@robbo215 Do you want to do this for managed Windows devices or also unmanaged ones? If for managed only, you can use Applocker for this. If it's really for all Windows devices I recommend using conditional access. In the MS docs you can see exactly what the security defeault does so I think conditional access is always advantageous.

Hi @robbo215,

To secure your Windows 11 devices and stop any Windows device from accessing Microsoft apps which is not enrolled in Intune without Conditional Access, you can use the following combination of security features:

• Device enrollment policies
• App protection policies
• Endpoint Detection and Response (EDR)

1. Create a device enrollment policy. This policy will require all Windows devices to be enrolled in Intune before they can access corporate resources.
2. Assign the device enrollment policy to your users or devices.
3. Configure app protection policies. This policy will prevent users from accessing Microsoft apps on devices that are not enrolled in Intune. You can configure this policy to apply to all Microsoft apps or to specific apps.
4. Deploy EDR to your devices. EDR will help to monitor and protect your devices from malware and other threats.

Here are some useful links:

• Device enrollment policies in Intune: https://learn.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
• App protection policies in Intune: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
• Endpoint Detection and Response (EDR) in Microsoft Defender for Endpoint: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-endpoint-detecti...