Have Windows revert to default settings when Windows 10 MDM Policy is changed to "Not Configured" or removed
I've just started trying to use Windows 10 MDM policies instead of the Intune Agent and ran into a major issue.
When a policy is applied to a Windows 10 computer, and then that policy is either set to "Not Configured" or even removed, Windows 10 does not revert the affected settings back to their default state.
We had tried to turn off the Windows Defender Firewall for troubleshooting purposes when we ran into this issue. We needed to turn off the firewall to determine if an issue was with a firewall rule not set correctly or that a service was not communicating with the computer.
This behavior is documented here: https://docs.microsoft.com/en-us/intune/device-profile-troubleshoot
Unfortunately, this creates a hard stop for us using Intune MDM to manage Windows 10 computers. Without the ability to remove a restriction, profile or setting and have Windows 10 honor that setting change, we cannot use Windows 10 MDM enrollment.
This puts a stopgap on my implementation. Why won't this revert back or update to not configured/disabled as a GPO does?
I thought AAD and Intune MDM were the future replacement of local on-premises ADDS, but I guess not. Nice half work, Microsoft!
Removing system tattoos should be considered a minimal viable feature.
Nigel Clark commented
This would be such a time saver when testing. Having to manually revert or, last resort, 'reset' a laptop after each change is returned to not-configured is tiresome. What could have taken a day to create and test a policy has taken me over a week so far.
Where are we up to with this? We have a situation where we had blocked USB devices. We now need to reverse this change; we undid the change, but the machines will not take it and the USBs remain blocked.
Albert Neef commented
Me too... did some changes for power management with OMA-URI/Custom for Win10. Unfortunately, after removing the policy the settings weren't set back to their defaults. Now I still get that power management is being managed by the policy. OMA-URI values are still active on the endpoint.
Stanley Lim commented
Having the same issue here. Applied a Wifi profile through OMA-URI previously. Have changed the application of the setting to Intune's new built-in Wifi profile. But the old OMA-URI policies are still there.
I have wasted so much time resetting PCs during testing because of this limitation. Does not make sense to me at all.
Tom Kuster commented
The same happens when using the "Shared PC" Intune policy. This policy will allow guest users to log on to computers and will also change some Power settings. After removing this policy, the guest user account will remain and local admin accounts will be unable to change any Power settings (the settings keep stating that they are managed by "your administrator", even though the policy is removed). Removing the computer from Intune also doesn't remove/revert the settings applied by the Shared PC policy.
I agree. If you deploy a Startlayout policy and then remove the feature, it does not place the desktop back to the standard/non-policy configuration. You have to recapture a baseline before and after, as an Admin, and that's a lot of overhead.
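Added example, not code from any of the commenters or from Microsoft: the "recapture a baseline before and after" approach from the last comment, applied to the Windows Defender Firewall case from the original post. It snapshots the per-profile firewall settings before the MDM policy is pushed, reports what differs after the policy is set to Not Configured, and writes the baseline values back. It assumes Windows 10 with the NetSecurity module (Get-NetFirewallProfile / Set-NetFirewallProfile), an elevated session, and an assumed snapshot location in $BaselinePath.

```powershell
# Added example, not from the original post or from Microsoft: snapshot the
# Windows Defender Firewall profile state before an MDM policy is applied, then
# compare against that snapshot and put the values back once the policy is removed.
# Assumes Windows 10, the NetSecurity module (Get-/Set-NetFirewallProfile) and an
# elevated session. $BaselinePath is an assumed location for the snapshot file.
$BaselinePath = 'C:\ProgramData\PolicyBaseline\firewall-baseline.json'  # assumed path

# Settings that are captured and compared. They are stored as strings so they
# round-trip through JSON and can be handed straight back to Set-NetFirewallProfile.
$TrackedSettings = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction'

function Get-FirewallSnapshot {
    Get-NetFirewallProfile | ForEach-Object {
        $row = [ordered]@{ Name = $_.Name }
        foreach ($s in $TrackedSettings) { $row[$s] = "$($_.$s)" }   # e.g. 'True', 'Block'
        [pscustomobject]$row
    }
}

function Save-FirewallBaseline {
    param([string]$Path = $BaselinePath)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Get-FirewallSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-FirewallBaseline {
    # Returns one object per setting that differs from the saved baseline (nothing = no drift).
    param([string]$Path = $BaselinePath)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-FirewallSnapshot
    foreach ($b in $baseline) {
        $c = $current | Where-Object Name -eq $b.Name
        foreach ($s in $TrackedSettings) {
            if ($c.$s -ne $b.$s) {
                [pscustomobject]@{ Profile = $b.Name; Setting = $s; Baseline = $b.$s; Current = $c.$s }
            }
        }
    }
}

function Restore-FirewallBaseline {
    # Re-applies every drifted value. After the MDM policy is set to Not Configured the
    # tattooed value stays on the device until something writes the baseline value back.
    param([string]$Path = $BaselinePath)
    foreach ($d in (Compare-FirewallBaseline -Path $Path)) {
        $params = @{ Profile = $d.Profile; $d.Setting = $d.Baseline }
        Set-NetFirewallProfile @params
        Write-Output "Restored $($d.Profile)/$($d.Setting): $($d.Current) -> $($d.Baseline)"
    }
}

# Usage: Save-FirewallBaseline before pushing the policy; Compare-FirewallBaseline after
# setting it to Not Configured to see what was left behind; Restore-FirewallBaseline to revert.
```

If Set-NetFirewallProfile errors out during the restore, the value is still being enforced (the policy has not actually been withdrawn from the device yet), so the compare output doubles as a check that the MDM change has landed before you try to undo the tattoo.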