@DaNmAN Thanks for posting in our Q&A.
Based on my understanding, Intune evaluates whether the device is compliant, rather than CA. For this issue, I have done some research. I find that a device can't be evaluated for compliance until it's enrolled.
On the other hand, if we select "Require device to be marked as compliant" for All users and All cloud apps, it will trigger device enrollment. We can read the following article as a reference.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device#create-a-conditional-access-policy
In conclusion, access to resources depends on whether the device is compliant in Intune.
Hope the above information will help.