Unmanaged devices in Entra Conditional Access Policy

In a recent task, I was asked to target unmanaged devices in the environment, which means excluding Intune-enrolled mobile devices, on-prem AD-joined servers (not Entra-joined), and hybrid-joined desktops.

Originally, in my conditional access policy, I was using “Exclude filtered devices from policy” and “OR” conditions. But it just wouldn’t work. After talking to Microsoft support, I was able to fix it by using “Include filtered devices in policy” and “AND” conditions. Isn’t that crazy?

The key point, though, is that an unmanaged device has no device object in Entra ID, so every device attribute the filter can reference is treated as null. A filter built from positive operators (-eq, -in, -startsWith, ...) therefore never matches an unmanaged device, while a filter built from negative operators (-ne, -notIn, -notStartsWith, ...) always does. Chaining those negative tests with -and in an include-mode filter selects exactly the devices that are neither compliant nor hybrid-joined nor anything else you name, and unmanaged devices fall into that set because all of their attributes are null.
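Here is the shape the working policy takes when created through Microsoft Graph PowerShell. This is an added example, not the original post’s policy: the display name, the “All users / All apps” scope, the block control, the break-glass group variable and the exact filter rule are my assumptions modelled on the description above. The filter only sees attributes of devices that have an Entra ID device object, so it identifies Intune-enrolled devices via mdmAppId/isCompliant and hybrid-joined devices via trustType “ServerAD”; anything with no device object at all evaluates as null on every attribute and is matched by the negative operators.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and a Conditional Access administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Include-mode filter built ONLY from negative operators joined with -and.
# Unregistered/unmanaged devices have no device object, so every attribute is null:
#   - positive operators (-eq, -in, ...) evaluate False for them -> never selected
#   - negative operators (-ne, -notIn, ...) evaluate True for them -> selected
# Each -ne clause knocks out one managed category; what remains is "unmanaged".
$unmanagedRule = @(
    'device.mdmAppId -ne "0000000a-0000-0000-c000-000000000000"'  # not Intune-enrolled (Intune MDM app id)
    'device.isCompliant -ne True'                                  # not marked compliant by MDM
    'device.trustType -ne "ServerAD"'                              # not hybrid Entra joined
) -join ' -and '

# Assumption: object id of a break-glass group that every CA policy excludes.
$breakGlassGroupId = "<break-glass-group-object-id>"

$policy = @{
    displayName = "Block unmanaged devices (filter for devices, include mode)"
    # Start in report-only so sign-in logs show who WOULD be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
        devices      = @{
            deviceFilter = @{
                mode = "include"        # "Include filtered devices in policy"
                rule = $unmanagedRule
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the filter was stored in include mode with our rule.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Devices.DeviceFilter | Format-List Mode, Rule
```

Leave the policy in report-only mode until the sign-in logs (Conditional Access tab, “Report-only” result) show that Intune-enrolled and hybrid-joined devices are not selected and that sign-ins with no device identity are; only then switch state to “enabled”.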
