Intune: Disallow Windows 10 devices from unenrollment

August 3, 2017

With Intune and OMA-URI settings, you can prevent Windows 10 devices from unenrolling from Intune.
The steps are described below.

Navigate to Microsoft Intune via and click on Intune.
Select Device Configuration – Profiles and click on Create profile.

Enter the necessary information like name and/or description.
Platform: Windows 10 and later
Profile type: Custom

Click on Settings – Configure to configure the OMA-URI details.

Click on Add.

Enter the following details:
OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data type: Integer
Value: 0 (0 = disallow manual unenrollment / 1 = allow manual unenrollment)

Click on OK and Create to save your changes. The rule should now be available in the profiles list:
Make sure to assign the profile to a user or computer group.


On your Windows 10 device, you can check whether the policy has been applied. Check the following registry key:
HKLM\Software\Microsoft\PolicyManager\Current\Device\Experience – AllowManualMDMUnenrollment.
The value should be 0.

As you can see on the screenshot, the configuration has been applied successfully.
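
A scripted version of the registry check above, as an added example that is not part of the original post. The function name Test-ManualUnenrollBlocked is an assumption; a missing key or value is reported as NotConfigured instead of being treated as compliant.

```powershell
# Added example: reports whether the AllowManualMDMUnenrollment policy
# from this post has reached the local device.
# Test-ManualUnenrollBlocked is a hypothetical helper name.

function Test-ManualUnenrollBlocked {
    [CmdletBinding()]
    param(
        # Registry location and value name given in the post.
        [string]$Path = 'HKLM:\Software\Microsoft\PolicyManager\Current\Device\Experience',
        [string]$Name = 'AllowManualMDMUnenrollment'
    )

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $Path
        Value    = $null
        State    = 'NotConfigured'   # key or value absent: policy not delivered
        Blocked  = $false
    }

    # The Experience key does not exist until a policy in that area is applied.
    if (-not (Test-Path -LiteralPath $Path)) { return $result }

    # The key can exist for other Experience policies without this value.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $result }

    $result.Value = $item.$Name
    switch ($result.Value) {
        0       { $result.State = 'Disallowed'; $result.Blocked = $true }
        1       { $result.State = 'Allowed' }
        default { $result.State = 'Unexpected' }   # anything other than 0 or 1
    }
    return $result
}

# Print the result for this device; Blocked is True only when the value is 0.
Test-ManualUnenrollBlocked | Format-List
```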

Now, I will try to unenroll my device from MDM. (This is not the same as unenrolling from Azure AD, which will still work.)
On the Windows 10 device, navigate to Settings – Accounts – Access work or school.
Select the MDM account and click on Disconnect.

You will see the following message: This work or school account cannot be removed by system policy.

You can do the same for Windows Phone 8.1. It requires you to create a profile for Windows Phone 8.1 and use the following OMA-URI setting:

An overview of URI settings for Windows 10 can be found on the link below:

