With Intune and OMA-URI settings, you can disallow Windows 10 devices to unenroll from Intune.
Here follows a description on how to do it.
Click on Settings Configure to configure the OMA-URI details.
Enter the following details:
Data type: Integer
Value: 0 (0 = disallow manual unenrollment / 1 = allow manual unenrollment)
On your Windows 10 device, you can check if the policy is applied. Check the following reg key:
HKLM\Software\Microsoft\PolicyManager\Current\Device\Experience – AllowManualMDMUnenrollment.
The value should be 0.
As you can see on the screenshot, the configuration has been applied successfully.
Now, I will try to unenroll my device from MDM. (this is not the same as unenrolling from Azure AD. this will still work.)
On the Windows 10 device, navigate to Settings – Accounts – Access work or school.
Select the MDM account and click on Disconnect.
You can do the same for Windows Phone 8.1. it requires you to create a profile for Windows Phone 8.1 and use the following OMA – URI setting:
An overview of URI settings for Windows 10 can be found on the link below: