A Conditional Access policy is structured around assignments (who the policy applies to) and access controls.

1. Conditions: This section defines the signals that trigger the policy. To restrict access based on the device's operating system, you would configure the Device platforms setting under Conditions. This allows you to include or exclude specific platforms like Windows, macOS, iOS, and Android. Therefore, to only allow access from Windows, the Conditions setting is used.
2. Grant: This section defines the access controls that are enforced once the conditions are met. To ensure a device meets organizational standards for security and configuration, you use the Grant control "Require device to be marked as compliant". This control checks the device's compliance status (managed by a solution like Microsoft Intune) before granting access.

Microsoft Learn | Conditional Access: Conditions: This official documentation details the various conditions available in a Conditional Access policy. Under the "Device platforms" section, it states, "Conditional Access identifies the device platform by using information provided by the device... By default, a Conditional Access policy applies to all device platforms." This confirms that filtering by device type (like Windows) is handled within the Conditions settings.

Microsoft Learn | Conditional Access: Grant: This document explains the available grant controls. It explicitly lists "Require device to be marked as compliant" as a grant control. The document states, "This control requires the device used to access the cloud app is marked as compliant by a mobile device management (MDM) solution like Microsoft Intune." This verifies that enforcing compliance is a Grant control.