Forum Discussion
Unmanaged Microsoft 365 Applications in Intune-Managed Windows 11 Devices
Hello Everyone,
We have identified in our Intune environment that several users have installed Microsoft 365 applications outside of Intune on their managed Windows 11 devices (Corporate).
Could you please confirm whether these users receive configuration profiles (for Microosft 365 app update enforcement for example)?
Additionally, we would appreciate guidance on the best practices for addressing unmanaged application replacements.
Thank you for your assistance. :)
Best regards,
1 Reply
Hi Ibteea
On Intune-managed Windows devices, configuration profiles are still applied at the device or user level, regardless of how Microsoft 365 Apps were installed. This includes security baselines, Settings Catalog, and ADMX-based profiles.
For Microsoft 365 Apps specific settings (such as update channel or update behavior), things are a bit more nuanced. These settings are typically enforced via registry and can also apply to manually installed Click to Run Office, but the behavior can be less predictable compared to apps deployed using Intune or ODT. This is why Microsoft generally recommends managing the full install lifecycle through Intune.
Regarding Policies for Microsoft 365: these are user-based policies delivered via the Cloud Policy Service and apply when users sign in to Office apps with their work account. They are useful for enforcing user-scoped Office settings, but they do not manage the app version, update channel, or installation source, and therefore are not a replacement for a managed deployment.
Best practice is to:
- Detect unmanaged Office installs using Proactive Remediations (with proper testing, as this can be environment-specific)
- Replace them with an Intune-managed Microsoft 365 Apps deployment
- Prevent future drift using controls like AppLocker or WDAC, keeping in mind that these tools require careful design and validation
Hope this helps.
