Menu

Intune: Disallow Windows 10 devices from unenrollment

August 3, 2017 - Uncategorized

With Intune and OMA-URI settings, you can disallow Windows 10 devices to unenroll from Intune.
Here follows a description on how to do it.

Navigate to Microsoft Intune via Portal.azure.com and click on Intune.
Select Device ConfigurationProfiles and click on Create profile.
image

Enter the necessary information like name and/or description.
platform: Windows 10 and later
Profile type: Custom
image

Click on Settings Configure to configure the OMA-URI details.

Click on Add.
image

Enter the following details:
OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Data type: Integer
Value: 0 (0 = disallow manual unenrollment / 1 = allow manual unenrollment)

image
Click on OK and Create to save your changes. The rule should now be available in the profiles list:
image
Make sure to assign the profile to a user or computer group.

image

On your Windows 10 device, you can check if the policy is applied. Check the following reg key:
HKLM\Software\Microsoft\PolicyManager\Current\Device\Experience – AllowManualMDMUnenrollment.
The value should be 0.
image

As you can see on the screenshot, the configuration has been applied successfully.

Now, I will try to unenroll my device from MDM. (this is not the same as unenrolling from Azure AD. this will still work.)
On the Windows 10 device, navigate to Settings – AccountsAccess work or school.
Select the MDM account and click on Disconnect.
image

You will see the following message: This work or school account cannot be removed by system policy.
image

You can do the same for Windows Phone 8.1. it requires you to create a profile for Windows Phone 8.1 and use the following OMA – URI setting:
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

An overview of URI settings for Windows 10 can be found on the link below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference

Leave a Reply