Intune without Conditional Access

Brass Contributor

Our org has mainly Macs which are looked after by a different mdm, we also have about 20 Windows 11 devices. We use security defaults on our 365 tenant so do not have access to conditional access. I want to secure the windows devices and stop any windows device from accessing Microsoft apps which is not enrolled in intone. Is this possible without conditional access?

2 Replies

@robbo215 Do you want to do this for managed Windows devices or also unmanaged ones? If for managed only, you can use Applocker for this. If it's really for all Windows devices I recommend using conditional access. In the MS docs you can see exactly what the security defeault does so I think conditional access is always advantageous.

Hi @robbo215,

To secure your Windows 11 devices and stop any Windows device from accessing Microsoft apps which is not enrolled in Intune without Conditional Access, you can use the following combination of security features:

  • Device enrollment policies
  • App protection policies
  • Endpoint Detection and Response (EDR)


  1. Create a device enrollment policy. This policy will require all Windows devices to be enrolled in Intune before they can access corporate resources.
  2. Assign the device enrollment policy to your users or devices.
  3. Configure app protection policies. This policy will prevent users from accessing Microsoft apps on devices that are not enrolled in Intune. You can configure this policy to apply to all Microsoft apps or to specific apps.
  4. Deploy EDR to your devices. EDR will help to monitor and protect your devices from malware and other threats.

Here are some useful links:

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

Kindest regards,

Leon Pavesic