft 365 Apps-specific settings (such as update channel or update behavior), things are a bit more nuanced. These settings are typically enforced via registry and can also apply to manually installed Click-to-Run Office, but the behavior can be less predictable compared to apps deployed using Intune or ODT. This is why Microsoft generally recommends managing the full install lifecycle through Intune.
Regarding Policies for Microsoft 365: these are user-based policies delivered via the Cloud Policy Service and apply when users sign in to Office apps with their work account. They are useful for enforcing user-scoped Office settings, but they do not manage the app version, update channel, or installation source, and therefore are not a replacement for a managed deployment.
Best practice is to:
- Detect unmanaged Office installs using Proactive Remediations (with proper testing, as this can be environment-specific)
- Replace them with an Intune-managed Microsoft 365 Apps deployment
- Prevent future drift using controls like AppLocker or WDAC, keeping in mind that these tools require careful design and validation
Hope this helps.
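As an added example, not part of the reply above: one shape the detection half of a Proactive Remediation for the first bullet could take. It reads the Click-to-Run Configuration registry key and reports drift; the Current Channel GUID, the expected product id, and the use of the Office CSP registry key as a marker of an Intune-driven install are assumptions that must be verified in your own tenant before use.

```powershell
# Detection script for an Intune Proactive Remediation (added example, not from the reply).
# Exit 0 = compliant (nothing to do), exit 1 = non-compliant (remediation/report needed).
# Assumptions: the managed deployment targets Current Channel (GUID below is the public
# Current Channel CDN id) and the product O365ProPlusRetail; adjust both for your tenant.

$ExpectedChannelId = '492350f6-3a01-4f97-b9c0-c7c6ddf67d60'   # assumed target channel
$ExpectedProducts  = @('O365ProPlusRetail')                   # assumed managed product id
$C2RConfig = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Assumption to verify: the Office CSP used by the Intune Microsoft 365 Apps deployment
# records its installs under this key, so its absence suggests a manual/ODT install.
$OfficeCspKey = 'HKLM:\SOFTWARE\Microsoft\OfficeCSP'

try {
    if (-not (Test-Path $C2RConfig)) {
        Write-Output 'No Click-to-Run Office installation found'
        exit 0
    }
    $cfg = Get-ItemProperty -Path $C2RConfig -ErrorAction Stop
    $findings = @()

    # 1. Update channel: UpdateChannel holds the CDN URL; its last segment is the channel GUID.
    $channelId = ($cfg.UpdateChannel -split '/')[-1]
    if ($channelId -ne $ExpectedChannelId) {
        $findings += "UpdateChannel=$channelId (expected $ExpectedChannelId)"
    }

    # 2. Installed products: ProductReleaseIds is a comma-separated list of product ids.
    $installed  = ($cfg.ProductReleaseIds -split ',') | ForEach-Object { $_.Trim() }
    $unexpected = $installed | Where-Object { $ExpectedProducts -notcontains $_ }
    if ($unexpected) { $findings += "Unexpected products: $($unexpected -join ',')" }

    # 3. Installation source: no Office CSP record means Intune did not place this install.
    if (-not (Test-Path $OfficeCspKey)) {
        $findings += 'No Office CSP install record (likely manual/ODT install)'
    }

    if ($findings.Count -gt 0) {
        Write-Output ("Unmanaged Office detected: " + ($findings -join '; ') +
                      " Version=$($cfg.VersionToReport)")
        exit 1
    }
    Write-Output "Managed Office $($cfg.VersionToReport) on $($cfg.Platform), channel $channelId"
    exit 0
}
catch {
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```

The Write-Output string is what shows up in the Proactive Remediation report, so keep it short and specific; the matching remediation script would typically hand off to the Intune-managed Microsoft 365 Apps deployment rather than reinstall Office itself.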