
heinzelrumpel
Copper Contributor
Feb 24, 2025

Non-persistent session on non-joined devices

Hi,


How do I create a Conditional Access policy within Intune that requires a non-joined device and then sets the persistent browser session to "never persistent"? As I look at the settings I am only able to set "Require Microsoft Entra hybrid joined device". Thanks


Cheers, heinzelrumpel

  • micheleariis
    Steel Contributor

    Hi, yes, exactly. To exclude registered devices and apply the policy only to non-registered devices, you need to use the filter for devices in Conditional Access.

    From your screenshot, I can see that you have set the filter with the rule:

    - device.trustType -eq "ServerAD", which corresponds to Microsoft Entra hybrid joined devices
    - You have selected Exclude filtered devices from policy

    This way, the policy will apply only to non-registered devices, meaning those that are not hybrid joined.

    As a result, these devices will not maintain an active session persistently, since the default behavior for non-registered devices is already non-persistent.

  • micheleariis
    Steel Contributor

    Hi, unfortunately, in the Intune interface, you can't directly set "Never persistent" for non-registered devices because the persistent session control is tied to Entra hybrid joined devices.

    But there’s a workaround! It’s best to create two separate policies:

    - For registered devices: use the "Require Microsoft Entra hybrid joined device" option and configure the session behavior as needed.
    - For non-registered devices: create a policy that excludes registered devices. The good thing is that, by default, non-registered devices do not maintain an active session, so you still achieve a "non-persistent" session without explicitly selecting that option.


    If you want to be extra sure, you can adjust Sign-in Frequency or access token lifetime, so users on non-registered devices have to authenticate more frequently.

    • heinzelrumpel
      Copper Contributor

      "For non-registered devices - Create a policy that excludes registered devices. The good thing is that, by default, non-registered devices do not maintain an active session, so you still achieve a "non-persistent" session without explicitly selecting that option."


      You probably mean to use the condition "filter for devices"? As seen in my screenshot.


    • heinzelrumpel
      Copper Contributor

      "For non-registered devices - Create a policy that excludes registered devices. The good thing is that, by default, non-registered devices do not maintain an active session, so you still achieve a "non-persistent" session without explicitly selecting that option."


      Hi, thanks for that advice, but how do I exclude non-registered devices within a Conditional Access policy? I only see users and groups to exclude.
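The following is an added example written for this page; it is not code from either poster or from Microsoft. It models the two-policy approach micheleariis describes: a Conditional Access device filter with the rule `device.trustType -eq "ServerAD"` in "exclude" mode, so the policy lands on every device that is not hybrid joined, combined with session controls that make the browser session non-persistent and force re-authentication. The policy dictionary follows the shape of the Microsoft Graph `conditionalAccessPolicy` resource as I understand it (an assumption, so verify property names against the Graph reference before using it); the device records and the filter evaluator are constructed for illustration, and the evaluator simplifies Entra's real behaviour by treating a device that is unknown to Entra as matching no rule.

```python
"""Added example: how a Conditional Access device filter in 'exclude' mode
selects the non-hybrid-joined devices discussed in the thread.

Policy shape: assumed to follow the Microsoft Graph conditionalAccessPolicy
resource (assumption, not verified against the live API).
Device records and evaluator: constructed for illustration only.
"""
import re

# Device filter rule exactly as quoted in the thread.
HYBRID_JOINED_RULE = 'device.trustType -eq "ServerAD"'

# Assumed Graph-style policy: applies to everything EXCEPT the filtered
# (hybrid joined) devices, never persists the browser session, and
# requires a fresh sign-in every hour.
NON_JOINED_POLICY = {
    "displayName": "Non-joined devices: non-persistent browser session",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "devices": {
            "deviceFilter": {"mode": "exclude", "rule": HYBRID_JOINED_RULE}
        },
    },
    "sessionControls": {
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1},
    },
}

# Constructed sample device records (not from the thread). trustType follows
# the Entra device property: "ServerAD" = hybrid joined, "AzureAD" = Entra
# joined, "Workplace" = Entra registered; None = device unknown to Entra.
SAMPLE_DEVICES = [
    {"displayName": "CORP-LAPTOP-01", "trustType": "ServerAD"},
    {"displayName": "CLOUD-LAPTOP-02", "trustType": "AzureAD"},
    {"displayName": "BYOD-PHONE-03", "trustType": "Workplace"},
    {"displayName": "unknown-browser", "trustType": None},
]

# Minimal grammar: device.<property> -eq|-ne "<value>". Real filter rules
# support more operators; this is enough for the rule used in the thread.
RULE_RE = re.compile(r'^device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"$')


def parse_rule(rule: str):
    """Return (property, operator, value); raise ValueError on unsupported syntax."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported device filter rule: {rule!r}")
    return m.group(1), m.group(2), m.group(3)


def device_matches(device: dict, rule: str) -> bool:
    """True when the device satisfies the rule.

    Simplification: a device with no value for the property (unknown to
    Entra) matches neither -eq nor -ne.
    """
    prop, op, value = parse_rule(rule)
    actual = device.get(prop)
    if actual is None:
        return False
    return actual == value if op == "eq" else actual != value


def policy_applies(device: dict, policy: dict) -> bool:
    """Apply the deviceFilter mode: 'include' targets devices that match the
    rule, 'exclude' targets every device that does not match it."""
    dfilter = policy["conditions"]["devices"]["deviceFilter"]
    matched = device_matches(device, dfilter["rule"])
    return matched if dfilter["mode"] == "include" else not matched


def devices_in_scope(devices, policy):
    """Names of the devices the policy's session controls would apply to."""
    return [d["displayName"] for d in devices if policy_applies(d, policy)]


if __name__ == "__main__":
    for name in devices_in_scope(SAMPLE_DEVICES, NON_JOINED_POLICY):
        print("non-persistent session enforced for:", name)
```

Running it lists every sample device except CORP-LAPTOP-01, the hybrid joined one: that is the "exclude filtered devices" effect the thread relies on, and it also shows that a device Entra has never seen falls inside the policy, which is the case the original question is really about.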
