Use Intune to Restrict NON Patched Windows Devices from Accessing eMail


Security patching is vital to every organization. Now with Intune, you can restrict Windows 10 devices which are not patched with latest patches. Non patched devices are risky to the organization. Use Intune to restrict non patched Windows devices from accessing mail. There are two options to limit Windows devices from connecting to the corporate network. We will see these options in the following sections of the article.

Subscribe the YouTube channel here

I have uploaded a video tutorial to my YouTube channel. I hope this video will help you to set these restrictions up on your Intune test tenant. I would recommend testing these in a staging environment before implementing it in production. As you are aware patching is essential in any modern workplace project implementations.

Intune and Windows Update for Business can ensure all the Windows devices managed through Intune are patched promptly. There is no need for on prem components like WSUS to patch Windows 10 devices using Intune and Windows update for Business. When you set the Windows 10 Update rings in Intune then, there won’t be any concern for security.

Read my previous post “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal” to learn more about Windows 10 update rings.

How to Restrict Non patched Windows Devices from Enrolling into Intune?

This option is available only for NEW Windows devices which are getting enrolled to Intune environment via MDM channel. This option is not available for Intune PC agent managed devices. The setting which is explained in this section won’t apply to already enrolled and non patched Windows devices. If you have already enrolled and non patched Windows devices then, you need to check out the compliance policy option mentioned in the below part of the post.

Intune to Restrict NON Patched Windows Devices

We need to setup Intune enrollment restriction policies to restrict Windows devices from enrolling into Intune. The above table is the best reference to setup Intune enrollment restriction policies for non patched Windows devices. First of all, we need to decide about your Windows 10 minimum and maximum patch level requirement. You can have more patch level version details from

In my video, I have selected Windows 10 minimum patch level 15063.877 & maximum patch level 16299.201. You can also leave maximum patch level as blank if you want to support all the latest patched Windows devices. I have uploaded a video tutorial to my youtube channel. And this video has a more detailed explanation how to set up enrollment restriction policies.

You can read my previous post “How to Prevent Windows Devices from Enrolling to Intune“. This post provides more details about settings up Intune enrollment policies. And this also covers the end user experience of Windows 10 devices if the device patch level is lesser than “Minimum version”.

For example:-

I have a Windows 10 device, and it’s non patched device. And the patch version of that device is “15063.250”. In this scenario, Intune will check whether the device is patched with a minimum version of patch required for the organisation and that version is 15063.877.

The current patch level of Windows 10 device is below the minimum version requirement set in enrollment restriction policy. Hence the device won’t be allowed to enroll into Intune. Update the patches on that Windows 10 device to get successfully enrolled to Intune.

Intune to Restrict NON Patched Windows Devices

How to Force Users to Install Patches on Windows 10 Devices to Get Access back to eMails?

Most of the end users are not always happy to install latest patches and restart the devices on time. But as an IT admin, it’s our responsibility to make enterprise environment secure with latest patches. Intune probably can help you to force users to install patches on their non patched Windows devices.

We can create a new compliance policy in Intune to set rules and force users to install patches immediately. Intune compliance policy gives an option to set minimum & maximum patch levels for Windows devices. When a device is not matching the minimum compliance requirement then, that device will be flagged as a non compliant device.

When you have conditional access associated with compliance policies then, the Windows device will lose access to enterprise applications (like mail, SharePoint online, Skype, etc.) associated with that conditional access policy. Once users update their Windows version with latest patches then, their devices get the access back to mail.

You can create WINVER command to decide the baseline Windows 10 version with certain patch level for your organization. Or you can use the following links to get the latest patch versions of Windows 10.

In my scenario, I set up a new compliance policy with minimum patch level is 15063.877 and maximum patch level is 16299.201. This will ensure that all Windows 10 devices which have access to enterprise applications are patched, and patch level version will be greater than 15063.877.

I have uploaded a video tutorial to my YouTube channel. And this video has a more detailed explanation on how to create new compliance policy for minimum and maximum patch level supported within your organisation. I explained best practices of building compliance policies for Windows devices in my previous post. Get more details from “How to Setup Intune Compliance Policy for Windows 10 Devices“.

Navigate via Azure portalMicrosoft AzureMicrosoft IntuneDevice compliance – Policies” and create a new compliance policy called “Restrict Window device depending on patches“.

Intune to Restrict NON Patched Windows Devices


Please enter your comment!
Please enter your name here