Block users from unenrolling from Intune
In this blog post, we explore the various ways to block Intune unenrollment. The options vary based on whether or not they have administrator rights.
One of the best features of Autopilot is that it allows a standard-user enrollment (meaning users don’t have local admin rights). If you’ve set this up – you’re done! The option to disconnect won’t be available for the end user:
Let’s say you’re using Autopilot but setting the profile for administrators (or just using AADJ & Intune for new devices, which can’t restrict admin rights). Now we’re a bit stuck. Users with admin rights should, in theory, be allowed to configure anything on the device – which includes enrollment into Intune.
One option here would be blocking access to the account pane. This would stop a subset of users from disconnecting, since it would then require scripting a solution to disconnect. In Intune, select Device Configuration > Device restrictions and select Block for Accounts in Control Panel and Settings.
The other option is more of a fun realization. If we do click disconnect for an AADJ+Intune or Autopilot w/admin profile device, it’ll ask us to create another admin account:
This means that although admin users can remove Intune management, they will also be removing their Azure AD credentials – meaning that they’re locked out.
The way I think about this is that since everything will be removed from the profile when the account is disconnected, in a way we’re preventing admins from disconnecting. It would be the same as giving a user rights to join any device to your tenant, except this device they previously removed from your tenant. Unfortunately, even if we lock down the device using Autopilot, this would circumvent those settings and allow them to use a local admin account.
If that paragraph is confusing all you really have to know is that local admins can’t access managed data on a device after they disconnect it from Intune.
Local admin enrolled in Intune device management only
Now what if in your environment users have local admin accounts to their devices and are enrolled in Intune MDM only (without auto-enrollment, meaning their device isn’t registered or joined in Azure AD). If you’re thinking to yourself “Huh?”, just stay with me for one second.
This isn’t a good scenario. Either give them corporate devices if you want to manage them, or allow personal enrollment and enable auto-enrollment. The only way to do this (at least that I’ve found) is using the Enroll only in device management option which already isn’t a common way to use Intune.
So you may be thinking – and rightfully so – why in the world would do this? And that’s exactly the rabbit hole I went down trying to figure out what the purpose of the Manual unenrollment device restriction setting in Intune is for.
This “block” in device restrictions won’t actually stop manual unenrollments for Azure AD Joined devices (automatically enrolled). We see this on the CSP page for the manual unenrollment setting. So since I’m not sure why it exists – I wrote this blog post to see what it does.
To test this I created the device restriction policy above, and then select the Enroll only in device management option in the Accounts pane.
After signing it, it’ll set up the device:
And in a few minutes, the device completes enrollment! You’ll notice that it says Connected to Device Advice MDM instead of Connect to Device Advice’s Azure AD.
But what happens when we click disconnect?
The account cannot be removed! (Clicking Yes confirms the prompt and nothing else)
Should you ever use the manual unenrollment setting? Probably not. But hopefully this post clarified any confusion if setting was enabled in your Intune tenant but it wasn’t blocking unenrollment. Thankfully, for most users unenrollment is automagically blocked and we don’t have to configure a thing.