Have Windows revert to default settings when Windows 10 MDM Policy is changed to "Not Configured" or removed
I've just started trying to use Windows 10 MDM policies instead of the Intune Agent and ran into a major issue.
When a policy is applied to a Windows 10 computer, and then that policy is either set to "Not Configured" or even removed, Windows 10 does not revert the affected settings back to their default state.
We had tried to turn off the Windows Defender Firewall for troubleshooting purposes when we ran into this issue. We needed to turn off the firewall to determine if an issue was with a firewall rule not set correctly or that a service was not communicating with the computer.
This behavior is documented here: https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot
Unfortunately, this creates a hard stop for us using Intune MDM to manage Windows 10 computers. Without the ability to remove a restriction, profile or setting and have Windows 10 honor that setting change, we cannot use Windows 10 MDM enrollment.
Oliver Kieselbach commented
It looks like it has changed now; I've compiled my findings here:
Changed Intune Policy Processing Behavior on Windows 10
I was only just now explaining to my boss the inner workings of Intune, and that after changing a setting to Not configured, we still had to apply a counter-config profile or scripts to revert the settings on previously affected computers.
He then tested one of our Device restrictions profiles and edited one setting (Microsoft account) from Block to Not configured, and a few moments later, he was actually allowed to add his personal Microsoft account on his own computer (previously denied)!
So is it official? Has Microsoft let Intune revert settings back to their OS defaults now? But I can't find anything pertaining to this in the What's new log.
Guess it works now?
This needs to be fixed. But even if this is a big feat, include a way (GP/button) to force an update from Intune. There is no way we can touch every PC in the org individually if we need to roll back a policy setting.
As a small way forward, this partial work-around might be interesting to read until this is fixed properly by Microsoft (it is crucial that this is fixed).
This puts a stop gap on my implementation. Why won't this revert back or update to not configured/disabled as a GPO does?
I thought AAD and Intune MDM were the future replacement for local on-premises ADDS, but I guess not. Nice half work, Microsoft!
Removing system tattoos should be considered a minimal viable feature.
Nigel Clark commented
This would be such a time saver when testing. Having to manually revert or, last resort, 'reset' a laptop after each change is returned to not-configured is tiresome. What could have taken a day to create and test a policy has taken me over a week so far.
Where are we up to with this? We have a situation where we had blocked USB devices. We now need to reverse this change; we undid the change, but the machines will not take it and the USBs remain blocked.
Albert Neef commented
Me too... I did some changes for power management with OMA-URI/Custom for Win10. Unfortunately, after removing the policy the settings weren't set back to their defaults. Now I still get that power management is being managed by the policy. The OMA-URI values are still active on the endpoint.
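One way to see which MDM policy values a device still holds after a profile has been set to Not configured or removed is to read the Policy CSP's "current" hive in the registry, where Windows records the effective value of each policy area (Power, Wifi, Accounts and so on). The script below is an added example for readers of this thread, not code from the thread or from Microsoft; the registry layout it reads is the one used by the Policy CSP, while the `-Area` filter, the `_WinningProvider` lookup and the output shape are this script's own assumptions.

```powershell
# Added example (not from the thread): list the MDM policy values Windows still
# holds under the PolicyManager "current" hive, so an admin can see which settings
# remain tattooed on the endpoint after an Intune profile was set to Not configured
# or removed. Run in an elevated PowerShell session on the affected device.
# Assumptions (labelled): the registry path below is the Policy CSP's effective-value
# hive; the "<policy>_WinningProvider" companion value naming is assumed from that
# hive's usual layout; the -Area filter and output format are this script's own.

param(
    [string]$Area = '*'   # e.g. 'Power', 'Wifi', 'Accounts'; '*' lists every area
)

$base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

if (-not (Test-Path $base)) {
    Write-Warning "No MDM policy hive found at $base (device may not be MDM-enrolled)."
    return
}

Get-ChildItem -Path $base |
    Where-Object { $_.PSChildName -like $Area } |
    ForEach-Object {
        $areaKey = $_
        $props   = Get-ItemProperty -Path $areaKey.PSPath

        # Skip PowerShell's own PS* bookkeeping properties and the PolicyManager
        # companion values; report only the actual policy value plus which
        # provider (enrollment) currently owns it.
        $props.PSObject.Properties |
            Where-Object {
                $_.Name -notmatch '^PS' -and
                $_.Name -notlike '*_ProviderSet' -and
                $_.Name -notlike '*_WinningProvider' -and
                $_.Name -ne '_PolicyManagerMetadata'
            } |
            ForEach-Object {
                $winner = $props.PSObject.Properties["$($_.Name)_WinningProvider"]
                [pscustomobject]@{
                    Area            = $areaKey.PSChildName
                    Policy          = $_.Name
                    Value           = $_.Value
                    WinningProvider = if ($winner) { $winner.Value } else { '(none)' }
                }
            }
    } |
    Sort-Object Area, Policy |
    Format-Table -AutoSize
```

Run it as `.\Get-MdmPolicyState.ps1 -Area Power` (the file name is this example's own choice) to check a single area such as the power settings mentioned above; a policy that still shows a value and a winning provider after the profile was removed in the portal is exactly the tattooed state this thread describes. For a fuller picture, the built-in `MdmDiagnosticsTool.exe -out <folder>` report lists the same policy state alongside the enrollment and sync logs, which helps tell a profile that was never re-synced apart from one that synced but did not revert.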
Stanley Lim commented
Having the same issue here. I applied a Wifi profile through OMA-URI previously and have changed the application of the setting to Intune's new built-in Wifi profile. But the old OMA-URI policies are still there.
I have wasted so much time resetting PCs during testing because of this limitation. It does not make sense to me at all.
Tom Kuster commented
The same happens when using the "Shared PC" Intune policy. This policy will allow guest users to log on to computers and will also change some Power settings. After removing this policy, the guest user account will remain and local admin accounts will be unable to change any Power settings (the settings keep stating that they are managed by "your administrator", even though the policy is removed). Removing the computer from Intune also doesn't remove/revert the settings applied by the Shared PC policy.
I agree. If you deploy a Startlayout policy and then remove the feature, it does not put the desktop back to the standard, non-policy-deployed configuration. You have to recapture a baseline before and after, as an Admin, and that's a lot of overhead.